 From:  Josh <josh at nemesis dot net>
 To:  "m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Problem with deployment (timeout related)...
 Date:  Sat, 02 Oct 2004 01:39:54 -0700
> Yes - I'm pretty sure you're hitting the maximum of ~4000 state table
> entries. That's the default value for ipfilter, and can unfortunately
> not be changed without recompiling the kernel.
> Since m0n0wall wasn't initially meant for high volume setups like
> yours, the state/NAT hash table sizes and maximums were just left at


Just want to chime in -

I know this wasn't m0n0's original purpose, but its inclusion of
VLAN support makes it _very_ attractive for the ISP managed
firewall environment.  Not many commercial firewalls support
an unlimited number of VLANs - and they are pricey.

The other thing m0n0 would need (if I'm understanding the
rulesets right) is having an outbound firewall rule for
'WAN' instead of 'ANY' (i.e., to allow isolation between
different OPT interfaces).  I would love to see this in the
next beta as it would have other benefits as well.

Fail-over/HA would be nice too ;)

Thanks

-josh
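As an added illustration of the isolation Josh is asking for (this is not from the original post and not part of m0n0wall's ruleset), the fragment below shows what it looks like in plain ipfilter syntax, which is the packet filter m0n0wall is built on. Interface names (vlan10, vlan20, fxp0) and the 10.10.0.0/24 and 10.20.0.0/24 customer subnets are assumptions for the example. A rule that passes "OPT1 net to any" also lets one customer VLAN reach the other, so the explicit blocks are placed first; because ipfilter is last-match-wins unless a rule is marked `quick`, each rule carries `quick` so the blocks take effect before the broad pass.

```conf
# Constructed example ruleset; names and addresses are assumptions.
# vlan10 = OPT1 (10.10.0.0/24), vlan20 = OPT2 (10.20.0.0/24), fxp0 = WAN

# Customer-to-customer traffic is blocked on the way in, before any pass rule.
block in quick on vlan10 from 10.10.0.0/24 to 10.20.0.0/24
block in quick on vlan20 from 10.20.0.0/24 to 10.10.0.0/24

# Each OPT network may then reach anything else, which in practice means
# "out via WAN"; keep state so replies come back without a separate pass-in.
pass in quick on vlan10 from 10.10.0.0/24 to any keep state
pass in quick on vlan20 from 10.20.0.0/24 to any keep state

# Anything else arriving on the customer interfaces is dropped.
block in quick on vlan10 all
block in quick on vlan20 all
```

Every `keep state` entry counts against the same fixed ipfilter state table the quoted reply mentions, so on an ISP-scale box with many VLANs the per-rule state usage is worth watching alongside the isolation rules themselves.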