Date:      Thu, 22 Feb 2007 17:04:18 +0200
From:      Giorgos Keramidas <>
To:        RW <>
Subject:   Re: PF slowing down file copies
Message-ID:  <20070222150418.GA3298@kobe.laptop>
In-Reply-To: <>
References:  <> <> <>

On 2007-02-22 14:30, RW <> wrote:
> On Wed, 21 Feb 2007 19:38:39 +0100
> J65nko <> wrote:
>> For keeping state on TCP connections you should only create state on
>> the first packet of the 3 way TCP handshake. Using "flags S/SA" will
>> ensure this. This will prevent problems with TCP windows scaling..
> Why? Creating a state entry causes subsequent packets, in the same tcp
> connection, to bypass the rules altogether.

Because a state entry is a rule by itself.  A special 'rule', but still
a rule.  As such, each state-table entry requires a finite amount of
resources.  Conserving resources, whenever possible, is a good idea.

Creating 10 packets for a connection whose 'traffic' requires 10 TCP
segments to be transmitted, and 9000 state entries for a TCP connection
whose data payload needs 9000 segments to be transmitted is kind of
silly.  Especially since it is entirely legal and easy to do the same
thing with only 2 state entries (one for each connection).
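As an added example (not part of this thread), a pf.conf fragment contrasting a rule that keeps state on any matching TCP packet with the `flags S/SA` form J65nko recommends; the interface name and port are placeholders.

```pf
# Added example, not from the thread.  "em0" is a placeholder interface.
ext_if = "em0"

# Without a flags restriction, any TCP packet that matches the rule can create
# a state entry, including a packet from the middle of a connection whose
# SYN/SYN-ACK exchange PF never saw.  The window scale factor is only carried
# in those two handshake segments, so such a state cannot track the real
# window and later packets in the stream may be dropped.
pass in on $ext_if proto tcp from any to any port 22 keep state

# "flags S/SA" matches only when SYN is set and ACK is clear (out of the
# checked SYN and ACK bits), i.e. the first packet of the 3-way handshake.
# Each connection then gets exactly one state entry, created at a point where
# PF can learn the negotiated window scaling from the SYN and SYN-ACK.
pass in on $ext_if proto tcp from any to any port 22 flags S/SA keep state
```

After loading either variant, `pfctl -si` shows the current and total number of state-table entries, which is the figure to compare when checking how many entries a given traffic pattern produces.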
