Tuning ipfilter parameters to reduce network congestion
When you use ipfilter and ipnat as a NAT router and firewall, and a client behind the router is running BitTorrent, then after BT has been running for a while, web browsing and other downloads tend to stall. The cause is that BT creates a very large number of connections and sessions, exceeding the capacity of the NAT table and the state table. The fix is to enlarge the NAT table and the state table and to shorten the idle timeouts of connections.
Enlarge the NAT table and the state table:
ipf_nattable_sz=2047->30011 (prime)
ipf_nattable_max=30000->300000
fr_statesize=5739->11471 (prime)
fr_statemax=4013->8039 (prime) # 70% of fr_statesize
Shorten the connection idle timeouts:
fr_tcptimeout=480->180
fr_tcpclosewait=480->60
fr_tcphalfclosed=14400->300
fr_tcpclosed=120->60
fr_tcplastack=480->120
fr_tcpidletimeout=864000->7200
fr_udptimeout=240->90
fr_icmptimeout=120->35
Change the parameters from the command line (assuming the ipl.ko module is already loaded into the kernel):
/sbin/ipf -D -T ipf_nattable_sz=30011,ipf_nattable_max=300000,\
fr_tcptimeout=180,fr_tcpclosewait=60,fr_tcphalfclosed=300,\
fr_tcpidletimeout=7200,fr_tcpclosed=60,fr_tcplastack=120,\
fr_udptimeout=90,fr_icmptimeout=35,\
fr_statemax=8039,fr_statesize=11471 -E
Then check whether the changes took effect:
sysctl net.inet.ipf
net.inet.ipf.fr_minttl: 4
net.inet.ipf.fr_chksrc: 0
net.inet.ipf.fr_defaultauthage: 600
net.inet.ipf.fr_authused: 0
net.inet.ipf.fr_authsize: 32
net.inet.ipf.ipf_hostmap_sz: 2047
net.inet.ipf.ipf_rdrrules_sz: 127
net.inet.ipf.ipf_natrules_sz: 127
net.inet.ipf.ipf_nattable_sz: 30011*
net.inet.ipf.fr_statemax: 8039*
net.inet.ipf.fr_statesize: 11471*
net.inet.ipf.fr_running: 1
net.inet.ipf.fr_ipfrttl: 120
net.inet.ipf.fr_defnatage: 1200
net.inet.ipf.fr_icmptimeout: 35*
net.inet.ipf.fr_udpacktimeout: 24
net.inet.ipf.fr_udptimeout: 90*
net.inet.ipf.fr_tcpclosed: 60*
net.inet.ipf.fr_tcptimeout: 180*
net.inet.ipf.fr_tcplastack: 120*
net.inet.ipf.fr_tcpclosewait: 60*
net.inet.ipf.fr_tcphalfclosed: 300*
net.inet.ipf.fr_tcpidletimeout: 7200*
net.inet.ipf.fr_active: 0
net.inet.ipf.fr_pass: 134217730
net.inet.ipf.fr_flags: 0
Entries marked with * have been modified.
Or check it another way:
ipf -T list
fr_flags min 0 max 0xffffffff current 0
fr_active min 0 max 0 current 0
fr_control_forwarding min 0 max 0x1 current 0
fr_update_ipid min 0 max 0x1 current 0
fr_chksrc min 0 max 0x1 current 0
fr_minttl min 0 max 0x1 current 4
fr_icmpminfragmtu min 0 max 0x1 current 68
fr_pass min 0 max 0xffffffff current 134217730
fr_tcpidletimeout min 0x1 max 0x7fffffff current 7200*
fr_tcpclosewait min 0x1 max 0x7fffffff current 60*
fr_tcplastack min 0x1 max 0x7fffffff current 120*
fr_tcptimeout min 0x1 max 0x7fffffff current 180*
fr_tcpclosed min 0x1 max 0x7fffffff current 60*
fr_tcphalfclosed min 0x1 max 0x7fffffff current 300*
fr_udptimeout min 0x1 max 0x7fffffff current 90*
fr_udpacktimeout min 0x1 max 0x7fffffff current 24
fr_icmptimeout min 0x1 max 0x7fffffff current 35*
fr_icmpacktimeout min 0x1 max 0x7fffffff current 12
fr_iptimeout min 0x1 max 0x7fffffff current 120
fr_statemax min 0x1 max 0x7fffffff current 8039*
fr_statesize min 0x1 max 0x7fffffff current 11471*
fr_state_lock min 0 max 0x1 current 0
fr_state_maxbucket min 0x1 max 0x7fffffff current 28
fr_state_maxbucket_reset min 0 max 0x1 current 1
ipstate_logging min 0 max 0x1 current 1
fr_nat_lock min 0 max 0x1 current 0
ipf_nattable_sz min 0x1 max 0x7fffffff current 30011*
ipf_nattable_max min 0x1 max 0x7fffffff current 300000*
ipf_natrules_sz min 0x1 max 0x7fffffff current 127
ipf_rdrrules_sz min 0x1 max 0x7fffffff current 127
ipf_hostmap_sz min 0x1 max 0x7fffffff current 2047
fr_nat_maxbucket min 0x1 max 0x7fffffff current 30
fr_nat_maxbucket_reset min 0 max 0x1 current 1
nat_logging min 0 max 0x1 current 1
fr_defnatage min 0x1 max 0x7fffffff current 1200
fr_defnatipage min 0x1 max 0x7fffffff current 120
fr_defnaticmpage min 0x1 max 0x7fffffff current 6
ipfr_size min 0x1 max 0x7fffffff current 257
fr_ipfrttl min 0x1 max 0x7fffffff current 120
ipl_suppress min 0 max 0x1 current 1
ipl_buffer_sz min 0 max 0 current 0
ipl_logmax min 0 max 0x7fffffff current 7
ipl_logall min 0 max 0x1 current 0
ipl_logsize min 0 max 0x80000 current 8192
ippr_ftp_debug min 0 max 0xa current 0
Entries marked with * have been modified.
Because ipf was run with -D, both the ipf filter rules and the NAT rules have been flushed, so they have to be reloaded:
ipf -f /etc/ipf.rules
ipnat -f /etc/ipnat.rules
After these changes the chance of network congestion is greatly reduced.
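The whole procedure above, wrapped in a small POSIX sh script as an added example (it is not from the original post): it checks that the hash-table sizes are prime and that fr_statemax is about 70% of fr_statesize, builds the comma-separated list that ipf -T expects, and reloads both rule files after the -D/-E cycle. The rule file paths are the ones the post uses; the 60-80% tolerance band is my own assumption.

```shell
#!/bin/sh
# Added example, not the original post's code. Validates and applies the
# ipfilter tunables from the post. /etc/ipf.rules and /etc/ipnat.rules are
# the paths used in the post; the 60-80% band is an assumption.

# is_prime N: return 0 if N is prime (trial division, fine for values ~1e5).
is_prime() {
    n=$1
    [ "$n" -ge 2 ] || return 1
    i=2
    while [ $((i * i)) -le "$n" ]; do
        [ $((n % i)) -eq 0 ] && return 1
        i=$((i + 1))
    done
    return 0
}

# check_tunables NATTABLE_SZ NATTABLE_MAX STATESIZE STATEMAX
# Enforces the relationships the post relies on; prints the first violation.
check_tunables() {
    is_prime "$1" || { echo "ipf_nattable_sz=$1 is not prime"; return 1; }
    is_prime "$3" || { echo "fr_statesize=$3 is not prime"; return 1; }
    [ "$2" -gt "$1" ] || { echo "ipf_nattable_max must exceed ipf_nattable_sz"; return 1; }
    # fr_statemax should be roughly 70% of fr_statesize.
    pct=$(( $4 * 100 / $3 ))
    [ "$pct" -ge 60 ] && [ "$pct" -le 80 ] || {
        echo "fr_statemax is ${pct}% of fr_statesize, want about 70%"; return 1; }
    return 0
}

# build_tunables NATTABLE_SZ NATTABLE_MAX STATESIZE STATEMAX
# Emits the single comma-separated argument for ipf -T, with the timeouts
# from the post.
build_tunables() {
    printf '%s' "ipf_nattable_sz=$1,ipf_nattable_max=$2,fr_statesize=$3,fr_statemax=$4,fr_tcptimeout=180,fr_tcpclosewait=60,fr_tcphalfclosed=300,fr_tcpidletimeout=7200,fr_tcpclosed=60,fr_tcplastack=120,fr_udptimeout=90,fr_icmptimeout=35"
}

# apply_tunables: disable, set, re-enable, then reload both rule files,
# because -D discards the loaded filter and NAT rules.
apply_tunables() {
    check_tunables 30011 300000 11471 8039 || return 1
    /sbin/ipf -D -T "$(build_tunables 30011 300000 11471 8039)" -E || return 1
    /sbin/ipf -f /etc/ipf.rules && /sbin/ipnat -f /etc/ipnat.rules
}
```

Run apply_tunables as root on the router; the check functions can be exercised on any host without touching ipf.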
Original source:
http://www.freebsdchina.org/forum/viewtopic.php?t=38611