Christian Karpp wrote:
> Hi,
>
> I'd like to understand how aging of NAT entries work. I'm currently
> struggling with my NAT table filling up and never expiring any entries.
>
> I'm using only two rules:
> map en0 10.10.0.0/16 -> a.b.c.d/32 age 2
> rdr en0 a.b.c.d port 80 -> 10.10.20.4 port 80
>
> One machine on the private net does *a lot* of DNS queries and fills
> up the NAT table pretty quickly with entries like:
> MAP 10.10.10.3 51019 <- -> a.b.c.d 51019 [e.f.g.h 53]
>
> No entry ever expires as I can tell from an 'ipnat -s' thus when 30000
> lines have been added, no new connections will be handled. Neither by
> the MAP nor by the RDR statement. I have to manually flush the table
> ('ipnet -F') first to make things work again.
>
> I'm using a build of IPFilter v4.1.13, compiled with default options,
> running on AIX 5.3TL05
If you do "ipf -V" successively, do you see the value for "fr_ticks"
increase?
Darren
|