Firewall Wizards mailing list archives

Re: Firewall-1 and kernel memory


From: youngk () ttc com
Date: Thu, 21 Jan 1999 10:21:02 -0500


> I have had to increase the kernel memory for Firewall-1 on my Solaris
> sparc station in order to handle increased NAT traffic.  My question is
> the following: does this memory refresh itself, or refresh after a reboot,

I assume that when you say that you are increasing kernel memory, you are
making the "fwmem" config changes in /etc/system.... Since it is a setting
for how much RAM the kernel module will use, it will get reallocated and
refreshed upon reboot.

> or is it constantly "eaten up"

Well, that is true also. The FW-1 installs that I have done for larger
sites tend to show some memory leaks which cause the firewall proxies and
kernel daemon to crash, either rebooting the machine or leaving the machine
running with IP routing enabled and no firewall protection (eeek!!!). The
smaller sites that I have seen don't tend to have this problem due to the
lower amount of traffic that FW-1 passes.

Make sure that you install at least FW-1 3.0b patch 3072. Latest patch is
service pack 8 for FW-1 3.0, although I haven't tried it outside of a
testing environment.

> and several months from now, I'll have to increase the hmem again?

Don't go too high. If you put the setting over 16MB, FW-1 becomes very
unstable when it tries to allocate memory over 16MB.

> Also, does this increase come from the RAM pool or from actual physical
> memory (hard drive)?

All of the memory that you have set for "fwmem" comes from RAM and not from
any kind of swap file. Would you really want your firewall kernel
daemon swapping out to disk?   :-)



--Keith Young

-youngk () ttc com