Limiting Maximum state entries per host didn't work perfectly
-
I tried limiting Maximum state entries per host to 13.
It seems to work fine on my computer. But when I look at the states table,
I still see one IP that has about 100 states, most of them established.
It seems that computer is running some kind of p2p… how can that happen?
How can I put in a real limit that cannot be exceeded?
tia
rex
-
Is there a chance that this host had connections before you set the limit? Try resetting states and retest.
-
Resetting states has no effect.
Rebooting the firewall gets a better result.
Still…
that one client has at least twice as many states as what I limited it to.
-
> Resetting states has no effect.
> that one client has at least twice as many states as what I limited it to.
One state for passing the connection into the firewall, another state for passing it out; if the firewall is NATing, it's 2 different source IPs. Or are you seeing all states on the LAN side?
-
Show us the custom rules from /tmp/rules.debug that have the max src connections and such.
-
Everything seems OK from here. The states with src -> wan ip -> dst are the pf NAT mappings. If a connection passes through the NAT'd firewall you will always see one of those for each connection. You will also see one of those for redirections.
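A quick way to see this for yourself is to count states per LAN host and separate the NAT mapping entries (three addresses, two arrows) from the plain pass states (two addresses, one arrow). The script below is an added example for this thread, not something any of the posters ran; the `pfctl -ss` output in SAMPLE is constructed to follow the src -> wan ip -> dst layout described above, so the exact column layout on a real firewall may differ slightly. On a real box, pipe `pfctl -ss` into state_counts instead of the sample.

```shell
#!/bin/sh
# Count pf states per LAN source address from `pfctl -ss`-style output.
# "all"  counts every state line, which is what the states page shows.
# "pass" skips the NAT mapping lines (src -> nat ip -> dst), leaving the
#        per-connection pass states that a per-host state limit applies to.
# SAMPLE is constructed for this example (not captured from the thread's firewall).

SAMPLE='self tcp 192.168.1.50:1054 -> 203.0.113.7:54871 -> 198.51.100.20:80       ESTABLISHED:ESTABLISHED
self tcp 192.168.1.50:1054 -> 198.51.100.20:80       ESTABLISHED:ESTABLISHED
self tcp 192.168.1.50:1055 -> 203.0.113.7:54872 -> 198.51.100.21:443       ESTABLISHED:ESTABLISHED
self tcp 192.168.1.50:1055 -> 198.51.100.21:443       ESTABLISHED:ESTABLISHED
self udp 192.168.1.50:1056 -> 203.0.113.7:54873 -> 198.51.100.1:53       MULTIPLE:SINGLE
self udp 192.168.1.50:1056 -> 198.51.100.1:53       MULTIPLE:SINGLE
self tcp 192.168.1.77:2000 -> 203.0.113.7:54874 -> 198.51.100.30:80       ESTABLISHED:ESTABLISHED
self tcp 192.168.1.77:2000 -> 198.51.100.30:80       ESTABLISHED:ESTABLISHED'

# state_counts MODE   (reads state lines on stdin)
# Prints one "<source ip> <count>" line per source host, sorted by address.
state_counts() {
    mode="$1"
    awk -v mode="$mode" '
        {
            # Count the "->" tokens: two of them means src -> nat ip -> dst,
            # i.e. a NAT mapping entry rather than a pass state.
            arrows = 0
            for (i = 1; i <= NF; i++) if ($i == "->") arrows++
            if (mode == "pass" && arrows == 2) next
            split($3, a, ":")          # $3 is src:port; keep only the IPv4 address
            count[a[1]]++
        }
        END { for (ip in count) print ip, count[ip] }
    ' | sort
}

# host_states IP MODE: number of states the given host holds in the sample
# (0 when the host has none), handy for checking a single client.
host_states() {
    ip="$1"; mode="$2"
    printf '%s\n' "$SAMPLE" | state_counts "$mode" |
        awk -v ip="$ip" '$1 == ip { print $2; found = 1 } END { if (!found) print 0 }'
}

# Typical run against the constructed sample: the "all" view shows twice the
# count of the "pass" view for every host, exactly the doubling discussed above.
printf '%s\n' "$SAMPLE" | state_counts all
printf '%s\n' "$SAMPLE" | state_counts pass
```

If the "pass" count for a host exceeds the per-host limit you configured, the limit is not being applied to that traffic; if only the "all" count does, you are just seeing the NAT mapping entries on top of the real connections.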
-
My rules actually look like this:
- pass dest port 25, max 3 states per host
- pass dest port 53, 80 & 443, max 33 states
- pass icmp, max 18 states
- pass any tcp/udp, max 9 states
rules.debug attached
-
Okay, I think I located the issue. If this is a full installation please run from a shell:
cvs_sync.sh releng_1 & /etc/rc.filter_configure
Otherwise this will show up in beta4.
-
OK, I'll test it out.
It'll be great if this feature works well.
IMHO,
it's a good alternative way to limit unwanted connections (p2p/virus/worm/etc…) without slowing down browsing.
-
Wow, it seems to work great!
:o My traffic is cut in half and my browsing seems faster than ever.
I think this is better than traffic shaping itself. tnx a lot!
rex