Netgate Discussion Forum

Limiting Maximum state entries per host didn't work perfectly

Firewalling
11 Posts, 4 Posters, 8.7k Views
rexster, last edited Apr 29, 2006, 3:54 AM

I tried limiting Maximum state entries per host to 13.
It seems to work fine on my computer.

But when I look at the states table,
I still see one IP that has about 100 states, most of them established.
It seems that computer is running some kind of p2p...

How can that happen?

How can I put a real limit in place that cannot be passed?

tia
rex

    http://www.GoBlogLah.com

hoba, last edited Apr 29, 2006, 8:40 AM

Is there a chance that this host had connections before you set the limit? Try resetting states and retest.

rexster, last edited May 1, 2006, 8:45 AM

Resetting states has no effect.

Rebooting the firewall gets a better result.
Still...
that one client has at least twice as many states as what I limit.


Leoandru, last edited May 1, 2006, 10:34 PM

@rexster:

Resetting states has no effect.

That one client has at least twice as many states as what I limit.

One state for passing the connection into the firewall, another state for passing it out; if the firewall is NATing, it's 2 different source IPs. Or are you seeing all states on the LAN side?

rexster, last edited May 2, 2006, 6:53 AM

I don't quite understand your question or how to answer it...
So, just take a look at the screenshot:

It's only about 25% of total states for that one single IP address!

rgds,
rex

NB.
192.168.18.35 > the problematic client
10.0.0.11 > pfSense IP given by ADSL router


sullrich, last edited May 2, 2006, 2:56 PM

Show us the custom rules from /tmp/rules.debug that have the max src connections and such.

Leoandru, last edited May 2, 2006, 3:37 PM

Everything seems OK from here. The states with src -> wan ip -> dst are the pf NAT mappings. If a connection passes through the NAT'd firewall you will always see one of those for each connection. You will also see one of those for redirections.

rexster, last edited May 3, 2006, 3:00 AM

My rules are actually like this:

• pass dest port 25, max 3 states per host
• pass dest port 53, 80 & 443, max 33 states
• pass icmp max 18 states
• pass any tcp/udp max 9 states

rules.debug attached (rules.debug.txt)


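The two observations in this thread, that a NATing pf box shows two entries per connection (the inside state and its "src -> wan ip -> dst" mapping) and that the per-host limits were set per rule group (port 25, ports 53/80/443, icmp, everything else), can be checked from a copy of the states table instead of by eye. The script below is an added example, not code from the original thread or from pfSense: it parses state lines in the two shapes Leoandru describes, collapses each inside state and its NAT mapping into one connection, and reports which hosts exceed the per-host limits rexster listed. The state-line layout, the sample table, and the rule-group names are assumptions constructed for the example; a real states table is fed in by replacing build_sample() with the output of pfctl -ss.

```python
import re
from collections import Counter, defaultdict

# Per-host limits as listed in the post above: tcp/25 -> 3, tcp/udp to 53/80/443 -> 33,
# icmp -> 18, any other tcp/udp -> 9. Group names are this example's own.
LIMITS = {"smtp": 3, "web_dns": 33, "icmp": 18, "other": 9}

# One pf state line in either shape the thread mentions. The leading column
# ("self", "all" or an interface name) is optional so old and newer pfctl
# layouts both parse; the middle "natip:port ->" hop marks a NAT mapping.
STATE_RE = re.compile(
    r"^\s*(?:\S+\s+)?(?P<proto>tcp|udp|icmp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?:(?P<nat>[\d.]+):(?P<natport>\d+)\s+->\s+)?"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<state>\S+)\s*$"
)


def state_pair(proto, src, sport, natip, natport, dst, dport, state):
    """Two constructed lines for one connection through a NATing firewall:
    the inside state (src -> dst) and the NAT mapping (src -> natip -> dst)."""
    return [
        f"self {proto} {src}:{sport} -> {dst}:{dport}   {state}",
        f"self {proto} {src}:{sport} -> {natip}:{natport} -> {dst}:{dport}   {state}",
    ]


def build_sample():
    """Constructed sample states table (not the poster's attachment).
    192.168.18.35 plays the suspected p2p host; 192.168.18.20 is a quiet host."""
    lines = []
    for i in range(12):  # twelve peer connections to port 6881 from the busy host
        lines += state_pair("tcp", "192.168.18.35", 1025 + i, "10.0.0.11", 50001 + i,
                            f"203.0.113.{10 + i}", 6881, "ESTABLISHED:ESTABLISHED")
    lines += state_pair("tcp", "192.168.18.35", 1100, "10.0.0.11", 50100,
                        "198.51.100.5", 80, "ESTABLISHED:ESTABLISHED")
    lines += state_pair("tcp", "192.168.18.35", 1101, "10.0.0.11", 50101,
                        "198.51.100.6", 443, "FIN_WAIT_2:FIN_WAIT_2")
    lines += state_pair("udp", "192.168.18.35", 1102, "10.0.0.11", 50102,
                        "198.51.100.1", 53, "MULTIPLE:SINGLE")
    lines += state_pair("icmp", "192.168.18.35", 512, "10.0.0.11", 512,
                        "198.51.100.1", 512, "0:0")
    lines += state_pair("tcp", "192.168.18.20", 2000, "10.0.0.11", 50200,
                        "198.51.100.6", 443, "ESTABLISHED:ESTABLISHED")
    lines += state_pair("tcp", "192.168.18.20", 2001, "10.0.0.11", 50201,
                        "198.51.100.6", 443, "ESTABLISHED:ESTABLISHED")
    return "\n".join(lines) + "\n"


def parse_states(text):
    """Parse state lines into dicts; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["is_nat"] = entry["nat"] is not None
            entries.append(entry)
    return entries


def raw_entries_per_host(entries):
    """What the GUI states table shows: every entry counted against its original source."""
    return Counter(e["src"] for e in entries)


def connections_per_host(entries):
    """Collapse the inside state and its NAT mapping into one connection key."""
    conns = defaultdict(set)
    for e in entries:
        conns[e["src"]].add((e["proto"], e["sport"], e["dst"], e["dport"]))
    return conns


def rule_for(proto, dport):
    """Map a connection onto the rule groups from the post's limit list."""
    if proto == "icmp":
        return "icmp"
    if proto == "tcp" and dport == "25":
        return "smtp"
    if dport in ("53", "80", "443"):
        return "web_dns"
    return "other"


def check_limits(entries, limits):
    """Return (host, rule, connections, limit) for every host over a per-host limit,
    counting real connections rather than raw (NAT-doubled) table entries."""
    over = []
    for host, conns in sorted(connections_per_host(entries).items()):
        per_rule = Counter(rule_for(proto, dport) for proto, _, _, dport in conns)
        for rule, count in sorted(per_rule.items()):
            if count > limits[rule]:
                over.append((host, rule, count, limits[rule]))
    return over


if __name__ == "__main__":
    table = parse_states(build_sample())
    raw, uniq = raw_entries_per_host(table), connections_per_host(table)
    for host in sorted(uniq):
        print(f"{host}: {raw[host]} table entries, {len(uniq[host])} connections")
    for host, rule, count, limit in check_limits(table, LIMITS):
        print(f"{host} exceeds the {rule} limit: {count} > {limit}")
```

On the constructed table the busy host shows 32 entries but only 16 connections, which is the "twice as many states" effect; only the catch-all group (12 connections against a limit of 9) is actually over its limit, so the raw entry count alone would overstate the problem.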
sullrich, last edited May 3, 2006, 3:17 AM

Okay, think I located the issue. If this is a full installation please run from a shell:

cvs_sync.sh releng_1 & /etc/rc.filter_configure

Otherwise this will show up in beta4.

rexster, last edited May 3, 2006, 4:16 AM

OK, I'll test it out.

It'll be great if this feature works well.

IMHO,
it's a good alternative way to limit unwanted connections (p2p/virus/worm/etc...) without slowing down browsing.


rexster, last edited May 4, 2006, 4:01 AM

Wow, it seems to work great!
:o

My traffic is cut in half and my browsing seems faster than ever.
I think this is better than traffic shaping itself.

Thanks a lot!

rex

