Limiting Maximum state entries per host didnt work perfectly

rexster · Apr 29, 2006, 3:54 AM

i try limiting Maximum state entries per host to 13.
it seems to works fine on my computer.

but, when i see the states table,
i still see one ip that have about 100 states and most of them established.
it seems that computer is running some kind of p2p….

how can that happen?

how can i put a real limits that cannot be passed?

tia
rex

hoba · Apr 29, 2006, 8:40 AM

Is there a chance that this host had connections before you set the limit? Try resetting states and retest

rexster · May 1, 2006, 8:45 AM

resetting states have no effect.

reboot the firewall get better result.
still…
that one client have at least twice as much states than what i limits.

Leoandru · May 1, 2006, 10:34 PM

@rexster:

resetting states have no effect.

that one client have at least twice as much states than what i limits.

one state for passing the connection into the firewall another state for passing it out, if the firewall is nating its 2 different source ip. Or are you seeing all states on the lan side?

rexster · May 2, 2006, 6:53 AM

i'm not quite understand your question or how to answer it….
so, just take a look at the screenshot:

it's only about 25% of total states for that one single ip address!

rgds,
rex

nb.
192.168.18.35 > the problematic client
10.0.0.11 > pfsense ip given by adsl router

sullrich · May 2, 2006, 2:56 PM

Show us the custom rules from /tmp/rules.debug that have the max src connections and such.

Leoandru · May 2, 2006, 3:37 PM

everything seems OK from here.. The states with src -> wan ip -> dst are the pf nat mappings. If a connection passes through the nat'd firewall you will always see one of those for each connection. you will also see one of those for redirections.

rexster · May 3, 2006, 3:00 AM

my rules actually like this:

pass dest port 25, max 3 states per host
pass dest port 53, 80 & 443, max 33 states
pass icmp max 18 states
pass any tcp/udp max 9 state

rules.debug attached

rules.debug.txt

sullrich · May 3, 2006, 3:17 AM

Okay, think I located the issue. If this is a full installation please run from a shell:

cvs_sync.sh releng_1 & /etc/rc.filter_configure

Otherwise this will show up in beta4.

rexster · May 3, 2006, 4:16 AM

ok i'll test it out.

it'll be great if this feature working good.

imho,
it's good alternative way to limit unwanted connection (p2p/virus/worm/etc…) without slowing down browsing.

rexster · May 4, 2006, 4:01 AM

wow. it seems to work great!
:o

my traffic cuts to halves and my browsing seem to be faster than ever.
i think this is better that traffic shaping itself

tnx alot!

rex