    Limiting Maximum state entries per host didn't work perfectly

    Firewalling
    rexster

      I tried limiting Maximum state entries per host to 13.
      It seems to work fine on my computer.

      But when I look at the state table,
      I still see one IP that has about 100 states, and most of them established.
      It seems that computer is running some kind of P2P….

      How can that happen?

      How can I put a real limit that cannot be passed?

      TIA,
      Rex

      http://www.GoBlogLah.com

      hoba

        Is there a chance that this host had connections before you set the limit? Try resetting states and retest.

        rexster

          Resetting states has no effect.

          Rebooting the firewall gets a better result.
          Still…
          that one client has at least twice as many states as what I limited.


          Leoandru

            @rexster:

            Resetting states has no effect.

            That one client has at least twice as many states as what I limited.

            One state for passing the connection into the firewall, another state for passing it out; if the firewall is NATing, it's 2 different source IPs. Or are you seeing all states on the LAN side?

            rexster

              I don't quite understand your question or how to answer it….
              So, just take a look at the screenshot:

              It's only about 25% of total states for that one single IP address!

              Rgds,
              Rex

              NB.
              192.168.18.35 > the problematic client
              10.0.0.11 > pfSense IP given by the ADSL router


              sullrich

                Show us the custom rules from /tmp/rules.debug that have the max src connections and such.

                Leoandru

                  Everything seems OK from here. The states with src -> WAN IP -> dst are the pf NAT mappings. If a connection passes through the NAT'd firewall you will always see one of those for each connection. You will also see one of those for redirections.

                  rexster

                    My rules are actually like this:

                    • pass dest port 25, max 3 states per host
                    • pass dest port 53, 80 & 443, max 33 states
                    • pass ICMP, max 18 states
                    • pass any TCP/UDP, max 9 states

                    rules.debug attached

                    rules.debug.txt


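The two replies above explain why the table total for 192.168.18.35 does not match the limit on the rule: every NAT'd connection produces a plain LAN-side entry (src -> dst) and a NAT mapping entry (src -> WAN IP -> dst), and pf.conf(5) defines max-src-states as the number of state entries a single source can create with this rule, so a host that matches several pass rules, each with its own limit, plus the mapping entries, can legitimately show far more than any one rule's number. The script below is an added example, not code from the thread or from pfSense: a POSIX sh/awk tally that reads pfctl -ss style lines, keys them on the original source host, and separates plain entries from NAT mapping entries so the plain count is what gets compared against the per-host limit. The line format (interface, protocol, src:port, one arrow for plain entries and two for NAT'd ones) is an assumption about that pf generation's output, and the sample lines are constructed, not a real capture.

```shell
#!/bin/sh
# Tally pf state entries per original source host, separating the plain
# LAN-side entries (src -> dst) from NAT mapping entries (src -> gwy -> dst).
# Assumed input format (one state per line, as pfctl -ss prints it):
#   <if> <proto> <src>:<port> -> <dst>:<port>                    <state>
#   <if> <proto> <src>:<port> -> <gwy>:<port> -> <dst>:<port>    <state>
# Real use on the firewall:  pfctl -ss | count_states_per_src

count_states_per_src() {
    awk '
    {
        # Field 3 is the original source as addr:port; drop the port.
        src = $3; sub(/:[0-9]+$/, "", src)
        # One arrow means a plain entry, two means a NAT mapping entry.
        arrows = 0
        for (i = 1; i <= NF; i++) if ($i == "->" || $i == "<-") arrows++
        if (arrows >= 2) nat[src]++; else plain[src]++
        total[src]++
    }
    END {
        for (h in total)
            printf "%s plain=%d nat=%d total=%d\n", h, plain[h] + 0, nat[h] + 0, total[h]
    }' | sort
}

# Print summary lines whose plain (rule-created) count exceeds the limit in $1.
# This is the number max-src-states on the LAN pass rule is compared with,
# not the table total that includes the NAT mapping entries.
hosts_over_limit() {
    awk -v lim="$1" '{ split($2, kv, "="); if (kv[2] + 0 > lim + 0) print }'
}

# Constructed sample (hypothetical hosts, not a real capture): 14 connections
# from .35 and 2 from .20, each appearing twice as the thread describes.
sample_states() {
    i=1
    while [ "$i" -le 14 ]; do
        printf 'self tcp 192.168.18.35:%d -> 203.0.113.%d:6881       ESTABLISHED:ESTABLISHED\n' "$((40000 + i))" "$i"
        printf 'self tcp 192.168.18.35:%d -> 10.0.0.11:%d -> 203.0.113.%d:6881       ESTABLISHED:ESTABLISHED\n' "$((40000 + i))" "$((50000 + i))" "$i"
        i=$((i + 1))
    done
    printf 'self tcp 192.168.18.20:40001 -> 198.51.100.5:443       ESTABLISHED:ESTABLISHED\n'
    printf 'self tcp 192.168.18.20:40001 -> 10.0.0.11:50001 -> 198.51.100.5:443       ESTABLISHED:ESTABLISHED\n'
    printf 'self udp 192.168.18.20:5353 -> 198.51.100.9:53       MULTIPLE:SINGLE\n'
    printf 'self udp 192.168.18.20:5353 -> 10.0.0.11:50002 -> 198.51.100.9:53       MULTIPLE:SINGLE\n'
}

# Stand-alone demonstration against the constructed sample with the limit of 13
# from the first post.
sample_states | count_states_per_src
echo "--- hosts with more than 13 plain states ---"
sample_states | count_states_per_src | hosts_over_limit 13
```

The plain count still sums the entries of every pass rule a host matches, so with four rules carrying separate limits a host can sit above the smallest limit while each rule is honoured; the check only flags hosts that exceed a single rule's number on the plain side, which is the case the first post asks about.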
                    sullrich

                      Okay, I think I located the issue. If this is a full installation please run from a shell:

                      cvs_sync.sh releng_1 & /etc/rc.filter_configure

                      Otherwise this will show up in beta4.

                      rexster

                        OK, I'll test it out.

                        It'll be great if this feature works well.

                        IMHO,
                        it's a good alternative way to limit unwanted connections (P2P/virus/worm/etc…) without slowing down browsing.


                        rexster

                          Wow. It seems to work great!
                          :o

                          My traffic is cut in half and my browsing seems faster than ever.
                          I think this is better than traffic shaping itself.

                          Thanks a lot!

                          Rex


                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.