Limiting Maximum state entries per host didnt work perfectly
-
Is there a chance that this host had connections before you set the limit? Try resetting states and retest
-
resetting states have no effect.
reboot the firewall get better result.
still…
that one client have at least twice as much states than what i limits. -
resetting states have no effect.
that one client have at least twice as much states than what i limits.
one state for passing the connection into the firewall another state for passing it out, if the firewall is nating its 2 different source ip. Or are you seeing all states on the lan side?
-
i'm not quite understand your question or how to answer it….
so, just take a look at the screenshot:
it's only about 25% of total states for that one single ip address!
rgds,
rexnb.
192.168.18.35 > the problematic client
10.0.0.11 > pfsense ip given by adsl router -
Show us the custom rules from /tmp/rules.debug that have the max src connections and such.
-
everything seems OK from here.. The states with src -> wan ip -> dst are the pf nat mappings. If a connection passes through the nat'd firewall you will always see one of those for each connection. you will also see one of those for redirections.
-
my rules actually like this:
- pass dest port 25, max 3 states per host
- pass dest port 53, 80 & 443, max 33 states
- pass icmp max 18 states
- pass any tcp/udp max 9 state
rules.debug attached
-
Okay, think I located the issue. If this is a full installation please run from a shell:
cvs_sync.sh releng_1 & /etc/rc.filter_configure
Otherwise this will show up in beta4.
-
ok i'll test it out.
it'll be great if this feature working good.
imho,
it's good alternative way to limit unwanted connection (p2p/virus/worm/etc…) without slowing down browsing. -
wow. it seems to work great!
:omy traffic cuts to halves and my browsing seem to be faster than ever.
i think this is better that traffic shaping itselftnx alot!
rex
