Limiting Maximum state entries per host didn't work perfectly



  • I tried limiting Maximum state entries per host to 13.
    It seems to work fine on my computer.

    But when I look at the states table,
    I still see one IP that has about 100 states, and most of them are established.
    It seems that computer is running some kind of P2P…

    How can that happen?

    How can I put a real limit that cannot be passed?

    tia
    rex



  • Is there a chance that this host had connections before you set the limit? Try resetting states and retest.



  • Resetting states has no effect.

    Rebooting the firewall gets a better result.
    Still…
    that one client has at least twice as many states as what I limited.



  • @rexster:

    Resetting states has no effect.

    That one client has at least twice as many states as what I limited.

    One state for passing the connection into the firewall, another state for passing it out; if the firewall is NATing, it's 2 different source IPs. Or are you seeing all states on the LAN side?



  • I don't quite understand your question or how to answer it…
    So, just take a look at the screenshot:

    It's only about 25% of total states for that one single IP address!

    rgds,
    rex

    NB.
    192.168.18.35 > the problematic client
    10.0.0.11 > pfSense IP given by ADSL router



  • Show us the custom rules from /tmp/rules.debug that have the max src connections and such.



  • Everything seems OK from here. The states with src -> WAN IP -> dst are the pf NAT mappings. If a connection passes through the NAT'd firewall, you will always see one of those for each connection. You will also see one of those for redirections.

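To make that doubling visible, here is an added example (not from this thread or from pfSense itself) that reads state lines in the "src -> WAN IP -> dst" layout the reply above describes and reports, per source host, the raw number of table entries next to the number of distinct connections once the NAT mapping entries are set aside. The column layout, the addresses and the sample lines are constructed assumptions; adjust LINE_RE to match the pfctl -ss output of the pf version in use.

```python
import re
from collections import Counter

# Constructed sample in the "src -> wan ip -> dst" layout the reply above describes.
# The exact pfctl -ss column layout is an assumption; adjust LINE_RE for your pf
# version. 10.0.0.11 stands in for the WAN address, 203.0.113.x for remote peers.
SAMPLE_STATES = """\
self tcp 192.168.18.35:40001 -> 10.0.0.11:51001 -> 203.0.113.7:6881   ESTABLISHED:ESTABLISHED
self tcp 192.168.18.35:40001 -> 203.0.113.7:6881   ESTABLISHED:ESTABLISHED
self tcp 192.168.18.35:40002 -> 10.0.0.11:51002 -> 203.0.113.8:6881   ESTABLISHED:ESTABLISHED
self tcp 192.168.18.35:40002 -> 203.0.113.8:6881   ESTABLISHED:ESTABLISHED
self udp 192.168.18.35:40003 -> 10.0.0.11:51003 -> 203.0.113.9:53   MULTIPLE:SINGLE
self udp 192.168.18.35:40003 -> 203.0.113.9:53   MULTIPLE:SINGLE
self tcp 192.168.18.20:40010 -> 10.0.0.11:51010 -> 203.0.113.10:443   ESTABLISHED:ESTABLISHED
self tcp 192.168.18.20:40010 -> 203.0.113.10:443   ESTABLISHED:ESTABLISHED
"""

# interface, protocol, one or more "addr:port -> addr:port" hops, then the state pair
LINE_RE = re.compile(
    r"^\S+\s+(?P<proto>\w+)\s+(?P<hops>\S+(?:\s+->\s+\S+)+)\s+(?P<state>\S+)\s*$"
)

def parse_state(line):
    """Parse one outbound state line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    hops = [h.rsplit(":", 1)[0] for h in re.split(r"\s+->\s+", m.group("hops"))]
    return {"proto": m.group("proto"), "src": hops[0], "dst": hops[-1],
            "nat_mapping": len(hops) == 3,  # src -> WAN IP -> dst entry
            "state": m.group("state")}

def states_per_host(lines):
    """Per source IP: (raw table entries, distinct connections). NAT mapping
    entries are left out of the connection count so each connection counts once."""
    raw, conns = Counter(), Counter()
    for st in filter(None, map(parse_state, lines)):
        raw[st["src"]] += 1
        if not st["nat_mapping"]:
            conns[st["src"]] += 1
    return {ip: (raw[ip], conns[ip]) for ip in raw}

def hosts_over_limit(lines, limit):
    """Hosts whose connection count (not the doubled raw count) exceeds limit."""
    return {ip: c for ip, (_, c) in states_per_host(lines).items() if c > limit}

if __name__ == "__main__":
    for ip, (r, c) in states_per_host(SAMPLE_STATES.splitlines()).items():
        print(f"{ip}: {r} table entries, {c} connections")
    print("over limit of 2:", hosts_over_limit(SAMPLE_STATES.splitlines(), 2))
```

Run against a saved copy of the real states table (one line per entry), the raw column shows the figure the screenshot shows, while the connection column is the number to compare against the per-host limit.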


  • My rules are actually like this:

    • pass dest port 25, max 3 states per host
    • pass dest port 53, 80 & 443, max 33 states
    • pass icmp, max 18 states
    • pass any tcp/udp, max 9 states

    rules.debug attached

    rules.debug.txt



  • Okay, I think I located the issue. If this is a full installation, please run from a shell:

    cvs_sync.sh releng_1 & /etc/rc.filter_configure

    Otherwise this will show up in beta4.



  • OK, I'll test it out.

    It'll be great if this feature works well.

    IMHO,
    it's a good alternative way to limit unwanted connections (P2P/virus/worm/etc…) without slowing down browsing.



  • Wow, it seems to work great!
    :o

    My traffic is cut in half and my browsing seems faster than ever.
    I think this is better than traffic shaping itself.

    tnx a lot!

    rex

