Limiting Maximum state entries per host didn't work perfectly

  • I tried limiting Maximum state entries per host to 13.
    It seems to work fine on my computer.

    But when I look at the states table,
    I still see one IP that has about 100 states, most of them established.
    It seems that computer is running some kind of p2p….

    How can that happen?

    How can I set a real limit that cannot be exceeded?


  • Is there a chance that this host had connections before you set the limit? Try resetting states and retest.

  • Resetting states has no effect.

    Rebooting the firewall gets a better result.
    That one client has at least twice as many states as what I limited it to.

  • @rexster:

    Resetting states has no effect.

    That one client has at least twice as many states as what I limited it to.

    One state for passing the connection into the firewall, another state for passing it out; if the firewall is NATing, it's 2 different source IPs. Or are you seeing all states on the LAN side?

  • I don't quite understand your question or how to answer it….
    So, just take a look at the screenshot:

    It's only about 25% of total states for that one single IP address!


    NB: > the problematic client > pfSense IP given by ADSL router

  • Show us the custom rules from /tmp/rules.debug that have the max src connections and such.

  • Everything seems OK from here. The states with src -> WAN IP -> dst are the pf NAT mappings. If a connection passes through the NAT'd firewall you will always see one of those for each connection. You will also see one of those for redirections.

  • My rules actually look like this:

    • pass dest port 25, max 3 states per host
    • pass dest port 53, 80 & 443, max 33 states
    • pass ICMP, max 18 states
    • pass any TCP/UDP, max 9 states

    rules.debug attached
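The two replies above explain why a host can appear to hold more entries than its limit: a NAT'd connection shows up in the state table as the NAT mapping (src -> WAN IP -> dst) and, with interface-bound states, as a second plain entry for the same connection. The script below is an added example for checking that on the firewall; it is not from the thread, from rules.debug, or from pfSense. It tallies `pfctl -ss` output per source host, once counting raw entries (what the states page shows) and once counting each connection only once, so the second number is the one to compare with a rule's max-src-states value (for instance the 9 states on the "pass any TCP/UDP" rule). The sample lines, addresses and the `count_states`/`hosts_over` function names are constructed for the example; it assumes the older three-address `pfctl -ss` line format quoted in the thread (newer pf prints the translated address in parentheses instead, which this parser does not handle).

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense: tally pf state entries
# per source host from `pfctl -ss` output and compare with a max-src-states
# limit. Addresses, lines and function names are constructed for this example.
#
# "src -> wanip -> dst" is the NAT mapping of a connection; with interface-
# bound states the same connection also has a plain "src -> dst" entry, so a
# raw count can show a LAN host at roughly twice its limit even though pf
# counts each connection once against max-src-states.

# Constructed sample in the old `pfctl -ss` format (documentation address ranges).
SAMPLE='self tcp 192.168.1.20:1034 -> 203.0.113.5:61002 -> 198.51.100.7:80       ESTABLISHED:ESTABLISHED
self tcp 192.168.1.20:1034 -> 198.51.100.7:80       ESTABLISHED:ESTABLISHED
self tcp 192.168.1.20:1035 -> 203.0.113.5:61003 -> 198.51.100.9:6881       ESTABLISHED:ESTABLISHED
self tcp 192.168.1.20:1035 -> 198.51.100.9:6881       ESTABLISHED:ESTABLISHED
self udp 192.168.1.30:1500 -> 203.0.113.5:61004 -> 198.51.100.53:53       MULTIPLE:SINGLE
self udp 192.168.1.30:1500 -> 198.51.100.53:53       MULTIPLE:SINGLE
self tcp 198.51.100.99:40000 -> 203.0.113.5:22       ESTABLISHED:ESTABLISHED'

# count_states [raw|conn]   (state lines on stdin; prints "ip count" sorted)
#   raw  - every entry counted against its source IP, as the state table shows it
#   conn - one count per connection (proto, src:port, dst:port), ignoring the
#          WAN-IP hop of the NAT mapping; this is what a per-host limit sees
count_states() {
    awk -v mode="${1:-raw}" '
    {
        # The leading column may be "self" or an interface name, so locate
        # the first "->": proto and src sit just before it, dst follows the last.
        f = 0; dst = ""
        for (k = 1; k <= NF; k++)
            if ($k == "->") { if (!f) f = k; dst = $(k + 1) }
        if (f < 3) next                      # not a state line
        proto = $(f - 2); src = $(f - 1)
        ip = src; sub(/:[^:]*$/, "", ip)     # strip the source port
        key = (mode == "conn") ? (proto " " src " " dst) : NR
        if (!(key in seen)) { seen[key] = 1; n[ip]++ }
    }
    END { for (ip in n) print ip, n[ip] }' | LC_ALL=C sort
}

# hosts_over LIMIT   (state lines on stdin; prints hosts whose connection
# count exceeds LIMIT, i.e. the max-src-states value on the rule)
hosts_over() {
    count_states conn | awk -v limit="$1" '$2 > limit'
}

# On the firewall:  pfctl -ss | hosts_over 9
# Stand-alone demo on the constructed sample:
printf '%s\n' "$SAMPLE" | count_states raw    # 192.168.1.20 shows 4 entries
printf '%s\n' "$SAMPLE" | count_states conn   # but only 2 connections
printf '%s\n' "$SAMPLE" | hosts_over 1        # lists 192.168.1.20 only
```

The raw count is what the states page displays, so comparing it directly with the limit overstates the host by about a factor of two; the connection count is the number pf actually enforces the limit against. A host that exceeds the limit in the connection count is a host whose states predate the rule or were created by a different rule than the one carrying the limit.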


  • Okay, I think I located the issue.  If this is a full installation please run from a shell: releng_1 & /etc/rc.filter_configure

    Otherwise this will show up in beta4.

  • OK, I'll test it out.

    It'll be great if this feature works well.

    It's a good alternative way to limit unwanted connections (p2p/virus/worm/etc…) without slowing down browsing.

  • Wow, it seems to work great!

    My traffic is cut in half and my browsing seems faster than ever.
    I think this is better than traffic shaping itself.

    Thanks a lot!

