Netgate Discussion Forum
Maximum state entries per host

Firewalling
fabifri:

dear forum users,

I have the following problem with my new pfsense 1.2.3 box:
I am using the "pop3 connector" from Microsoft's "small business server" to check approx. 50 pop3 mailboxes each minute. So my "small business server" makes 50 connections for dns queries and another 50 connections for the pop3 traffic.
The problem is that I regularly get some error messages in my server's event log. With my previous firewall (Zyxel ZyWall 10) I did not get the error messages after I set the "maximum connections per host" to 1024.

In pfsense, I have set 20000 as the "maximum state table size" in "advanced options" in the main menu.
Now I am looking for an option to increase the "maximum connections per host" value in pfsense.

I thought I could just increase it in the "Default LAN -> Any" rule via the option "Maximum state entries per host", but I am not sure if it works, and if it's the right place to set it? And what about the other 3 options, how do I have to set these?

thanks for your answers,

regards
fabian

PS: the router hardware is an "OPNsense pfSense Appliance HD Rack Edition"

jimp (Rebel Alliance Developer, Netgate):

By default there is no limit, so unless you set one, that won't be limited by the router.

It's possible that the connections are happening so fast now that your ISP is limiting the number of concurrent POP connections. Is there a way you can instruct the POP3 connector to throttle its connections a bit instead of trying all 50 at once? And checking that many every minute seems a bit excessive to me; having run mail servers for years, I cringe at hearing people check mail every minute. E-mail isn't meant to be an IM, it's not supposed to be "instant". You're really just wasting a lot of resources on the upstream ISP mail server :-)

fabifri:

Hi jimp,

thanks for your answer. I have not set up that POP3 connector, but I think I will have a talk with my colleague to set the interval higher than 1 minute (3 minutes or so).
The problem: in the Microsoft pop3 connector I cannot set it up so that the e-mail mailboxes are checked one after another; it will always check all mailboxes at the same time.

I have now set up some values in the "Default LAN->Any" rule:

Simultaneous client connection limit: 4096
Maximum state entries per host: 1024
Maximum new connections / per second: 512/1
State Timeout in seconds: 180

Global Settings:

Firewall Mode: conservative
Max. State Table Size: 20000

I still get the POP3 errors. I set up the POP3 connector to a 2 minute interval; in a few weeks I will set up a direct SMTP MX record to our exchange server.

I also had these errors in the windows event log while we had the ZyWall 10, but as I said, I set up the maximum connections per client to 1024 and the errors didn't come back again, till I installed pfsense last week. I was looking for a secure firewall and gateway, which pfsense is. But these errors, I'm sure, are triggered by pfsense…

thanks + regards
fabian

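Added example, not from the thread and not pfSense's own code: a small Python script that parses the state listing `pfctl -ss` prints on a pfSense/FreeBSD box and counts state entries per source host, which is the check an operator wants before blaming the per-host limits set in the rule above. The pfSense rule fields map to pf keywords: "Maximum state entries per host" is max-src-states (every state entry for the host counts), "Simultaneous client connection limit" is max-src-conn (only TCP connections that completed the handshake count), "Maximum new connections / per second" is max-src-conn-rate. The `pfctl -ss` lines embedded here are constructed, the 0.8 warning fraction and all function names are my own assumptions, and the source host is taken as the endpoint that created the state (left of `->`, right of `<-`), using the pre-NAT address pf prints in parentheses when present.

```python
"""Count pf state entries per source host from `pfctl -ss` output (added example)."""
import re
from collections import Counter

# Constructed sample of `pfctl -ss` output (not captured from a real box).
# Line shape: <iface> <proto> <left endpoint> [(<pre-NAT endpoint>)] <arrow> <right endpoint> <state>
SAMPLE_STATES = """\
all tcp 192.168.1.10:49152 -> 10.0.0.5:110       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.10:49153 -> 10.0.0.5:110       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.10:49154 -> 10.0.0.5:110       FIN_WAIT_2:FIN_WAIT_2
all udp 192.168.1.10:53210 -> 192.168.1.1:53       MULTIPLE:SINGLE
em0 tcp 203.0.113.5:49155 (192.168.1.10:49155) -> 10.0.0.5:110       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.20:50000 -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.20:22 <- 192.168.1.30:41000       ESTABLISHED:ESTABLISHED
"""

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+)"
    r"(?:\s+\((?P<left_orig>\S+)\))?\s+(?P<arrow>->|<-|<->)\s+(?P<right>\S+)"
    r"(?:\s+\((?P<right_orig>\S+)\))?\s+(?P<state>\S+)\s*$"
)


def split_host(endpoint):
    """Strip the port: pfctl prints IPv4 as host:port and IPv6 as host[port]."""
    if endpoint.endswith("]"):
        return endpoint[: endpoint.rindex("[")]
    return endpoint.rsplit(":", 1)[0]


def parse_states(text):
    """Yield (proto, source_host, state) per recognised line.

    The source host is the one that created the state: left of '->',
    right of '<-'. When pf printed a pre-NAT address in parentheses,
    that original address is used, since that is the host the per-rule
    source limits are keyed on.
    """
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue  # header or unrecognised line
        if m["arrow"] == "<-":
            src = m["right_orig"] or m["right"]
        else:
            src = m["left_orig"] or m["left"]
        yield m["proto"], split_host(src), m["state"]


def states_per_host(text):
    """Return {source_host: total state entries}; this is what max-src-states counts."""
    counts = Counter()
    for _proto, host, _state in parse_states(text):
        counts[host] += 1
    return dict(counts)


def established_tcp_per_host(text):
    """Return {source_host: fully established TCP states}; this is what max-src-conn counts."""
    counts = Counter()
    for proto, host, state in parse_states(text):
        if proto == "tcp" and state == "ESTABLISHED:ESTABLISHED":
            counts[host] += 1
    return dict(counts)


def hosts_near_limit(text, limit, warn_fraction=0.8):
    """Hosts whose total state count is at or above warn_fraction * limit (assumed threshold)."""
    return {h: n for h, n in states_per_host(text).items() if n >= warn_fraction * limit}


if __name__ == "__main__":
    for host, n in sorted(states_per_host(SAMPLE_STATES).items()):
        print(f"{host:>16} {n:>5} states")
    # The thread's setting: Maximum state entries per host = 1024
    print("near limit (1024):", hosts_near_limit(SAMPLE_STATES, 1024))
    # A tiny limit just to exercise the warning path on the sample
    print("near limit (5):", hosts_near_limit(SAMPLE_STATES, 5))
```

On a real box, feed the script the output of `pfctl -ss` taken while the POP3 connector is polling; if the SBS host's total stays far below the configured max-src-states value and its established TCP count far below max-src-conn, the per-host rule limits are not what is rejecting the connections, and the ISP-side throttling jimp describes becomes the more likely cause.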