What if you don't adjust the states?

  • Hi!

    Before pfSense, we would just use a Linux distribution (Debian or Ubuntu) with iptables and masq.  We do a lot of heavy vulnerability scanning, and with pfSense, we've had to adjust our state table sizes.  Is the game with the state table size to try not to let it reach the maximum?  At this point, do you start dropping packets?

    I'm curious to know how Linux handles this.  Does it do it automatically?  We didn't even touch the table size on Linux, does that mean that we may have received lots of dropped connections during our scans?


  • Rebel Alliance Developer Netgate

    If you run out of states, no new connections can be made. Nothing more to it than that.

    You don't want to hit the max.

    I'm not sure how Linux handles it, but if it is a stateful firewall, there has to be a state table size somewhere… But they may default to a much larger value.

    On 2.0 the default size is based off of the RAM size, not just the old 10,000 number from 1.2.x. You may need to go up to a couple hundred thousand. One state takes 1k of RAM, so 1,000,000 states would be 1GB of RAM. If you have the extra RAM, turn it way up.
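    An added check for the advice above (example script, not from this thread or from the pfSense project): a POSIX shell script that reads `pfctl -si` and `pfctl -sm`, reports how full the state table is, and exits non-zero past a threshold so it can be run from cron or a monitoring agent before new connections start being refused. The `SAMPLE_SI` and `SAMPLE_SM` strings are constructed samples in pfctl's output format so the script runs offline; the 1k-per-state sizing helper uses the figure quoted in the reply.

```shell
#!/bin/sh
# Added example: watch pf state-table usage against the hard limit.
# Constructed sample output in pfctl's format (used when no live pfctl is given).
SAMPLE_SI='State Table                          Total             Rate
  current entries                    85000
  searches                        12345678          420.0/s'
SAMPLE_SM='states        hard limit   100000
src-nodes     hard limit   100000
frags         hard limit     5000'

# current_states "<pfctl -si output>" -> number of live states
current_states() {
    printf '%s\n' "$1" | awk '/current entries/ { print $3 }'
}

# state_limit "<pfctl -sm output>" -> configured hard limit for states
state_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" { print $4 }'
}

# usage_pct CURRENT LIMIT -> integer percentage of the table in use
usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# states_for_ram_gb RAM_GB -> states that much RAM holds at ~1k per state,
# the rule of thumb from the reply (1,000,000 states per 1GB)
states_for_ram_gb() {
    echo $(( $1 * 1000000 ))
}

# check_states THRESHOLD_PCT [si_output] [sm_output]
# returns 0 below the threshold, 1 at or above it, 2 if pfctl output is unusable
check_states() {
    threshold=$1
    si=${2:-$(pfctl -si 2>/dev/null)}
    sm=${3:-$(pfctl -sm 2>/dev/null)}
    cur=$(current_states "$si")
    lim=$(state_limit "$sm")
    if [ -z "$cur" ] || [ -z "$lim" ] || [ "$lim" -eq 0 ]; then
        echo "ERROR: could not read state count or limit from pfctl" >&2
        return 2
    fi
    pct=$(usage_pct "$cur" "$lim")
    if [ "$pct" -ge "$threshold" ]; then
        echo "WARNING: pf state table ${pct}% full (${cur}/${lim}); at the limit no new connections are accepted"
        return 1
    fi
    echo "OK: pf state table ${pct}% full (${cur}/${lim})"
    return 0
}
```

    Run `check_states 80` on the firewall itself to use live `pfctl` output; pass the two sample strings as the second and third arguments to try it elsewhere.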

  • Thanks for the response.  That makes perfect sense now.