Netgate Discussion Forum

HELP:Limit maximum number of firewall states for one source IP? Advanced Options

8 Posts 4 Posters 5.9k Views
  • N
    Nachtfalke
    last edited by Feb 8, 2013, 11:37 AM

    Hi,

    we have a school environment here with different VLANs. Yesterday there was a class which did some port scans and something else. This made the firewall state count increase so much that it hit the limit I set in pfSense (100.000 states).

    I want to make sure that a host/source IP can only establish a maximum of e.g. 100 states. If the limit is reached, then this host cannot establish new connections.
    But this limit should be independent of other source IPs.

    My firewall rule looks like this:

    Action: allow
    Proto: all
    Source-IP: LAN Subnet
    Source-Port: Any
    Destination-IP: Any
    Destination Port: any

    In advanced options I set the "Maximum state entries per host" - this seemed to work (The source-IP-host had 100 states outgoing and 100 states incoming) and the global states didn't increase until they hit the pfsense limit. But I got some complaints from colleagues that browsing the web works sometimes and sometimes not. But for me it doesn't look like they hit the 100 states per host limit.

    So my questions:
    Did I understand the option "Maximum state entries per host" wrong?
    Or is the limit of 100 states too low for just browsing and emailing?
    Do I have to set other/better limits?
    For which protocol does this work - or does it only make sense for TCP?

    • J
      jimp Rebel Alliance Developer Netgate
      last edited by Feb 8, 2013, 12:59 PM

      100 is way too low. Some browsers make a ton of connections, and someone with many tabs can have way more than that.

      No way to guess what is "normal" for your network. You may have to capture the state table at various times and run it through various permutations of awk/cut/sort/uniq to find out how many states per IP is "best".

      Also, are you really low on RAM? Or why is your state table set to only 100,000? Seems rather low for a busy environment like that. 100,000 states is about 100MB of RAM. If you have enough RAM, crank that way up.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!
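One way to do the per-IP counting jimp suggests, as an added example that is not from the original post or from pfSense itself. It assumes the `pfctl -ss` line layout (`iface proto SRC -> DST STATE:STATE` for outbound states, `DST <- SRC` for inbound ones, a NAT-translated address followed by the original in parentheses) and works on a constructed sample snapshot rather than a real capture. It goes slightly beyond the post: besides the total per IP it also counts states stuck in `SYN_SENT:CLOSED`, which is what an unanswered SYN (a port scan, or a dead target) leaves behind until the state times out.

```sh
#!/bin/sh
# Added example for this thread, not pfSense code. Summarise a captured pf
# state table per initiating IP so a sensible per-host limit can be chosen.
# Assumption: input is `pfctl -ss` output, one state per line:
#   iface proto SRC -> DST   STATE:STATE     (outbound state)
#   iface proto DST <- SRC   STATE:STATE     (inbound state)
# where a NAT-translated address is followed by the original one in parens.
# Take snapshots at different times of day, e.g.:
#   pfctl -ss > /var/tmp/states.$(date +%s)

# Print "total half_open ip" for every initiating IP, busiest first.
# A state still in SYN_SENT:CLOSED never got a reply; each one occupies a
# slot until its timeout expires, so a scanner piles them up quickly.
states_per_ip() {
    awk '
    function host(tok) {                    # strip "(...)" and the port
        sub(/^\(/, "", tok); sub(/\)$/, "", tok)
        sub(/:[0-9]+$/, "", tok)            # IPv4  a.b.c.d:port
        sub(/\[[0-9]+\]$/, "", tok)         # IPv6  addr[port]
        return tok
    }
    NF >= 5 {
        src = ""
        for (i = 3; i < NF; i++) {
            if ($i == "->") { src = host($(i - 1)); break }   # initiator left
            if ($i == "<-") { src = host($(i + 1)); break }   # initiator right
        }
        if (src == "") next
        total[src]++
        if ($NF ~ /^SYN_SENT:/) halfopen[src]++
    }
    END {
        for (ip in total)
            printf "%d %d %s\n", total[ip], halfopen[ip] + 0, ip
    }' | sort -rn
}

# Print the IPs whose total exceeds LIMIT (the number you would put into
# "Maximum state entries per host"), reading pfctl -ss output on stdin.
hosts_over() {
    states_per_ip | awk -v lim="$1" '$1 + 0 > lim + 0 { print $3 }'
}

# Constructed sample snapshot (documentation addresses; 172.17.64.60 is the
# scanning host named in the thread). This is not a real capture.
sample_states() {
    cat <<'EOF'
all tcp 172.17.64.60:49152 -> 198.51.100.10:22       SYN_SENT:CLOSED
all tcp 172.17.64.60:49153 -> 198.51.100.10:23       SYN_SENT:CLOSED
all tcp 172.17.64.60:49154 -> 198.51.100.10:80       ESTABLISHED:ESTABLISHED
all tcp 172.17.64.60:49155 -> 198.51.100.10:443      SYN_SENT:CLOSED
all tcp 172.17.64.60:49156 -> 198.51.100.10:8080     SYN_SENT:CLOSED
all tcp 172.17.64.61:50000 -> 203.0.113.5:443        ESTABLISHED:ESTABLISHED
all udp 172.17.64.61:53211 -> 203.0.113.53:53        SINGLE:MULTIPLE
em1 tcp 203.0.113.7:61000 (172.17.64.62:61000) -> 203.0.113.5:80   ESTABLISHED:ESTABLISHED
em0 tcp 172.17.64.1:22 <- 172.17.64.61:50001         ESTABLISHED:ESTABLISHED
EOF
}

# Usage with a live table instead of the sample:
#   pfctl -ss | states_per_ip
#   pfctl -ss | hosts_over 100
sample_states | states_per_ip
echo "hosts with more than 4 states:"
sample_states | hosts_over 4
```

Run it against several snapshots from normal lessons and take the highest "total" an ordinary client reaches as the floor for the per-host limit; the "half_open" column separates a busy browser (many ESTABLISHED states) from a scanner (many SYN_SENT). For reference, pf.conf(5) documents the GUI's "Maximum state entries per host" as `max-src-states`, which applies to any protocol, while the new-connection-rate limit (`max-src-conn-rate`) is TCP-only.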

      • M
        marcelloc
        last edited by Feb 8, 2013, 2:26 PM

        You can also try to limit connections in LAN rules.

        If a student reaches this limit, the firewall will block his IP.

        50 connections in 2 seconds IMHO is a good value for normal use.

        Elite Training: http://sys-squad.com

        Help a community developer! ;D

        • N
          Nachtfalke
          last edited by Feb 8, 2013, 2:33 PM

          @jimp:

          100 is way too low. Some browsers make a ton of connections, and someone with many tabs can have way more than that.

          No way to guess what is "normal" for your network. You may have to capture the state table at various times and run it through various permutations of awk/cut/sort/uniq to find out how many states per IP is "best".

          Also, are you really low on RAM? Or why is your state table set to only 100,000? Seems rather low for a busy environment like that. 100,000 states is about 100MB of RAM. If you have enough RAM, crank that way up.

          Probably you will laugh - but the average state table for an average of ~120 clients online is just 2.000 states. So I reduced it from the default 798.000 to 100.000.

          The people in the class (9) did some port scans with NMAP. I have attached a small .pcap file from one host which created ~60 TCP SYN packets per second. But I got far fewer "RST" back from the destination server than that number... perhaps you could explain to me why this is happening and why this increased the state table so much.

          The file is called:
          172.17.64.60.cap.zip and must be unzipped. I renamed it to .jpg

          172.17.64.80.cap.zip.jpg

          • N
            Nachtfalke
            last edited by Feb 8, 2013, 2:38 PM

            @marcelloc:

            You can also try to limit connections on lan rules.

            If a student reaches this limit, the firewall will block his IP.

            50 connections in 2 seconds IMHO is a good value for normal use.

            Yes, that's what I did or wanted to do. But I set the total limit of all connections per IP to 100, which seems to be too few, as jimp said.
            But perhaps setting a limit of 50 per second would be better.

            But this doesn't explain why my states increased so much.
            PS: I am using pfSense 2.0.1 AMD64 with Squid, and before this firewall another pfSense i386. On both the state limit is 100.000.

            • N
              Nachtfalke
              last edited by Feb 18, 2013, 11:04 AM

              Hi again,

              sorry for a probably stupid question:

              Will a connection to a "block" rule create a firewall state entry? Probably not, I think.

              I set up a limit of 5.000 states per host for all my allow rules and that seems to fix my problem with an NMAP port scan but does not stop my users from working - only the one who is doing a port scan ;)
              But I am not sure if this is also necessary for rules which block traffic...

              • C
                chpalmer
                last edited by Mar 25, 2013, 4:02 AM

                Will a connection to a "block" rule create a firewall state entry? Probably not, I think.

                As I found out yesterday - no.

                Triggering snowflakes one by one..
                Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                • N
                  Nachtfalke
                  last edited by Mar 25, 2013, 12:37 PM

                  @chpalmer:

                  Will a connection to a "block" rule create a firewall state entry? Probably not, I think.

                  As I found out yesterday - no.

                  Thank you!

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.