Hi,

I see quite some SYN flood packets on my OpenBSD firewall filling up the state table for nothing. So I thought let's try pf's adaptive syncookies. I am just not quite sure what the percentages used by start and stop relate to.

In the pf.conf man page the following is written: "pf will enable syncookie mode when a given percentage of the state table is used up by half-open TCP connections..."

That "given percentage", does it compare the "half-open tcp" value of the state table (as seen in "pfctl -si") with the amount of "current entries" in the state table? Or does it compare it with the limit of maximum states I have defined in my pf.conf (value of "set limit states")?

Thank you in advance for any precisions.

Regards,
Mabi