Summer is over. School is back in session. The 4,500 students behind my OpenBSD 3.5 pf firewall are mostly settled into their dorm rooms. My nightmare begins. A single Blaster infection can spray out thousands of connections in seconds. One sad day, I had to reboot my firewall three or four times before we could identify and disconnect the offending student(s).

My first thought is to cron a job, once a minute, to monitor the number of states in `pfctl -s info` ... if any single minute yields an increase of more than 50,000 states, then I flush all states and reload the ruleset.

Is there a better way to contain disaster? With ipfilter, I tweaked kernel settings such as NKMEMCLUSTERS and NMBCLUSTERS to obscenely high numbers (such as 16K). Any other kernel tweaks? Or better yet, anything within pf to directly contain such a state runaway scenario?

Thanks for your time,

jw

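The once-a-minute check sketched in the post, written out as an added shell example (editor's code, not the poster's): it pulls the "current entries" line out of `pfctl -s info`, keeps last minute's count in a file, and flushes the state table and reloads the ruleset when the count has grown by more than the threshold within one interval. `pfctl -s info`, `pfctl -F states` and `pfctl -f` are real pfctl invocations; the state-file path, the `pfwatch` syslog tag, the `--run` switch and the sample `pfctl -s info` output are assumptions constructed for the example.

```shell
#!/bin/sh
# pfwatch.sh (example name): cron once a minute with "--run".
# Flushes pf states and reloads the ruleset when the state count jumps
# by more than THRESHOLD entries since the previous run.

THRESHOLD=${THRESHOLD:-50000}                       # the 50,000/minute figure from the post
STATEFILE=${STATEFILE:-/var/run/pfwatch.last}       # assumed path for last minute's count
PFCONF=${PFCONF:-/etc/pf.conf}

# Constructed sample of `pfctl -s info` output, used only for self-checking;
# on a live box the real output is read from pfctl below.
SAMPLE_INFO='Status: Enabled for 3 days 04:12:33            Debug: Urgent

State Table                          Total             Rate
  current entries                    73412
  searches                       948213312         3456.1/s
  inserts                          2139421            7.8/s
  removals                         2065009            7.5/s'

# state_count: read `pfctl -s info` text on stdin, print the current
# number of state entries (third field of the "current entries" line).
state_count() {
    awk '/current entries/ { print $3; exit }'
}

# runaway PREV CUR THRESHOLD: true (exit 0) when the table grew by more
# than THRESHOLD entries between two samples. A shrinking table (e.g. the
# first run after a reboot, with a stale PREV) is never a runaway.
runaway() {
    prev=$1; cur=$2; thr=$3
    [ "$((cur - prev))" -gt "$thr" ]
}

# check_once: one cron tick. Reads the live count, compares with the
# stored one, and acts if the growth exceeded the threshold.
check_once() {
    cur=$(pfctl -s info | state_count)
    if [ -z "$cur" ]; then
        echo "pfwatch: could not read state count from pfctl -s info" >&2
        return 1
    fi
    prev=$cur                                   # first run: no history, no action
    [ -r "$STATEFILE" ] && prev=$(cat "$STATEFILE")
    echo "$cur" > "$STATEFILE"

    if runaway "$prev" "$cur" "$THRESHOLD"; then
        logger -t pfwatch "state table jumped $prev -> $cur in one interval; flushing states, reloading $PFCONF"
        pfctl -F states                         # drop every state entry
        pfctl -f "$PFCONF"                      # reload the ruleset
        echo 0 > "$STATEFILE"                   # next tick compares against the emptied table
    fi
}

# Only touch pfctl when invoked explicitly, so the file can be sourced or
# self-tested on a machine without pf.
case "${1:-}" in
    --run) check_once ;;
esac
```

A crontab entry such as `* * * * * /usr/local/sbin/pfwatch.sh --run` (path assumed) gives the once-a-minute cadence the post describes. Note that pf.conf's `set limit states N` caps the state table outright, so pf refuses new states instead of growing the table until the box falls over; the script above is the reactive flush-and-reload the poster proposes, not a replacement for that limit.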