On 08/23, Jeff Wilson wrote:
> Summer is over.  School is back in session.  The 4,500 students behind my 
> OpenBSD 3.5 pf firewall
> ...
> My first thought is to cron a job, once a minute, to monitor the number of 
> states in `pfctl -s info` ... if any single minute yields an increase of 
> more than 50,000 states, then I flush all states and reload the ruleset.
> 
> Is there a better way to contain disaster?  With ipfilter, I tweaked 
> kernel settings such as NKMEMCLUSTERS and NMBCLUSTERS to obscenely high 
> numbers (such as 16K).  Any other kernel tweaks?  Or better yet, anything 
> within pf to directly contain such a state runaway scenario?
> 
AFAIK OpenBSD 3.5 only uses 64Mb of memory for the pf ruleset and state table.
Someone posted here a link to the (unofficial?) patch that changes that.
Search in the archives for:
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_table.c.diff?r1=1.47&r2=1.48
and
Re: pf firewall loses connectivity at 50,000 state table entries


PS: Is the described behaviour true for 3.6 too?
Correct me if I am mistaken.
-- 
cstamas
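A watchdog in the spirit of the once-a-minute cron idea in the quoted message, added here as an example and not code from either poster: it reads the "current entries" line of `pfctl -s info`, compares it with the count saved by the previous run, and flushes only on a jump above the 50,000 threshold. The STATEFILE path, the logger tag and the sample pfctl output are assumptions or constructed for illustration.

```shell
#!/bin/sh
# pfwatch: example state-runaway watchdog (not from the thread). The threshold
# is the 50,000/minute figure from the message; STATEFILE is an assumption.
THRESHOLD=50000
STATEFILE=${STATEFILE:-/var/run/pfwatch.last}

# Constructed sample of `pfctl -s info` output, used for offline testing.
SAMPLE_INFO='Status: Enabled for 0 days 00:01:23           Debug: Urgent

State Table                          Total             Rate
  current entries                    61234
  searches                          139876         2331.3/s
  inserts                            61234         1020.6/s'

# Print the current state-table size found in pfctl text read from stdin.
parse_states() {
    awk '/current entries/ { print $3; exit }'
}

# True when growth from $1 (previous count) to $2 (current) exceeds THRESHOLD.
runaway() {
    [ $(( $2 - $1 )) -gt "$THRESHOLD" ]
}

# One pass: read the count from stdin, compare with the saved baseline, act, save.
watch_once() {
    cur=$(parse_states)
    if [ -z "$cur" ]; then
        echo "pfwatch: could not find 'current entries' in pfctl output" >&2
        return 2
    fi
    if [ ! -r "$STATEFILE" ]; then
        echo "$cur" > "$STATEFILE"   # first run: record a baseline, do nothing
        return 0
    fi
    prev=$(cat "$STATEFILE")
    echo "$cur" > "$STATEFILE"
    if runaway "$prev" "$cur"; then
        # Containment step from the message: drop all states, reload the ruleset.
        logger -t pfwatch "state runaway: $prev -> $cur in one interval, flushing"
        pfctl -F states && pfctl -f /etc/pf.conf
        return 1
    fi
    return 0
}

# Cron entry (once a minute):  * * * * * pfctl -s info | /usr/local/sbin/pfwatch run
case "${1:-}" in run) watch_once ;; esac
```

Recording a baseline on the first run avoids flushing a large but stable table the first time the job fires.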
