On Wednesday 25 August 2004 00:53, Russell Fulton wrote:
> > limiting the # of states a single source node can create is also a good
> > idea, but less so to protect the firewall, more to protect the internet
> > from machines gone nuts, that got hit by a worm or whatever.
>
> I've looked through my copy of Jacek's fine book but could not find any
> reference to this.  Is it new in 3.5 or have I simply missed it?

It's older.


> Would someone please drop me the key word that I can look things up by.
> (I've tried google without any luck.)

man pf.conf


STATEFUL TRACKING OPTIONS
All three of keep state, modulate state and synproxy state support the
following options:

max _number_
        Limits the number of concurrent states the rule may create.  When
        this limit is reached, further packets matching the rule that would
        create state are dropped, until existing states time out.


        Ed
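As an added example, not part of Ed's reply or of pf's own documentation, here is a pf.conf fragment that uses the `max` option quoted above together with the per-source options (`source-track`, `max-src-states`, `max-src-nodes`) that also live under STATEFUL TRACKING OPTIONS in pf.conf(5) and that the quoted message was after. The interface name, network and all limit values are assumptions chosen for illustration:

```pf
# Added example, not from the original thread. Interface, network and the
# numeric limits below are assumed values; tune them to your own link.
ext_if = "fxp0"
lan    = "192.168.1.0/24"

# Default deny; the pass rule below creates the state entries that the
# limits apply to.
block all

# Outbound LAN traffic, with two kinds of limits on the states this rule
# may create:
#
#   max 10000         per-rule cap (the option quoted from pf.conf(5)):
#                     once 10000 states exist for this rule, further
#                     packets that would create state are dropped until
#                     existing states time out.
#
#   source-track rule track states per source IP for this rule only
#   max-src-states 100  a single source address may hold at most 100
#                     concurrent states created by this rule, which is
#                     what bounds the damage from one worm-infected host
#   max-src-nodes 500 at most 500 source addresses are tracked by this
#                     rule at a time
#
# max-src-states and max-src-nodes are only meaningful together with
# source-track, so it is given explicitly here.
pass out on $ext_if from $lan to any keep state \
    (max 10000, source-track rule, max-src-states 100, max-src-nodes 500)
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`; once loaded, `pfctl -s Sources` lists the tracked source addresses and their current state counts, and `pfctl -s state` shows the states themselves. One caveat a practitioner should keep in mind: when either limit is hit the matching packets are silently dropped, not rejected, so a host that exceeds `max-src-states` sees connection timeouts rather than an immediate error, and a `max` that is set too low for the rule as a whole penalises every source behind it, not just the misbehaving one.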
