On Wednesday 25 August 2004 00:53, Russell Fulton wrote:

> > limiting the # of states a single source node can create is also a good
> > idea, but less so to protect the firewall, more to protect the internet
> > from machines gone nuts, that got hit by a worm or whatever.
>
> I've looked through my copy of Jacek's fine book but could not find any
> reference to this. Is it new in 3.5 or have I simply missed it?

It's older.

> Would someone please drop me the key word that I can look things up by.
> (I've tried google without any luck.)

man pf.conf

   STATEFUL TRACKING OPTIONS
     All three of keep state, modulate state and synproxy state support
     the following options:

     max _number_
           Limits the number of concurrent states the rule may create.
           When this limit is reached, further packets matching the rule
           that would create state are dropped, until existing states
           time out.

Ed
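To show the option Ed quotes in context, here is a small pf.conf fragment added as an illustration (it is not part of the thread and not from Jacek's book). Interface names and the numeric limits are made up; the per-source "max-src-states" option is assumed to be available in the reader's pf version, since it sits in the same STATEFUL TRACKING OPTIONS section of pf.conf(5) but the thread only quotes "max".

```conf
# Added example, not from the mailing list thread. Interface names and
# limits are constructed; adjust them for the gateway in question.
ext_if = "fxp0"
int_if = "fxp1"

# Cap the rule as a whole at 500 concurrent states. Once the cap is hit,
# new flows matching this rule are dropped until existing states time out,
# which keeps one runaway rule from filling the state table.
pass out on $ext_if proto tcp from $int_if:network to any \
    flags S/SA keep state (max 500)

# Per-source variant (assumed available): no single internal host may hold
# more than 50 states through this rule, so one worm-infected machine
# cannot consume the budget for everyone else behind the gateway.
pass out on $ext_if proto udp from $int_if:network to any \
    keep state (max-src-states 50)
```

Check the syntax with "pfctl -nf /etc/pf.conf" before loading, and watch the effect with "pfctl -vsr", which prints the current state count for each rule, or "pfctl -ss" to list the states themselves; a rule that is constantly at its cap is the signal to investigate the host behind it rather than to raise the number.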