How many states can pf sanely handle

krad kraduk at googlemail.com
Sat Jun 12 08:40:26 UTC 2010


Hi,

I have a dns server that receives a fair amount of traffic. I was
implementing a pf based firewall on it and ran into a few issues. Basically
there is a ridiculously high number of states generated. I just wondered
what are the upper limits of what pf can handle, and what the memory
requirements are?

To get an idea of the traffic levels (this is about 30% of peak time):

# pfctl -z ; sleep 60 ; pfctl -sr -v

pass in quick on bce0 proto udp from <dns> to any port = domain no state
  [ Evaluations: 284852    Packets: 209701    Bytes: 13789905    States: 0     ]
  [ Inserted: uid 0 pid 95645 ]
pass out quick on bce0 proto udp from any port = domain to <dns> no state
  [ Evaluations: 309780    Packets: 207705    Bytes: 56264916    States: 0     ]
  [ Inserted: uid 0 pid 95645 ]
pass out quick on bce0 proto udp from any to any port = domain no state
  [ Evaluations: 50734     Packets: 50734     Bytes: 3933868     States: 0     ]
  [ Inserted: uid 0 pid 95645 ]
pass in quick on bce0 proto udp from any port = domain to any no state
  [ Evaluations: 51290     Packets: 48056     Bytes: 9106259     States: 0     ]
  [ Inserted: uid 0 pid 95645 ]

These rules aren't exactly ideal but they do stop an insane amount of states
being generated, as every dns request generates one inbound rule, then
potentially multiple outbound ones depending on whether you get a cache hit.
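As an added example (not from the original post), here is a pf.conf fragment that keeps the poster's stateless DNS rules and additionally bounds the state table so that any remaining stateful traffic cannot exhaust kernel memory. The interface bce0 and the <dns> table come from the post; the address, the state limit and the timeout values are illustrative assumptions that would be sized against the host's own `pfctl -s memory` output.

```pf
# Table of DNS server addresses; the address is a constructed RFC 5737 example.
table <dns> persist { 192.0.2.53 }

# Hard cap on state-table entries (pf's default is 10000). Once reached,
# pf refuses to create new states instead of growing without bound.
set limit states 100000

# For any UDP traffic that still has to be stateful, expire entries quickly
# so short-lived DNS exchanges do not accumulate (defaults are 60/30/60 s).
set timeout { udp.first 10, udp.single 5, udp.multiple 15 }

# Stateless DNS rules as in the post: no state entry is created per query,
# so the reply direction must be passed explicitly as well.
pass in  quick on bce0 proto udp from <dns> to any port domain no state
pass out quick on bce0 proto udp from any port domain to <dns> no state
pass out quick on bce0 proto udp from any to any port domain no state
pass in  quick on bce0 proto udp from any port domain to any no state
```

`pfctl -si` reports the current number of state entries and `pfctl -s memory` the configured limit, so the cap can be checked against observed load after `pfctl -f /etc/pf.conf`.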


More information about the freebsd-questions mailing list