How many states can pf sanely handle
krad
kraduk at googlemail.com
Sat Jun 12 08:40:26 UTC 2010
Hi,
I have a dns server that receives a fair amount of traffic. I was
implementing a pf based firewall on it and ran into a few issues. Basically
there is a ridiculously high number of states generated. I just wondered
what are the upper limits of what pf can handle, and what the memory
requirements are?
To get an idea of the traffic levels (this is about 30% of peak time):
# pfctl -z ; sleep 60 ; pfctl -sr -v
pass in quick on bce0 proto udp from <dns> to any port = domain no state
[ Evaluations: 284852 Packets: 209701 Bytes: 13789905 States: 0 ]
[ Inserted: uid 0 pid 95645 ]
pass out quick on bce0 proto udp from any port = domain to <dns> no state
[ Evaluations: 309780 Packets: 207705 Bytes: 56264916 States: 0 ]
[ Inserted: uid 0 pid 95645 ]
pass out quick on bce0 proto udp from any to any port = domain no state
[ Evaluations: 50734 Packets: 50734 Bytes: 3933868 States: 0 ]
[ Inserted: uid 0 pid 95645 ]
pass in quick on bce0 proto udp from any port = domain to any no state
[ Evaluations: 51290 Packets: 48056 Bytes: 9106259 States: 0 ]
[ Inserted: uid 0 pid 95645 ]
These rules aren't exactly ideal, but they do stop an insane number of states
being generated, as every dns request generates one inbound rule, then
potentially multiple outbound ones depending on whether you get a cache hit.
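The post's underlying concern is how close the state table is to its limit. As an added example (not from the original post or from the pf project), the shell functions below read the "current entries" line of `pfctl -si` and the "states hard limit" line of `pfctl -sm`, compute the percentage in use, and flag it against a threshold so a cron job or monitoring agent can raise an alarm before pf starts dropping new states. The two sample outputs are constructed and their column layout is an assumption based on how pfctl prints these tables on FreeBSD; on a live host you would feed in the real command output instead. Note that rules marked `no state`, like the DNS rules above, never touch the table, so this check only reflects rules that do create states.

```sh
#!/bin/sh
# Added example: estimate pf state-table utilisation from pfctl output.
# Assumption: "current entries" appears in `pfctl -si` and
# "states hard limit <N>" appears in `pfctl -sm`, as on FreeBSD.

# Constructed sample of `pfctl -si` (only the lines we care about matter).
SAMPLE_INFO='Status: Enabled for 3 days 02:11:45           Debug: Urgent

State Table                          Total             Rate
  current entries                     8712
  searches                        48219331          179.4/s
  inserts                          3128855           11.6/s
  removals                         3120143           11.6/s'

# Constructed sample of `pfctl -sm`.
SAMPLE_MEM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000'

# pf_state_percent <pfctl -si text> <pfctl -sm text>
# Prints the integer percentage of the state limit currently in use.
pf_state_percent() {
    current=$(printf '%s\n' "$1" | awk '/current entries/ {print $3}')
    limit=$(printf '%s\n' "$2" | awk '$1 == "states" && $2 == "hard" {print $4}')
    # Refuse to guess if either number is missing or the limit is zero.
    if [ -z "$current" ] || [ -z "$limit" ] || [ "$limit" -eq 0 ]; then
        echo "pf_state_percent: could not parse pfctl output" >&2
        return 2
    fi
    echo $((current * 100 / limit))
}

# pf_state_over_threshold <pfctl -si text> <pfctl -sm text> [threshold%]
# Returns 0 (true) when utilisation is at or above the threshold (default 80).
pf_state_over_threshold() {
    threshold="${3:-80}"
    pct=$(pf_state_percent "$1" "$2") || return 2
    [ "$pct" -ge "$threshold" ]
}

# Stand-alone run against the constructed samples.
pct=$(pf_state_percent "$SAMPLE_INFO" "$SAMPLE_MEM")
printf 'pf state table: %s%% of hard limit in use\n' "$pct"
if pf_state_over_threshold "$SAMPLE_INFO" "$SAMPLE_MEM" 80; then
    echo "WARNING: consider raising 'set limit states' or shortening udp timeouts"
fi
```

On a live system replace the two sample strings with `"$(pfctl -si)"` and `"$(pfctl -sm)"`; if the parsed percentage is persistently high, the usual remedies are a larger `set limit states` in pf.conf (memory scales with the limit) and shorter `udp.*` timeouts so short-lived DNS states expire sooner.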