Is there an upper limit to PF's tables?
Ian FREISLICH
ian.freislich at capeaugusta.com
Thu Jun 14 19:03:00 UTC 2018
On 06/14/2018 01:40 PM, Dave Horsfall wrote:
> I can't get access to kernel sauce right now, but I'm hitting over
> 1,000 entries from woodpeckers[*] etc; is there some upper limit, or
> is it just purely dynamic?
>
> aneurin% freebsd-version
> 10.4-RELEASE-p9
You're ultimately physically bound by memory, however there are
configurable limits, see pf.conf(5):
set timeout { \
adaptive.start X, \
adaptive.end Y \
}
set limit states AA
set limit frags BB
set limit src-nodes CC
I've run pf with over 1.5M states, but the limits do have to be tuned.
Ian
> [*]
>
> A fairly loose definition in the anti-spammer community, but it
> includes attempts every few *seconds* when they encounter my
> RFC-compliant banner, when I make 'em wait a bit for my 220, and those
> who regard 5xx as a challenge.
>
> Perhaps I should consider an external firewall; at the moment the
> (consumer-grade) router allows only certain services to certain
> servers (and doesn't bother logging the rejects, much to my disgust)
> and its "IP blocking" simply doesn't work, so the mail server blocks
> the spammer IPs instead (entire countries where necessary).
>
> -- Dave, who has been accused of being an "anti-spam nazi"
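To put numbers on the "configurable limits" answer above: the practical risk is not the limit itself but silently hitting it, because pf drops new states and new table entries once the hard limit is reached. The following script is an added example (not code from this thread or from the pf project) that parses `pfctl -s memory`, `pfctl -s info` and `pfctl -vvsT` output, reports how close the state table and the combined table entries are to their hard limits, and emits `set limit` / `set timeout adaptive` lines sized for a larger state table. The sample outputs are constructed inline so it runs offline; the 60%/120% ratios used for adaptive.start/adaptive.end mirror the pf.conf(5) defaults (6000/12000 for the default 10000-state limit), and the 80% warning threshold and 4x growth factor are assumptions of this example.

```python
"""Check pf state-table and table-entry usage against configured hard limits."""
import re

# Constructed sample of `pfctl -s memory` (FreeBSD); values are illustrative.
SAMPLE_MEMORY = """\
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000
"""

# Constructed sample of the "State Table" section of `pfctl -s info`.
SAMPLE_INFO = """\
Status: Enabled for 12 days 03:14:07           Debug: Urgent

State Table                          Total             Rate
  current entries                     9412
  searches                       123456789         1171.0/s
  inserts                          2345678           22.0/s
  removals                         2336266           21.9/s
"""

# Constructed sample of `pfctl -vvsT` (one block per table).
SAMPLE_TABLES = """\
-pa-r--\tbadhosts
\tAddresses:   1034
\tCleared:     Thu Jun 14 10:00:00 2018
\tReferences:  [ Anchors: 0                  Rules: 2                  ]
-pa-r--\tblocked_countries
\tAddresses:   48212
\tCleared:     Thu Jun 14 10:00:00 2018
\tReferences:  [ Anchors: 0                  Rules: 1                  ]
"""


def parse_limits(text):
    """Map each `pfctl -s memory` row (states, src-nodes, frags, table-entries) to its hard limit."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^(\S+)\s+hard limit\s+(\d+)", text, re.M)}


def parse_current_states(text):
    """Return the 'current entries' count from `pfctl -s info`."""
    m = re.search(r"^\s*current entries\s+(\d+)", text, re.M)
    if not m:
        raise ValueError("no 'current entries' line in pfctl -s info output")
    return int(m.group(1))


def parse_table_addresses(text):
    """Sum the 'Addresses:' counts of every table in `pfctl -vvsT` output."""
    return sum(int(n) for n in re.findall(r"^\s*Addresses:\s+(\d+)", text, re.M))


def recommend(states_limit, start_pct=60, end_pct=120):
    """pf.conf lines raising the state limit and scaling adaptive timeouts to match.

    Integer percentages keep the arithmetic exact; the defaults reproduce the
    documented 6000/12000 pairing for a 10000-state limit.
    """
    start = states_limit * start_pct // 100
    end = states_limit * end_pct // 100
    return ["set limit states %d" % states_limit,
            "set timeout { adaptive.start %d, adaptive.end %d }" % (start, end)]


def check(memory_text, info_text, tables_text, warn_at=0.8, growth=4):
    """Report utilization of the state table and of table entries; suggest new limits when high."""
    limits = parse_limits(memory_text)
    states = parse_current_states(info_text)
    entries = parse_table_addresses(tables_text)
    report = {
        "states": states,
        "states_limit": limits["states"],
        "states_util": states / limits["states"],
        "entries": entries,
        "entries_limit": limits["table-entries"],
        "entries_util": entries / limits["table-entries"],
        "suggested": [],
    }
    # Assumed policy for this example: warn at 80% and propose a 4x larger state table.
    if report["states_util"] >= warn_at:
        report["suggested"] = recommend(limits["states"] * growth)
    if report["entries_util"] >= warn_at:
        report["suggested"].append("set limit table-entries %d" % (limits["table-entries"] * growth))
    return report


if __name__ == "__main__":
    r = check(SAMPLE_MEMORY, SAMPLE_INFO, SAMPLE_TABLES)
    print("states: %d/%d (%.0f%%)" % (r["states"], r["states_limit"], 100 * r["states_util"]))
    print("table entries: %d/%d (%.0f%%)" % (r["entries"], r["entries_limit"], 100 * r["entries_util"]))
    for line in r["suggested"]:
        print("suggest:", line)
```

On a live box, replace the constructed samples with `subprocess.run(["pfctl", "-s", "memory"], capture_output=True, text=True).stdout` and the two other commands; after editing pf.conf, `pfctl -nf /etc/pf.conf` syntax-checks the new limits before `pfctl -f` loads them.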