Date: Sat, 12 Jun 2010 09:40:23 +0100
From: krad <kraduk@googlemail.com>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: How many states can pf sanely handle
Message-ID: <AANLkTilt4nQDRHaGcsrHDDLpOWBwR1QV9_eRkHCzb2x_@mail.gmail.com>
Hi, I have a DNS server that receives a fair amount of traffic. I was implementing a pf-based firewall on it and ran into a few issues. Basically there is a ridiculously high number of states generated. I just wondered what the upper limits of what pf can handle are, and what the memory requirements are?

To get an idea of the traffic levels (this is about 30% of peak time):

# pfctl -z ; sleep 60 ; pfctl -sr -v
pass in quick on bce0 proto udp from <dns> to any port = domain no state
  [ Evaluations: 284852    Packets: 209701    Bytes: 13789905    States: 0 ]
  [ Inserted: uid 0 pid 95645 ]
pass out quick on bce0 proto udp from any port = domain to <dns> no state
  [ Evaluations: 309780    Packets: 207705    Bytes: 56264916    States: 0 ]
  [ Inserted: uid 0 pid 95645 ]
pass out quick on bce0 proto udp from any to any port = domain no state
  [ Evaluations: 50734     Packets: 50734     Bytes: 3933868     States: 0 ]
  [ Inserted: uid 0 pid 95645 ]
pass in quick on bce0 proto udp from any port = domain to any no state
  [ Evaluations: 51290     Packets: 48056     Bytes: 9106259     States: 0 ]
  [ Inserted: uid 0 pid 95645 ]

These rules aren't exactly ideal, but they do stop an insane amount of states being generated, as every DNS request generates one inbound rule, then potentially multiple outbound ones depending on whether you get a cache hit.
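The question above is really two measurements: how full the state table is relative to pf's hard limit, and how much kernel memory those states cost. The script below is an added example, not code from the original poster, that pulls both numbers out of `pfctl -si`, `pfctl -sm` and `vmstat -z` output. It runs offline against constructed sample output embedded inline; the `pf states` zone name, its 296-byte item size and the 10000-entry default limit in the samples are assumptions for illustration, so check them against your own kernel before trusting the memory estimate.

```shell
#!/bin/sh
# Added example: estimate pf state-table utilisation and memory use.
# The three SAMPLE_* strings are constructed stand-ins for real command output.

# Constructed sample of `pfctl -si`; only the State Table section is parsed.
SAMPLE_SI='Status: Enabled for 0 days 00:01:00           Debug: Urgent

State Table                          Total             Rate
  current entries                     8421
  searches                          594632           9910.5/s
  inserts                           417406           6956.8/s
  removals                          408985           6816.4/s'

# Constructed sample of `pfctl -sm` (10000 is assumed as the default hard limit).
SAMPLE_SM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000'

# Constructed sample line from `vmstat -z`; zone name and 296-byte size are assumptions.
SAMPLE_VMSTAT='pf states:              296,      0,     8421,      1579,   417406,   0,   0'

# Number of states currently in the table (from `pfctl -si`).
current_states() { printf '%s\n' "$1" | awk '/current entries/ {print $3}'; }

# Hard limit on states (from `pfctl -sm`); this is what `set limit states` changes.
state_limit() { printf '%s\n' "$1" | awk '$1 == "states" {print $4}'; }

# Per-state allocation size in bytes (from the pf state zone line of `vmstat -z`).
zone_item_size() { printf '%s\n' "$1" | awk -F'[:,]' '/^pf states/ {gsub(/ /, "", $2); print $2}'; }

# Integer percentage of the hard limit in use.
state_pct() { echo $(( $1 * 100 / $2 )); }

# Approximate bytes consumed by N states at S bytes each.
state_bytes() { echo $(( $1 * $2 )); }

# Combine the three measurements into one line and warn when the table is nearly full.
report() {
  cur=$(current_states "$1")
  lim=$(state_limit "$2")
  sz=$(zone_item_size "$3")
  pct=$(state_pct "$cur" "$lim")
  echo "states: $cur / $lim (${pct}%), ~$(state_bytes "$cur" "$sz") bytes in the state zone"
  [ "$pct" -ge 80 ] && echo "WARNING: close to the states hard limit; raise 'set limit states' or shorten udp.* timeouts"
  return 0
}

report "$SAMPLE_SI" "$SAMPLE_SM" "$SAMPLE_VMSTAT"
```

On a live FreeBSD host you would call `report "$(pfctl -si)" "$(pfctl -sm)" "$(vmstat -z | grep 'pf states')"` instead of the samples. Once the table sits near the limit, new states are refused (matching packets on stateful rules are dropped), which is why the `no state` rules in the post avoid the problem entirely for DNS; the alternative is to keep state but raise `set limit states` in pf.conf and lower `set timeout udp.first`, `udp.single` and `udp.multiple` so short query/response exchanges expire quickly.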