Date:      Thu, 14 Jun 2018 15:02:57 -0400
From:      Ian FREISLICH <ian.freislich@capeaugusta.com>
To:        Dave Horsfall <dave@horsfall.or>, FreeBSD PF List <freebsd-pf@freebsd.org>
Subject:   Re: Is there an upper limit to PF's tables?
Message-ID:  <62bf79b4-0c38-ec94-3bf6-d99ccbd45300@capeaugusta.com>
In-Reply-To: <alpine.BSF.2.21.999.1806150310370.68981@aneurin.horsfall.org>
References:  <alpine.BSF.2.21.999.1806150310370.68981@aneurin.horsfall.org>


On 06/14/2018 01:40 PM, Dave Horsfall wrote:
> I can't get access to kernel sauce right now, but I'm hitting over 
> 1,000 entries from woodpeckers[*] etc; is there some upper limit, or 
> is it just purely dynamic?
>
>   aneurin% freebsd-version
>   10.4-RELEASE-p9

You're ultimately physically bound by memory; however, there are 
configurable limits, see pf.conf(5):

set timeout { \
         adaptive.start  X, \
         adaptive.end    Y \
         }

set limit states AA
set limit frags BB
set limit src-nodes CC

I've run pf with over 1.5M states, but the limits do have to be tuned.

Ian


> [*]
>
> A fairly loose definition in the anti-spammer community, but it 
> includes attempts every few *seconds* when they encounter my 
> RFC-compliant banner, when I make 'em wait a bit for my 220, and those 
> who regard 5xx as a challenge.
>
> Perhaps I should consider an external firewall; at the moment the 
> (consumer-grade) router allows only certain services to certain 
> servers (and doesn't bother logging the rejects, much to my disgust) 
> and its "IP blocking" simply doesn't work, so the mail server blocks 
> the spammer IPs instead (entire countries where necessary).
>
> -- Dave, who has been accused of being an "anti-spam nazi"

-- 
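Added example, not part of the original message: a small sh helper that compares a current pf counter against the hard limits that `pfctl -s memory` prints, so a limit can be raised before it is hit. The sample limits text is constructed, the function names are hypothetical, and `table-entries` is the limit name from pf.conf(5) and the pfctl output rather than from the reply above; the 60% threshold mirrors the pf.conf(5) default for adaptive.start.

```shell
#!/bin/sh
# Added example: check pf usage against the limits from `pfctl -s memory`.
# All sample data is constructed; function names are hypothetical.

# Constructed sample in the format printed by `pfctl -s memory`.
SAMPLE_LIMITS='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000'

# limit_of NAME
# Reads `pfctl -s memory` text on stdin and prints the hard limit for NAME.
# Exits non-zero when NAME is not listed.
limit_of() {
    awk -v n="$1" '$1 == n && $2 == "hard" && $3 == "limit" { print $4; f = 1 }
                   END { exit !f }'
}

# check_headroom NAME CURRENT PERCENT LIMITS_TEXT
# Prints "warn ..." when CURRENT is at or above PERCENT of the limit,
# "ok ..." when below it, and "unknown" when the limit is not listed.
check_headroom() {
    name=$1 current=$2 pct=$3
    limit=$(printf '%s\n' "$4" | limit_of "$name") || { echo unknown; return 0; }
    # Integer form of current/limit >= pct/100.
    if [ $((current * 100)) -ge $((limit * pct)) ]; then
        echo "warn $name $current/$limit"
    else
        echo "ok $name $current/$limit"
    fi
}

# On a live system (assumption: a table named "spammers"):
#   check_headroom table-entries \
#       "$(pfctl -t spammers -T show | wc -l)" 60 "$(pfctl -s memory)"
check_headroom states 1000 60 "$SAMPLE_LIMITS"
check_headroom table-entries 150000 60 "$SAMPLE_LIMITS"
```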



