Date: Thu, 14 Jun 2018 15:02:57 -0400
From: Ian FREISLICH <ian.freislich@capeaugusta.com>
To: Dave Horsfall <dave@horsfall.or>, FreeBSD PF List <freebsd-pf@freebsd.org>
Subject: Re: Is there an upper limit to PF's tables?
Message-ID: <62bf79b4-0c38-ec94-3bf6-d99ccbd45300@capeaugusta.com>
In-Reply-To: <alpine.BSF.2.21.999.1806150310370.68981@aneurin.horsfall.org>
References: <alpine.BSF.2.21.999.1806150310370.68981@aneurin.horsfall.org>

On 06/14/2018 01:40 PM, Dave Horsfall wrote:
> I can't get access to kernel sauce right now, but I'm hitting over
> 1,000 entries from woodpeckers[*] etc; is there some upper limit, or
> is it just purely dynamic?
>
>   aneurin% freebsd-version
>   10.4-RELEASE-p9

You're ultimately physically bound by memory, however there are
configurable limits, see pf.conf(5):

set timeout { \
        adaptive.start  X, \
        adaptive.end    Y \
        }
set limit states AA
set limit frags BB
set limit src-nodes CC

I've run pf with over 1.5M states, but the limits do have to be tuned.

Ian

> [*]
>
> A fairly loose definition in the anti-spammer community, but it
> includes attempts every few *seconds* when they encounter my
> RFC-compliant banner, when I make 'em wait a bit for my 220, and those
> who regard 5xx as a challenge.
>
> Perhaps I should consider an external firewall; at the moment the
> (consumer-grade) router allows only certain services to certain
> servers (and doesn't bother logging the rejects, much to my disgust)
> and its "IP blocking" simply doesn't work, so the mail server blocks
> the spammer IPs instead (entire countries where necessary).
>
> -- Dave, who has been accused of being an "anti-spam nazi"
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.or

--
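
Added example, not part of either e-mail: a small sh script that compares a pf table's entry count with the table-entries hard limit, which pf.conf(5) lists alongside states, frags and src-nodes. It assumes the "name hard limit N" line layout printed by `pfctl -sm`; the sample text, its values and the table name `spammers` are constructed placeholders.

```shell
#!/bin/sh
# Added example: check how close a pf table is to the table-entries limit.

# Constructed sample in the layout assumed for `pfctl -sm`; values are illustrative.
SAMPLE_LIMITS='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000'

# limit_of NAME: read `pfctl -sm` text on stdin, print the hard limit for NAME.
limit_of() {
    awk -v name="$1" '$1 == name && $2 == "hard" { print $4 }'
}

# count_entries: read `pfctl -t TABLE -T show` text on stdin,
# print the number of non-empty lines (one address or network per line).
count_entries() {
    awk 'NF { n++ } END { print n + 0 }'
}

# headroom USED LIMIT [WARN_PCT]: print "ok PCT" or "warn PCT".
# WARN_PCT defaults to 80; an unusable limit prints "unknown 0".
headroom() {
    used=$1 limit=$2 warn=${3:-80}
    if [ -z "$limit" ] || [ "$limit" -le 0 ]; then
        echo "unknown 0"
        return 1
    fi
    pct=$(( used * 100 / limit ))
    if [ "$pct" -ge "$warn" ]; then
        echo "warn $pct"
    else
        echo "ok $pct"
    fi
}

# Live check, run as root: sh script.sh --live [table]
# The default table name "spammers" is a placeholder.
if [ "${1:-}" = "--live" ]; then
    table=${2:-spammers}
    limit=$(pfctl -sm | limit_of table-entries)
    used=$(pfctl -t "$table" -T show | count_entries)
    echo "$table: $used of ${limit:-?} entries: $(headroom "$used" "$limit")"
fi
```

Without `--live` the script only defines its functions, so they can be exercised against the embedded sample text.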