How many states can pf sanely handle
- From: krad <kraduk@xxxxxxxxxxxxxx>
- Date: Sat, 12 Jun 2010 09:40:23 +0100
Hi,
I have a DNS server that receives a fair amount of traffic. I was
implementing a pf-based firewall on it and ran into a few issues. Basically
there is a ridiculously high number of states generated. I just wondered
what the upper limits of what pf can handle are, and what the memory
requirements are?
To get an idea of the traffic levels (this is about 30% of peak time):
# pfctl -z ; sleep 60 ; pfctl -sr -v
pass in quick on bce0 proto udp from <dns> to any port = domain no state
  [ Evaluations: 284852    Packets: 209701    Bytes: 13789905    States: 0     ]
  [ Inserted: uid 0 pid 95645 ]
pass out quick on bce0 proto udp from any port = domain to <dns> no state
  [ Evaluations: 309780    Packets: 207705    Bytes: 56264916    States: 0     ]
  [ Inserted: uid 0 pid 95645 ]
pass out quick on bce0 proto udp from any to any port = domain no state
  [ Evaluations: 50734     Packets: 50734     Bytes: 3933868     States: 0     ]
  [ Inserted: uid 0 pid 95645 ]
pass in quick on bce0 proto udp from any port = domain to any no state
  [ Evaluations: 51290     Packets: 48056     Bytes: 9106259     States: 0     ]
  [ Inserted: uid 0 pid 95645 ]
These rules aren't exactly ideal, but they do stop an insane amount of states
being generated, as every DNS request generates one inbound rule, then
potentially multiple outbound ones depending on whether you get a cache hit.
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"
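The counters in the post are enough to estimate what the state table would look like if the same rules were made stateful: with Little's law, concurrent states are roughly the rate at which flows start times the time a state lives. For UDP the lifetime that matters is pf's udp.multiple timeout (60 s by default), because a DNS query gets its reply within milliseconds and the state then idles until that timer expires. The script below is an added example, not from the original post; it parses a constructed copy of the `pfctl -sr -v` output shown above, sums the packets on the two rules that start flows (the ones whose destination is `port = domain`, i.e. incoming queries and the server's own recursion queries), and scales by the sampling interval, the state lifetime, and the 30% of peak the poster says the sample represents. The function name and the assumption that every flow-starting packet would become its own state are mine.

```shell
#!/bin/sh
# Estimate how many pf states a stateful version of the DNS ruleset would
# hold, from 'pfctl -z ; sleep N ; pfctl -sr -v' output.
# Model: states ~= (flow-starting packets / interval) * state lifetime.

# Constructed sample mirroring the counters from the post (not live output).
SAMPLE='pass in quick on bce0 proto udp from <dns> to any port = domain no state
  [ Evaluations: 284852    Packets: 209701    Bytes: 13789905    States: 0     ]
  [ Inserted: uid 0 pid 95645 ]
pass out quick on bce0 proto udp from any port = domain to <dns> no state
  [ Evaluations: 309780    Packets: 207705    Bytes: 56264916    States: 0     ]
  [ Inserted: uid 0 pid 95645 ]
pass out quick on bce0 proto udp from any to any port = domain no state
  [ Evaluations: 50734     Packets: 50734     Bytes: 3933868     States: 0     ]
  [ Inserted: uid 0 pid 95645 ]
pass in quick on bce0 proto udp from any port = domain to any no state
  [ Evaluations: 51290     Packets: 48056     Bytes: 9106259     States: 0     ]
  [ Inserted: uid 0 pid 95645 ]'

# estimate_states INTERVAL LIFETIME PEAK_FRACTION
#   INTERVAL      seconds between 'pfctl -z' and 'pfctl -sr -v' (60 in the post)
#   LIFETIME      seconds a UDP state lives after its last packet
#                 (pf's udp.multiple timeout, 60 by default)
#   PEAK_FRACTION fraction of peak traffic the sample represents (0.3 in the post)
# Prints the estimated number of concurrent states at peak, rounded up.
# Assumption (hypothetical model, not pf's own accounting): every packet on a
# rule whose destination is "port = domain" would open a fresh state; the
# reply rules ("from ... port = domain") would only match existing states.
estimate_states() {
    printf '%s\n' "$SAMPLE" | awk -v interval="$1" -v lifetime="$2" -v frac="$3" '
        # A rule line decides whether the counters that follow it start flows.
        /^pass/ { initiating = ($0 ~ / to [^ ]+ port = domain/) }
        # Counter line: pull the number after "Packets:" for flow-starting rules.
        /Packets:/ && initiating {
            for (i = 1; i <= NF; i++) if ($i == "Packets:") pkts += $(i + 1)
        }
        END {
            x = pkts * lifetime / (interval * frac)
            printf "%d\n", int(x) + (x > int(x))   # ceiling
        }'
}

# Run stand-alone: the post's numbers, default 60 s UDP lifetime, 30% of peak.
estimate_states 60 60 0.3
```

Compare the result with the limits pf is actually configured with: `pfctl -sm` prints the state hard limit and `pfctl -si` shows the current number of state table entries. If the estimate is above the limit, the knobs are `set limit states N` and a shorter `set timeout udp.multiple` in pf.conf; raising the limit costs kernel memory per state, so check the machine has it before relying on a stateful ruleset at peak.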