On 06/14/2018 01:40 PM, Dave Horsfall wrote:
I can't get access to kernel sauce right now, but I'm hitting over
1,000 entries from woodpeckers[*] etc; is there some upper limit, or
is it just purely dynamic?
aneurin% freebsd-version
10.4-RELEASE-p9
You're ultimately physically bound by memory; however, there are
configurable limits, see pf.conf(5):
set timeout { \
adaptive.start X, \
adaptive.end Y \
}
set limit states AA
set limit frags BB
set limit src-nodes CC
I've run pf with over 1.5M states, but the limits do have to be tuned.
Ian
[*]
A fairly loose definition in the anti-spammer community, but it
includes attempts every few *seconds* when they encounter my
RFC-compliant banner, when I make 'em wait a bit for my 220, and those
who regard 5xx as a challenge.
Perhaps I should consider an external firewall; at the moment the
(consumer-grade) router allows only certain services to certain
servers (and doesn't bother logging the rejects, much to my disgust)
and its "IP blocking" simply doesn't work, so the mail server blocks
the spammer IPs instead (entire countries where necessary).
-- Dave, who has been accused of being an "anti-spam nazi"
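Added example, not from either poster: a small sh script that shows how the limits Ian lists interact, using the rule from pf.conf(5) that once the state count passes adaptive.start, every timeout is scaled by (adaptive.end - states) / (adaptive.end - adaptive.start), reaching zero at adaptive.end (the defaults are 60% and 120% of the states limit). The pf.conf fragment and the pfctl -si snippet are constructed, and the limit values are illustrative.

```shell
#!/bin/sh
# Constructed pf.conf fragment (illustrative values, not from the thread).
PF_CONF='set limit { states 500000, src-nodes 100000, frags 20000 }
set timeout { adaptive.start 300000, adaptive.end 600000 }
set timeout { tcp.established 3600 }'

# Constructed `pfctl -si`-style output; only the state-table line matters here.
PFCTL_SI='State Table                          Total             Rate
  current entries                   420000'

# Look up the number that follows a given key in the pf.conf fragment.
conf_value() {
    printf '%s\n' "$PF_CONF" | tr ',{}' '   ' \
        | awk -v k="$1" '{ for (i = 1; i < NF; i++) if ($i == k) print $(i + 1) }' \
        | head -n 1
}

# Effective timeout (seconds) for a base timeout at a given state count,
# following the adaptive-timeout formula from pf.conf(5).
adaptive_timeout() {   # $1 = base timeout, $2 = current number of states
    start=$(conf_value adaptive.start)
    end=$(conf_value adaptive.end)
    if [ "$2" -le "$start" ]; then echo "$1"; return; fi   # below start: unchanged
    if [ "$2" -ge "$end" ]; then echo 0; return; fi        # at/above end: expire now
    echo $(( $1 * (end - $2) / (end - start) ))            # linear scale in between
}

# Percentage of the configured states limit currently in use.
state_usage_pct() {
    cur=$(printf '%s\n' "$PFCTL_SI" | awk '/current entries/ { print $3 }')
    echo $(( cur * 100 / $(conf_value states) ))
}

# Stand-alone report: how full the table is and what tcp.established shrinks to.
echo "state table at $(state_usage_pct)% of limit $(conf_value states)"
echo "tcp.established at current load: $(adaptive_timeout "$(conf_value tcp.established)" 420000)s"
```

On a live box replace the constructed PFCTL_SI with `pfctl -si` output and compare against `pfctl -sm`, which prints the limits actually loaded.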
_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.or