On 06/14/2018 01:40 PM, Dave Horsfall wrote:
> I can't get access to kernel sauce right now, but I'm hitting over 1,000 entries from woodpeckers[*] etc; is there some upper limit, or is it just purely dynamic?
>
>   aneurin% freebsd-version
>   10.4-RELEASE-p9

You're ultimately physically bound by memory, however there are configurable limits, see pf.conf(5):

set timeout { \
        adaptive.start  X, \
        adaptive.end    Y \
        }

set limit states AA
set limit frags BB
set limit src-nodes CC

I've run pf with over 1.5M states, but the limits do have to be tuned.

Ian


> [*]
>
> A fairly loose definition in the anti-spammer community, but it includes attempts every few *seconds* when they encounter my RFC-compliant banner, when I make 'em wait a bit for my 220, and those who regard 5xx as a challenge.
>
> Perhaps I should consider an external firewall; at the moment the (consumer-grade) router allows only certain services to certain servers (and doesn't bother logging the rejects, much to my disgust) and its "IP blocking" simply doesn't work, so the mail server blocks the spammer IPs instead (entire countries where necessary).
>
> -- Dave, who has been accused of being an "anti-spam nazi"
_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"

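Added example, not from either post and not pf's own code: a small POSIX sh check that reads the "current entries" counter from `pfctl -si` and the "states" hard limit from `pfctl -sm`, reports how full the state table is, and computes the timeout scaling factor pf applies between adaptive.start and adaptive.end (per pf.conf(5): timeouts scale by (adaptive.end - states) / (adaptive.end - adaptive.start), reaching zero at adaptive.end). The two sample outputs below are constructed so the script runs offline; the awk column positions assume the `pfctl` output layout of FreeBSD 10.x-era pf, and the 9200/10000 numbers are made up. On a live box feed it `"$(pfctl -si)"` and `"$(pfctl -sm)"` instead.

```shell
#!/bin/sh
# Added example: how full is pf's state table relative to "set limit states",
# and how hard would adaptive timeouts be scaling at that count?

# Constructed sample of `pfctl -si` (only the State Table lines matter here).
SAMPLE_PFCTL_SI='Status: Enabled for 12 days 03:14:07           Debug: Urgent

State Table                          Total             Rate
  current entries                     9200
  searches                       184422311         174.9/s
  inserts                          3118400           3.0/s
  removals                         3109200           2.9/s'

# Constructed sample of `pfctl -sm` (the configured hard limits).
SAMPLE_PFCTL_SM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000'

# current_states SI_TEXT -> prints the "current entries" counter
current_states() {
    printf '%s\n' "$1" | awk '/^ *current entries/ { print $3; exit }'
}

# state_limit SM_TEXT -> prints the hard limit for "states"
state_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" && $2 == "hard" { print $4; exit }'
}

# state_usage_pct CURRENT LIMIT -> integer percentage of the limit in use
state_usage_pct() {
    awk -v cur="$1" -v lim="$2" 'BEGIN { printf "%d\n", (cur * 100) / lim }'
}

# adaptive_factor CURRENT START END -> factor (0.00..1.00) by which pf scales
# state timeouts: 1.00 below adaptive.start, 0.00 at or above adaptive.end,
# linear in between (pf.conf(5), "set timeout adaptive.start/adaptive.end").
adaptive_factor() {
    awk -v cur="$1" -v start="$2" -v end="$3" 'BEGIN {
        if (cur <= start) f = 1.0
        else if (cur >= end) f = 0.0
        else f = (end - cur) / (end - start)
        printf "%.2f\n", f
    }'
}

# check_state_table SI_TEXT SM_TEXT THRESHOLD_PCT
# Prints a one-line summary; returns 1 when usage is at or above the
# threshold so it can drive a monitoring check, 0 otherwise.
check_state_table() {
    cur=$(current_states "$1")
    lim=$(state_limit "$2")
    pct=$(state_usage_pct "$cur" "$lim")
    if [ "$pct" -ge "$3" ]; then
        echo "WARNING: pf states ${cur}/${lim} (${pct}%) at or above ${3}% threshold"
        return 1
    fi
    echo "OK: pf states ${cur}/${lim} (${pct}%)"
    return 0
}

# Stand-alone run against the constructed samples.  On a live system:
#   check_state_table "$(pfctl -si)" "$(pfctl -sm)" 80
check_state_table "$SAMPLE_PFCTL_SI" "$SAMPLE_PFCTL_SM" 80 \
    || echo "(non-zero exit: a cron/monitoring wrapper would alert here)"
echo "adaptive factor at 9200 states with start 6000 / end 12000: $(adaptive_factor 9200 6000 12000)"
```

The point of the second function is the one Ian's snippet hints at: once the count passes adaptive.start, pf starts expiring states early, so a box that "still has room" under the hard limit may already be dropping long-idle connections; watching both numbers, not just the hard limit, is what tells you whether to raise `set limit states` or move adaptive.start/adaptive.end.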