This limit is far too high. I have used pf on networks with 400 machines, with a block-everything policy, and my state limit was the default. Could there be a virus on your network? How many machines go through this firewall?

Post the current number of states using

# pfctl -ss |wc -l
265

On 19 March 2010 at 10:37, Renata Dias <renatchi...@gmail.com> wrote:
> Dear all,
>
> I found several discussions about my question, but none with a
> solution!
>
> When I enable pf, the network starts responding with "No buffer space available".
> I tested some options I found on the internet, such as: set limit { states 1000000000, src-nodes 1000000000, frags 50000000 }, but without success.
>
> Here is my pf.conf
>
> if_wan_upload="em0"
> if_lan_download="em1"
>
> table <rede_interna> { 192.168.0.0/24, 10.0.10.0/24 }
>
> altq on $if_wan_upload hfsc bandwidth 100% queue total_out
> queue total_out bandwidth 34Mb hfsc(upperlimit 34Mb) { ping_out voip_out dns_out http-https_out pop_out smtp_out ssh_out outros_out p2p_out }
> queue ping_out bandwidth 6% priority 9 hfsc(upperlimit 100% realtime 6% ecn red)
> queue voip_out bandwidth 5% priority 8 hfsc(upperlimit 100% realtime 5% ecn red)
> queue dns_out bandwidth 2% priority 7 hfsc(upperlimit 100% realtime 2% ecn red)
> queue http-https_out bandwidth 60% priority 6 hfsc(upperlimit 100% realtime 60% ecn red)
> queue ssh_out bandwidth 2% priority 5 hfsc(upperlimit 100% realtime 2% ecn red)
> queue smtp_out bandwidth 5% priority 4 hfsc(upperlimit 100% realtime 5% ecn red)
> queue pop_out bandwidth 5% priority 3 hfsc(upperlimit 100% realtime 5% ecn red)
> queue outros_out bandwidth 10% priority 2 hfsc(upperlimit 95% realtime 10% ecn red default)
> queue p2p_out bandwidth 5% priority 1 hfsc(upperlimit 80% realtime 5% ecn red)
>
> altq on $if_lan_download hfsc bandwidth 100Mb queue total
> queue total bandwidth 34Mb hfsc(upperlimit 34Mb) { ping voip dns http-https ssh smtp pop outros p2p }
> queue ping bandwidth 6% priority 9 hfsc(upperlimit 100% realtime 6% ecn red)
> queue voip bandwidth 5% priority 8 hfsc(upperlimit 100% realtime 5% ecn red)
> queue dns bandwidth 2% priority 7 hfsc(upperlimit 100% realtime 2% ecn red)
> queue http-https bandwidth 60% priority 6 hfsc(upperlimit 100% realtime 60% ecn red)
> queue ssh bandwidth 2% priority 5 hfsc(upperlimit 100% realtime 2% ecn red)
> queue smtp bandwidth 5% priority 4 hfsc(upperlimit 100% realtime 5% ecn red)
> queue pop bandwidth 5% priority 3 hfsc(upperlimit 100% realtime 5% ecn red)
> queue outros bandwidth 10% priority 2 hfsc(upperlimit 95% realtime 10% ecn red default)
> queue p2p bandwidth 5% priority 1 hfsc(upperlimit 80% realtime 5% ecn red)
>
> pass in quick on $if_wan_upload proto icmp from <rede_interna> to any keep state queue ping_out
> pass in quick on $if_lan_download proto icmp from <rede_interna> to any keep state queue ping
>
> pass in quick on $if_wan_upload proto { tcp, udp } from <rede_interna> to any port 53 keep state queue dns_out
> pass in quick on $if_lan_download proto { tcp, udp } from <rede_interna> to any port 53 keep state queue dns
>
> pass in quick on $if_wan_upload proto tcp from <rede_interna> to any port { 80, 443 } keep state queue http-https_out
> pass in quick on $if_lan_download proto tcp from <rede_interna> to any port { 80, 443 } keep state queue http-https
>
> pass in quick on $if_wan_upload proto tcp from <rede_interna> to any port 110 keep state queue pop_out
> pass in quick on $if_lan_download proto tcp from <rede_interna> to any port 110 keep state queue pop
>
> pass in quick on $if_wan_upload proto tcp from <rede_interna> to any port 25 keep state queue smtp_out
> pass in quick on $if_lan_download proto tcp from <rede_interna> to any port 25 keep state queue smtp
>
> pass in quick on $if_wan_upload proto tcp from <rede_interna> to any port 22 keep state queue ssh_out
> pass in quick on $if_lan_download proto tcp from <rede_interna> to any port 22 keep state queue ssh
>
> --
> Renata Dias
> -------------------------
> Archive: http://www.fug.com.br/historico/html/freebsd/
> Unsubscribe: https://www.fug.com.br/mailman/listinfo/freebsd

--
Giancarlo Rubio
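
The check requested in the reply above (how many states exist compared with the configured limit) can be scripted. This is an added example, not code from the thread: the function names are hypothetical, and the sample text is constructed in the layout printed by `pfctl -si` and `pfctl -sm`.

```shell
#!/bin/sh
# Added example: compare pf's current state count with its configured limit.
# SAMPLE_SI / SAMPLE_SM are constructed text, not output captured from a host.
SAMPLE_SI='Status: Enabled for 0 days 01:12:40           Debug: Urgent

State Table                          Total             Rate
  current entries                      265
  searches                         1834201          420.7/s
  inserts                            40112            9.2/s
  removals                           39847            9.1/s
Counters
  match                              52310           12.0/s
  memory                                 0            0.0/s
  state-limit                            0            0.0/s'
SAMPLE_SM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000'

# "current entries" value from `pfctl -si` text.
pf_current_states() {
    printf '%s\n' "$1" | awk '$1 == "current" && $2 == "entries" { print $3; exit }'
}
# Total of one named line in the "Counters" section of `pfctl -si` text.
pf_counter() {
    printf '%s\n' "$1" |
        awk -v n="$2" '$1 == "Counters" { c = 1; next } c && $1 == n { print $2; exit }'
}
# "states hard limit" value from `pfctl -sm` text.
pf_state_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" && $2 == "hard" { print $4; exit }'
}
# One-line verdict: is the state table anywhere near its limit?
pf_state_verdict() {
    cur=$(pf_current_states "$1"); lim=$(pf_state_limit "$2")
    hit=$(pf_counter "$1" state-limit); mem=$(pf_counter "$1" memory)
    if [ -z "$cur" ] || [ -z "$lim" ]; then echo "unparsed"; return 2; fi
    pct=$((cur * 100 / lim))
    if [ "${hit:-0}" -gt 0 ] || [ "$pct" -ge 90 ]; then
        echo "state-table-pressure cur=$cur limit=$lim pct=$pct"
    elif [ "${mem:-0}" -gt 0 ]; then
        echo "memory-drops cur=$cur limit=$lim pct=$pct"
    else
        echo "state-table-ok cur=$cur limit=$lim pct=$pct"
    fi
}

pf_state_verdict "$SAMPLE_SI" "$SAMPLE_SM"
```

On a live firewall, call it as `pf_state_verdict "$(pfctl -si)" "$(pfctl -sm)"`.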