On 2012-02-21, Hassan Monfared <hmonfa...@gmail.com> wrote:
> Hi,
> have you tried to set some tuning options in pf.conf & sysctl.conf?
> e.g.:
> for sysctl.conf:
> net.inet.ip.ifq.maxlen=512 # Maximum allowed input queue length
> (256*number of physical interfaces)
> kern.bufcachepercent=90 # Allow the kernel to use up to 90% of the
> RAM for cache (default 10%)
> net.inet.udp.recvspace=131072 # Increase based on your memory
> net.inet.udp.sendspace=131072 # Increase based on your memory
> ddb.panic=0 # do not enter ddb console on kernel panic,
> reboot if possible, this reduces headache

These have nothing to do with state overflow (except raising
bufcachepercent will leave less space for states..)

> for pf.conf :
> set optimization aggressive

May possibly help (or you can set state limits per-rule; *very* tight
ones might be appropriate for the attack traffic).
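As an added illustration of the per-rule state limits mentioned in the reply (example config, not part of the thread or written by either poster): the thread does not say which protocol the attack traffic uses, so the fragment below shows a UDP rule, where only the rule-wide `max` and `max-src-states` limits apply, beside a TCP rule, where the per-source connection counters can additionally feed an overload table. The interface name, server address, table name and every numeric limit are assumptions to be tuned for the box in question.

```pf
# Added example, not from the mailing-list thread.  Interface, address,
# table name and all limits are assumed values.
ext_if  = "em0"
dns_srv = "192.0.2.53"

# Hard ceiling on the state table.  None of the sysctl knobs quoted in
# the thread change this; it is set here, in pf.conf.
set limit states 100000

# Shorter state timeouts so idle and attack states expire quickly (the
# option suggested in the thread).  adaptive.* additionally scales the
# timeouts down as the table fills towards the limit.
set optimization aggressive
set timeout { adaptive.start 60000, adaptive.end 120000 }

# Sources that exceed the TCP per-source limits land here and are
# dropped early, before they can create more state.
table <abusers> persist
block in quick on $ext_if from <abusers>

# Very tight limits on the rule that matches the attacked service:
# at most 2000 states from this rule in total, and no more than 3
# concurrent states per source address.  For UDP these are the only
# per-rule limits that apply.
pass in on $ext_if proto udp to $dns_srv port domain \
    keep state (max 2000, max-src-states 3)

# For TCP, max-src-conn and max-src-conn-rate count completed
# handshakes per source; exceeding them adds the source to <abusers>
# and flushes its existing states (overload/flush are TCP-only).
pass in on $ext_if proto tcp to $dns_srv port domain \
    keep state (max 2000, max-src-conn 10, max-src-conn-rate 20/5, \
                overload <abusers> flush global)
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and watch `pfctl -si` (current/limit state entries) and `pfctl -t abusers -T show` while under attack to see whether the limits are actually biting. Note that a per-rule `max` simply makes the rule stop creating new states once reached, so legitimate clients of that service are also refused while the table is full; that is the trade-off the reply's "*very* tight" hints at.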