Hi,
Can someone clarify something in pfctl -si
    State Table                          Total             Rate
      current entries                    46488
      searches                     14245201429        43941.2/s
      inserts                         54808703          169.1/s
      removals                        54806243          169.1/s
I'm interested in inserts/removals.
Would a new UDP/TCP connection that is blocked by pf make that list?
I've seen recently in a ddos attack which got to pf, that both of these
counters were increasing.
10Gbps attack, 2.3 Mpps
pf was blocking at a rate of 1Mpps in/2.3Mpps out, and inserts/removals
were at 2.3M/s
Is it normal to create an entry in the state table for a
not-yet-established connection and then remove it as soon as it's blocked?
Isn't this a way to explode its state table limits? On the other hand,
the connection details should go in a table... so it's probably normal.
How big can the state table be? How much memory is needed?
regards,
G
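As an added example (not part of the original post or of pf itself): a small Python checker that parses the State Table block of `pfctl -si` as quoted above and flags the two things asked about, entries approaching the states hard limit (the `hard_limit` argument is assumed to be the "states hard limit" value from `pfctl -sm`) and an insert/removal churn spike like the 2.3M/s seen during the flood. The two sample outputs are constructed from the post's own numbers, not live data.

```python
import re

# Constructed samples modelled on the pfctl -si "State Table" block quoted in
# the post (first the post's own numbers, then a flood-shaped variant).
NORMAL_SI = """\
State Table                          Total             Rate
  current entries                    46488
  searches                     14245201429        43941.2/s
  inserts                         54808703          169.1/s
  removals                        54806243          169.1/s
"""
FLOOD_SI = """\
State Table                          Total             Rate
  current entries                    95000
  searches                     14245201429      2300000.0/s
  inserts                         54808703      2300000.0/s
  removals                        54806243      2300000.0/s
"""

# One State Table row: name, total, optional "<rate>/s" column.
ROW = re.compile(r"^\s*(current entries|searches|inserts|removals)\s+(\d+)(?:\s+([\d.]+)/s)?\s*$", re.M)

def parse_state_table(text):
    """Map each State Table row to (total, rate-per-second or None)."""
    stats = {}
    for m in ROW.finditer(text):
        rate = float(m.group(3)) if m.group(3) else None
        stats[m.group(1)] = (int(m.group(2)), rate)
    return stats

def churn(stats):
    """(net growth/s, insert rate/s). A flood of short-lived states shows up
    as a huge insert rate even when net growth stays near zero."""
    ins, rem = stats["inserts"][1], stats["removals"][1]
    return ins - rem, ins

def assess(text, hard_limit, insert_alarm=5000.0, min_headroom=0.1):
    """hard_limit: the 'states hard limit' shown by pfctl -sm (assumed input)."""
    stats = parse_state_table(text)
    net, ins = churn(stats)
    headroom = max(0.0, 1.0 - stats["current entries"][0] / hard_limit)
    alarms = []
    if headroom < min_headroom:
        alarms.append("state table near hard limit")
    if ins > insert_alarm:
        alarms.append("insert rate spike")
    return {"headroom": headroom, "net_growth": net, "insert_rate": ins, "alarms": alarms}
```

Run it periodically against real `pfctl -si` output and treat the insert rate, not just current entries, as the early signal: during the flood the table barely grows because every blocked state is removed at once, but the churn alone is what costs CPU.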