On 2020-12-18, mabi <m...@protonmail.ch> wrote:
> Hi,
>
> I see quite some syn flood packets on my OpenBSD firewall filling up the
> state table for nothing. So I thought let's try the pf's adaptive syncookies.
> I am just not quite sure what the percentage used by start and stop relates to.
>
> In the pf.conf man page the following is written:
>
> "pf will enable syncookie mode when a given percentage of the state table is
> used up by half-open TCP connections..."
>
> That "given percentage", does it compare the "half-open tcp" value of the
> state table (as seen in "pfctl -si") with the amount of "current entries" in
> the state table? Or does it compare it with the limit of maximum states I
> have defined in my pf.conf (value of "set limit states")?
>
> Thank you in advance for any precisions.
>
> Regards,
> Mabi
It's something like "what % of max allowed states is half-open tcp". Watch out as there are some bugs in this area: definitely the accounting of half-open connections can be wildly off sometimes (triggering adaptive syncookies when they shouldn't really be triggered), and I think also with the behaviour when they're active. I have had it trigger spuriously and then a bunch of connections failing when triggered, so monitor it carefully if you enable this.
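To make the "half-open as a percentage of the state limit" comparison concrete, and to give the monitoring the reply recommends something to watch, here is an added shell example (not from the thread and not part of pf itself). It parses the `half-open tcp` counter from `pfctl -si` output and the `states hard limit` line from `pfctl -sm` output, computes the ratio, and reports where that ratio sits relative to the `start`/`end` percentages of a `set syncookies adaptive (start 25%, end 12%)` line. The two pfctl outputs embedded below are constructed sample text; on a real firewall you would feed the script the live command output instead. The threshold classification is this script's own approximation of the hysteresis, not pf's internal logic.

```shell
#!/bin/sh
# Added example: compare half-open TCP states against the pf state limit,
# which is the quantity the adaptive syncookie thresholds are measured against.
# The pfctl outputs below are CONSTRUCTED samples; replace sample_si/sample_sm
# with "$(pfctl -si)" and "$(pfctl -sm)" on a live OpenBSD host.

sample_si() {
cat <<'EOF'
Status: Enabled for 3 days 04:12:55              Debug: err

State Table                          Total             Rate
  current entries                     1840
  half-open tcp                       1500
  searches                         9810233           36.7/s
  inserts                            21390            0.1/s
  removals                           19550            0.1/s
EOF
}

sample_sm() {
cat <<'EOF'
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     1024
tables        hard limit     1000
table-entries hard limit   200000
EOF
}

# half_open_pct "<pfctl -si output>" "<pfctl -sm output>"
# Prints the integer percentage of the configured state limit that is
# currently occupied by half-open TCP connections; fails if either
# number cannot be found.
half_open_pct() {
    half_open=$(printf '%s\n' "$1" | awk '$1 == "half-open" && $2 == "tcp" { print $3 }')
    limit=$(printf '%s\n' "$2" | awk '$1 == "states" && $2 == "hard" { print $4 }')
    [ -n "$half_open" ] && [ -n "$limit" ] && [ "$limit" -gt 0 ] || return 1
    echo $(( half_open * 100 / limit ))
}

# syncookie_state PCT START END
# Classifies a percentage against the adaptive thresholds:
#   at or above START -> "enable"   (pf would switch syncookies on)
#   below END         -> "disable"  (pf would switch them off)
#   in between        -> "unchanged" (hysteresis band: previous mode persists)
syncookie_state() {
    pct=$1; start=$2; end=$3
    if [ "$pct" -ge "$start" ]; then
        echo enable
    elif [ "$pct" -lt "$end" ]; then
        echo disable
    else
        echo unchanged
    fi
}

# Stand-alone run over the constructed samples with start 25%, end 12%.
pct=$(half_open_pct "$(sample_si)" "$(sample_sm)")
echo "half-open tcp = ${pct}% of state limit -> $(syncookie_state "$pct" 25 12)"
```

Running it periodically (for example from cron) and logging the percentage alongside `current entries` gives you a record to compare against when syncookies appear to have engaged unexpectedly, which is exactly the spurious-trigger case the reply warns about. Because the script reads the same counters pf uses, a half-open figure that looks implausible next to the total state count is a useful signal that the accounting itself is off rather than that an attack is under way.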