
I have a problem with my firewall related to max states per rule.
# pfctl -vvsi
Status: Enabled for 0 days 13:05:38           Debug: Urgent

Hostid:   0x6556c6a9
Checksum: 0xe80368af9b3c0a876218cd2af59fbed5

State Table                          Total             Rate
  current entries                     7614
  searches                       323053106         6853.3/s
  inserts                          6650716          141.1/s
  removals                         6643102          140.9/s
Source Tracking Table
  current entries                        0
  searches                               0            0.0/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                           31988315          678.6/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                             12            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                      4702            0.1/s
  state-insert                       45381            1.0/s
  state-limit                        13837            0.3/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
Limit Counters
  max states per rule                13837            0.3/s
  max-src-states                         0            0.0/s
  max-src-nodes                          0            0.0/s
  max-src-conn                           0            0.0/s
  max-src-conn-rate                      0            0.0/s
  overload table insertion               0            0.0/s
  overload flush states                  0            0.0/s
As we can see above, we are hitting state-limit because of max states per rule.
My limits are fairly large:
# pfctl -sm
states        hard limit   550000
src-nodes     hard limit    50000
frags         hard limit     5000
tables        hard limit     5000
table-entries hard limit   400000
But how can I increase max states per rule?
Answer 1
Have you tried this?
PF.CONF(5) File Formats Manual PF.CONF(5)
…
STATEFUL TRACKING OPTIONS
A number of options related to stateful tracking can be applied on a per-rule
basis. keep state, modulate state and synproxy state support these options, and
keep state must be specified explicitly to apply options to a rule.
max ⟨number⟩
Limits the number of concurrent states the rule may create. When this
limit is reached, further packets that would create state will not match
this rule until existing states time out.
…
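An added example, not part of the answer above and not code from the pf project: the man page shows that max is a per-rule option, and the "max states per rule" counter only increments when a rule that carries an explicit max has filled it, so the global set limit states (550000 in the question) is not what is being hit. The practical check is therefore to find which rule has a max and how close its current state count is to it. pfctl -vsr prints each rule followed by a counter line of the form "[ Evaluations: E  Packets: P  Bytes: B  States: S ]"; the POSIX shell script below parses that two-line format. The sample output embedded in it is constructed for this example (not captured from the poster's firewall; 192.0.2.0/24 is a documentation range), and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: parse `pfctl -vsr` output
# and report how full each rule's per-rule state limit ("keep state (max N)")
# is. Assumed input format (two lines per rule, as pfctl -vsr prints them):
#   <rule text> ... keep state (max N)
#   [ Evaluations: E  Packets: P  Bytes: B  States: S ]
# Rules without a "max" option are skipped: they are bounded only by the
# global "set limit states".

# Constructed sample output for this example (not captured from a real
# firewall; 192.0.2.0/24 is a documentation range).
SAMPLE_RULES='pass in quick on em0 inet proto tcp from any to 192.0.2.10 port = 443 flags S/SA keep state (max 100)
  [ Evaluations: 50000  Packets: 400000  Bytes: 300000000  States: 100  ]
pass in quick on em0 inet proto tcp from any to 192.0.2.11 port = 22 flags S/SA keep state (max 5000)
  [ Evaluations: 1000  Packets: 8000  Bytes: 6000000  States: 12  ]
pass out quick on em0 inet from 192.0.2.0/24 to any flags S/SA keep state
  [ Evaluations: 90000  Packets: 900000  Bytes: 700000000  States: 7502  ]'

# report_rule_state_usage: reads pfctl -vsr output on stdin and prints, for
# every rule that has "(max N)", one line "<states>/<max> <percent>% <rule>".
report_rule_state_usage() {
    awk '
        /^ *\[ Evaluations:/ {
            # counter line belongs to the rule line read just before it
            states = 0
            for (i = 1; i <= NF; i++) if ($i == "States:") states = $(i + 1)
            sub(/\]/, "", states)
            if (maxn > 0)
                printf "%d/%d %d%% %s\n", states, maxn, int(states * 100 / maxn), rule
            maxn = 0
            next
        }
        {
            # rule line: remember it and extract N from "(max N)" if present
            rule = $0
            maxn = 0
            if (match($0, /\(max [0-9]+\)/))
                maxn = substr($0, RSTART + 5, RLENGTH - 6) + 0
        }
    '
}

# rules_at_limit: only the rules whose current state count has reached their
# max; these are the ones incrementing "max states per rule".
rules_at_limit() {
    report_rule_state_usage | awk -F'[/ ]' '$1 >= $2'
}

# Demonstration on the constructed sample. On a firewall, replace the printf
# with:  pfctl -vsr | rules_at_limit
printf '%s\n' "$SAMPLE_RULES" | report_rule_state_usage
printf '%s\n' "$SAMPLE_RULES" | rules_at_limit
```

On the sample, the first rule is reported as 100/100 (full) and the second as 12/5000; the third has no max and is not listed. Once the full rule is identified, raise the number in its keep state (max N) option, or drop the option so the rule is bounded only by the global set limit states, then reload the ruleset with pfctl -f /etc/pf.conf and watch whether the "max states per rule" counter in pfctl -vvsi stops climbing.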