
Re: [Fwd: [unisog] High speed firewalls - Connections per second not bits per second]

On Tue, 22 Feb 2005 09:02:56 +1300, Russell Fulton
<[email protected]> wrote:
> Hmmm... what is the 'pf' response to this problem?   I seem to remember
> that 3.6 has per IP limits that can be set that perhaps could mitigate
> this sort of problem.
I use on my network:
set timeout { adaptive.start 10000, adaptive.end 51000 }
set limit states 50000
pass in  on vlan101 from vlan101:network to any keep state (max 5000,
source-track rule, max-src-states 20, tcp.established 60, tcp.closing
Adding in the syn proxy would also cut down on traffic and completed
connections, but this config keeps traffic and virus traffic bursts
down to a reasonable level.
Jon Simola
Systems Administrator
ABC Communications
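For readers who want to see the whole picture, here is an added pf.conf example (not Jon's config and not from the original thread) that combines the per-source state limits from his post with the syn proxy he mentions and a per-source overload table. The interface name vlan101, the macro ext_if, the address in the www macro, the table name <abusers> and all the numeric limits are assumed values for illustration. One caveat: max-src-conn, max-src-conn-rate and overload were added in OpenBSD 3.7, so on 3.6 (the release the question asks about) only the source-track, max-src-nodes and max-src-states options are available.

```pf
# Added example, not from the original post. Interface names, the www
# address, the <abusers> table and all limits are assumed values.
ext_if = "fxp0"
www    = "192.0.2.10"

# Global state budget plus adaptive timeouts: once the state table holds
# adaptive.start entries, pf scales every timeout down linearly, reaching
# zero at adaptive.end, so idle states are reaped faster under load.
set limit states 50000
set timeout { adaptive.start 10000, adaptive.end 51000 }

# Sources that trip the per-source limits are parked here; "persist"
# keeps the table alive even while no rule references it.
table <abusers> persist

# Drop overloaded sources immediately; "quick" stops rule evaluation so
# the pass rules below never see them.
block in quick on vlan101 from <abusers>

# Inbound from the local VLAN: cap states per rule and per source.
# source-track rule counts each source's states against this rule only,
# max-src-nodes caps how many distinct sources the rule tracks at once,
# and the shortened tcp.established/tcp.closing timeouts stop a burst of
# half-dead connections from pinning the state table.
pass in on vlan101 from vlan101:network to any keep state \
    (max 5000, source-track rule, max-src-nodes 2000, max-src-states 20, \
     tcp.established 60, tcp.closing 30)

# OpenBSD 3.7 or later only. pf is last-match-wins without "quick", so
# this rule takes over for TCP from the VLAN: more than 15 new
# connections in 5 seconds from one source (or more than 50 open at
# once) adds that source to <abusers> and flushes its states on this rule.
pass in on vlan101 proto tcp from vlan101:network to any flags S/SA \
    keep state (max-src-conn 50, max-src-conn-rate 15/5, \
                overload <abusers> flush)

# synproxy state: pf completes the three-way handshake itself and only
# then opens the connection to the server, so a SYN flood from outside
# never reaches the web server's listen backlog.
pass in on $ext_if proto tcp from any to $www port 80 \
    flags S/SA synproxy state
```

Load it with pfctl -nf /etc/pf.conf first to syntax-check, then pfctl -f /etc/pf.conf; pfctl -si shows the current state count and pfctl -t abusers -T show lists the sources that have been parked.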