[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Fwd: [unisog] High speed firewalls - Connections per second not bits per second]



On Tue, 22 Feb 2005 09:02:56 +1300, Russell Fulton
<[email protected]> wrote:
> Hmmm... what is the 'pf' response to this problem?   I seem to remember
> that 3.6 has per IP limits that can be set that perhaps could mitigate
> this sort of problem.
I use on my network:
set timeout { adaptive.start 10000, adaptive.end 51000 }
set limit states 50000
pass in  on vlan101 from vlan101:network to any keep state (max 5000,
source-track rule, max-src-states 20, tcp.established 60, tcp.closing
5)
Adding in the syn proxy would also cut down on traffic and completed
connections, but this config keeps traffic and virus traffic bursts
down to a reasonable level.
-- 
Jon Simola
Systems Administrator
ABC Communications