
Re: Logging dropped states (max-src-states)



Jeff Wilson wrote:

One of my networks is behind an OpenBSD 3.5-stable firewall, and
another network is behind an OpenBSD 3.7-stable firewall.  Between the
two networks, I am serving over 4,000 clients.  Both firewalls limit
source IP state with "max-src-states".  Once a client hits this state
limit, no new state is allowed -- which is what I want, of course.

My objective is to more efficiently troubleshoot connectivity
problems, after the fact.  When I get the call from a colleague,
asking "Can you tell me if Joe Bob was at his limit yesterday at 5pm?"
Right now, I just shrug and say, "Nope!"

Is there a straightforward way to log these "disallowed" states?  Or
perhaps a way to log which IPs have hit this ceiling, and when, and
for how long?

   thanks,
    jw



I think set debug records that the limits were hit with 3.7 but not with 3.5.