hello....(test mail)

2004-02-19 Thread Demon Denon
hello




set limit src-nodes

2004-02-19 Thread Russell Fulton
HI All,
 I am trying to diagnose a problem that *may* be related to our pf based
firewall.  About the time we implemented our new firewall people
started to report problems with our CISCO based VPN where connections
are dropped more or less randomly (often after more than an hour's
connection).  I have reviewed all the settings of the firewall that I
believe to be relevant and checked the pf.log file to make certain that
packets to/from the vpn concentrator are not being dropped.

While looking for possible things to tweak that might affect connections
I found the 'set limit src-nodes' in the pf.conf man pages.

Am I right in assuming that since I don't use any tag rules that I can
safely ignore this option?

The fw host machine is very lightly loaded (cpu in the order of 1%) and
there is plenty of room in the state table (set at 50,000 -- I have
never seen it over 35,000).

Any other suggestions of things that I could/should check?

Thanks, Russell.
-- 
Russell Fulton                          /~\  The ASCII
Network Security Officer                \ /  Ribbon Campaign
The University of Auckland               X   Against HTML
New Zealand                             / \  Email!




Re: set limit src-nodes

2004-02-19 Thread Ryan McBride
On Fri, Feb 20, 2004 at 01:51:46PM +1300, Russell Fulton wrote:
> While looking for possible things to tweak that might affect connections
> I found the 'set limit src-nodes' in the pf.conf man pages.
>
> Am I right in assuming that since I don't use any tag rules that I can
> safely ignore this option?

This option is not related to rule tagging; rather, it is related to the
source address tracking features: translation rules with
'sticky-address', or pass rules with 'source-tracking', 'max-src-nodes',
and/or 'max-src-states' options.  If you're not using any of these
keywords in your pf.conf, you can ignore this.

It's fairly easy to see if you're running into your limits, however.
If you look at the statistics provided by 'pfctl -si', there's a counter
labeled 'memory', which is incremented whenever a packet is dropped by
pf due to insufficient memory - including hitting your state table or
src-node table limit.
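
As an added example that is not part of the thread (it is neither Russell's nor Ryan's code, nor anything from the pf project), the script below puts Ryan's two points into runnable form: a pf.conf fragment that actually allocates src-node entries (so that 'set limit src-nodes' only matters when such keywords are present), and a small parser for 'pfctl -si' output that pulls out the 'memory' counter and the current state-table occupancy. The interface name, addresses, rule details and counter values are constructed; the pf.conf syntax is assumed to be that of the 2004-era pf, and the sample 'pfctl -si' text is a trimmed approximation of the real output, not a capture from a running firewall.

```shell
#!/bin/sh
# Added example, not from the original thread. Shows (1) the kind of pf.conf
# rules that actually allocate src-node entries, so 'set limit src-nodes'
# matters only when they are present, and (2) a small parser for 'pfctl -si'
# that pulls out the 'memory' counter and state-table usage Ryan points to.
# Interface names, addresses and counter values below are constructed.

# pf.conf fragment (2004-era pf syntax, assumed) that *does* use source
# tracking: sticky-address on a translation rule, and source-track /
# max-src-nodes / max-src-states on a pass rule. Without such keywords pf
# never creates src-node entries and the src-nodes limit cannot be hit.
pf_conf_with_source_tracking() {
    cat <<'EOF'
set limit { states 50000, src-nodes 10000 }
ext_if = "em0"
vpn_concentrator = "192.0.2.10"
nat on $ext_if from 10.0.0.0/8 to any -> { 203.0.113.5, 203.0.113.6 } sticky-address
pass in on $ext_if proto tcp from any to $vpn_concentrator port 10000 \
    keep state (source-track rule, max-src-nodes 500, max-src-states 20)
EOF
}

# Constructed sample of 'pfctl -si' output, trimmed to the lines we parse.
sample_pfctl_si() {
    cat <<'EOF'
Status: Enabled for 12 days 03:22:41           Debug: Urgent

State Table                          Total             Rate
  current entries                    34210
  searches                      8814423987        8343.5/s
  inserts                         91234567          86.4/s
  removals                        91200357          86.3/s
Counters
  match                           92102345          87.2/s
  bad-offset                             0            0.0/s
  fragment                            1203            0.0/s
  short                                 17            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
EOF
}

# Same sample with the memory counter bumped, to exercise the failure path.
sample_pfctl_si_with_drops() {
    sample_pfctl_si | awk '$1 == "memory" { $2 = 1204 } { print }'
}

# Print the Total column of one named counter from 'pfctl -si' text on stdin.
pf_counter() {
    awk -v name="$1" '$1 == name { print $2; exit }'
}

# Print the number of entries currently in the state table.
pf_state_entries() {
    awk '$1 == "current" && $2 == "entries" { print $3; exit }'
}

# Read 'pfctl -si' text on stdin, print a one-line summary against the
# configured state limit, and return non-zero if pf has dropped packets for
# lack of memory (which includes hitting the states or src-nodes limit).
pf_limit_report() {
    limit="$1"
    input=$(cat)
    cur=$(printf '%s\n' "$input" | pf_state_entries)
    mem=$(printf '%s\n' "$input" | pf_counter memory)
    pct=$(( cur * 100 / limit ))
    printf 'states %s/%s (%s%%), memory drops %s\n' "$cur" "$limit" "$pct" "$mem"
    [ "$mem" -eq 0 ]
}

# Live use on the firewall itself:  pfctl -si | pf_limit_report 50000
```

On a real firewall the parser is fed by `pfctl -si` directly; a non-zero 'memory' counter that keeps climbing while the state table sits well under its limit points at the src-nodes limit (or another allocation failure) rather than the state limit, which is exactly the distinction Russell's 35,000-of-50,000 figure alone cannot make. The pf.conf fragment is only there to show which keywords create src-node entries; write it to a file and check it with `pfctl -nf` before loading it on anything that matters.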