Hello, Thank you for your help!
The first option is working, but we don't want such a big state table. Another idea from us is: is it possible to run a ruleset for port 53 udp/tcp, in and out, completely stateless? Must we set some special flags?

Thank you
Sébastien Maerker

--
Sébastien Maerker
Continum AG
Bismarckallee 7b-d
79098 Freiburg i. Br.
Tel. +49 761 217 111-77
Fax. +49 761 217 111-99
http://www.continum.net

Registered office: Freiburg im Breisgau
Commercial register court: Amtsgericht Freiburg, HRB 6866
Executive board: Rolf Mathis, Volker T. Mueller
Chairman of the supervisory board: Prof. Dr. Karl-F. Fischbach

----- Original message -----
From: "Stuart Henderson" <[email protected]>
To: "Sebastien Maerker, Continum" <[email protected]>
CC: "Steven Chamberlain" <[email protected]>, [email protected]
Sent: Wednesday, 7 December 2011 14:25:04
Subject: Re: Problems with OpenBSD 5.0 and PF

you are bumping into the default state limit; two options:

- bump maximum state limits:

  set limit states 20000

- reduce the state expiry time, just for udp 53 is probably enough:

  pass proto udp to port 53 keep state (udp.first 20, udp.single 10, udp.multiple 20)

see pfctl -st and pfctl -sm for defaults.
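As an added example, not taken from either mail in this thread, here is a pf.conf fragment that puts Stuart's two suggestions into context and adds a stateless variant for UDP port 53, which is what the question above asks about. The interface name, the server address and the 20000 ceiling are assumptions; the defaults on a given box come from `pfctl -st` and `pfctl -sm`.

```pf
# pf.conf fragment (assumed layout; check with "pfctl -nf /etc/pf.conf" before loading)
ext_if  = "em0"          # assumed external interface
dns_srv = "192.0.2.53"   # constructed RFC 5737 test address for the DNS server

# Option 1 from the reply: raise the ceiling the state table may grow to.
# The value is an assumption; compare with the "states" line of "pfctl -sm".
set limit states 20000

# Option 2 from the reply: keep DNS stateful but age its entries out fast.
# The per-rule timeouts only affect states created by this rule, so other
# UDP traffic keeps the global udp.* values shown by "pfctl -st".
pass in on $ext_if proto udp to $dns_srv port 53 \
    keep state (udp.first 20, udp.single 10, udp.multiple 20)

# Stateless variant for the question in the follow-up: "no state" creates no
# table entry at all, so nothing matches the reply to the request and the
# answer direction needs its own rule. The trade-off is that pf no longer
# checks that a packet from port 53 belongs to a query it saw, so any UDP
# datagram with source port 53 is admitted by the second rule.
pass in  on $ext_if proto udp to   $dns_srv port 53 no state
pass out on $ext_if proto udp from $dns_srv port 53 no state

# TCP 53 is intentionally not made stateless here; leave it under the
# normal stateful default (keep state is implied in OpenBSD pf).
pass in on $ext_if proto tcp to $dns_srv port 53
```

Only one of the two UDP approaches should be active for the same traffic; the stateful rule with short timeouts keeps the reply-matching check that the stateless pair gives up.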
