Hi all,
Do adaptive timeouts apply to all states {globally, rule-based}, or
only to states created at the time?
For example, from "man pf.conf", if I have
set timeout { adaptive.start 6000, adaptive.end 12000 }
And I have 9000 state table entries:
A) *All* state table timeouts scaled down 50%
B) 9000-10000 scaled by 50%, 10000-11000 by 60%, etc.
http://www.openbsd.org/faq/pf/options.html implies to me A), which
means older expired states get dropped first. "man pf.conf" implies
to me B), which means the newest connections have lower timeout
values and get dropped first.
Thanks!
BTW, this topic came up rather suddenly since, due to UDP/DNS
flooding/misconfiguration, I have 70k states in my state table every
few hours (although the box is still running 99.5% idle!). I want to
be really sure I understand how this works.
***************************
* Adam Getchell [EMAIL PROTECTED]
* System Architect/Programmer (530) 752-1584
* Human Resources Information Systems http://www.hr.ucdavis.edu/
***************************
"Invincibility is in oneself, vulnerability in the opponent." -- Sun
Tzu
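An added worked example (not part of the original post) of the linear scaling pf.conf(5) describes for adaptive timeouts, evaluated at the state counts discussed above. The factor (adaptive.end - states) / (adaptive.end - adaptive.start) is the one given in pf.conf(5); the base timeout values and the truncation to whole seconds are assumptions for illustration.

```python
"""Worked example of pf's adaptive timeout scaling (added example, not from the post).

pf.conf(5): once the state count exceeds adaptive.start, every timeout value is
scaled linearly by (adaptive.end - states) / (adaptive.end - adaptive.start);
at adaptive.end the factor reaches zero. Below adaptive.start nothing is scaled.
"""


def adaptive_factor(states: int, start: int, end: int) -> float:
    """Return the multiplier applied to all timeout values for a given state count."""
    if end <= start:
        raise ValueError("adaptive.end must be greater than adaptive.start")
    if states <= start:
        return 1.0  # below adaptive.start: timeouts unchanged
    if states >= end:
        return 0.0  # at or above adaptive.end: states expire immediately
    return (end - states) / (end - start)


def scaled_timeouts(base: dict, states: int, start: int, end: int) -> dict:
    """Apply the single factor to every timeout (assumed: truncated to whole seconds)."""
    f = adaptive_factor(states, start, end)
    return {name: int(secs * f) for name, secs in base.items()}


# Assumed base values in seconds (constructed for the example).
BASE_TIMEOUTS = {"tcp.established": 86400, "udp.multiple": 60, "udp.single": 30}

if __name__ == "__main__":
    # set timeout { adaptive.start 6000, adaptive.end 12000 }, as in the post
    for states in (5000, 9000, 10000, 11000, 70000):
        f = adaptive_factor(states, 6000, 12000)
        print(f"{states:>6} states -> factor {f:.2f}: "
              f"{scaled_timeouts(BASE_TIMEOUTS, states, 6000, 12000)}")
```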