On Fri, Feb 20, 2004 at 01:51:46PM +1300, Russell Fulton wrote:
> While looking for possible things to tweak that might affect connections
> I found the 'set limit src-nodes' in the pf.conf man pages.
> 
> Am I right in assuming that since I don't use any tag rules that I can
> safely ignore this option?

This option is not related to rule tagging; rather, it is related to the
source address tracking features: translation rules with
'sticky-address', or pass rules with 'source-tracking', 'max-src-nodes',
and/or 'max-src-states' options.  If you're not using any of these
keywords in your pf.conf, you can ignore this.

It's fairly easy to see if you're running into your limits, however.
If you look at the statistics provided by 'pfctl -si', there's a counter
labeled 'memory', which is incremented whenever a packet is dropped by
pf due to insufficient memory - including hitting your state table or
src-node table limit.

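The two points in the reply above, as an added example that is not part of the original thread: a pf.conf fragment in which 'set limit src-nodes' actually applies (it uses sticky-address and source-track, the latter being the keyword pf.conf spells out), and a small parser that pulls the 'memory' counter and the state and source-tracking table sizes out of captured 'pfctl -si' output so the check can be scripted. The interface and address names in the fragment are assumptions, and the pfctl output embedded below is constructed to resemble OpenBSD 3.4-era 'pfctl -si' (the source-tracking section may need 'pfctl -vsi' on some versions); the numbers are made up, and the parser keys on row labels rather than column positions.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# (1) a constructed pf.conf fragment where 'set limit src-nodes' matters,
# (2) a label-based parser for 'pfctl -si' that reports the 'memory'
#     counter (packets dropped for lack of memory, including a full state
#     or src-node table) and the current table sizes.

# (1) Constructed pf.conf fragment; interface and addresses are assumptions.
write_sample_pf_conf() {
    cat > "$1" <<'EOF'
ext_if = "fxp0"
web_servers = "{ 10.0.0.10, 10.0.0.11 }"

# Ceiling for the src-node table: every client tracked by the rules below
# occupies one entry, so size it for the expected client population.
set limit { states 20000, src-nodes 5000 }

# Translation rule with sticky-address: a client keeps hitting the same
# backend, which costs one src-node entry per client address.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_servers round-robin sticky-address

# Pass rule with source tracking: at most 3 states per client and at most
# 500 tracked clients for this rule.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 keep state (source-track rule, max-src-nodes 500, max-src-states 3)
EOF
}

# (2) CONSTRUCTED sample of 'pfctl -si' output (labels real, numbers made up).
SAMPLE_PFCTL_SI='Status: Enabled for 3 days 04:12:07           Debug: Urgent

State Table                          Total             Rate
  current entries                     9874
  searches                        48211230          182.4/s
  inserts                          1204822            4.6/s
  removals                         1194948            4.5/s
Source Tracking Table
  current entries                      512
  searches                          904122            3.4/s
  inserts                            61231            0.2/s
  removals                           60719            0.2/s
Counters
  match                            1204822            4.6/s
  bad-offset                             0            0.0/s
  fragment                              12            0.0/s
  short                                  0            0.0/s
  normalize                              3            0.0/s
  memory                                37            0.0/s'

# Print the numeric value of one labelled row from one section.
# $1 = captured pfctl -si output, $2 = section header prefix, $3 = row label.
# Exit 1 if the row is not found.
pf_stat() {
    printf '%s\n' "$1" | awk -v section="$2" -v label="$3" '
        /^[^ \t]/ { insec = (index($0, section) == 1); next }
        insec {
            line = $0; sub(/^[ \t]+/, "", line)
            if (index(line, label " ") == 1) {
                rest = substr(line, length(label) + 1)
                sub(/^[ \t]+/, "", rest)
                split(rest, f, /[ \t]+/)
                print f[1]; found = 1; exit
            }
        }
        END { if (!found) exit 1 }'
}

# Summarise table sizes and memory drops. Exit 0 only if the memory counter
# is zero, 1 if pf has dropped packets for lack of memory, 2 on parse failure.
pf_check_limits() {
    mem=$(pf_stat "$1" Counters memory) || return 2
    states=$(pf_stat "$1" "State Table" "current entries") || return 2
    srcn=$(pf_stat "$1" "Source Tracking Table" "current entries") || return 2
    printf 'states=%s src-nodes=%s memory-drops=%s\n' "$states" "$srcn" "$mem"
    [ "$mem" -eq 0 ]
}

# Use the live firewall when pfctl is present, otherwise the constructed sample.
if command -v pfctl >/dev/null 2>&1; then
    stats=$(pfctl -si 2>/dev/null)
else
    stats=$SAMPLE_PFCTL_SI
fi
rc=0; pf_check_limits "$stats" || rc=$?
case $rc in
    0) echo "ok: no memory drops; compare table sizes with the limits in 'pfctl -sm'" ;;
    1) echo "pf has dropped packets for lack of memory; check 'set limit' against 'pfctl -sm'" ;;
    *) echo "could not parse pfctl -si output (not root, or pf not enabled?)" ;;
esac
```

A non-zero memory counter only says that some drop happened since the counters were last cleared, not which table filled up; comparing the 'current entries' figures against the hard limits shown by 'pfctl -sm' tells you whether it is the state table or the src-node table that needs a larger 'set limit'.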