> My first thought is to cron a job, once a minute, to monitor the number of
> states in `pfctl -s info` ... if any single minute yields an increase of
> more than 50,000 states, then I flush all states and reload the ruleset.
> Is there a better way to contain disaster? With ipfilter, I tweaked
> kernel settings such as NKMEMCLUSTERS and NMBCLUSTERS to obscenely high
> numbers (such as 16K). Any other kernel tweaks? Or better yet, anything
> within pf to directly contain such a state runaway scenario?
see adaptive.start and adaptive.end in the pf.conf man page

.mike
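For readers who want to see what the reply is pointing at, here is an added pf.conf fragment (not part of the original thread, and not anything either poster wrote) that bounds the state table and turns on adaptive timeouts. The numeric values are assumptions chosen for illustration; the `egress` interface group and the port 80 rule are likewise placeholders:

```pf
# Added example, not from the original thread: pf.conf fragment that caps
# the state table and makes pf shed idle states early under pressure.
# All numbers are illustrative; size them to the host's memory and load.

# Hard ceiling on state entries; new states are refused beyond this.
set limit states 100000

# Adaptive timeouts: once the table holds more than adaptive.start entries,
# every state timeout is scaled down linearly, reaching zero at adaptive.end.
# Here timeouts begin shrinking at 60% of the limit and hit zero at 120%,
# so a flood evicts idle states instead of exhausting the table.
set timeout { adaptive.start 60000, adaptive.end 120000 }

# Optional per-rule cap so a single service cannot consume the whole table.
pass in on egress proto tcp to port 80 keep state (max 20000)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then confirm the values took effect with `pfctl -s timeouts` (adaptive.start/adaptive.end) and `pfctl -s memory` (the states hard limit). With this in place, the per-minute cron check from the question becomes a monitor rather than the only line of defence: `pfctl -s info` still shows the current entry count, but pf itself starts aging states out before the limit is reached.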
