> > Once again I am awed by and indebted to this list. Thanks for the prompt
> > response!

> That will not help you to solve the problem. It will only cause some troubles
> to valid connection states.

Nope. The point of the adaptive limits was to only start penalizing things when
the firewall is overloaded. Read on.

> You should use src-ip-tracking limiting the number of connections for each IP.
> Then you could make a quick math to know the maximum number of states that
> your ruleset could create and then install enough RAM.

3.5 and below still allocate PF state entries out of kmem_map which is limited
to 64meg of ram; the adaptive limits are necessary. Tedu@ worked his mojo in
-current so that the 64M limit no longer applies and it can take advantage of
extra ram. IIRC the theoretical max states on 3.5 is only 250K entries. That
is only 55 connections per host in his setup.

Things like p2p and blasting worms leave tons of connections in the FIN_WAIT_2
or TIME_WAIT states which are only removed when they time out (a rule of thumb
is ten closed states waiting to be expired for every one state still
established). With gnutella running, my laptop has 208 PF states and 190 of
which are in fin-wait or closed. The adaptive limits will penalize those
states hanging around after the connection closed far more than it will
penalize established connections.

.mike

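An added illustration of the scaling the post describes, not code from the list message: it applies the adaptive timeout rule documented in pf.conf(5) (above adaptive.start every timeout is multiplied by (adaptive.end - states) / (adaptive.end - adaptive.start), reaching zero at adaptive.end) to a constructed handful of state entries, using pf's default timeouts and default adaptive.start/adaptive.end values as assumptions, to show why closed and fin-wait states are purged long before established ones.

```python
from dataclasses import dataclass

# pf default timeouts in seconds as listed in pf.conf(5) (assumed defaults).
# tcp.established is enormous compared with the post-close states, which is
# the whole reason adaptive scaling hits lingering closed states first.
DEFAULT_TIMEOUTS = {
    "tcp.opening": 30,
    "tcp.established": 86400,
    "tcp.closing": 900,
    "tcp.finwait": 45,
    "tcp.closed": 90,
}

def adaptive_factor(states, start=6000, end=12000):
    """Factor pf applies to every timeout for a given state-table size."""
    if states <= start:
        return 1.0          # below adaptive.start: nothing is scaled
    if states >= end:
        return 0.0          # at adaptive.end: every timeout becomes zero
    return (end - states) / (end - start)

def effective_timeout(kind, states, start=6000, end=12000):
    return DEFAULT_TIMEOUTS[kind] * adaptive_factor(states, start, end)

@dataclass
class State:
    kind: str    # timeout class the entry is currently in
    idle: float  # seconds since the entry last saw a packet

def expired_states(table, states_in_table, start=6000, end=12000):
    """Entries whose idle time has reached the (scaled) timeout for their class."""
    return [s for s in table
            if s.idle >= effective_timeout(s.kind, states_in_table, start, end)]

# Constructed sample entries, each typical of the kinds mentioned in the post.
SAMPLE = [
    State("tcp.established", 3600),  # long-lived session, idle for an hour
    State("tcp.finwait", 30),        # half-closed leftover from a p2p peer
    State("tcp.closed", 60),         # closed, just waiting to expire
    State("tcp.opening", 10),        # handshake still in progress
]

def demo(states_in_table=9000):
    """Which sample entries pf would purge when the table holds this many states."""
    return sorted(s.kind for s in expired_states(SAMPLE, states_in_table))
```

With 9000 states the factor is 0.5, so the fin-wait and closed entries are gone while the idle established session and the handshake survive; below adaptive.start nothing extra is purged.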