* Ed White <[EMAIL PROTECTED]> [2004-08-24 17:48]:
> On Tuesday 24 August 2004 15:27, Mike Frantzen wrote:
> > There we'll agree to disagree.  I prefer Amdahl's law which tells me to
> > optimize for the common case instead of degrading everything to the
> > pathological case.
> I prefer to have a fixed limit for every IP instead of a firewall that changes 
> timeouts based on the number of active states.

you are missing the point completely.

adaptive timeouts should actually be enabled on each and every pf 
installation. they should be seen as a last resort before hitting the 
state limit. they are an absolutely needed tool in fighting overload.

limiting the # of states a single source node can create is also a good 
idea, but less so to protect the firewall, more to protect the internet 
from machines gone nuts, that got hit by a worm or whatever.
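
An added pf.conf sketch of the two controls discussed in this thread (not part of the original message): adaptive timeouts that start scaling before the global state limit is reached, and a per-source state cap on traffic from internal hosts. The interface name, network and all numbers are constructed values to be tuned per site.

```conf
# Constructed macros for illustration
int_if  = "em1"
lan_net = "192.168.1.0/24"

# Hard ceiling on the state table
set limit states 10000

# Adaptive timeouts: once more than adaptive.start states exist, every
# timeout is scaled by
#   (adaptive.end - number of states) / (adaptive.end - adaptive.start)
# With the values below, 9000 states gives a factor of 0.5, so idle states
# expire twice as fast. adaptive.end is set above the state limit so the
# factor never reaches zero before the limit is hit.
set timeout { adaptive.start 6000, adaptive.end 12000 }

# Per-source cap: no single internal address may hold more than 200 states
# created by this rule, which contains a worm-infected or misbehaving host.
pass in on $int_if from $lan_net to any keep state \
    (source-track rule, max-src-states 200)
```

`pfctl -nf /etc/pf.conf` parses the ruleset without loading it, and `pfctl -si` shows the current state count to compare against the thresholds.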
