You could turn on aggressive state control - that's in the System->Advanced screen. I'm assuming that you are memory limited or you would have just cranked the state table size. The 10K default is rather on the conservative side, we could probably scale the defaults based on system memory post 1.0 - in fact, I'll jot that down as a TODO. We do have low end machines (Soekris 4501 w/ 64M RAM comes to mind), so limiting the number of states in those machines is crucial. Each state entry when allocated eats approx 1K of memory. FWIW, I run my machines at work with 128,000 states and occasionally bump up against that on my biggest box. During our next upgrade cycle I plan on bumping that limit to 256,000. But all these machines have 1-2G of RAM in them and can easily handle the loss of a few hundred meg in states (RAM is cheaper than a dropped connection anyway).
There are also per-rule settings, but I don't think we expose the adaptive controls (if they even existed in OpenBSD 3.7?). I've personally found them to be more pain than they're worth, expiring potentially good states to keep from resource starvation. Again, it's cheaper for me to just throw hardware at it than spend any time tuning it or dropping connections (and having them get noticed).

--Bill

On 2/28/06, Lawrence Farr <[EMAIL PROTECTED]> wrote:
> Hello All,
>
> I had a problem about a month or so ago with running
> out of states, and upped the state table size to 20000
> along with setting a few rules to modulate state.
> Yesterday I ran out of states again and decided to see
> if there was any way I could control this a bit better
> rather than just keep upping the table size. Reading
> through the PF documentation there are what looks like
> controls for timeouts when the tables are getting full.
> (adaptive.start and adaptive.end) Is there any way of
> setting these in PFSense? Or have I got it wrong?
>
> Lawrence Farr
> EPC Direct Limited
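
The trade-off discussed in this thread, modelled in Python as an added example (not code from either poster or from pfSense): it applies the linear scaling that pf.conf(5) documents for adaptive.start and adaptive.end, alongside the roughly 1K-per-state memory estimate given in the reply. The thresholds of 12000 and 24000 and the 86400-second base timeout are sample values chosen for illustration.

```python
"""Model of pf adaptive timeout scaling and state-table memory cost."""

STATE_BYTES = 1024  # ~1K per state entry: the estimate quoted in the reply above


def state_table_memory_mib(limit):
    """Approximate memory (MiB) consumed if the state table fills to `limit`."""
    return limit * STATE_BYTES / (1024 * 1024)


def scaled_timeout(base_timeout, states, adaptive_start, adaptive_end):
    """Effective timeout in seconds for a given number of state entries.

    pf.conf(5): above adaptive.start, timeouts are scaled linearly by
    (adaptive.end - states) / (adaptive.end - adaptive.start); at
    adaptive.end every timeout becomes zero and states are purged.
    """
    if adaptive_end <= adaptive_start:
        raise ValueError("adaptive.end must be greater than adaptive.start")
    if states <= adaptive_start:
        return base_timeout          # below the threshold nothing changes
    if states >= adaptive_end:
        return 0                     # table saturated: immediate expiry
    factor = (adaptive_end - states) / (adaptive_end - adaptive_start)
    return int(base_timeout * factor)


def pressure_table(base_timeout, adaptive_start, adaptive_end, steps=4):
    """Rows of (states, effective_timeout) from adaptive.start to adaptive.end."""
    span = adaptive_end - adaptive_start
    rows = []
    for i in range(steps + 1):
        states = adaptive_start + span * i // steps
        rows.append((states, scaled_timeout(base_timeout, states,
                                            adaptive_start, adaptive_end)))
    return rows


if __name__ == "__main__":
    # Sample values (assumptions): 20000-state limit as in the question,
    # thresholds at 12000/24000, base timeout of 86400 s for an idle
    # established TCP connection.
    print(f"20000 states  ~ {state_table_memory_mib(20000):.1f} MiB")
    print(f"128000 states ~ {state_table_memory_mib(128000):.1f} MiB")
    for states, timeout in pressure_table(86400, 12000, 24000):
        print(f"{states:>6} states -> idle timeout {timeout:>6} s")
```

As the table fills, idle but legitimate long-lived connections are the first to be expired, which is the cost the reply weighs against simply raising the state limit.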
