dumb question about state and pf

As I understand state (and I just looked this up again to refresh my understanding), stateful firewall rules keep track of the connection attributes in memory. So, if I have 100 connections and have coded my firewall rules correctly, the attributes for those 100 connections are held in memory.

With that said, if I limit the number of state entries that can be retained, will that limit the number of connections? i.e. would max 100 only allow 100 connections?

I know, really dumb question.

What I am trying to do is limit the number of inbound connections to a specific number. I don't care what the IP is, I only want to allow a specific number of connections to that service.
 
See pf.conf(5) for stuff like max-src-nodes, max-src-conn, max-src-states, max-src-conn-rate, and the 'overload' table. Do not limit the overall state table.
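As an added illustration (not part of this thread), the fragment below shows the two kinds of limit pf.conf(5) offers for one service: a per-rule cap on concurrent states, which matches the "specific number of connections regardless of IP" goal, and the per-source options named above. The interface name, table name and ports are assumed.

```pf
# Added example, not from the thread. Interface, table and ports are assumed.
ext_if = "em0"
table <bruteforce> persist

# Weak setting: shrinking the whole state table to throttle one service
# starves every other rule on the box. Do not do this:
#   set limit states 100

# Correct setting for "at most N connections to this service, any source":
# "max 100" caps the concurrent states this one rule may create. Once 100
# states exist, further new connections matching it are not admitted until
# an existing state expires.
pass in on $ext_if proto tcp to ($ext_if) port 22 \
    flags S/SA keep state (max 100)

# Addresses that trip the overload below are refused outright.
block in quick on $ext_if from <bruteforce>

# Per-source limits; these require source-track:
#   max-src-nodes     at most 50 distinct source IPs may hold state via this rule
#   max-src-states    at most 10 states per source IP
#   max-src-conn      at most 5 established TCP connections per source IP
#   max-src-conn-rate more than 3 new connections in 30 s from one IP
#                     adds that IP to <bruteforce>; "flush global" also
#                     kills all of its existing states, from any rule
pass in on $ext_if proto tcp to ($ext_if) port 443 \
    flags S/SA keep state \
    (source-track rule, max-src-nodes 50, max-src-states 10, \
     max-src-conn 5, max-src-conn-rate 3/30, \
     overload <bruteforce> flush global)
```

The `max` option counts states created by that rule only, so it does not affect the global `set limit states` budget shared by all rules.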
 
Thank you

I did actually look at those rule lines, but did not completely understand them until I looked again after your suggestion.
max-src-nodes number
When the source-track option is used, max-src-nodes will limit the number of source IP addresses that can simultaneously create state. This option can only be used with source-track rule.

I was close in my understanding, just wasn't completely comfortable with my understanding of what I read. Again, thank you.
 