PF states limit reached

Hello.


Someone attacked us today with over 1k different IPs which created tons of connections to our services. The PF blocked the IPs successfully but shows me this on the console:
Code:
[zone: pf states] PF states limit reached.

I'm pretty sure this is a reason why users can't create new connections to the server or get kicked. Is there any way that I can raise this limit?

Also, how can I remove all IPs from a table?
 
As shown by pfctl -s memory, or pfctl -sm for short, the default limit is rather low for a busy server or router. You can bump the limit with a line like this in your pf.conf(5).
Code:
set limit { states 40000, frags 20000, src-nodes 20000 }

As far as removing IPs from the state table, see the -F modifier in pfctl(8). pfctl -F states (pfctl -Fs for short) will do this for you. If you are logged in over SSH, keep in mind that that is a state as well and it will also drop your current connection.
 


I already found that set limit thing, but when I execute it I get this error:
Code:
set: Variable name must begin with a letter.
 

This must be in your /etc/pf.conf with a service pf reload to put it into effect. This is completely different from the set command that is part of the builtin(1) shell commands.
 
Hello.
Someone attacked us today with over 1k different IPs which created tons of connections to our services.
Also, how can I remove all IPs from a table?

Were they real IPs or spoofed?

Could look into urpf-failed and antispoof in pf.conf(5)

Beyond just raising the max values there's a whole slew of state table timeout options. And if the attack was using 1000 IPs it would probably easily hit a max of 40000 states anyway.

As junovitch mentioned:
Code:
set limit { states 40000, frags 20000, src-nodes 20000 }

Then for example:
Code:
set timeout { adaptive.start 18000, adaptive.end 39000 }

For more, search for set timeout in pf.conf(5).

Word of caution. These settings are very hardware dependent and using crazy high max state settings will hurt more than help if the hardware can't deal with it. The key is to find out what works with your hardware/software environment. ;)
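Added example (not from any poster in this thread): a small POSIX sh helper that reads the `pfctl -s memory` and `pfctl -s info` output discussed above, reports how full the state table is, and prints `set limit` / `set timeout` lines for a new limit. The sample pfctl output is constructed, and the adaptive.start/adaptive.end values are derived using pf's documented default ratios (60% and 120% of the state limit), which is an assumption about what you want rather than the 18000/39000 values shown above.

```shell
#!/bin/sh
# Constructed sample of `pfctl -s memory` and `pfctl -s info` output, so this
# runs without pf present; on a real box pipe the live output in instead.
SAMPLE_MEMORY='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000'

SAMPLE_INFO='State Table                          Total             Rate
  current entries                     9120
  searches                         8213411           45.2/s'

# Hard limit for one memory pool (e.g. "states") from `pfctl -s memory` on stdin.
pf_limit() {
    awk -v pool="$1" '$1 == pool && $2 == "hard" && $3 == "limit" { print $4 }'
}

# Current number of state entries from `pfctl -s info` on stdin.
pf_current_states() {
    awk '$1 == "current" && $2 == "entries" { print $3 }'
}

# Integer percentage of the state table in use: $1 = current, $2 = hard limit.
pf_state_utilization() {
    echo $(( $1 * 100 / $2 ))
}

# Emit pf.conf(5) lines for a new states limit ($1), with adaptive timeouts
# scaled to the same 60% / 120% ratios pf uses for its defaults (assumption).
pf_suggest_conf() {
    printf 'set limit { states %d }\n' "$1"
    printf 'set timeout { adaptive.start %d, adaptive.end %d }\n' \
        $(( $1 * 60 / 100 )) $(( $1 * 120 / 100 ))
}

limit=$(echo "$SAMPLE_MEMORY" | pf_limit states)
current=$(echo "$SAMPLE_INFO" | pf_current_states)
echo "states: $current / $limit ($(pf_state_utilization "$current" "$limit")% used)"
pf_suggest_conf 40000
```

A table that sits above roughly 90% under normal load is the point at which "PF states limit reached" starts dropping new connections, so watch the utilization line before and after a reload.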
 