Ok
I have PF running on a busy webserver; it uses 'synproxy state' with no limits other than a 170k limit on states.
There are two observations I have made when using 'synproxy state' instead of 'keep state'.
1 - The number of ESTABLISHED connections shown in netstat goes much higher than when using 'keep state'. At least 10x higher; my guess is that RST packets are not working properly.
2 - Currently I am seeing it hit some kind of limit around the 500 mark. It is not exactly 500; it seems to stop going up at about 500-540 and then hovers between about 500 and 520. Of course some connections are not using the synproxy http rule, and I think the ones over 500 are non-synproxy connections.
I have increased various sysctls already, such as tcbhashsize, hostcache.hashsize, and somaxconn. One I didn't raise is the syncache hashsize, which is set at 512. Since that one is a boot-only setting, I did experiment with setting syncookiesonly to 1, but this had no effect on this limit, so I am not sure if the syncache limit is to blame. For now I have reverted to 'keep state', as it is limiting web traffic.
Finally, I am not hitting any limits that I know of inside PF.
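An added diagnostic script for the situation described in the post above (it is not code from the poster). It checks the three things that would separate a PF limit from a kernel one: how full the PF state table is relative to `set limit states`, how many sockets netstat reports in ESTABLISHED and SYN_RCVD on the web port, and the effective syncache capacity (hashsize times bucketlimit, which FreeBSD exposes as net.inet.tcp.syncache.cachelimit). The parsers read tool output from stdin or arguments so they can be exercised on the constructed sample output embedded below; the `pfctl -si`, `pfctl -sm` and `netstat -an -p tcp` line layouts are assumed to match FreeBSD's.

```shell
#!/bin/sh
# Added diagnostic helper, not part of the original post. Assumes FreeBSD
# pfctl(8), netstat(1) and sysctl(8); the output layouts parsed below are
# an assumption about what those tools print.

# Count TCP sockets in STATE (ESTABLISHED, SYN_RCVD, ...) from
# `netstat -an -p tcp` text on stdin. Optional PORT restricts the count to
# one local port, so the web listener can be separated from ssh etc.
count_tcp_state() {
    awk -v st="$1" -v port="${2:-}" '
        $1 ~ /^tcp/ && $NF == st {
            n = split($4, a, ".")      # local address is field 4; port follows the last "."
            lp = a[n]
            if (port == "" || lp == port) c++
        }
        END { print c + 0 }'
}

# Print "current limit percent" for the PF state table.
# $1 = text of `pfctl -si` (has "current entries N"), $2 = text of `pfctl -sm`
# (has "states hard limit N"). Returns 1 if either value is missing.
pf_state_usage() {
    cur=$(printf '%s\n' "$1" | awk '$1 == "current" && $2 == "entries" { print $3 }')
    lim=$(printf '%s\n' "$2" | awk '$1 == "states" { print $NF }')
    [ -n "$cur" ] && [ -n "$lim" ] || return 1
    echo "$cur $lim $(( cur * 100 / lim ))"
}

# Effective syncache capacity: hashsize * bucketlimit. Takes the two sysctl
# values as arguments so it can be checked without sysctl(8).
syncache_capacity() {
    echo $(( $1 * $2 ))
}

# Constructed sample output (not captured from the poster's machine).
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 203.0.113.10.80        198.51.100.7.51234     ESTABLISHED
tcp4       0      0 203.0.113.10.80        198.51.100.8.40001     ESTABLISHED
tcp4       0      0 203.0.113.10.80        198.51.100.9.40002     SYN_RCVD
tcp4       0      0 203.0.113.10.443       198.51.100.7.51235     ESTABLISHED
tcp4       0      0 203.0.113.10.22        198.51.100.1.60000     ESTABLISHED
tcp4       0      0 *.80                   *.*                    LISTEN'

SAMPLE_PFSI='Status: Enabled for 3 days 02:11:40           Debug: Urgent

State Table                          Total             Rate
  current entries                      520
  searches                        91234567         351.8/s'

SAMPLE_PFSM='states        hard limit   170000
src-nodes     hard limit    10000
frags         hard limit     5000'

# Live report; skipped where the FreeBSD tools are absent (pfctl needs root).
if command -v pfctl >/dev/null 2>&1 && command -v netstat >/dev/null 2>&1; then
    echo "pf states (current limit percent): $(pf_state_usage "$(pfctl -si 2>/dev/null)" "$(pfctl -sm 2>/dev/null)")"
    echo "ESTABLISHED on :80 : $(netstat -an -p tcp | count_tcp_state ESTABLISHED 80)"
    echo "SYN_RCVD on :80    : $(netstat -an -p tcp | count_tcp_state SYN_RCVD 80)"
    hs=$(sysctl -n net.inet.tcp.syncache.hashsize 2>/dev/null)
    bl=$(sysctl -n net.inet.tcp.syncache.bucketlimit 2>/dev/null)
    [ -n "$hs" ] && [ -n "$bl" ] && echo "syncache capacity  : $(syncache_capacity "$hs" "$bl")"
fi
```

On the sample data the state table sits at 520 of 170000 entries (0%), which matches the post's own conclusion that PF's state limit is not the ceiling; a SYN_RCVD count that keeps pace with ESTABLISHED on port 80, or a syncache capacity close to the observed plateau, would instead point at the kernel's handshake path. The hashsize is a loader tunable, but bucketlimit is a runtime sysctl, so the capacity can be raised without a reboot by changing the latter.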