From: Daniel Hamlin (hamlinrose-hulman.edu)
Date: Mon Feb 07 2005 - 12:52:52 CST

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Is there a way to generate a log when a connection is denied due to a
host exhausting it's max-src-states?

For example, this rule limits my computer to 10 connections:

pass out log quick on $ext_if from <my IP> to any keep state
(max-src-states 10)

During testing, I was limited to 10 connections, as expected. I would
like to be able to log when the subsequent connections are dropped, for
troubleshooting and tuning purposes. I am able to get general src-state
statistics, but nothing specific to indicate that a connection between
two hosts was dropped because the max-src-states had been exhausted.

pfctl -vsS is useful to see how many states are currenlty active per
host, but I hate to run this command periodically in a polling-type
fashion to figure out whether or not my max-src-states is high enough.

I've searched MARC (max-src-states) but didn't find anything applicable.

Thanks for any info/pointers.

Dan Hamlin

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]