Docunext


pf Limits and Explanation of pfSense Advanced Firewall Rule Options

August 18th, 2009

Last night I finally took the time to learn what the "advanced" options are in the pfSense firewall rule form. You know the ones, these guys:

I finally got fed up after one too many misbehaving bots caused one of my Apache servers to spawn way too many instances.

Basically, everything I learned is thanks to https://calomel.org/pf_config.html, with a little from http://www.openbsd.org/faq/pf/config.html.

To make the connection between the calomel explanations and the pfSense descriptions, I ran pfctl -sr and gathered this information:

max-src-states 120, max-src-conn-rate 30/100, max-src-nodes 10000 overload <virusprot> flush global, tcp.established 5, src.track 100

The following is a rough idea of the settings I'm using, with additional notes of mine in bold to remind me why I set the numbers the way I did. Also, on calomel's recommendation, I'm using synproxy state. I should also mention that this is just an HTTP rule!

Advanced Options

Simultaneous client connection limit: 10000 (number of IP addresses which can connect)

Maximum state entries per host: 120 (40 established at a time, roughly 3 states per established connection)

Maximum new connections / per second: 30 / 100 seconds (this is per IP!?!)

State Timeout in seconds: 5 (Varnish default timeout)
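As an added example (my own code, not from the post, pfSense or calomel), here is a small Python parser that takes the pfctl -sr option string gathered above, maps each pf option to the pfSense Advanced Options label it corresponds to, records whether the limit applies per source IP or to the whole rule (the scopes come from pf.conf(5)), and flags two interactions worth checking. The LABELS mapping and the sanity_checks heuristics are my own assumptions.

```python
# Constructed input: the option string the post gathered from "pfctl -sr".
RULE_OPTIONS = ("max-src-states 120, max-src-conn-rate 30/100, max-src-nodes 10000 "
                "overload <virusprot> flush global, tcp.established 5, src.track 100")

# pf option -> (pfSense "Advanced Options" label from the post, what the limit applies to).
# Scopes per pf.conf(5): max-src-nodes counts source addresses across the whole rule;
# max-src-states and max-src-conn-rate are enforced separately for each source address.
LABELS = {
    "max-src-nodes":     ("Simultaneous client connection limit", "whole rule (number of source IPs)"),
    "max-src-states":    ("Maximum state entries per host", "per source IP"),
    "max-src-conn-rate": ("Maximum new connections / per second", "per source IP"),
    "tcp.established":   ("State Timeout in seconds", "per state (established TCP)"),
    "src.track":         ("(not one of the four fields in the post)", "per source IP (tracking entry lifetime)"),
}

def parse_options(text):
    """Parse a comma-separated pf option string into a dict; 'overload' becomes a sub-dict."""
    opts = {}
    for part in text.split(","):
        tok = part.split()
        key, value = tok[0], tok[1]
        opts[key] = int(value) if value.isdigit() else value
        if len(tok) > 2 and tok[2] == "overload":          # "overload <table> [flush [global]]"
            opts["overload"] = {"table": tok[3].strip("<>"),
                                "flush": "flush" in tok[4:],
                                "global": "global" in tok[4:]}
    return opts

def conn_rate(opts):
    """Return (connections, seconds) from max-src-conn-rate, or None when the option is absent."""
    if "max-src-conn-rate" not in opts:
        return None
    n, secs = opts["max-src-conn-rate"].split("/")
    return int(n), int(secs)

def describe(opts):
    """Rows of (pfSense label, value, scope); answers the post's 'this is per IP!?!' question."""
    rows = []
    for key, value in opts.items():
        if key != "overload":
            label, scope = LABELS.get(key, (key, "unknown"))
            rows.append((label, value, scope))
    return rows

def sanity_checks(opts):
    """Heuristic findings (my own) about how the limits interact."""
    findings = []
    rate = conn_rate(opts)
    # src.track is how long pf keeps the per-source counters after the last state expires;
    # a value shorter than the rate window lets a source pause briefly and start from zero.
    if rate and "src.track" in opts and opts["src.track"] < rate[1]:
        findings.append("src.track shorter than the conn-rate window")
    ov = opts.get("overload")
    if ov and not ov["flush"]:   # without flush, states already open from a tabled source survive
        findings.append("overload without flush: states already open from a tabled source survive")
    return findings
```

Running describe() on the post's rule shows which of the four limits are per-IP and which one (max-src-nodes) is global to the rule; sanity_checks() returns no findings for it because src.track equals the 100 second window and the overload uses flush global.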

