#4, 3rd December 2013
jggimi
More noise than signal

Hmmm... It appears that I've misinterpreted the syntax rules, then, as from pf.conf(5) it looks like the only dependency is that flush requires overload.
Code:
     state-opt      = ( "max" number | "no-sync" | timeout | "sloppy" |
                      "pflow" | "source-track" [ ( "rule" | "global" ) ] |
                      "max-src-nodes" number | "max-src-states" number |
                      "max-src-conn" number |
                      "max-src-conn-rate" number "/" number |
                      "overload" "<" string ">" [ "flush" [ "global" ] ] |
                      "if-bound" | "floating" )
I've never had a desire to honeypot, so I've never tried something like setting max-src-nodes to 0 to see if that eliminates state or if it sets no limit. Instead I've used overload or overload with flush where I wished to stop bad behavior.

To the best of my recollection, PF tables are manipulated only via pfctl(8) commands or stateful options.
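As an added example (not from jggimi's post or from the OpenBSD project), the following pf.conf fragment uses the overload ... flush global form from the grammar quoted above to cut off an SSH brute-forcer, and lists the pfctl(8) table commands for manipulating the same table by hand. The table name bruteforce, the egress interface group and the rate thresholds are assumptions chosen for illustration. Per pf.conf(5), flush on its own kills only the states created by the rule that added the address, while flush global kills every state originating from that source regardless of which rule created it.

```pf
# Added example, not jggimi's or OpenBSD's own configuration. Assumed: a table
# named <bruteforce>, the "egress" interface group, illustrative thresholds.

# Persistent table: it survives a ruleset reload and keeps entries added by
# the overload option below or by hand with pfctl.
table <bruteforce> persist

# Drop anything already in the table before the stateful rule is evaluated.
block in quick on egress from <bruteforce>

# Stateful SSH rule. A source that opens more than 5 new connections in 30
# seconds, or holds more than 10 concurrent connections, is added to
# <bruteforce>. "flush global" then kills that source's existing states from
# every rule, not only this one, so a session it already has is cut off too.
pass in on egress proto tcp to port ssh keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, \
     overload <bruteforce> flush global)

# Manual table maintenance from the shell with pfctl(8):
#   pfctl -t bruteforce -T show               # list current entries
#   pfctl -t bruteforce -T add 192.0.2.10     # add an address by hand
#   pfctl -t bruteforce -T delete 192.0.2.10  # remove one address
#   pfctl -t bruteforce -T expire 86400       # drop entries whose "Cleared"
#                                             # timestamp is older than a day
#   pfctl -t bruteforce -T flush              # empty the table
#   pfctl -k 192.0.2.10                       # kill states from a host that
#                                             # was added without "flush"
```

Load the fragment with pfctl -f and verify the rule took the options with pfctl -sr; the overload population is then visible with the -T show command above.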