[Q] How to set adaptive syncookies

[Hackintosys]

Hello friends,

can someone please explain me the lower / higher percentage in the new firewall adaptive snycookies settings?
My state table size on the main opnsense page is usually at lower than 10%.

So if I set the adaptive setting to 90/90 would it mean that snycookies will be only enables if >=90% of the state table is used?


Thanks in advance!

[franco]

Hi,

From pf.conf manual:

Code: [Select]

           never     pf will never send syncookie SYNACKs (the default).
           always    pf will always send syncookie SYNACKs.
           adaptive  pf will enable syncookie mode when a given percentage of
                     the state table is used up by half-open TCP connections,
                     as in, those that saw the initial SYN but didn't finish
                     the three way handshake.  The thresholds for entering and
                     leaving syncookie mode can be specified using

                           set syncookies adaptive (start 25%, end 12%)
The wording is a bit more difficult than it should be, but generally the start percentage is the amount of state table entries where syncookies are enabled and the end percentage is when syncookie mode is disabled again.

I'm unsure about 25% and 12% as given in the example, probably something you want is more along 60% and 30% so you still have room to grow in syncookie mode but do not enable to too early.


Cheers,
Franco

[Hackintosys]

Thank you for your support.