# dumb question about state and pf



## pgmrdlm (Oct 14, 2010)

As I understand state, and I just looked this up again to refresh my understanding, stateful firewall rules keep track of the connection attributes in memory. So, if I have 100 connections and have coded my firewall rules correctly, the attributes for those 100 connections are held in memory.

With that said, if I limit the number of state entries that can be retained, will that limit the number of connections? i.e. max 100 would only allow 100 connections?????

I know, really dumb question.

What I am trying to do is limit the number of inbound connections to a specific number. Don't care what the ip is, I only want to allow a specific number of connections to that service.


----------



## DutchDaemon (Oct 15, 2010)

See pf.conf(5) for stuff like max-src-nodes, max-src-conn, max-src-states, max-src-conn-rate, and the 'overload' table. Do _not_ limit the overall state table.
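
As an added example (not code from either poster in this thread), here is a pf.conf fragment that puts the options named above together. It also uses the per-rule `max` state option from pf.conf(5), which caps the states one rule may create regardless of source address, which is closest to what the original question asks for; the per-source options and the overload table then catch individual hosts that misbehave. The interface name, port and all the numbers are assumptions chosen for illustration.

```pf
# Added example, not from the thread. Interface, port and limits are assumptions.
ext_if   = "em0"
svc_port = "8080"

# Hosts that exceed the per-source limits below are added to this table.
table <abusers> persist

# Refuse anything from hosts that have landed in the overload table.
block in quick on $ext_if from <abusers>

# Inbound TCP to the service, with limits applied in the state options:
#   max 100             at most 100 concurrent states for this rule, all sources
#                       combined; extra connection attempts stop matching the rule
#                       until existing states time out (the overall state table is
#                       left untouched)
#   source-track rule   track per-source counters for this rule only; required for
#                       max-src-nodes
#   max-src-nodes 50    at most 50 distinct source addresses may hold state at once
#   max-src-states 10   at most 10 states per source address
#   max-src-conn 10     at most 10 completed TCP connections per source address
#   max-src-conn-rate   at most 15 new connections per source in any 5 seconds
#   overload <abusers>  a source that breaks a limit goes into the table;
#   flush global        and all of its existing states on any rule are killed
pass in on $ext_if proto tcp to ($ext_if) port $svc_port \
    flags S/SA keep state \
    (max 100, \
     source-track rule, \
     max-src-nodes 50, \
     max-src-states 10, \
     max-src-conn 10, \
     max-src-conn-rate 15/5, \
     overload <abusers> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, watch the table with `pfctl -t abusers -T show`, and inspect what the rule has created with `pfctl -s states`. Note that `max-src-conn` and `max-src-conn-rate` only count TCP connections that completed the handshake, which is why the rule restricts state creation to SYN packets with `flags S/SA`; for UDP or other protocols only `max`, `max-src-nodes` and `max-src-states` apply.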


----------



## pgmrdlm (Oct 15, 2010)

*Thank you*

I did actually look at those rule lines, but did not completely understand them until I looked again after your suggestion.


> max-src-nodes number
> When the source-track option is used, *max-src-nodes will limit the number of source IP addresses that can simultaneously create state*. This option can only be used with source-track rule.



I was close in my understanding, just wasn't completely comfortable with my understanding of what I read. Again, thank you.


----------

