# PF limiting nat table states per ip



## kulawymoe (Jun 11, 2010)

Hello,
After reading pf documentation i know its possible to limit maximum number of states created per source ip in filter rules. Is it possible also for nat? Some of my lan users are flooding pf nat state table (like 20k+ connections) and i want to prohibit that. Thanks in advance for suggestions.


----------



## Carpetsmoker (Jun 11, 2010)

Yes, this is possible, from pf.conf(5):


```
When the source-track keyword is specified, the number of states per
     source IP is tracked.

     source-track rule
	   The maximum number of states created by this rule is limited by the
	   rule's max-src-nodes and max-src-states options.  Only state
	   entries created by this particular rule count toward the rule's
	   limits.
     source-track global
	   The number of states created by all rules that use this option is
	   limited.  Each rule can specify different max-src-nodes and
	   max-src-states options, however state entries created by any par-
	   ticipating rule count towards each individual rule's limits.

     The following limits can be set:

     max-src-nodes <number>
	   Limits the maximum number of source addresses which can simultane-
	   ously have state table entries.
     max-src-states <number>
	   Limits the maximum number of simultaneous state entries that a sin-
	   gle source address can create with this rule.

     For stateful TCP connections, limits on established connections (connec-
     tions which have completed the TCP 3-way handshake) can also be enforced
     per source IP.

     max-src-conn <number>
	   Limits the maximum number of simultaneous TCP connections which
	   have completed the 3-way handshake that a single host can make.
     max-src-conn-rate <number> / <seconds>
	   Limit the rate of new connections over a time interval.  The con-
	   nection rate is an approximation calculated as a moving average.
```

However, perhaps it is better to look at why your client are creating 20k+ states and fix that instead. This does not seem normal traffic and _may_ suggest malicious behavior (i.e. botnet/malware) and/or a misconfiguration.


----------



## kulawymoe (Jun 12, 2010)

Yes i know, and i will try to fix this issue with clients. But before it will be done it would be nice to limit the max number of nat states so such client will not disrupt operation of the whole network. This part of manual You mentioned is about filter rules options, and i asked how to do such limitation considering nat rule:

```
nat on $ext_if from $local_net to any -> ext_if
```
Thanks for help.


----------



## Carpetsmoker (Jun 12, 2010)

It is indeed always a good thing to set some outgoing permissions (instead of the "my network can do no harm"-attitude).

What's wrong with something like:


```
pass in on $int_if proto tcp from $local_net to any port http keep state \
  (max-src-conn 200 max-src-conn-rate 100/1 max-src-states 200)
```

NAT is exactly that: Network Address translation. Which is not filtering.


----------

