Hi,

So, some background... I raised my concerns to phessler@ about the low default configuration values. This was about a year ago when I noticed how quickly I could fill all states and stop the machine from accepting new connections.

He kindly explained that the defaults are set low to accommodate machines with little memory and that an admin needs to adjust the states table if they run a busy server, which makes sense. I'm also aware that henning@ is working on a neat solution for this.

Though, I was a bit surprised to see that neither pf(4) nor pf.conf(5) is mentioned in afterboot(8), when things like lpd(8), smtpd(8) and packages are. The patch below adds a small section, pointing the admin to the pf(4) and pf.conf(5) man pages.

Jesper Wallin

Index: afterboot.8 =================================================================== RCS file: /cvs/src/share/man/man8/afterboot.8,v retrieving revision 1.160 diff -u -p -r1.160 afterboot.8 --- afterboot.8 7 Sep 2017 13:08:39 -0000 1.160 +++ afterboot.8 14 Oct 2017 08:16:35 -0000 @@ -425,6 +425,14 @@ To do this, change the value of .Va xenodm_flags in .Pa /etc/rc.conf.local . +.Ss Firewall +Edit +.Pa /etc/pf.conf +to configure the packet filter. +For more information on what features +.Xr pf 4 +has to offer and how to configure them properly, see +.Xr pf.conf 5 . .Ss Set keyboard type Some architectures permit keyboard type control. Use the
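
Review bot: The new ".Ss Firewall" text never mentions the state table limit, which the message gives as the reason for the change; it only says to edit /etc/pf.conf and points at pf(4) and pf.conf(5). An admin setting up a busy server would still get no hint that the defaults are sized for machines with little memory. Consider adding one sentence after "to configure the packet filter." noting that the default limits are low and that the state limit can be raised with "set limit" as described in pf.conf(5). As a style point, "what features pf(4) has to offer and how to configure them properly" could be shortened to a plain "For more information, see pf(4) and pf.conf(5)."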