I know where the problem is: pf does indeed have default settings, and after reading man pf.conf I found the cause.
#pfctl -a
***************************************
TIMEOUTS:
tcp.first 30s
tcp.opening 5s
tcp.established 18000s
tcp.closing 60s
tcp.finwait 30s
tcp.closed 30s
tcp.tsdiff 10s
udp.first 60s
udp.single 30s
udp.multiple 60s
icmp.first 20s
icmp.error 10s
other.first 60s
other.single 30s
other.multiple 60s
frag 30s
interval 10s
adaptive.start 6000 states
adaptive.end 12000 states
src.track 0s
LIMITS:
states hard limit 10000
src-nodes hard limit 20000
frags hard limit 5000
tables hard limit 10000
table-entries hard limit 100000
OS FINGERPRINTS:
696 fingerprints loaded
***************************************
Here, frags hard limit 5000 sets the maximum number of connections per node (IP) to 5000.
So I added the following settings to pf.conf to tune pf's defaults:
set limit states 200000
set limit frags 200000
set limit src-nodes 20000
set limit tables 100000
set limit table-entries 100000
set optimization aggressive
***************************************
LIMITS:
states hard limit 200000
src-nodes hard limit 20000
frags hard limit 200000
tables hard limit 100000
table-entries hard limit 100000
***************************************
With that there was no problem, and the load test reached 10000 connections without trouble. Other newcomers, or those as clumsy as me, take this as a lesson.
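To see how close a host is to the LIMITS shown above before a load test hits the wall, here is a small POSIX sh check added as an example (not from the original post). It parses the "states hard limit" line in the format pfctl prints for its memory limits and the "current entries" line of its state table summary; the two sample outputs embedded in it are constructed, and the commands that would produce them on a real host are assumed to be `pfctl -s memory` and `pfctl -s info`.

```shell
#!/bin/sh
# Added example: report pf state-table usage against the "states hard limit".
# SAMPLE_MEMORY and SAMPLE_INFO are constructed to mimic `pfctl -s memory`
# and `pfctl -s info`; on a live host feed the real command output instead.

SAMPLE_MEMORY='states        hard limit    10000
src-nodes     hard limit    20000
frags         hard limit     5000
tables        hard limit    10000
table-entries hard limit   100000'

SAMPLE_INFO='State Table                          Total             Rate
  current entries                     9600
  searches                        12345678           120.0/s
  inserts                            98765             1.0/s
  removals                           89165             0.9/s'

# pf_state_limit MEMORY_TEXT -> hard limit for states (4th field of the states line)
pf_state_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" && $2 == "hard" { print $4 }'
}

# pf_state_current INFO_TEXT -> number of states currently in the table
pf_state_current() {
    printf '%s\n' "$1" | awk '$1 == "current" && $2 == "entries" { print $3 }'
}

# pf_state_usage_pct MEMORY_TEXT INFO_TEXT -> integer percent of the limit in use
pf_state_usage_pct() {
    limit=$(pf_state_limit "$1")
    cur=$(pf_state_current "$2")
    [ -n "$limit" ] && [ -n "$cur" ] && [ "$limit" -gt 0 ] || return 1
    printf '%s\n' $(( cur * 100 / limit ))
}

# pf_state_check MEMORY_TEXT INFO_TEXT THRESHOLD_PCT
# exit 0 below the threshold, 1 at/above it (for alerting hooks), 2 if unparsable
pf_state_check() {
    pct=$(pf_state_usage_pct "$1" "$2") || return 2
    if [ "$pct" -ge "$3" ]; then
        printf 'WARNING: pf state table at %s%% of hard limit; raise "set limit states"\n' "$pct"
        return 1
    fi
    printf 'OK: pf state table at %s%% of hard limit\n' "$pct"
}

# Demonstration on the constructed samples: 9600 of 10000 states is 96%, above a 90% threshold.
if ! pf_state_check "$SAMPLE_MEMORY" "$SAMPLE_INFO" 90; then
    echo "(an alerting hook would fire here)"
fi
```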