From: Miroslav Lachman <000.fbsd@quip.cz>
To: The Doctor via freebsd-pf
Subject: PF states limit reached
Date: Fri, 2 Oct 2020 14:59:44 +0200
List-Id: "Technical discussion and general questions about packet filter (pf)"

I have many machines (physical and virtual) with PF running for years. A few
days back I started observing a problem on one machine running in headless
VirtualBox (if it matters):

kernel: [zone: pf states] PF states limit reached

The problem is there are state inserts but states are never removed
("pfctl -s info" shows 0 removals). If I run "pfctl -s state | wc -l" the
count is the same as shown by "pfctl -s info | grep inserts". There are
thousands of states after 30 minutes. "netstat -an" shows only about 90
connections in WAIT, CLOSED or ESTABLISHED state.

Why does PF not remove all states? What can be wrong on this machine in
question?

My current workaround is to restart PF many times a day (or use
"pfctl -F states").

pf.conf is relatively simple, just basic rules to allow incoming traffic for
TCP services, allowing all outgoing traffic, and some "set" options:

set limit { states 200000, frags 5000 }
set limit table-entries 900000
set optimization aggressive
set block-policy drop
set loginterface $ext_if
set skip on $unfiltered
scrub in on $ext_if
scrub out on $ext_if no-df random-id

And the last question - is there any way to use PF as a stateless firewall?
PF automatically adds "keep state" to all rules; how can I change this
behavior to not add "keep state" on all or some rules?

Kind regards
Miroslav Lachman