Date:      Sun, 4 Oct 2020 22:07:09 +0200
From:      Miroslav Lachman <000.fbsd@quip.cz>
To:        l.m.v.breda@xs4all.nl, freebsd-pf <freebsd-pf@freebsd.org>
Subject:   Re: PF states limit reached
Message-ID:  <e79311cd-cfca-8356-1915-8db190a69f24@quip.cz>
In-Reply-To: <000801d6996d$81b5ab20$85210160$@xs4all.nl>
References:  <c7911e9d-eb9f-dde2-dcd4-518d98299954@quip.cz> <VE1PR03MB56297DCDECE8D7514E6907E1A0310@VE1PR03MB5629.eurprd03.prod.outlook.com> <489adbd3-4400-0cf8-31f1-45509af31925@quip.cz> <VE1PR03MB5629E1B9AA2C625F59AD03F2A0310@VE1PR03MB5629.eurprd03.prod.outlook.com> <9c2bc3f6-0420-fe79-ae36-8a62511f71b2@quip.cz> <000801d6996d$81b5ab20$85210160$@xs4all.nl>

On 03/10/2020 12:11, l.m.v.breda@xs4all.nl wrote:
> Miroslav,
> 
> I saw your mails. First thing I thought when I did see your mails is "** What is going on, on that network!! **".
> 
> I can be wrong, but are you really sure that there is no malware of any kind, using your network, causing the problems !!

I can never be 100% sure but as far as I can tell there is no malware on 
this network. We have rented a 19" rack in a DC with /25 IP addresses and 
only this VM in question had this problem. No anomalies seen on the 
network (no unusual traffic, Apache workers and so on).

> I would never change my firewall, to cope with strange things !!
> Just making things less secure!

I don't think PF without state tracking would be less secure. I am not 
an expert in this area but as I see it, the states can be a target for 
DoS and I do not think the state tracking is useful if we already have 
the policy "open for all outgoing traffic". Maybe I am wrong. I was 
thinking about "no state" for a long time regardless of this current issue.

I don't know what was causing this problem but it disappeared after a VM 
reboot. So I think it was some issue on the OS / kernel side. I hope it 
will not happen again, but if it does I will let you know.

Three hours after the reboot everything seems fine:

# pfctl -s states | wc -l
       55

# pfctl -s info
Status: Enabled for 0 days 03:06:21           Debug: Urgent

Interface Stats for em0               IPv4             IPv6
   Bytes In                       180884551                0
   Bytes Out                     1182768426                0
   Packets In
     Passed                          685980                0
     Blocked                           1471                0
   Packets Out
     Passed                         1008493                0
     Blocked                            124                0

State Table                          Total             Rate
   current entries                       63
   searches                         1696122          151.7/s
   inserts                            31427            2.8/s
   removals                           31364            2.8/s
Counters
   match                              33014            3.0/s
   bad-offset                             0            0.0/s
   fragment                               0            0.0/s
   short                                  0            0.0/s
   normalize                              0            0.0/s
   memory                                 0            0.0/s
   bad-timestamp                          0            0.0/s
   congestion                             0            0.0/s
   ip-option                              0            0.0/s
   proto-cksum                            0            0.0/s
   state-mismatch                         8            0.0/s
   state-insert                           0            0.0/s
   state-limit                            0            0.0/s
   src-limit                              0            0.0/s
   synproxy                               0            0.0/s
   map-failed                             0            0.0/s

Kind regards
Miroslav Lachman
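The thread's subject is a state table that hit its limit, and the `pfctl -s info` output above is the place to confirm whether that actually happened: the `state-limit`, `src-limit` and `memory` counters increment every time pf refuses to create a state. The following script is an added example written for this archive page; it is not code from the original message or from the FreeBSD project. It parses the `pfctl -s info` block from the message above (trimmed to the sections it reads) together with a constructed `pfctl -s memory` sample, whose hard limit value of 10000 is an assumption (on a real host it comes from `set limit states` in pf.conf), and reports how full the state table is, whether any state-refusal counter is non-zero, and whether `inserts - removals` still matches the live entry count.

```python
"""Check a pf state table against its hard limit from `pfctl -s info` and
`pfctl -s memory` output. Added example; not from the original mail."""
import re

# `pfctl -s info` output copied from the message above, trimmed to the
# State Table and Counters sections this script reads.
PFCTL_INFO = """\
Status: Enabled for 0 days 03:06:21           Debug: Urgent

State Table                          Total             Rate
  current entries                       63
  searches                         1696122          151.7/s
  inserts                            31427            2.8/s
  removals                           31364            2.8/s
Counters
  match                              33014            3.0/s
  memory                                 0            0.0/s
  state-mismatch                         8            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
"""

# Constructed `pfctl -s memory` sample (assumption: the message does not show
# it; the 10000 comes from a hypothetical `set limit states 10000` in pf.conf).
PFCTL_MEMORY = """\
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000
"""

# "<name>  <total>" optionally followed by "<rate>/s"; names may contain one
# space ("current entries"), so the name group is lazy and two spaces end it.
ROW_RE = re.compile(r"^\s+(\S+(?: \S+)*?)\s{2,}(\d+)(?:\s+([\d.]+)/s)?\s*$")
MEM_RE = re.compile(r"^(\S+)\s+hard limit\s+(\d+)\s*$")


def parse_info(text):
    """Return {'State Table': {name: total}, 'Counters': {name: total}, ...}."""
    sections = {}
    current = None
    for line in text.splitlines():
        if line and not line[0].isspace():
            # Section header: text before the first double space.
            current = line.split("  ")[0].strip()
            sections.setdefault(current, {})
            continue
        m = ROW_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = int(m.group(2))
    return sections


def parse_memory(text):
    """Return {pool_name: hard_limit} from `pfctl -s memory`."""
    return {m.group(1): int(m.group(2))
            for m in (MEM_RE.match(l) for l in text.splitlines()) if m}


def assess(info, limits, warn_pct=80.0):
    """Compare the live state table against its hard limit and return findings."""
    st = info.get("State Table", {})
    counters = info.get("Counters", {})
    current = st.get("current entries", 0)
    limit = limits.get("states")
    pct = round(100.0 * current / limit, 2) if limit else None
    alerts = []
    if pct is not None and pct >= warn_pct:
        alerts.append(f"state table at {pct}% of hard limit {limit}")
    # These counters only move when pf refused to create a state.
    for name in ("state-limit", "src-limit", "memory"):
        if counters.get(name, 0) > 0:
            alerts.append(f"{name} counter is {counters[name]}: states were refused")
    # Since boot (or the last `pfctl -F info`), inserts - removals should equal
    # the live entry count; a mismatch hints at states that never expire.
    consistent = st.get("inserts", 0) - st.get("removals", 0) == current
    return {"current": current, "limit": limit, "pct": pct,
            "consistent": consistent, "alerts": alerts}


if __name__ == "__main__":
    report = assess(parse_info(PFCTL_INFO), parse_memory(PFCTL_MEMORY))
    print(report)
    for alert in report["alerts"]:
        print("ALERT:", alert)
```

On a live firewall, replace the two embedded strings with the output of `pfctl -s info` and `pfctl -s memory` and run it from cron or a monitoring check; for the output in the message it reports 63 of 10000 entries (0.63%), no alerts, and `inserts - removals` equal to the 63 live entries. A non-zero `state-limit` counter is the direct evidence that the limit in the subject line was reached, and watching the percentage over time shows whether the table fills up gradually (states that never time out) or in a burst.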
