Date:      Fri, 2 Oct 2020 14:59:44 +0200
From:      Miroslav Lachman <000.fbsd@quip.cz>
To:        The Doctor via freebsd-pf <freebsd-pf@freebsd.org>
Subject:   PF states limit reached
Message-ID:  <c7911e9d-eb9f-dde2-dcd4-518d98299954@quip.cz>

I have many machines (physical and virtual) with PF running for years. 
A few days back I started observing a problem on one machine running in 
headless VirtualBox (if it matters):

kernel: [zone: pf states] PF states limit reached

The problem is there are state inserts but states are never removed 
(pfctl -s info shows 0 removals).

If I run "pfctl -s state | wc -l" the count is the same as shown by 
"pfctl -s info | grep inserts". There are thousands of states after 30 
minutes.

"netstat -an" shows only about 90 connections in WAIT or CLOSED or 
ESTABLISHED state.

Why does PF not remove all states? What can be wrong on this machine in 
question?

My current workaround is to restart PF many times a day (or use pfctl -F 
states).

pf.conf is relatively simple, just basic rules to allow incoming 
traffic for TCP services, allowing all outgoing traffic and some "set" 
options:

set limit { states 200000, frags 5000 }
set limit table-entries 900000
set optimization aggressive
set block-policy drop
set loginterface $ext_if
set skip on $unfiltered

scrub in  on $ext_if
scrub out on $ext_if no-df random-id


And the last question - is there any way to use PF as a stateless 
firewall? PF automatically adds "keep state" to all rules; how can I 
change this behavior to not add "keep state" on all or some rules?

Kind regards
Miroslav Lachman
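The symptom described above (inserts climbing while "pfctl -s info" reports 0 removals) is easy to turn into a periodic health check, so that a host is noticed before it hits the "PF states limit reached" message rather than after. The script below is an added example, not code from the mail or from the FreeBSD project. It assumes the "State Table" block of "pfctl -s info" output has one counter per line with the total in the second column (the "current entries" counter spans two words), which is how FreeBSD prints it; the sample output embedded in the script is constructed, and the numbers are made up.

```sh
#!/bin/sh
# Added example: parse the "State Table" section of `pfctl -s info` and flag the
# condition from the thread: many inserts but zero removals, meaning PF is
# creating states that never expire. On a live host run:
#     pfctl -s info | pf_state_check [THRESHOLD]
# A non-zero exit status makes it usable from cron or a monitoring agent.

# Constructed sample of `pfctl -s info` output (numbers are made up; the layout
# follows FreeBSD's pfctl, one counter per line, total in the second column).
SAMPLE_INFO='Status: Enabled for 0 days 00:30:00           Debug: Urgent

State Table                          Total             Rate
  current entries                     5123
  searches                          987654          548.7/s
  inserts                             5123            2.8/s
  removals                               0            0.0/s

Counters
  match                               5123            2.8/s'

# pf_state_check [THRESHOLD]: read `pfctl -s info` on stdin. Prints a WARNING
# line and returns 1 when inserts exceed THRESHOLD (default 1000) while removals
# are still 0; otherwise prints an OK line and returns 0. Missing counters are
# treated as 0 so a truncated or unexpected output never causes a false alarm.
pf_state_check() {
    threshold=${1:-1000}
    info=$(cat)
    inserts=$(printf '%s\n' "$info"  | awk '$1 == "inserts"  { print $2; exit }')
    removals=$(printf '%s\n' "$info" | awk '$1 == "removals" { print $2; exit }')
    current=$(printf '%s\n' "$info"  | awk '$1 == "current" && $2 == "entries" { print $3; exit }')
    inserts=${inserts:-0}; removals=${removals:-0}; current=${current:-0}

    if [ "$inserts" -gt "$threshold" ] && [ "$removals" -eq 0 ]; then
        echo "WARNING: $inserts inserts, $removals removals, $current current entries: states are not being expired"
        return 1
    fi
    echo "OK: inserts=$inserts removals=$removals current=$current"
    return 0
}

# Stand-alone run on the constructed sample. The sample reproduces the stuck
# condition, so the check is expected to return 1 here.
printf '%s\n' "$SAMPLE_INFO" | pf_state_check || echo "(non-zero exit status, as expected for this sample)"
```

Comparing the "current entries" figure with "pfctl -s state | wc -l", as the mail does, is a good second signal: if both track "inserts" exactly and "removals" stays at zero, the state table is growing monotonically and will reach the configured "set limit states" value at the observed insert rate.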



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?c7911e9d-eb9f-dde2-dcd4-518d98299954>