Date: Fri, 2 Oct 2020 17:54:13 +0200
From: Miroslav Lachman <000.fbsd@quip.cz>
To: freebsd-pf@freebsd.org
Subject: Re: PF states limit reached
Message-ID: <489adbd3-4400-0cf8-31f1-45509af31925@quip.cz>
In-Reply-To: <VE1PR03MB56297DCDECE8D7514E6907E1A0310@VE1PR03MB5629.eurprd03.prod.outlook.com>
References: <c7911e9d-eb9f-dde2-dcd4-518d98299954@quip.cz> <VE1PR03MB56297DCDECE8D7514E6907E1A0310@VE1PR03MB5629.eurprd03.prod.outlook.com>
On 02/10/2020 16:44, kaycee gb wrote:
> On Fri, 2 Oct 2020 14:59:44 +0200,
> Miroslav Lachman <000.fbsd@quip.cz> wrote:
>
>> I have many machines (physical and virtual) with PF running for years.
>> A few days back I started observing a problem on one machine running in a
>> headless VirtualBox (if it matters)
>>
>> kernel: [zone: pf states] PF states limit reached
>>
>> The problem is there are state inserts but states are never removed
>> (pfctl -s info shows 0 removals)
>>
>> If I run "pfctl -s state | wc -l" the count is the same as shown by
>> "pfctl -s info | grep inserts". There are thousands of states after 30
>> minutes.
>>
>> "netstat -an" shows only about 90 connections in WAIT or CLOSED or
>> ESTABLISHED state.
>>
>> Why does PF not remove all states? What can be wrong on this machine in
>> question?
>>
>> My current workaround is to restart PF many times a day (or use pfctl -F
>> states)
>>
>> pf.conf is relatively simple, just basic rules to allow incoming
>> traffic for TCP services, allowing all outgoing traffic and some "set"
>> options:
>> [...]
>>
>>
>> And the last question - is there any way to use PF as a stateless
>> firewall? PF automatically adds "keep state" to all rules, how can I
>> change this behavior to not add "keep state" on all or some rules?
>>
> If you have a small set of rules, you can add a "no state" or "no-state" to
> the rule, check the man page, I am not sure about the syntax right now.
>
> There may also be an option to change the default behaviour to not add "keep
> state" automatically. Once again, looking in the man page may help.
>
> And that is strange, I agree, maybe some optimisation/option is the culprit.
> But I don't know where to look. What version of FreeBSD are you using? That
> may help others.

I am sorry, it is on FreeBSD 11.4-p4 amd64.

I tried to read the man page, maybe not so carefully, but didn't find how to
turn automatic keep state off. I also tried to search on the net without any
luck.

Thank you

Miroslav Lachman
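The symptom described in this thread (inserts climbing, removals stuck at 0, and `pfctl -s state | wc -l` equal to the inserts counter) can be turned into a scripted check. The following is an added example, not code from the thread or from the PF project: it parses the State Table block of `pfctl -s info` output and compares it with the line count of `pfctl -s state`. The two blocks of sample output below are constructed to mimic the FreeBSD 11 layout (field names are real, the numbers are made up); the function names `pf_counter` and `pf_state_check` are this example's own.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): detect a PF state table
# that only grows. Sample output below is CONSTRUCTED in the shape of
# `pfctl -s info` on FreeBSD 11; only the field names are real.

LEAKING_INFO='Status: Enabled for 0 days 00:30:00           Debug: Urgent

State Table                          Total             Rate
  current entries                     4521
  searches                          123456           68.6/s
  inserts                             4521            2.5/s
  removals                               0            0.0/s
Counters
  match                               4600            2.6/s'

HEALTHY_INFO='Status: Enabled for 0 days 00:30:00           Debug: Urgent

State Table                          Total             Rate
  current entries                       90
  searches                          123456           68.6/s
  inserts                             4521            2.5/s
  removals                            4431            2.5/s
Counters
  match                               4600            2.6/s'

# pf_counter INFO NAME: print the Total column of the State Table row NAME
# (e.g. "inserts", "removals", "current entries").
pf_counter() {
    printf '%s\n' "$1" | awk -v name="$2" '
        index($0, "  " name " ") == 1 {
            sub("^ *" name " *", "")   # drop the row label, keep the numbers
            print $1                   # first number is the Total column
            exit
        }'
}

# pf_state_check INFO LISTED: LISTED is the line count of `pfctl -s state`.
# Prints OK, LEAK (inserts never matched by a removal), MISMATCH (the state
# listing disagrees with the table's own entry count) or UNPARSED.
# Exit status 0/2/1/3 respectively, so it can be used from cron.
pf_state_check() {
    info=$1; listed=$2
    cur=$(pf_counter "$info" "current entries")
    ins=$(pf_counter "$info" inserts)
    rem=$(pf_counter "$info" removals)
    if [ -z "$cur" ] || [ -z "$ins" ] || [ -z "$rem" ]; then
        echo UNPARSED; return 3
    fi
    if [ "$cur" -ne "$listed" ]; then
        echo MISMATCH; return 1
    fi
    # The thread's symptom: zero removals while the table holds every insert.
    if [ "$rem" -eq 0 ] && [ "$ins" -gt 0 ] && [ "$cur" -eq "$ins" ]; then
        echo LEAK; return 2
    fi
    echo OK
}

# Offline demonstration on the constructed samples.
status=0
pf_state_check "$LEAKING_INFO" 4521 || status=$?
echo "leaking sample -> exit $status"
status=0
pf_state_check "$HEALTHY_INFO" 90 || status=$?
echo "healthy sample -> exit $status"

# Live usage on the PF host (root), replacing the constructed samples:
#   pf_state_check "$(pfctl -s info)" "$(pfctl -s state | wc -l | tr -d ' ')"
```

The check is deliberately narrow: it only flags the exact pattern reported above, so a table that is merely busy (high inserts with matching removals) reads OK. On the stateless question, pf.conf(5) has a per-rule `no state` option that disables state tracking for that rule; whether there is a global switch is not settled in this thread.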
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?489adbd3-4400-0cf8-31f1-45509af31925>