From: kaycee gb
To: freebsd-pf@freebsd.org
Subject: Re: PF states limit reached
Date: Fri, 2 Oct 2020 16:44:03 +0200
On Fri, 2 Oct 2020 14:59:44 +0200, Miroslav Lachman <000.fbsd@quip.cz> wrote:

> I have many machines (physical and virtual) with PF running for years.
> A few days back I started observing a problem on one machine running in
> headless VirtualBox (if it matters)
>
> kernel: [zone: pf states] PF states limit reached
>
> The problem is there are state inserts but states are never removed
> (pfctl -s info shows 0 removals)
>
> If I run "pfctl -s state | wc -l" the count is the same as shown by
> "pfctl -s info | grep inserts". There are thousands of states after 30
> minutes.
>
> "netstat -an" shows only about 90 connections in WAIT or CLOSED or
> ESTABLISHED state.
>
> Why does PF not remove all states? What can be wrong on this machine in
> question?
>
> My current workaround is to restart PF many times a day (or use pfctl -F
> states)
>
> pf.conf is relatively simple, just basic rules to allow incoming
> traffic for TCP services, allowing all outgoing traffic and some "set"
> options:
>
> set limit { states 200000, frags 5000 }
> set limit table-entries 900000
> set optimization aggressive
> set block-policy drop
> set loginterface $ext_if
> set skip on $unfiltered
>
> scrub in on $ext_if
> scrub out on $ext_if no-df random-id
>
>
> And the last question - is there any way to use PF as a stateless
> firewall? PF automatically adds "keep state" to all rules, how can I
> change this behavior to not add "keep state" on all or some rules?
>

If you have a small set of rules, you can add a "no state" or "no-state" to the rule, check the man page, I am not sure about the syntax right now.

There may also be an option to change the default behaviour to not add "keep state" automatically. Once again, looking in the man page may help.

And that is strange, I agree, maybe some optimisation/option is the culprit. But I don't know where to look.

What version of FreeBSD are you using? That may help others.

> Kind regards
> Miroslav Lachman
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

K.
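As an added example (not from the thread and not FreeBSD project code), a small POSIX sh check that reads `pfctl -s info` output and reports the pattern Miroslav describes, inserts growing while removals stay at zero, against the `states 200000` limit from his pf.conf; the sample `pfctl -s info` output below is constructed, and the 80% warning threshold is an assumption.

```shell
#!/bin/sh
# Added example: check pf state-table health from `pfctl -s info` output.
# Flags inserts without removals (the symptom in the thread) and a table
# close to "set limit states". Usage:
#   pfctl -s info | pf_state_check <states_limit> [warn_percent]
pf_state_check() {
    limit=$1
    warn_pct=${2:-80}   # assumed default warning threshold, in percent
    [ "${limit:-0}" -gt 0 ] 2>/dev/null || { echo "usage: pf_state_check <states_limit> [warn_percent]" >&2; return 2; }
    current=0; inserts=0; removals=0
    # In the "State Table" section the first field names the counter.
    while read -r f1 f2 f3 _; do
        case "$f1" in
            current)  current=$f3 ;;   # "current entries   N"
            inserts)  inserts=$f2 ;;   # "inserts   N   rate"
            removals) removals=$f2 ;;  # "removals  N   rate"
        esac
    done
    pct=$(( current * 100 / limit ))
    printf 'states=%s/%s (%s%%) inserts=%s removals=%s\n' \
        "$current" "$limit" "$pct" "$inserts" "$removals"
    rc=0
    if [ "$inserts" -gt 0 ] && [ "$removals" -eq 0 ]; then
        echo "WARN: states are inserted but never removed (state leak?)"
        rc=1
    fi
    if [ "$pct" -ge "$warn_pct" ]; then
        echo "WARN: state table at ${pct}% of limit; pf cannot create states at 100%"
        rc=1
    fi
    return $rc
}

# Constructed sample of `pfctl -s info` output showing the reported symptom.
sample_pfctl_info() {
    cat <<'EOF'
Status: Enabled for 0 days 00:30:12           Debug: Urgent
State Table                          Total             Rate
  current entries                   190812
  inserts                           190812          105.2/s
  removals                               0            0.0/s
Counters
  state-limit                           12            0.0/s
EOF
}

sample_pfctl_info | pf_state_check 200000 || echo "check failed with status $?"
```

Run it from cron or a monitoring agent against the live `pfctl -s info` output; a non-zero exit is the alert condition.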