Date: Fri, 2 Oct 2020 16:44:03 +0200
From: kaycee gb <kisscoolandthegangbang@hotmail.fr>
To: freebsd-pf@freebsd.org
Subject: Re: PF states limit reached
Message-ID: <VE1PR03MB56297DCDECE8D7514E6907E1A0310@VE1PR03MB5629.eurprd03.prod.outlook.com>
In-Reply-To: <c7911e9d-eb9f-dde2-dcd4-518d98299954@quip.cz>
References: <c7911e9d-eb9f-dde2-dcd4-518d98299954@quip.cz>
On Fri, 2 Oct 2020 14:59:44 +0200, Miroslav Lachman <000.fbsd@quip.cz> wrote:
> I have many machines (physical and virtual) with PF running for years.
> A few days back I started observing a problem on one machine running in
> headless VirtualBox (if it matters)
>
> kernel: [zone: pf states] PF states limit reached
>
> The problem is there are state inserts but states are never removed
> (pfctl -s info shows 0 removals)
>
> If I run "pfctl -s state | wc -l" the count is the same as shown by
> "pfctl -s info | grep inserts". There are thousands of states after 30
> minutes.
>
> "netstat -an" shows only about 90 connections in WAIT or CLOSED or
> ESTABLISHED state.
>
> Why does PF not remove all states? What can be wrong on this machine in
> question?
>
> My current workaround is to restart PF many times a day (or use pfctl -F
> states)
>
> pf.conf is relatively simple, just basic rules to allow incoming
> traffic for TCP services, allowing all outgoing traffic and some "set"
> options:
>
> set limit { states 200000, frags 5000 }
> set limit table-entries 900000
> set optimization aggressive
> set block-policy drop
> set loginterface $ext_if
> set skip on $unfiltered
>
> scrub in on $ext_if
> scrub out on $ext_if no-df random-id
>
>
> And the last question - is there any way to use PF as a stateless
> firewall? PF automatically adds "keep state" to all rules, how can I
> change this behavior to not add "keep state" on all or some rules?
>

If you have a small set of rules, you can add "no state" or "no-state" to
the rule; check the man page, I am not sure about the syntax right now.
There may also be an option to change the default behaviour to not add
"keep state" automatically. Once again, looking in the man page may help.

And that is strange, I agree, maybe some optimisation/option is the culprit.
But I don't know where to look. What version of FreeBSD are you using?
That may help others.

> Kind regards
> Miroslav Lachman
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

K.
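As an added example, not part of either message in this thread, the following POSIX shell health check parses the `pfctl -s info` counters Miroslav quotes and flags his exact symptom (inserts climbing while removals stay at zero) before the `set limit states` value is exhausted and the kernel logs "PF states limit reached". The function name `pf_state_check`, the 80% warning threshold and the three sample dumps are my own; the samples are constructed in the layout of `pfctl -s info` and were not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from this thread. Health check for the symptom
# Miroslav reports: pf keeps inserting states but never removes them, until
# "set limit states" is reached. It parses `pfctl -s info` text from stdin.
#
# Usage on a live host (limit taken from pf.conf "set limit states"):
#   pfctl -s info | pf_state_check 200000
# Exit status: 0 = OK, 1 = WARN (table above 80% of the limit),
#              2 = CRIT (states inserted but none ever removed).
# Apply it only after some minutes of uptime: right after boot a removals
# counter of 0 is normal.

pf_state_check() {
    limit=${1:-0}
    awk -v limit="$limit" '
        # Track which section of the dump we are in; the Source Tracking
        # Table (shown with -v) repeats the same counter names.
        /^State Table/           { sec = "state" }
        /^Source Tracking Table/ { sec = "src" }
        /^Counters/              { sec = "counters" }

        sec == "state" && /^[ \t]*current entries/ { current  = $3 }
        sec == "state" && /^[ \t]*inserts/         { inserts  = $2 }
        sec == "state" && /^[ \t]*removals/        { removals = $2 }

        END {
            status = "OK"; rc = 0
            # Counters climb but nothing is ever removed: the thread symptom.
            if (inserts > 0 && removals == 0) {
                status = "CRIT"; rc = 2
            } else if (limit > 0 && current * 100 >= limit * 80) {
                # Removals happen, but the table is close to the hard limit
                # that triggers the "PF states limit reached" kernel message.
                status = "WARN"; rc = 1
            }
            printf "%s current=%d inserts=%d removals=%d limit=%d\n",
                   status, current, inserts, removals, limit
            exit rc
        }'
}

# Constructed sample dumps in the format of `pfctl -s info` (not captured
# from a real host). SAMPLE_BAD mirrors the failing VirtualBox machine:
# thousands of inserts after 30 minutes and zero removals.
SAMPLE_BAD='Status: Enabled for 0 days 00:30:12           Debug: Urgent

State Table                          Total             Rate
  current entries                     4812
  searches                          812345          447.6/s
  inserts                             4812            2.7/s
  removals                               0            0.0/s
Counters
  match                               9104            5.0/s
  bad-offset                             0            0.0/s'

# A healthy host: states are removed as connections close.
SAMPLE_OK='State Table                          Total             Rate
  current entries                       90
  searches                          512345          280.1/s
  inserts                             5200            2.8/s
  removals                            5110            2.8/s'

# Removals work, but the table is near the 200000 limit from pf.conf.
SAMPLE_WARN='State Table                          Total             Rate
  current entries                   165000
  searches                        91234567         9876.5/s
  inserts                          1000000          123.4/s
  removals                          835000          123.0/s'

# Run the three samples (a live check would pipe `pfctl -s info` instead).
for sample in "$SAMPLE_BAD" "$SAMPLE_OK" "$SAMPLE_WARN"; do
    printf '%s\n' "$sample" | pf_state_check 200000 || echo "  -> exit status $?"
done
```

The check keys on the ratio between the `inserts` and `removals` counters rather than on the raw state count, because a busy but healthy host can legitimately hold many states; what is abnormal in the report above is that the removals counter never moves. The section tracking matters on hosts where `pfctl -s info -v` is used, since the Source Tracking Table repeats the same counter names and would otherwise overwrite the State Table values.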