On 02/10/2020 16:44, kaycee gb wrote:
> On Fri, 2 Oct 2020 14:59:44 +0200,
> Miroslav Lachman <000.f...@quip.cz> wrote:
> > I have many machines (physical and virtual) with PF running for years.
> > A few days back I started observing a problem on one machine running in
> > headless VirtualBox (if it matters)
> > kernel: [zone: pf states] PF states limit reached
> > The problem is there are state inserts but states are never removed
> > (pfctl -s info shows 0 removals)
> > If I run "pfctl -s state | wc -l" the count is the same as shown by
> > "pfctl -s info | grep inserts". There are thousands of states after 30
> > minutes.
> > "netstat -an" shows only about 90 connections in WAIT or CLOSED or
> > ESTABLISHED state.
> > Why does PF not remove all states? What can be wrong on this machine in
> > question?
> > My current workaround is to restart PF many times a day (or use pfctl -F
> > states)
> > pf.conf is relatively simple, just basic rules to allow incoming
> > traffic for TCP services, allowing all outgoing traffic and some "set"
> > options:
> > [...]
> > And the last question - is there any way to use PF as a stateless
> > firewall? PF automatically adds "keep state" to all rules, how can I
> > change this behavior to not add "keep state" on all or some rules?
> If you have a little set of rules, you can add a "no state" or "no-state" to
> the rule, check in the man page, I am not sure about the syntax right now.
> There may also be an option to change the default behaviour to not add "keep
> state" automatically. Once again, looking in the man page may help.
> And that is strange, I agree, maybe some optimisation/option is the culprit.
> But I don't know where to look. What version of FreeBSD are you using? That
> may help others.
I am sorry, it is on FreeBSD 11.4-p4 amd64.
I tried to read the man page, maybe not so carefully, but didn't find how
to turn automatic keep state off. I also tried to search on the net
without any luck.
Thank you
Miroslav Lachman
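A small check for the symptom in this thread (inserts growing while the removals counter stays at zero), added here as an example and not part of the original mail. It parses the "State Table" section of "pfctl -s info"; the two pfctl outputs below are constructed samples in the format of that command, and the counter names and columns are assumed to match FreeBSD 11 pfctl.

```shell
#!/bin/sh
# Added example: read "pfctl -s info" output on stdin and flag a state table
# that is only ever growing (inserts > 0, removals == 0), as in the thread.
# Live use: pfctl -s info | pf_state_check   (exit 1 = stuck, 0 = ok)
pf_state_check() {
    awk '
        /^State Table/                  { in_st = 1; next }
        in_st && /^[^ \t]/              { in_st = 0 }   # reached next section
        in_st && $1 == "current" && $2 == "entries" { cur = $3 }
        in_st && $1 == "inserts"        { ins = $2 }
        in_st && $1 == "removals"       { rem = $2 }
        END {
            if (ins == "" || rem == "") {
                print "ERROR: no State Table counters found"; exit 2
            }
            if (ins > 0 && rem == 0) {
                printf "STUCK: %d inserts, 0 removals, %d current entries\n", ins, cur
                exit 1
            }
            pct = (ins == 0) ? 0 : 100 * rem / ins   # avoid division by zero
            printf "OK: %d inserts, %d removals (%.1f%% removed), %d current entries\n",
                   ins, rem, pct, cur
        }'
}

# Constructed sample: the symptom from the thread, states never removed.
SAMPLE_STUCK='Status: Enabled for 0 days 00:30:00           Debug: Urgent

State Table                          Total             Rate
  current entries                     4532
  searches                          123456           68.5/s
  inserts                             4532            2.5/s
  removals                               0            0.0/s
Counters
  match                               4532            2.5/s'

# Constructed sample: a healthy table where almost every state is reaped.
SAMPLE_OK='Status: Enabled for 0 days 00:30:00           Debug: Urgent

State Table                          Total             Rate
  current entries                      132
  searches                          123456           68.5/s
  inserts                             4532            2.5/s
  removals                            4400            2.4/s
Counters
  match                               4532            2.5/s'
```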