On 03/10/2020 12:11, l.m.v.br...@xs4all.nl wrote:
> Miroslav,
>
> I saw your mails. First thing I thought when I did see your mails is "** What is
> going on, on that network!! **".
>
> I can be wrong, but are you really sure that there is no malware of any kind,
> using your network, causing the problems !!

I can never be 100% sure, but as far as I can tell there is no malware on this network. We have rented a 19" rack in a DC with a /25 of IP addresses, and only the VM in question had this problem. No anomalies were seen on the network (no unusual traffic, Apache workers and so on).

> I would never change my firewall, to cope with strange things !!
> Just making things less secure!

I don't think PF without state tracking would be less secure. I am not an expert in this area, but as I see it the states can be a target for DoS, and I do not think state tracking is useful if we already have the policy "open for all outgoing traffic". Maybe I am wrong. I was thinking about "no state" for a long time regardless of this current issue.

I don't know what was causing this problem, but it disappeared after a VM reboot. So I think it was some issue on the OS / kernel side. I hope it will not happen again, but if it does I will let you know.

3 hours after reboot everything seems fine:

# pfctl -s states | wc -l
      55

# pfctl -s info
Status: Enabled for 0 days 03:06:21           Debug: Urgent

Interface Stats for em0               IPv4             IPv6
  Bytes In                       180884551                0
  Bytes Out                     1182768426                0
  Packets In
    Passed                          685980                0
    Blocked                           1471                0
  Packets Out
    Passed                         1008493                0
    Blocked                            124                0

State Table                          Total             Rate
  current entries                       63
  searches                         1696122          151.7/s
  inserts                            31427            2.8/s
  removals                           31364            2.8/s
Counters
  match                              33014            3.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         8            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s

Kind regards
Miroslav Lachman
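Added example, not part of the original mail or of pf itself: a small POSIX shell check that reads the state-table and counter section of `pfctl -s info` (the same format quoted above) and flags the conditions that would point at state-table pressure, i.e. the `state-limit`, `memory`, `src-limit` and `state-insert` counters becoming non-zero, or `current entries` approaching the configured state limit. The sample text is constructed from the values in the mail; the default limit of 10000 and the 80% warning threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example (not code from the thread): a monitoring check over the
# "State Table" and "Counters" sections of `pfctl -s info`.

# Constructed sample: the state-table and counter lines quoted in the mail.
# Counter names such as state-limit and src-limit are real pf counters.
SAMPLE_INFO='State Table                          Total             Rate
  current entries                       63
  searches                         1696122          151.7/s
  inserts                            31427            2.8/s
  removals                           31364            2.8/s
Counters
  match                              33014            3.0/s
  memory                                 0            0.0/s
  state-mismatch                         8            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s'

# pf_counter NAME INFO_TEXT
# Prints the "Total" column for the row whose label (which may contain
# spaces, e.g. "current entries") equals NAME. The trailing ".../s" rate
# column is ignored when present.
pf_counter() {
    printf '%s\n' "$2" | awk -v name="$1" '
        {
            n = NF
            if ($n ~ /\/s$/) n--          # drop the rate column
            key = $1
            for (i = 2; i < n; i++) key = key " " $i
            if (key == name) { print $n; exit }
        }'
}

# pf_state_check INFO_TEXT [STATE_LIMIT]
# Prints one WARN line per finding and returns 1 if anything was flagged.
# STATE_LIMIT defaults to 10000 (assumed to match "set limit states").
pf_state_check() {
    info=$1
    limit=${2:-10000}
    rc=0
    cur=$(pf_counter "current entries" "$info")
    cur=${cur:-0}

    # Any of these counters going non-zero means pf refused or lost states:
    # the table or its memory pool was full, or a source-track limit was hit.
    for c in state-limit memory src-limit state-insert; do
        v=$(pf_counter "$c" "$info")
        if [ "${v:-0}" -gt 0 ]; then
            echo "WARN: counter $c=$v (state table or source limit hit)"
            rc=1
        fi
    done

    # Warn before the table is actually full (assumed 80% threshold).
    if [ "$cur" -gt $(( limit * 80 / 100 )) ]; then
        echo "WARN: $cur of $limit states in use"
        rc=1
    fi
    return $rc
}

# Stand-alone run: use the live output when pfctl exists, else the sample.
if command -v pfctl >/dev/null 2>&1; then
    pf_state_check "$(pfctl -s info)"
else
    pf_state_check "$SAMPLE_INFO"
fi
```

On the numbers in the mail the check stays silent (63 states, all limit counters at 0; the 8 `state-mismatch` hits are packets that matched no existing state and are not a capacity signal). If a state-table DoS is the concern, capping the table with `set limit states`, tightening timeouts under load with `adaptive.start` / `adaptive.end`, and bounding per-source states with `max-src-states` keeps the benefit of `keep state` without leaving the table unbounded.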
_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
