PF states limit reached

Miroslav Lachman 000.fbsd at quip.cz
Sun Oct 4 20:07:21 UTC 2020 

On 03/10/2020 12:11, l.m.v.breda at xs4all.nl wrote:
> Miroslav,
> 
> I saw your mails. First thing I thought when I dis see your mails is "** What is going on, on that network!! **".
> 
> I can be wrong, but are you really sure that there is no malware of any kind, using your network, causing the problems !!

I can never be 100% sure but as far as I can tell there is no malware on 
this network. We have rented 19" rack in DC with /25 IP addresses and 
only this VM in question had this problem. No anomalies seen on the 
network (no unusual traffic, Apache workers and so on)

> I would never change my firewall, to cope with strange things !!
> Just making things less secure!

I don't think PF without state tracking would be less secure. I am not 
an expert in this area but as I can see it the states can be target for 
DoS and I do not think the state tracking is useful if we already have 
policy "open for all outgoing traffic". Maybe I am wrong. I was thinking 
about "no state" for a long time regardless of this current issue.

I don't know what was causing this problem but it disappeared after VM 
reboot. So I think it was some issue on OS / kernel side. I hope it will 
not repeat again but if it will I will let you know.

3 hours after reboot everything seems fine:

# pfctl -s states | wc -l
       55

# pfctl -s info
Status: Enabled for 0 days 03:06:21           Debug: Urgent

Interface Stats for em0               IPv4             IPv6
   Bytes In                       180884551                0
   Bytes Out                     1182768426                0
   Packets In
     Passed                          685980                0
     Blocked                           1471                0
   Packets Out
     Passed                         1008493                0
     Blocked                            124                0

State Table                          Total             Rate
   current entries                       63
   searches                         1696122          151.7/s
   inserts                            31427            2.8/s
   removals                           31364            2.8/s
Counters
   match                              33014            3.0/s
   bad-offset                             0            0.0/s
   fragment                               0            0.0/s
   short                                  0            0.0/s
   normalize                              0            0.0/s
   memory                                 0            0.0/s
   bad-timestamp                          0            0.0/s
   congestion                             0            0.0/s
   ip-option                              0            0.0/s
   proto-cksum                            0            0.0/s
   state-mismatch                         8            0.0/s
   state-insert                           0            0.0/s
   state-limit                            0            0.0/s
   src-limit                              0            0.0/s
   synproxy                               0            0.0/s
   map-failed                             0            0.0/s

Kind regards
Miroslav Lachman

More information about the freebsd-pf mailing list