10.3 pfsync large difference between number of states on two firewalls

Patrick Lamaiziere patfbsd at davenulle.org
Fri Oct 21 13:57:48 UTC 2016


I have a pair of firewalls with carp, pf and pfsync and I see a large
difference between the number of states (pfctl -si, current entries) on
the firewalls.

pf1 is the master with 807598 states,
pf2 is the backup with 1696258 states

There is only a small amount of traffic from / to the firewalls that can
explain this difference.

I'm looking at the states (but it's not easy on real traffic) and I've
found some states not present on pf1, but still present on pf2.

One state was in tcp state ESTABLISHED:ESTABLISHED with an expire age
around 23:55:00 (the default tcp timeout), and I can confirm that the
tcp session had ended (with netflow traces) and started 5 minutes

So it looks like sometimes pf2 misses (or pf1 does not send) some state

I say "sometimes" because, with the rate of state inserts here, I think
that if this were always the case, the state table on pf2 would have
already exploded.

I would like to know if someone is seeing this kind of difference. Even
an "it works for me" will be helpful.

Thanks, regards.
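As an added example (not from the post, and not pf/pfsync code), here is a small script that diffs two `pfctl -vvss` captures, one from the master and one from the backup, and lists the states the backup still holds that the master no longer has, ordered by remaining lifetime so entries sitting near the full tcp.established timeout show up first. The sample captures are constructed, and the layout assumed is the usual one (state line at column 0, indented detail lines containing `age ..., expires in ...`); on real firewalls you would feed it the saved output of `pfctl -vvss` from each host.

```python
import re

# Constructed sample captures in the shape of `pfctl -vvss` output: a state
# line at column 0, then indented detail lines with "age ..., expires in ...".
MASTER_STATES = """\
all tcp 10.0.0.5:50000 -> 203.0.113.10:443       ESTABLISHED:ESTABLISHED
   age 00:01:02, expires in 23:58:58, 10:12 pkts, 1000:2000 bytes, rule 5
all udp 10.0.0.7:53425 -> 198.51.100.53:53       MULTIPLE:SINGLE
   age 00:00:03, expires in 00:00:57, 1:1 pkts, 60:120 bytes, rule 7
"""

# The backup holds everything the master has plus one extra tcp state
# (constructed) that already looks like the orphan described in the post.
BACKUP_STATES = MASTER_STATES + """\
all tcp 10.0.0.9:41000 -> 203.0.113.20:22       ESTABLISHED:ESTABLISHED
   age 00:07:30, expires in 23:55:10, 300:280 pkts, 40000:50000 bytes, rule 5
"""

EXPIRE_RE = re.compile(r"expires in (\d+):(\d+):(\d+)")


def parse_states(text):
    """Map (proto, endpoints, state-pair) -> seconds until expiry (or None)."""
    states, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # State line: iface proto <endpoints...> STATE:STATE. Joining the
            # middle tokens keeps NAT forms like "a:p (b:q) -> c:r" intact.
            tokens = line.split()
            current = (tokens[1], " ".join(tokens[2:-1]), tokens[-1])
            states[current] = None
            continue
        m = EXPIRE_RE.search(line)
        if m and current is not None:
            h, mi, s = map(int, m.groups())
            states[current] = h * 3600 + mi * 60 + s
    return states


def stale_on_backup(master_text, backup_text):
    """States present on the backup but missing on the master, longest
    remaining lifetime first (a full tcp timeout hints at a missed delete)."""
    master = parse_states(master_text)
    backup = parse_states(backup_text)
    extra = [(key, exp) for key, exp in backup.items() if key not in master]
    return sorted(extra, key=lambda kv: -(kv[1] or 0))


if __name__ == "__main__":
    for (proto, ends, state), exp in stale_on_backup(MASTER_STATES, BACKUP_STATES):
        print(f"{proto} {ends} {state} expires in {exp}s")
```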
