PF states limit reached
Miroslav Lachman
000.fbsd at quip.cz
Fri Oct 2 15:54:19 UTC 2020
On 02/10/2020 16:44, kaycee gb wrote:
> On Fri, 2 Oct 2020 14:59:44 +0200,
> Miroslav Lachman <000.fbsd at quip.cz> wrote:
>
>> I have many machines (physical and virtual) with PF running for years.
>> A few days back I started observing a problem on one machine running in
>> headless VirtualBox (if it matters)
>>
>> kernel: [zone: pf states] PF states limit reached
>>
>> The problem is there are state inserts but states are never removed
>> (pfctl -s info shows 0 removals)
>>
>> If I run "pfctl -s state | wc -l" the count is the same as shown by
>> "pfctl -s info | grep inserts". There are thousands of states after 30
>> minutes.
>>
>> "netstat -an" shows only about 90 connections in WAIT or CLOSED or
>> ESTABLISHED state.
>>
>> Why does PF not remove all states? What can be wrong on this machine in
>> question?
>>
>> My current workaround is to restart PF many times a day (or use pfctl -F
>> states)
>>
>> pf.conf is relatively simple, just basic rules to allow incoming
>> traffic for TCP services, allowing all outgoing traffic and some "set"
>> options:
>>
[...]
>>
>>
>> And the last question - is there any way to use PF as a stateless
>> firewall? PF automatically adds "keep state" to all rules; how can I
>> change this behavior to not add "keep state" on all or some rules?
>>
> If you have a small set of rules, you can add a "no state" or "no-state" to
> the rule; check in the man page, I am not sure about the syntax right now.
>
> There may be also an option to change the default behaviour to not add "keep
> state" automatically. Once again looking in man page may help.
>
> And that is strange, I agree, maybe some optimisation/option is the culprit.
> But I don't know where to look. What version of FreeBSD are you using? That
> may help others.
I am sorry, it is on FreeBSD 11.4-p4 amd64.
I tried to read the man page, maybe not so carefully, but didn't find how
to turn automatic keep state off. I also tried to search on the net
without any luck.
Thank you
Miroslav Lachman
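The symptom described in this thread (inserts climbing while removals stay at 0) can be watched for automatically instead of by eye. The script below is an added example, not code from the thread or from FreeBSD; it parses the "State Table" section of `pfctl -s info` output (the two samples embedded here are constructed, not taken from the original machine) and flags a table that only grows. The threshold values `MIN_INSERTS` and `MIN_RATIO` are arbitrary choices.

```shell
#!/bin/sh
# Added example: detect a pf state table that only grows (many inserts, almost
# no removals). Assumes the "pfctl -s info" layout shown in the constructed
# samples below; the thresholds are arbitrary defaults.

# Constructed sample resembling the thread's broken machine (not real output).
SAMPLE_STUCK='Status: Enabled for 0 days 00:30:12           Debug: Urgent

State Table                          Total             Rate
  current entries                     8421
  searches                          123456           68.0/s
  inserts                             8421            4.6/s
  removals                               0            0.0/s
'

# Constructed sample of a healthy host: removals keep pace with inserts.
SAMPLE_HEALTHY='Status: Enabled for 3 days 04:10:55           Debug: Urgent

State Table                          Total             Rate
  current entries                       87
  searches                        98765432          360.1/s
  inserts                           512340            1.9/s
  removals                          512253            1.9/s
'

# pf_state_stats: read "pfctl -s info" text on stdin and print
# "<current entries> <inserts> <removals>" as three integers.
pf_state_stats() {
    awk '
        $1 == "current" && $2 == "entries" { cur = $3 }
        $1 == "inserts"                    { ins = $2 }
        $1 == "removals"                   { rem = $2 }
        END { printf "%d %d %d\n", cur, ins, rem }
    '
}

# pf_states_leaking: succeed (exit 0) when more than MIN_INSERTS states were
# inserted but fewer than MIN_RATIO percent of them were ever removed.
pf_states_leaking() {
    set -- $(pf_state_stats)
    ins=$2; rem=$3
    [ "$ins" -gt "${MIN_INSERTS:-1000}" ] || return 1
    pct=$(( rem * 100 / ins ))   # integer percent of inserts removed
    [ "$pct" -lt "${MIN_RATIO:-10}" ]
}

# Live use from cron, e.g. every 10 minutes:
#   pfctl -s info | pf_states_leaking && logger -p daemon.warning "pf states not expiring"
```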