Join Log in
Score:0
avatar Server

PF firewall how to increase `max states per rule`

us flag
Luman75

My firewall is hitting a problem related to max states per rule.

#  pfctl -vvsi
Status: Enabled for 0 days 13:05:38           Debug: Urgent

Hostid:   0x6556c6a9
Checksum: 0xe80368af9b3c0a876218cd2af59fbed5

State Table                          Total             Rate
  current entries                     7614
  searches                       323053106         6853.3/s
  inserts                          6650716          141.1/s
  removals                         6643102          140.9/s
Source Tracking Table
  current entries                        0
  searches                               0            0.0/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                           31988315          678.6/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                             12            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                      4702            0.1/s
  state-insert                       45381            1.0/s
  state-limit                        13837            0.3/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
Limit Counters
  max states per rule                13837            0.3/s
  max-src-states                         0            0.0/s
  max-src-nodes                          0            0.0/s
  max-src-conn                           0            0.0/s
  max-src-conn-rate                      0            0.0/s
  overload table insertion               0            0.0/s
  overload flush states                  0            0.0/s

As we can see above we are hitting state-limits due to max states per rule

My maxes are quite large:

# pfctl -sm
states        hard limit   550000
src-nodes     hard limit    50000
frags         hard limit     5000
tables        hard limit     5000
table-entries hard limit   400000

But how I can increase the max states per rule?

383
1 + 0
pf
Score:1
poige avatar Server
ke flag
poige

Have you tried this?

PF.CONF(5)                       File Formats Manual                       PF.CONF(5)

…
STATEFUL TRACKING OPTIONS
     A number of options related to stateful tracking can be applied on a per-rule
     basis.  keep state, modulate state and synproxy state support these options, and
     keep state must be specified explicitly to apply options to a rule.

     max ⟨number⟩
           Limits the number of concurrent states the rule may create.  When this
           limit is reached, further packets that would create state will not match
           this rule until existing states time out.
…
+ 2
us flag
Luman75
That's a good point. I forgot about maxes per rule settings. Wandering if there are known defaults pf applies when max is not specified in the rule?
0
Reply
poige avatar
ke flag
poige
Guess gotta check the sources…
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.