PF OpenBSD states

openbsdpf

We have an OpenBSD server used as firewall using the famous pf. The firewall is connected to the Internet form one side and to a local network form the other.
we are experiencing a connection outage due to the fact that the pf is attaining its maximum number of states (which is 20000), this happens for less than hour then thinks goes back to normal.
Is there anyway of determining the hosts that are opening these states.
Does increasing the number of states in pf.conf helps?

Thanks a lot

Best Answer

There are a number of things you can do here.

To see which hosts are responsible for the large number of state table entries you can do pfctl -vs state.

To add more state table entries you can do what you suggested (set limit states to a bigger number), but if there is an underlying issue you probably don't want to do that.

You can also consider adjusting the state timeout values (set timeout), possibly using adaptive timeouts, in order to get rid of old/stale states more quickly.

See the manpage for pf.conf and the manpage for pfctl for more information

Related Solutions

Help me upgrade the pf.conf for OpenBSD 4.7

Seems nobody could or was willing to help me... :(

But I managed to get it working myself. Here's the working pf.conf (works with OpenBSD 4.8)

#       $OpenBSD: pf.conf,v 1.38 2009/02/23 01:18:36 deraadt Exp $
#
# See pf.conf(5) for syntax and examples; this sample ruleset uses
# require-order to permit mixing of NAT/RDR and filter rules.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if="pppoe0"
int_if="nfe0"
int_net="192.168.0.0/24"

polemon="192.168.0.10"
poletopw="192.168.0.12"
segatop="192.168.0.20"

table <leechers> persist

set loginterface $ext_if
set skip on lo

match on $ext_if all scrub (no-df max-mss 1440)

altq on $ext_if priq bandwidth 950Kb queue {q_pri, q_hi, q_std, q_low}
queue q_pri priority 15
queue q_hi priority 10
queue q_std priority 7 priq(default)
queue q_low priority 0

block

match out on $ext_if from !($ext_if) nat-to ($ext_if)
pass in on $int_if proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in on $ext_if proto tcp to port 2080 rdr-to $segatop port 80
pass in on $ext_if proto tcp to port 2022 rdr-to $segatop port 22
pass in on $ext_if proto tcp to port 4000 rdr-to $polemon port 4000
pass in on $ext_if proto tcp to port 6600 rdr-to $polemon port 6600

anchor "ftp-proxy/*"

pass on $int_if queue(q_hi, q_pri)

pass out on $ext_if queue(q_std, q_pri)
pass out on $ext_if proto icmp queue q_pri
pass out on $ext_if proto {tcp, udp} to any port ssh queue(q_hi, q_pri)
pass out on $ext_if proto {tcp, udp} to any port http queue(q_std, q_pri)
#pass out on $ext_if proto {tcp, udp} all queue(q_low, q_hi)

pass out on $ext_if proto {tcp, udp} from <leechers> queue(q_low, q_std)

pass in on $ext_if proto tcp to ($ext_if) port ident queue(q_hi, q_pri)
pass in on $ext_if proto tcp to ($ext_if) port ssh queue(q_hi, q_pri)
pass in on $ext_if proto tcp to ($ext_if) port http queue(q_hi, q_pri)
pass in on $ext_if inet proto icmp all icmp-type echoreq queue q_pri

I had it working for over six months now. Since no one was posting an answer and this is basically working now, I decided to post my own solution. Given that this thread has over 1k views, this might help someone...

Firewall – Provide IPv6 to network from OpenBSD firewall

First, you should configure the LAN NIC to an address from the routed(!) /64; the ::1 is an ideal candidate. Then, fire up radvd on the LAN interface---it should not need any configuration.

PF doesn't play any role in it, or rather, make sure that it doesn't get in the way.

Best Answer

Related Solutions

Help me upgrade the pf.conf for OpenBSD 4.7

Firewall – Provide IPv6 to network from OpenBSD firewall

Related Topic