Old 2nd November 2011
J65nko
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,506

How many computers are in the network? If the network is big and busy you may hit the maximum number of states that pf can track.
$ sudo pfctl -s info

Status: Enabled for 0 days 00:14:43              Debug: err

Interface Stats for egress            IPv4             IPv6
  Bytes In                         1289347                0
  Bytes Out                         372112               64
  Packets In
    Passed                            1661                0
    Blocked                              0                0
  Packets Out
    Passed                            1596                1
    Blocked                              0                0

State Table                          Total             Rate
  current entries                        3               
  searches                            3258            3.7/s
  inserts                              157            0.2/s
  removals                             154            0.2/s
  match                                157            0.2/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
Here, on my desktop machine I only have 3 states. The maximum states pf can track is:
$ sudo pfctl -s memory

states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000
pf still has room for another 10000-3=9997 states. However, in a large and busy network you may have to increase the states hard limit. See the pf.conf man page.
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
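The check described in the post (compare the "current entries" figure from `pfctl -s info` against the "states hard limit" from `pfctl -s memory`), as an added example that is not part of the original post. It is a POSIX sh script that parses both outputs and reports how full the state table is, and it also reads the `state-limit` counter, which counts packets pf has already dropped because the table was full. The sample outputs are constructed from the figures shown in the post so the script runs without root or a pf kernel; the 80% warning threshold and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post: report pf state-table usage.
# Parses `pfctl -s info` ("current entries" and "state-limit" lines) and
# `pfctl -s memory` ("states hard limit" line).
# On a live box use:   INFO=$(pfctl -s info); MEM=$(pfctl -s memory)
# and raise the limit in pf.conf with e.g.   set limit states 50000
# (illustrative value), then reload with    pfctl -f /etc/pf.conf

# Constructed sample of `pfctl -s info`, trimmed to the lines that matter.
SAMPLE_INFO='State Table                          Total             Rate
  current entries                        3
  searches                            3258            3.7/s
  state-limit                            0            0.0/s'

# Constructed sample of `pfctl -s memory`.
SAMPLE_MEMORY='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000'

# pf_current_states INFO_TEXT -> number of states pf is tracking right now
pf_current_states() {
    printf '%s\n' "$1" | awk '/^ *current entries/ { print $3; exit }'
}

# pf_state_limit MEMORY_TEXT -> configured hard limit for states
pf_state_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" && $2 == "hard" { print $4; exit }'
}

# pf_state_limit_hits INFO_TEXT -> packets dropped because the table was full
pf_state_limit_hits() {
    printf '%s\n' "$1" | awk '$1 == "state-limit" { print $2; exit }'
}

# pf_state_usage INFO_TEXT MEMORY_TEXT -> "current limit percent"
pf_state_usage() {
    cur=$(pf_current_states "$1")
    lim=$(pf_state_limit "$2")
    [ -n "$cur" ] && [ -n "$lim" ] && [ "$lim" -gt 0 ] || return 1
    pct=$(( cur * 100 / lim ))
    printf '%s %s %s\n' "$cur" "$lim" "$pct"
}

# pf_state_status INFO_TEXT MEMORY_TEXT [THRESHOLD] -> "ok" or "warn"
# Warns when usage reaches THRESHOLD percent (assumed default 80) or when
# pf has already dropped packets on the state limit.
pf_state_status() {
    thr=${3:-80}
    hits=$(pf_state_limit_hits "$1")
    usage=$(pf_state_usage "$1" "$2") || return 1
    set -- $usage
    if [ "$3" -ge "$thr" ] || [ "${hits:-0}" -gt 0 ]; then
        echo warn
    else
        echo ok
    fi
}

# Demo on the constructed samples (prints "3 10000 0" and "ok").
pf_state_usage "$SAMPLE_INFO" "$SAMPLE_MEMORY"
pf_state_status "$SAMPLE_INFO" "$SAMPLE_MEMORY"
```

A nonzero `state-limit` counter is the more useful signal on a busy gateway: the state count only shows the moment you look, while the counter shows whether the limit has ever been hit since pf was enabled.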