On 2016-10-22, Federico Giannici <giann...@neomedia.it> wrote:
> We have a firewall with OpenBSD 6.0 amd64 that handles about 1.5 Gbps of
> traffic.
>
> I noticed that for a few weeks the number of states has increased from
> around 250.000 to almost 2 million (no change in PF config)!
>
> At the same time the firewall started losing a few packets (around
> 1-2%, with peaks of 4%). Maybe this is due to too many states to handle?
>
> How can we find what's happening and creating all these states?
> How can we analyse almost 2 million states to find the culprit?
>
> Here is the current output of "pfctl -s info":
I think I would start by monitoring "tcpdump -nipfsync0 -s9000" (maybe writing to a file and reading on another machine). My first guess would be some udp ddos-related traffic (dns, snmp, sip, ntp) or possibly synflood. Depending on what it is, reducing state timeouts on that traffic might be reasonable.
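As an added example (not from either poster), a small sh/awk script that aggregates "pfctl -s states" output by protocol and destination port and by source address, which is one way to see what is creating the states before deciding which timeouts to reduce. It assumes the plain "if proto src [(nat)] -> dst state" line layout of pfctl and runs here on a constructed sample rather than live output.

```shell
#!/bin/sh
# Constructed sample of "pfctl -s states" output (not from the thread).
# One line has the NAT "(addr:port)" insertion to show it is handled.
SAMPLE_STATES='all udp 10.0.0.5:51234 -> 203.0.113.53:53       MULTIPLE:SINGLE
all udp 10.0.0.6:40001 -> 203.0.113.53:53       MULTIPLE:SINGLE
all udp 10.0.0.7:40002 -> 203.0.113.53:53       MULTIPLE:SINGLE
all udp 10.0.0.5:5060 -> 198.51.100.20:5060     SINGLE:NO_TRAFFIC
all tcp 10.0.0.8:33000 -> 198.51.100.80:443     ESTABLISHED:ESTABLISHED
all tcp 10.0.0.8:33001 (203.0.113.9:60001) -> 198.51.100.80:443     SYN_SENT:CLOSED
all udp 10.0.0.9:123 -> 203.0.113.123:123       MULTIPLE:SINGLE'

# Count states per "proto/dstport", most common first.  The destination
# is the field after "->", so NAT lines with an extra "(addr:port)" field
# are handled; the port is whatever follows the last colon (works for
# "[v6addr]:port" too).
top_dst_ports() {
    awk 'NF >= 5 { for (i = 3; i < NF; i++) if ($i == "->") {
                       n = split($(i + 1), d, ":"); cnt[$2 "/" d[n]]++; break } }
         END { for (k in cnt) print cnt[k], k }' | sort -rn
}

# Count states per source address (port stripped), most common first.
# A handful of sources holding most of the table points at a flood or a
# misbehaving host rather than organic growth.
top_sources() {
    awk 'NF >= 5 { s = $3; sub(/:[^:]*$/, "", s); cnt[s]++ }
         END { for (k in cnt) print cnt[k], k }' | sort -rn
}

# On the firewall itself:  pfctl -s states | top_dst_ports | head
printf '%s\n' "$SAMPLE_STATES" | top_dst_ports | head -n 5
printf '%s\n' "$SAMPLE_STATES" | top_sources | head -n 5
```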