State Type "none" not working as expected in 2.0RC1

  • Hello,

    I'm running 64bit 2.0 RC1 on a dual core machine with 4gig of RAM. Nightly we run a series of backups over secure FTP. Our setup has the command connection come in through 990 (implicit SSL) using PASV. The FTP server has the ability to use 1,000 TCP ports for PASV (PORT is completely disabled). I have the 1,000 TCP data ports forwarded to the FTP server and from a connections standpoint everything works correctly. We push several gigs per night using this method.

    SO, on to the question/issue. When backing up over FTP, each file uploaded requires a new data port (PASV), so uploading 100 files from a machine would cycle through 100 data ports. On my pfSense box, the states continue to grow to the point where, once it's time to recycle back to the beginning of the 1,000-port segment, there are stagnant states in the firewall state table. So I thought I'd try changing the pfSense firewall rules for the FTP Implicit (990) and the data port range, changing the "State Type" from Keep State to "None".

    After testing, it appears that pfSense is still keeping track in the state table, as can be seen in Diagnostics->States. I see a bunch of the same "fin_wait" states closing the old connections.

    Am I going about this wrong, or is the setting for State Type "None" not working correctly? I really don't want to change the overall "Firewall Optimization Options", as this will impact the entire firewall.

    Thoughts, suggestions? Thanks!

  • Apparently no ideas here?

  • You can't use no state like that, or at all in this circumstance.

    As long as your source uses random source ports (which is generally always the case; you may need to fix something in your specific case) and a new one every time it opens a new connection, you won't have any issues with opening new connections to the same port.
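An added example (not from anyone in this thread) that illustrates the reply above: pf keys each state on protocol plus the full source/destination address and port 4-tuple, so a lingering FIN_WAIT state on a PASV data port does not match a fresh connection to that same port from a new random source port. The sample state lines are constructed in the shape of `pfctl -ss` output; the exact column layout of real output is an assumption and the regex may need adjusting.

```python
import re

# Constructed sample lines shaped like `pfctl -ss` output (assumption:
# real output spacing/format may differ; adjust STATE_RE if it does).
SAMPLE_STATES = """\
all tcp 10.0.0.5:49152 -> 203.0.113.7:990 ESTABLISHED:ESTABLISHED
all tcp 10.0.0.5:49153 -> 203.0.113.7:50001 FIN_WAIT_2:FIN_WAIT_2
all tcp 10.0.0.5:49154 -> 203.0.113.7:50002 FIN_WAIT_2:FIN_WAIT_2
all tcp 10.0.0.5:49155 -> 203.0.113.7:50003 ESTABLISHED:ESTABLISHED
"""

STATE_RE = re.compile(
    r"^\S+\s+(?P<proto>tcp|udp)\s+(?P<a>[\d.]+):(?P<ap>\d+)\s+"
    r"(?:\([^)]*\)\s+)?(?P<dir><-|->)\s+(?P<b>[\d.]+):(?P<bp>\d+)\s+(?P<status>\S+)$"
)


def parse_states(text):
    """Return a list of (proto, src, sport, dst, dport, status) tuples.

    '->' lines list the source endpoint first; '<-' lines list the
    destination first, so the endpoints are swapped for those."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue  # header line or an unexpected layout; skip it
        a, ap, b, bp = m["a"], int(m["ap"]), m["b"], int(m["bp"])
        src, sport, dst, dport = (a, ap, b, bp) if m["dir"] == "->" else (b, bp, a, ap)
        states.append((m["proto"], src, sport, dst, dport, m["status"]))
    return states


def lingering_data_ports(states, low, high):
    """PASV data ports in [low, high] that still hold a closing-phase state
    (FIN_WAIT, TIME_WAIT, CLOSING); these expire on their own timers."""
    return {s[4] for s in states if low <= s[4] <= high and ("WAIT" in s[5] or "CLOS" in s[5])}


def would_collide(states, proto, src, sport, dst, dport):
    """True only if an existing state matches the new connection on every
    field of the 4-tuple; a different source port never collides."""
    return any(s[:5] == (proto, src, sport, dst, dport) for s in states)
```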