Netgate Discussion Forum

    State Type "none" not working as expected in 2.0RC1

    jrmitchell83:

      Hello,

      I'm running 64-bit 2.0 RC1 on a dual-core machine with 4 GB of RAM. Nightly we run a series of backups over secure FTP. Our setup has the command connection come in through 990 (implicit SSL) using PASV. The FTP server has the ability to use 1,000 TCP ports for PASV (PORT is completely disabled). I have the 1,000 TCP data ports forwarded to the FTP server, and from a connections standpoint everything works correctly. We push several gigs per night using this method.

      So, on to the question/issue. When backing up over FTP, each file uploaded requires a new data port (PASV), so uploading 100 files from a machine would cycle through 100 data ports. On my pfSense box, the states continue to grow to the point where, once it's time to recycle back to the beginning of the 1,000-port segment, there are stagnant states in the firewall state table. So I thought I'd try changing the pfSense firewall rules for the FTP implicit port (990) and the data port range, changing the "State Type" from "Keep State" to "None".

      After testing, it appears that pfSense is still keeping track in the state table, as can be seen in Diagnostics->States. I see a bunch of the same "fin_wait" entries waiting to close the old connections.

      Am I going about this wrong, or is the setting for State Type "None" not working correctly? I really don't want to change the overall "Firewall Optimization Options" as this will impact the entire firewall.

      Thoughts, suggestions? Thanks!

      jrmitchell83:

        Apparently no ideas here?

        cmb:

          You can't use no state like that, or at all in this circumstance.

          As long as your source uses random source ports (which is generally always the case, you may need to fix something in your specific case) and a new one every time it opens a new connection, you won't have any issues with opening new connections to the same port.

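As an added illustration of cmb's point (this script is not from the thread or from pfSense itself): a lingering FIN_WAIT state only prevents reuse of the exact same source address, source port and destination port, so with random client source ports the stale entries in Diagnostics->States are harmless noise rather than a blocking problem. The script parses constructed `pfctl -ss`-style lines (the format is approximated from memory and the addresses, ports and the assumed PASV range 50000-50999 are all made up) and reports, per forwarded data port, how many states exist, how many are in a closing state, and whether any 5-tuple actually collides.

```python
import re
from collections import Counter

# Constructed sample in the style of `pfctl -ss` on pfSense (not real output from the thread).
# Inbound port-forwarded connections; the "(...)" part is the pre-NAT internal address.
SAMPLE_STATES = """\
all tcp 203.0.113.5:990 (10.0.0.5:990) <- 198.51.100.7:49152       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.5:50001 (10.0.0.5:50001) <- 198.51.100.7:49153       FIN_WAIT_2:FIN_WAIT_2
all tcp 203.0.113.5:50002 (10.0.0.5:50002) <- 198.51.100.7:49154       FIN_WAIT_2:FIN_WAIT_2
all tcp 203.0.113.5:50002 (10.0.0.5:50002) <- 198.51.100.7:49201       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.5:50003 (10.0.0.5:50003) <- 198.51.100.7:49155       CLOSED:CLOSED
"""

# Matches only inbound ("<-") TCP/UDP state lines; outbound "->" lines are skipped.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
    r"(?:\s+\([^)]*\))?\s+<-\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+"
    r"(?P<state>\S+)$"
)

# State names that mean the connection is winding down and the entry will expire on its own.
STALE_PREFIXES = ("FIN_WAIT", "CLOSING", "TIME_WAIT", "CLOSED")


def analyse_states(text, lo, hi):
    """Summarise inbound TCP states whose destination port lies in [lo, hi] (the PASV range)."""
    per_port = Counter()
    tuples = Counter()
    stale = 0
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m or m["proto"] != "tcp":
            continue
        dport = int(m["dport"])
        if not lo <= dport <= hi:
            continue
        per_port[dport] += 1
        # Only an identical (src ip, src port, dst port) would clash with a lingering state.
        tuples[(m["src"], int(m["sport"]), dport)] += 1
        if m["state"].split(":")[0].startswith(STALE_PREFIXES):
            stale += 1
    collisions = sorted(k for k, v in tuples.items() if v > 1)
    return {"per_port": dict(per_port), "stale": stale, "collisions": collisions}


if __name__ == "__main__":
    print(analyse_states(SAMPLE_STATES, 50000, 50999))
```

Port 50002 carries both a closing and a new established state, which is exactly the "reuse the same data port with a fresh source port" case cmb describes; a non-empty `collisions` list would be the only situation worth investigating.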
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.