I run an NTP on a pfsense server and while it works well, the state table fills up with unneeded cruft. I know that on Linux one can use iptables to bypass the conntrack and not fill up the Linux equivalent table.
Any idea what the FreeBSD equivalent of that is? I’m not even certain what to search for.
Thanks for all the help!
I have only experience using opnsense (a fork of pfsense and also built on FreeBSD).
I can set “State Type” for each firewall rule to “None”, thereby disabling connection tracking.
This is done through GUI, dont know the CLI command.
Maybe more information is available on the FreeBSD website: pf.conf(5)
Thanks. That seems like it should be the right setting, but when I apply the change and restart the firewall there’s no subsequent decrease in the size of the state table.
I’m serving up several thousand NTP requests per second, which leaves my state tables with around 200,000 - 300,000 entries. It’s not hurting anything that I can see, but I’d rather the CPU didn’t spend energy doing something so fruitless.
The pfsense box is serving NTP clients, and not merely routing NTP traffic?
Not to imply I have any idea what I’m talking about so pardon the wild speculation, but if that’s the case, then perhaps it actually needs to keep track of UPD connections when it itself is the final destination of it?