Solved state-mismatch issue?

I've been running the PF firewall for 10 days now, and noticed a fair number of state mismatches.

Is this normal? This server runs my website and postfix/dovecot.

Code:
Status: Enabled for 9 days 23:14:44           Debug: Urgent

Interface Stats for em0               IPv4             IPv6
  Bytes In                     31977957140      14402015528
  Bytes Out                   102840028384       8534599695
  Packets In
    Passed                        85540987          7032814
    Blocked                        2283643            61200
  Packets Out
    Passed                       117563529          9873904
    Blocked                          12292                2

State Table                          Total             Rate
  current entries                      359
  searches                       222366118          258.2/s
  inserts                          7720388            9.0/s
  removals                         7720030            9.0/s
Counters
  match                           10067718           11.7/s
  bad-offset                             0            0.0/s
  fragment                               1            0.0/s
  short                                 23            0.0/s
  normalize                           2231            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                     21080            0.0/s
  state-insert                           1            0.0/s
  state-limit                            0            0.0/s
  src-limit                              2            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s


Here is my config:

Am I making any mistakes and/or do you have any optimization tips?

Code:
EXT_IF="em0"

# Placeholder macro definitions (not in the original post, which omitted them):
# pfctl refuses to load a ruleset that references undefined macros. The
# addresses below are documentation-range placeholders; substitute your own.
SERVER="203.0.113.10"
WHITELIST="{ 198.51.100.7 }"
SSH_WHITELIST="{ 198.51.100.7, 198.51.100.8 }"
SSH="22"

set loginterface $EXT_IF
set ruleset-optimization none
set block-policy drop
set state-policy if-bound
set fingerprints "/dev/null"
set skip on lo0
set optimization aggressive
set timeout { tcp.established 600 }
set limit frags 10000


# ipv4 = echoreq, echorep, unreach, timex, paramprob
# ipv6 = echoreq, echorep, unreach, toobig, timex, paramprob, neighbrsol, neighbradv
ipv4_icmp_types = "{ 8, 0, 3, 11, 12 }"
ipv6_icmp_types = "{ 128, 129, 1, 2, 3, 4, 135, 136 }"

tcp_state = "flags S/SA keep state"
udp_state = "keep state"

table <blacklist> persist
table <fail2ban> persist
table <postfix> persist

table <googleips> persist file "/home/me/pf-mail-whitelist.txt"


# Allow all outgoing traffic
pass out quick all $tcp_state


# allow our IP address + proxy IP access to the server
# this needs to be here, as the antispoof blocks our proxy IP address
pass in quick on $EXT_IF inet proto tcp from $SSH_WHITELIST to $SERVER port $SSH $tcp_state


antispoof quick for $EXT_IF
block in quick on $EXT_IF from no-route to any
block in quick on $EXT_IF from urpf-failed to any
block in quick on $EXT_IF from any to 255.255.255.255
block in quick on $EXT_IF from <blacklist> to any
block in quick on $EXT_IF from <postfix> to any
block in quick on $EXT_IF proto { tcp, udp } from <fail2ban> to any port 25



# deny all incoming traffic
block in all



# allow select ICMP for IPv4 and IPv6
pass in quick on $EXT_IF inet proto icmp icmp-type $ipv4_icmp_types
pass in quick on $EXT_IF inet6 proto ipv6-icmp icmp6-type $ipv6_icmp_types


### WEBSERVER RULES ###

pass in quick on $EXT_IF proto tcp from any to any port { 80, 443 } $tcp_state
pass in quick on $EXT_IF proto udp from any to any port 443 $udp_state


### MAIL RULES ###

# allow my ip address and Google to send mail
pass in quick on $EXT_IF inet proto tcp from { $WHITELIST, <googleips> } to $SERVER port 587 $tcp_state

# allow my ip address to access pop3 (dovecot)
pass in quick on $EXT_IF inet proto tcp from $WHITELIST to $SERVER port 995 $tcp_state

# allow my ip to connect to port 25 (testing purposes) + don't rate limit google ips
pass in quick on $EXT_IF inet proto tcp from { $WHITELIST, <googleips> } to $SERVER port 25 $tcp_state


### RATE LIMIT RULES ###

# allow access to Postfix, but rate limit abusers (excluding us)
pass in quick on $EXT_IF inet proto tcp from !$WHITELIST to $SERVER port 25 \
        $tcp_state \
        (max-src-conn-rate 4/12, overload <postfix> flush global)
 
Nothing to worry about. It's normal when some web site clients try to send data (late data) after the connection is closed or the state timeout has expired.
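As an added example (not code from the thread), a small sh helper that pulls the Total column out of `pfctl -s info` output and expresses state-mismatch as a count per thousand state removals, which is easier to watch over time than the cumulative total (the Rate column shows 0.0/s only because it is averaged over the whole uptime). The embedded sample is constructed from the counters quoted above; the per-mille limit of 10 is an assumed baseline, not a documented PF value.

```shell
#!/bin/sh
# Added example, not from the original post. Parses `pfctl -s info` output.
# SAMPLE is constructed from the counters quoted in the thread.
SAMPLE='State Table                          Total             Rate
  current entries                      359
  searches                       222366118          258.2/s
  inserts                          7720388            9.0/s
  removals                         7720030            9.0/s
Counters
  match                           10067718           11.7/s
  state-mismatch                     21080            0.0/s
  state-insert                           1            0.0/s'

# pf_counter NAME OUTPUT: print the Total column of the named counter line.
pf_counter() {
    printf '%s\n' "$2" | awk -v name="$1" '$1 == name { print $2; exit }'
}

# mismatch_permille OUTPUT: state-mismatch packets per 1000 state removals
# (integer). Prints "n/a" and fails if either counter is missing or zero.
mismatch_permille() {
    mm=$(pf_counter state-mismatch "$1")
    removed=$(pf_counter removals "$1")
    if [ -z "$mm" ] || [ -z "$removed" ] || [ "$removed" -eq 0 ]; then
        echo "n/a"; return 1
    fi
    echo $(( mm * 1000 / removed ))
}

# mismatch_check OUTPUT LIMIT: succeed when the ratio is at or below LIMIT
# per mille. LIMIT is a site-chosen threshold (assumed baseline: 10).
mismatch_check() {
    ratio=$(mismatch_permille "$1") || return 2
    [ "$ratio" -le "$2" ]
}

# Against live counters on the firewall: mismatch_check "$(pfctl -s info)" 10
mismatch_check "$SAMPLE" 10 && echo "state-mismatch ok: $(mismatch_permille "$SAMPLE") per 1000 removals"
```

For the thread's numbers this yields 2 per thousand, i.e. roughly one mismatched packet for every 370 states torn down.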