Suppose, hypothetically, that you have some DNS servers that are exposed to the Internet behind an OpenBSD PF-based firewall. Since you’re a sensible person, you have various rate limits set in your DNS servers to prevent or at least mitigate various forms of denial of service attacks. One day, your DNS servers become extremely popular for whatever reason, your rate limits kick in, and your firewall abruptly stops allowing new connections in or out. What on earth happened?
It’s a quirk of PF in OpenBSD, and this post provides more details and possible mitigations.
The “scrub” in pf seems to be omnipresent in rulesets I’ve seen; why do they not scrub by default and then make the rule writer add ‘do-not-scrub-I-really-do-not-want-to-scrub’ if/when scrub is not desired for some reason.
Some applications don’t like nicely sanitized packets.
You managed to be Captain Obvious and simultaneously miss the question (I note I missed the question mark at the end).
This has long been a problem with stateful routers, including linux.
It is often the cause for routers that appear to be hung and needing to be rebooted. I think I remember having Netgear routers with two-hour UDP timeouts; once they ran out of memory, no new connections would go through. This was easily triggered with a very active P2P session. Hundreds of connections from strangers every minute could add up faster than the router clears them.
My routers have a lot more RAM these days, so I don’t see it anymore, but beyond reducing the number of connections, shortening timeouts and provisioning more RAM, there isn’t really a good answer. And shortening timeouts will break long idle sessions unless you tune your software/TCP stack to send keep-alive packets more aggressively. For example, if idle ssh sessions are disconnecting, that’s likely a timeout issue somewhere in the network. Meanwhile both endpoints still hold their session open and can only discover the problem when they try to use it again.
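The three knobs the thread keeps returning to (a hard state limit, per-protocol timeouts, and per-rule/per-source caps) all live in pf.conf. The excerpt below is an added example written for this discussion, not configuration from the linked post or from any of the commenters; the interface name, addresses and every numeric value are illustrative assumptions to be tuned against the output of `pfctl -s info` on the box in question.

```conf
# Added example pf.conf excerpt (hypothetical; not from the linked post).
# Interface, addresses and all numbers below are illustrative assumptions.

ext_if      = "em0"
dns_servers = "{ 192.0.2.10, 192.0.2.11 }"

# Hard cap on the state table. When this pool is full, pf refuses to
# create new states and new connections in either direction fail,
# which is exactly the "firewall stopped accepting anything" symptom.
set limit states 100000

# Adaptive timeouts: once more than adaptive.start entries exist, pf
# scales every timeout down linearly, reaching zero at adaptive.end.
# Idle states then expire faster under pressure instead of starving
# new ones, without shortening timeouts during normal operation.
set timeout { adaptive.start 60000, adaptive.end 120000 }

# Short UDP timeouts for DNS traffic: a query whose reply never leaves
# the server (for example because the server's own rate limiter dropped
# it) should not hold a state entry for long.
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }

# Shorter idle TCP timeout than the default. As the thread notes, this
# will cut long-idle sessions unless endpoints send keepalives more
# aggressively, so pick a value that matches your keepalive interval.
set timeout { tcp.established 3600 }

# Inbound DNS: cap how many states this one rule may own, and cap states
# per source address, so a burst from the Internet cannot consume the
# whole table and lock out unrelated traffic.
pass in on $ext_if inet proto { udp, tcp } to $dns_servers port domain \
    keep state (max 50000, source-track rule, max-src-states 200)

# Check table pressure with:
#   pfctl -s info          (State Table -> current entries / searches)
#   pfctl -s memory        (the limits currently in force)
#   pfctl -s states | wc -l
```

The point of the per-rule `max` is isolation: when the DNS rule hits its own ceiling, only new DNS states are refused, while management sessions and outbound traffic through other rules keep getting states. Watch `current entries` against `set limit states` for a while before choosing `adaptive.start`, since setting it below the normal working set will needlessly shorten every timeout all day long.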