pf buggy on 6.1-STABLE?

Daniel Hartmeier daniel at benzedrine.cx
Thu Jun 8 00:20:26 PDT 2006


On Wed, Jun 07, 2006 at 04:25:37PM -0700, Mark Morley wrote:

> Disabling pf with pfctl -d allows 100% of all connections to work, and
> as soon as we enable it we see connection failures again.
> 
> I've tried changing the pf rule set in different ways, with and without
> scrubbing, with and without queues, even to the point where I have a single
> rule that just allows everything.  It doesn't seem to matter what the rules
> actually are, just whether or not pf is enabled.

Was that single pass rule using 'keep state'? There is a default limit
of 10,000 state entries (configurable with 'set limit states' in
pf.conf). A state entry persists for several seconds even after a
connection is closed, so quickly establishing 10,000 connections could
easily hit that limit.

Enable pf and load an empty ruleset (pfctl -e -Fa). Note the output of
pfctl -si. Then repeat the test. Then run pfctl -si again, and compare
the output with the previous one. Are any counters increasing?

Daniel
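The before/after comparison Daniel asks for, as an added shell example that is not part of the original post. The two snapshots are constructed to resemble pfctl -si output on a 6.x box (abbreviated to the State Table and Counters sections; the numbers are made up) so that the script runs without pf present. The function names counter_delta and current_entries are this example's own.

```shell
#!/bin/sh
# Added example (not from the original thread): diff two 'pfctl -si'
# snapshots and list the counters that grew. The snapshot text is
# constructed for illustration; real output comes from 'pfctl -si'.

# Extract "name total" pairs from the Counters section of one snapshot.
counters_of() {
    awk '
        /^Counters/            { in_counters = 1; next }
        in_counters && /^[^ ]/ { in_counters = 0 }
        in_counters && NF >= 2 { print $1, $2 }
    ' "$1"
}

# Print "name before after" for every counter whose Total increased
# from snapshot $1 to snapshot $2. Counters that stayed flat are omitted.
counter_delta() {
    before=$(mktemp) || return 1
    after=$(mktemp) || return 1
    counters_of "$1" > "$before"
    counters_of "$2" > "$after"
    awk 'NR == FNR { old[$1] = $2; next }
         ($1 in old) && ($2 > old[$1]) { print $1, old[$1], $2 }' \
        "$before" "$after"
    rm -f "$before" "$after"
}

# Print the "current entries" figure of the state table, to compare
# against the configured limit (10,000 by default, per the post).
current_entries() {
    awk '/^  current entries/ { print $3 }' "$1"
}

# Constructed snapshot taken right after 'pfctl -e -Fa', before the test.
PF_BEFORE=$(mktemp)
cat > "$PF_BEFORE" <<'EOF'
Status: Enabled for 0 days 00:01:02           Debug: Urgent

State Table                          Total             Rate
  current entries                       12
  searches                            2048            0.0/s
  inserts                              300            0.0/s
  removals                             288            0.0/s
Counters
  match                                300            0.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
EOF

# Constructed snapshot after the connection burst: the state table is
# pinned at the default limit and the 'memory' counter has been climbing.
PF_AFTER=$(mktemp)
cat > "$PF_AFTER" <<'EOF'
Status: Enabled for 0 days 00:03:40           Debug: Urgent

State Table                          Total             Rate
  current entries                    10000
  searches                          120000            0.0/s
  inserts                            11523            0.0/s
  removals                            1523            0.0/s
Counters
  match                              13046            0.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                              1523            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
EOF

echo "state entries now: $(current_entries "$PF_AFTER")"
echo "counters that increased (name before after):"
counter_delta "$PF_BEFORE" "$PF_AFTER"
```

On a live system you would replace the two heredocs with `pfctl -si > before.txt`, run the connection test, then `pfctl -si > after.txt`, and call `counter_delta before.txt after.txt`. A rising `memory` counter alongside `current entries` sitting at the limit is the signature of the state-table exhaustion described above; `set limit states 20000` in pf.conf (a valid pf.conf directive; the value is an assumption for illustration) raises the ceiling, and `pfctl -s info` / `pfctl -sm` show the limits in effect.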


More information about the freebsd-pf mailing list