BAD state/State failure with large number of requests

Greg Hennessy Greg.Hennessy at
Fri Sep 29 00:32:23 PDT 2006


> The part that confused me was that the connections failed 
> immediately -- it turns out that PF sends a RST upon state 
> mismatch during the intial handshake, as opposed to dropping 
> the packets and letting the connection time out.

As a matter of policy, I would never black hole internally sourced traffic
traversing packet filtering infrastructure under my control. 

There are few things worse from a management/debugging perspective than to
have packets disappear into the wild blue yonder with no indication of why. 


More information about the freebsd-pf mailing list