occasional "Operation not permitted" on state-mismatch

Kian Mohageri kian.mohageri at gmail.com
Tue Dec 18 12:09:58 PST 2007


On Dec 17, 2007 11:34 PM, Silver Salonen <silver.salonen at gmail.com> wrote:
> Hello!
>
> I have some FreeBSD-boxes (2x6.3-PRERELEASE (installed on 08.Dec),
> 1x6.2-RELEASE) with PF configured. They are connected with OpenVPN LAN-to-LAN
> and the problem is that a few times per hour the connection drops between
> computers from one LAN to another. At first I blamed OpenVPN, then I blamed
> the bridge, but now I've realized that the problem is in PF.
> So I've tried increasing TCP-timeouts and setting optimization
> to "aggressive", but well, it's still the same.
>
> I monitor connections by sending TCP packets once per second to some other
> host and waiting for a reply. I use Nagios-plugins' check_tcp for that. The script
> looks like:
> =====
> while [ 1 ]; do
>         pfctl -si |grep mismatch
>         /usr/local/libexec/nagios/check_tcp -H $host -p $port -t 2
>         pfctl -si |grep mismatch
>         sleep 1
> done
> =====
>

My guess is that you're re-using a source port and are mismatching an
existing state on the source or destination host (or something in
between) because the state hasn't expired before the new connection
attempt takes place.

Can't be sure though...

-Kian
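A simplified model of the source-port reuse Kian describes, written here as an added example (it is not PF's own code and not from either poster): a small state table keyed on the TCP 4-tuple keeps closed states around for a configurable timeout, and a new SYN that hits such a lingering state is counted as a mismatch and dropped. The addresses, ports, timeouts and the StateTable/run_probe names are constructed for illustration.

```python
# Simplified model (added example, not PF's actual code) of how reusing a
# source port can hit a not-yet-expired PF state and be counted under the
# 'state-mismatch' counter.  All parameters are constructed for illustration.
from collections import namedtuple

Key = namedtuple("Key", "proto src sport dst dport")

class StateTable:
    """Tracks per-connection state with a PF-like lingering 'closed' timeout."""
    def __init__(self, closed_timeout):
        self.closed_timeout = closed_timeout  # seconds a closed state lingers
        self.states = {}                      # Key -> (status, expires_at)
        self.mismatches = 0                   # like pfctl -si 'state-mismatch'

    def expire(self, now):
        # Drop states whose timer has run out, as PF's purge would.
        expired = [k for k, (_, exp) in self.states.items()
                   if exp is not None and exp <= now]
        for key in expired:
            del self.states[key]

    def syn(self, key, now):
        """A new SYN arrives; returns True if passed, False if dropped."""
        self.expire(now)
        if key in self.states:
            # Lingering state for the same 4-tuple: the new SYN does not fit
            # the old state's window -> counted as a mismatch and dropped.
            self.mismatches += 1
            return False
        self.states[key] = ("established", None)
        return True

    def close(self, key, now):
        # Both sides finished; the state lingers for closed_timeout seconds.
        self.states[key] = ("closed", now + self.closed_timeout)

def run_probe(port_range, interval, closed_timeout, probes):
    """Probe a host every `interval` seconds, cycling through `port_range`
    as source ports; return how many probes were dropped as mismatches."""
    table = StateTable(closed_timeout)
    drops = 0
    for i in range(probes):
        now = i * interval
        key = Key("tcp", "10.0.0.2", port_range[i % len(port_range)],
                  "10.0.1.10", 80)
        if table.syn(key, now):
            table.close(key, now)   # check_tcp connects and disconnects at once
        else:
            drops += 1
    return drops
```

In this model the drops disappear once the closed timeout is shorter than the time the prober takes to cycle back to the same source port, which is why lengthening the TCP timeouts widens the window instead of closing it.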

