occasional "Operation not permitted" on state-mismatch

Martin Horcicka martin at horcicka.eu
Wed Dec 19 01:55:47 PST 2007


On Dec 18, 2007 8:44 PM, Kian Mohageri <kian.mohageri at gmail.com> wrote:
> My guess is that you're re-using a source port and are mismatching an
> existing state on the source or destination host (or something in
> between) because the state hasn't expired before the new connection
> attempt takes place.

My guess is the same, and this problem can usually be worked around by
setting net.inet.ip.portrange.randomized to 0 on the machine where the
connection is originated. It does not fix the bug in FreeBSD's TCP
stack but it helps unless there is a very high outgoing connection
rate.

Martin
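
The trade-off described in the message above, as an added example that is not part of the original post: a small simulation counting how often a new outgoing connection picks a source port whose old state has not yet expired, with randomized versus sequential port allocation. The port range, the 90-second state lifetime, the single fixed destination and the function name are assumptions made for the illustration.

```python
import random

# Assumed ephemeral port range for the illustration.
PORT_FIRST, PORT_LAST = 49152, 65535


def count_state_collisions(rate, linger, duration, randomized, seed=0):
    """Count new connections that reuse a source port whose previous
    state (on the peer or a firewall in between) is still lingering.

    rate     -- outgoing connections per second to one destination
    linger   -- seconds an old state survives after the port was used (assumed)
    duration -- simulated seconds
    Connections are assumed short-lived, so the local port is free at once.
    """
    rng = random.Random(seed)
    nports = PORT_LAST - PORT_FIRST + 1
    last_used = {}   # source port -> time it was last used
    next_seq = 0     # cursor for sequential allocation
    collisions = 0
    for i in range(int(rate * duration)):
        now = i / rate
        if randomized:
            port = PORT_FIRST + rng.randrange(nports)
        else:
            port = PORT_FIRST + next_seq
            next_seq = (next_seq + 1) % nports
        prev = last_used.get(port)
        if prev is not None and now - prev < linger:
            collisions += 1   # would hit the stale state
        last_used[port] = now
    return collisions


if __name__ == "__main__":
    for rate, duration in ((20, 600), (500, 60)):
        for randomized in (True, False):
            n = count_state_collisions(rate, 90, duration, randomized)
            mode = "randomized" if randomized else "sequential"
            print(f"{rate:>4}/s for {duration}s, {mode}: {n} collisions")
```

At a moderate rate, sequential allocation never wraps around inside the state lifetime, while random picks collide regularly; once the rate is high enough to cycle through the whole range before old states expire, sequential allocation collides as well.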

