Torrent clients bring pf-based firewall to its knees...?
Emil Mikulic
emikulic at gmail.com
Sun Jul 26 03:22:42 UTC 2009
On Fri, Jul 24, 2009 at 04:56:11PM -0400, Mike Edenfield wrote:
> However, after a short period of torrent activity, the machine running
> the firewall becomes extremely slow and lagged for all network traffic,
> but appears to be operating fine locally. Remote connections via ssh
> become extremely unresponsive, and eventually connections start timing
> out, but when logged in at the console, there doesn't appear to be any
> problem.
This sounds exactly like a problem I had with a server running out of
space in the state table.
> I've tried shutting down the torrent client, clearing out the state and
> nat rules with pfctl, adding drop rules to reject the torrent traffic,
> and even bringing the network adapter down completely, but only a
> physical reboot (combined with not running the client ever again) seems
> to solve anything.
States and rules are separate in pf. Did you clear out the *states* or
just the rules? Check how many states are currently allocated
using "pfctl -s info" (or install pftop, it's awesome).
If you are indeed running out of states, add to pf.conf something like:
set limit states 60000
The default is 10000.
--Emil
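A small check for the state-table pressure described above, added here as an example and not part of the original thread. The pfctl output it parses is constructed sample text: the field names match what "pfctl -s info" and "pfctl -s memory" print, but the numbers are made up.

```shell
#!/bin/sh
# Constructed sample of "pfctl -s info" output (numbers are invented).
SAMPLE_INFO='Status: Enabled for 3 days 04:12:55           Debug: Urgent

State Table                          Total             Rate
  current entries                     9873
  searches                       123456789        452.1/s
  inserts                          4567890         16.7/s
  removals                         4558017         16.7/s'

# Constructed sample of "pfctl -s memory" output, showing the default limit.
SAMPLE_MEMORY='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000'

# Number of states currently allocated ("current entries" line).
current_states() {
    printf '%s\n' "$1" | awk '/current entries/ { print $3; exit }'
}

# Configured hard limit for states ("set limit states N" in pf.conf).
state_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" && /hard limit/ { print $NF; exit }'
}

# Integer percentage of the state table in use; fails if either value is missing.
state_usage_pct() {
    cur=$(current_states "$1")
    lim=$(state_limit "$2")
    [ -n "$cur" ] && [ -n "$lim" ] && [ "$lim" -gt 0 ] || return 1
    echo $(( cur * 100 / lim ))
}

# Returns 1 when usage is at or above the threshold (default 90%), 0 otherwise.
check_state_pressure() {
    pct=$(state_usage_pct "$1" "$2") || return 2
    if [ "$pct" -ge "${3:-90}" ]; then
        echo "WARN: pf state table at ${pct}% of limit; raise 'set limit states'"
        return 1
    fi
    echo "OK: pf state table at ${pct}% of limit"
}

# Live use would be: check_state_pressure "$(pfctl -s info)" "$(pfctl -s memory)" 90
check_state_pressure "$SAMPLE_INFO" "$SAMPLE_MEMORY" 90 || true
```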