nat / rdr timeouts?

Stephane Raimbault segr at hotmail.com
Sat Mar 5 19:00:01 GMT 2005


I have a box running FreeBSD 5.3-RELEASE-p5 and I'm running it as a nat and 
redirecting port 80 traffic to a couple of internal servers.

I was running some benchmarks with the apache ab tool and discovered a 
couple of problems popping up.

I could run the ab benchmark with the following options no problem:

ab -c 5 -n 50 http://<ext ip of nat box>/host.html

However, as soon as I put the concurrency to 1...

ab -c 1 -n 50 http://<ext ip of nat box>/host.html

It would inconsistently start blocking and timing out with this error:

apr_poll: The timeout specified has expired (70007)
Total of 46 requests completed

When I notice that ab gets hung up... running pfctl -F state on the 
nat box seems to fix the problem and ab completes its test.

This leads me to guess that something in pf is causing this block to occur 
based on the states? Possibly to prevent a DoS? Does anyone know what is 
causing this and if it's a tunable value?

Here are the pf rules I have for this test.

------------------------

ext_if="em1"
int_net="10.0.11.0/27"
web_servers = "{ 10.0.11.16,10.0.11.17 }"

nat on $ext_if from $int_net to any -> ($ext_if)

rdr on $ext_if proto tcp from any to any port 80 -> $web_servers round-robin

------------------------

The problem is also there when I only have one server in web_servers instead of 2.

Any thoughts/ideas are welcome.

Thank you,
Stephane.
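Added example, not code from the poster or from pf itself: a small Python helper that parses `pfctl -s state` output (the sample below is constructed, not captured from this box) and counts how many port-80 states from one client sit past ESTABLISHED. Those entries stay in the state table until the matching `set timeout tcp.*` value in pf.conf expires (the current values are printed by `pfctl -s timeouts`), so comparing this count before and after an ab hang is one way to check whether lingering states are involved.

```python
import re
from collections import Counter

# Constructed sample of `pfctl -s state` output on a NAT box like the one
# described above (not captured from the poster's machine). Inbound ('<-')
# rdr states list the internal server first and the original client last.
SAMPLE_STATES = """\
self tcp 10.0.11.16:80 <- 192.0.2.10:80 <- 198.51.100.7:1040       ESTABLISHED:ESTABLISHED
self tcp 10.0.11.17:80 <- 192.0.2.10:80 <- 198.51.100.7:1041       FIN_WAIT_2:FIN_WAIT_2
self tcp 10.0.11.16:80 <- 192.0.2.10:80 <- 198.51.100.7:1042       FIN_WAIT_2:FIN_WAIT_2
self tcp 10.0.11.17:80 <- 192.0.2.10:80 <- 198.51.100.7:1043       TIME_WAIT:TIME_WAIT
self tcp 10.0.11.16:80 <- 192.0.2.10:80 <- 198.51.100.7:1044       CLOSED:CLOSED
self tcp 10.0.11.16:80 <- 192.0.2.10:80 <- 203.0.113.4:3000        ESTABLISHED:ESTABLISHED
self udp 10.0.11.1:53 <- 198.51.100.7:2000       MULTIPLE:SINGLE
"""

ENDPOINT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def parse_states(text):
    """Yield (proto, client_ip, client_port, dst_ip, dst_port, state_pair)."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or ":" not in parts[-1]:
            continue
        proto, state = parts[1], parts[-1]
        endpoints = ENDPOINT.findall(line)
        if len(endpoints) < 2:
            continue
        if "->" in parts:          # outbound state: client listed first
            (cip, cport), (dip, dport) = endpoints[0], endpoints[-1]
        else:                      # inbound / rdr state: client listed last
            (dip, dport), (cip, cport) = endpoints[0], endpoints[-1]
        yield proto, cip, int(cport), dip, int(dport), state


def client_state_counts(text, client_ip, dst_port=80):
    """Count tcp state pairs pf holds for one client toward dst_port."""
    counts = Counter()
    for proto, cip, _cport, _dip, dport, state in parse_states(text):
        if proto == "tcp" and cip == client_ip and dport == dst_port:
            counts[state] += 1
    return counts


def lingering(counts):
    """Entries past ESTABLISHED: each still occupies a pf state (and its
    client ip:port) until the matching 'set timeout tcp.*' value expires."""
    return sum(n for pair, n in counts.items()
               if not pair.startswith("ESTABLISHED"))
```

Run it against the real table with `client_state_counts(subprocess.check_output(["pfctl", "-s", "state"], text=True), "<ab client ip>")` on the nat box.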
