nat / rdr timeouts?

Daniel Hartmeier daniel at benzedrine.cx
Sat Mar 5 22:20:03 GMT 2005


On Sat, Mar 05, 2005 at 02:57:56PM -0700, Stephane Raimbault wrote:

> I cvsup'd RELENG_5 and recompiled the kernel and I'm seeing the same 
> results.  Do I need to recompile any other parts of the system?

No, that's it.

> Do we believe I've stumbled onto a bug of pf... or is this some sort of 
> anti-DoS feature?

The default limit on number of states is 10,000. If further packets try
to create state, they are dropped. But it doesn't look like you're
hitting that.

Enable debug logging (pfctl -xm), reproduce the problem, then check
/var/log/messages for anything from pf.

Also quote pfctl -vvss output after the problem, as well as pfctl -si,
please.

Daniel
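Added example, not part of this thread: a small POSIX sh helper that reads the `pfctl -si` and `pfctl -sm` output Daniel asks for and reports how close the state table is to the hard limit and whether pf has already refused to create states. It assumes the usual column layout of those two commands (the "current entries" line, the "states hard limit" line, and the "memory" / "state-limit" counters, which counter increments depends on the pf version); both samples below are constructed, not captured from a real host.

```shell
#!/bin/sh
# Run against a live firewall with:
#   pf_state_check "$(pfctl -si)" "$(pfctl -sm)"
# Constructed samples (not real output) so the functions run offline.
SAMPLE_SI='Status: Enabled for 0 days 03:12:45            Debug: Urgent

State Table                          Total             Rate
  current entries                     9870
  searches                        12345678         1073.7/s
  inserts                           345678           30.1/s
  removals                          335808           29.2/s
Counters
  match                             345700           30.1/s
  bad-offset                             0            0.0/s
  memory                                12            0.0/s
  state-limit                          400            0.1/s
  short                                  0            0.0/s'

SAMPLE_SM='  states        hard limit    10000
  src-nodes     hard limit    10000
  frags         hard limit     5000'

# Number of entries currently in the state table.
pf_current_states() {
    printf '%s\n' "$1" | awk '/current entries/ { print $3 }'
}

# Hard limit on states ("set limit states ..."; 10000 by default).
pf_state_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" { print $4 }'
}

# Packets for which pf could not create a state: "memory" on older pf,
# "state-limit" where that counter exists. Either means new flows dropped.
pf_state_drops() {
    printf '%s\n' "$1" |
        awk '$1 == "memory" || $1 == "state-limit" { s += $2 } END { print s + 0 }'
}

# Prints "used/limit pct% drops=N"; exit status 1 when the table is at
# 90% or more of the limit, or state creation has already failed.
pf_state_check() {
    cur=$(pf_current_states "$1"); lim=$(pf_state_limit "$2")
    drops=$(pf_state_drops "$1")
    pct=$((cur * 100 / lim))
    echo "$cur/$lim ${pct}% drops=$drops"
    [ "$pct" -lt 90 ] && [ "$drops" -eq 0 ]
}
```

If the check passes but packets still vanish, the state limit is not the cause and the debug log from `pfctl -xm` is the next place to look.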
