state table filled up?
Dan Langille
dan at langille.org
Thu Nov 16 17:08:33 UTC 2006
On 15 Nov 2006 at 17:14, Greg Hennessy wrote:
> > I suspect this may have been my state table filling up.
> >
>
> For a high traffic'd internet facing service such as Freshports, running
> pfstat, symon or even the pf snmp mibs loaded into something such as Cacti
> is not optional.
>
> They would have kept track of firewall state table utilisation over time.
I have symon and Cacti installed and running. symon is happily
updating my .rrd files:
[dan at nyi:/var/db/symon] $ ls -l
total 53168
-rw-r--r-- 1 root wheel 4379264 Nov 16 12:07 cpu0.rrd
-rw-r--r-- 1 root wheel 8757064 Nov 16 12:07 if_fxp0.rrd
-rw-r--r-- 1 root wheel 4379264 Nov 16 12:07 io_ad0.rrd
-rw-r--r-- 1 root wheel 13134864 Nov 16 12:07 mbuf.rrd
-rw-r--r-- 1 root wheel 4379264 Nov 16 12:07 mem.rrd
-rw-r--r-- 1 root wheel 19263784 Nov 16 12:07 pf.rrd
[dan at nyi:/var/db/symon] $
I have no idea how to get Cacti to graph this data. Clues please?
> As a short term measure.
>
> pfctl -si
>
> will tell you how many entries are in the state table.
Seems pretty good. Opinions?
$ sudo pfctl -si
Password:
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 1 days 04:20:53 Debug: Urgent
Hostid: 0xd61d30d4
State Table Total Rate
current entries 168
searches 7301670 71.5/s
inserts 175525 1.7/s
removals 175357 1.7/s
Counters
match 221650 2.2/s
bad-offset 0 0.0/s
fragment 1 0.0/s
short 0 0.0/s
normalize 12 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 0 0.0/s
proto-cksum 0 0.0/s
state-mismatch 4792 0.0/s
state-insert 0 0.0/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 477115 4.7/s
--
Dan Langille : Software Developer looking for work
my resume: http://www.freebsddiary.org/dan_langille.php
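
Added example, not part of the original post: a shell function that reads `pfctl -si` output, reports state-table utilisation against a limit, and escalates when the memory or state-limit drop counters are non-zero. The function names, the 80% warning threshold and the 10000 limit are assumptions; the sample input is constructed from the output format shown above.

```shell
#!/bin/sh
# Added example: state-table pressure check over `pfctl -si` text.

# Constructed sample input, abridged from the output format in the post.
sample_status() {
cat <<'EOF'
Status: Enabled for 1 days 04:20:53           Debug: Urgent
State Table                          Total             Rate
  current entries                      168
  searches                         7301670           71.5/s
  inserts                           175525            1.7/s
  removals                          175357            1.7/s
Counters
  match                             221650            2.2/s
  memory                                 0            0.0/s
  state-limit                            0            0.0/s
EOF
}

# check_states LIMIT [WARN_PCT]  (reads `pfctl -si` output on stdin)
# Exit status: 0 ok, 1 utilisation >= WARN_PCT, 2 drops seen, 3 unparsable.
check_states() {
    awk -v limit="$1" -v warn="${2:-80}" '
        $1 == "current" && $2 == "entries" { cur = $3; seen = 1 }
        # Packets dropped because pf could not allocate memory
        # (this includes a full state table).
        $1 == "memory"      { mem = $2 }
        # Packets dropped by a per-rule "max" states limit.
        $1 == "state-limit" { slim = $2 }
        END {
            if (!seen || limit <= 0) { print "UNKNOWN"; exit 3 }
            pct = 100 * cur / limit
            rc = 0; status = "OK"
            if (pct >= warn)         { rc = 1; status = "WARN" }
            if (mem > 0 || slim > 0) { rc = 2; status = "CRIT" }
            printf "%s states=%d limit=%d used=%.1f%% memory=%d state-limit=%d\n",
                   status, cur, limit, pct, mem, slim
            exit rc
        }'
}

# 10000 is an assumed limit for the demo; on a live host take it from
# `pfctl -sm` (the "states hard limit" line) and pipe in `pfctl -si`.
sample_status | check_states 10000
```

Run from cron and logged, the summary line gives the utilisation history that a single `pfctl -si` snapshot cannot.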