bill.marquette at gmail.com
Wed Sep 5 17:41:47 PDT 2007
On 9/5/07, Rian Shelley <rians at cc.usu.edu> wrote:
> As far as I can tell, am having the same problem described by bill
> marquette. I have two firewalls using pfsync, where the secondary
> firewall just increases its state count steadily.
> I created a simple libpcap program to watch the pfsync headers flowing
> by, and i see types 8, 4, 2, which are PFSYNC_ACT_UREQ,
> PFSYNC_ACT_UPD_C, PFSYNC_ACT_UPD. I dont see any of type 3 or 5, which
> are the ones that delete state. As far as i can tell, states are
> pumped across the link, but never removed and are left to time out on
> their own.
I'll have to run our scripts again, but I'm pretty sure we were seeing
state deletions. But we certainly were not seeing 1 for 1
insert/deletion messages (one of our clusters frontends the web
servers so we have LOTS of short lived states).
> I'd like to add myself as another datapoint for this problem.
> Currently I am getting about 15k send errors per second, and im up to
> 1.8 million states on the secondary firewall :D
Nice. How much RAM is that eating? I'm happy to hear that FreeBSD
seems to be able to handle a state count this high. What's the state
limit in your config?
More information about the freebsd-pf