pf randomly blocks specific packets?
Nejc Škoberne
nejc at skoberne.net
Tue Jul 29 12:53:53 UTC 2008
Hello,
> Note: You can remove "keep state". This is implicit for newer version of
> pf.
> Note: These keep state, see above. You might want to add "no state" here,
> to decrease state table usage.
But if it is "no state", does it mean it eats more CPU? Or not?
> From the frequency of the logs, it looks like that there is heavy load
> on the server (or a high connection latency). If so, this may be a
> problem of state table exhaustion or timeouts. pf may drop a "dangling,
> almost finished" connection before the final "FIN" packet arrives and
> thus create such log entries as the final packet gets blocked, when the
> corresponding state table entry is not present any more.
Actually the server was just deployed and there shouldn't be much traffic
going through. I checked with pfctl:
  State Table                        Total             Rate
    current entries                       79
    searches                         9652489           16.2/s
    inserts                           486382            0.8/s
    removals                          486303            0.8/s
These seem pretty low, huh?
> To eliminate this possibility, you should monitor the size of your state
> table and possible increase the limits, if so.
> Or insert some "no state" statements into your ruleset.
So, what would be the next idea to try? For now I did "set skip on $int_Jails"
and it seems to help.
Thanks,
Nejc
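The advice quoted above is to monitor the state table and raise the limit if it is close to full. The following script is an added example, not part of this thread or of the pf project: it parses the "current entries" counter from `pfctl -si` and the states hard limit from `pfctl -sm`, and warns when usage crosses a threshold. The embedded sample output is constructed (the counters are the ones quoted in the message; the 10000 hard limit is pf's usual default, assumed here); on a live box pass the real `pfctl -si` / `pfctl -sm` output instead.

```shell
#!/bin/sh
# Added example (not from the thread): check pf state-table usage against the
# configured hard limit, so state-table exhaustion can be ruled in or out.

# Constructed sample of the "State Table" section of `pfctl -si`
# (numbers taken from the message above).
SAMPLE_SI='State Table                        Total             Rate
  current entries                       79
  searches                         9652489           16.2/s
  inserts                           486382            0.8/s
  removals                          486303            0.8/s'

# Constructed sample of `pfctl -sm`; 10000 is the assumed default states limit.
SAMPLE_SM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000'

# state_current <pfctl -si output>: print the "current entries" counter.
state_current() {
    printf '%s\n' "$1" | awk '/current entries/ { print $3 }'
}

# state_limit <pfctl -sm output>: print the hard limit for states.
state_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" { print $4 }'
}

# state_usage_pct <current> <limit>: integer percentage of the table in use.
state_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# check_state_table <si output> <sm output> <threshold percent>
# Returns 0 when usage is below the threshold, 1 when it is at or above it
# (i.e. the table is close to exhaustion and "set limit states" should be
# raised, or some rules switched to "no state").
check_state_table() {
    cur=$(state_current "$1")
    lim=$(state_limit "$2")
    pct=$(state_usage_pct "$cur" "$lim")
    if [ "$pct" -ge "$3" ]; then
        echo "WARNING: pf state table ${pct}% full (${cur}/${lim})" >&2
        return 1
    fi
    echo "pf state table ${pct}% full (${cur}/${lim})"
    return 0
}

# Run on the constructed samples. On a real host use:
#   check_state_table "$(pfctl -si)" "$(pfctl -sm)" 80
check_state_table "$SAMPLE_SI" "$SAMPLE_SM" 80
```

With the numbers from the message (79 entries out of an assumed 10000) the check passes at well under 1%, which matches the observation that the table is nowhere near full; the warning path only fires when the counter approaches the hard limit.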