pf randomly blocks specific packets?

Nejc Škoberne nejc at skoberne.net
Tue Jul 29 12:53:53 UTC 2008


Hello,

> Note: You can remove "keep state". This is implicit for newer versions of
> pf.
> Note: These keep state, see above. You might want to add "no state" here,
> to decrease state table usage.

But if it is "no state" it means it eats more CPU? Or not?

> From the frequency of the logs, it looks like there is heavy load on the
> server (or a high connection latency). If so, this may be a problem of
> state table exhaustion or timeouts. pf may drop a "dangling, almost
> finished" connection before the final "FIN" packet arrives and thus create
> such log entries as the final packet gets blocked, when the corresponding
> state table entry is not present any more.

Actually the server was just deployed and there shouldn't be much traffic
going through. I checked with pfctl:

State Table                          Total             Rate
   current entries                       79
   searches                         9652489           16.2/s
   inserts                           486382            0.8/s
   removals                          486303            0.8/s

These seem pretty low, huh?

> To eliminate this possibility, you should monitor the size of your state
> table and possibly increase the limits, if so.
> Or insert some "no state" statements into your ruleset.

So, what would be the next idea to try? For now I did "set skip on $int_Jails"
and it seems to help.

Thanks,
Nejc
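As an added example (not from this thread or from the pf project), here is a small POSIX sh check that turns the "monitor the size of your state table" advice into something scriptable: it parses the output of `pfctl -s info` and `pfctl -s memory` and reports state-table utilisation against the configured hard limit. The sample outputs below are constructed (the entry count is the figure from the message above; the 10000 limit is an assumed default).

```shell
#!/bin/sh
# Report pf state-table utilisation so state exhaustion can be ruled in or out.
# Assumes the line layout of `pfctl -s info` and `pfctl -s memory` on FreeBSD.
# On a live host run: pf_state_check "$(pfctl -s info)" "$(pfctl -s memory)"

# Constructed sample of `pfctl -s info`, using the entry count from the thread.
SAMPLE_INFO='State Table                          Total             Rate
   current entries                       79
   searches                         9652489           16.2/s
   inserts                           486382            0.8/s
   removals                          486303            0.8/s'

# Constructed sample of `pfctl -s memory` (10000 is an assumed default limit).
SAMPLE_MEMORY='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000'

# Print the number of current state entries (first "current entries" line,
# which belongs to the State Table section).
pf_current_states() {
    printf '%s\n' "$1" | awk '/current entries/ { print $3; exit }'
}

# Print the configured hard limit for states.
pf_state_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" { print $4; exit }'
}

# Print utilisation as an integer percentage; fail on unparsable input.
pf_state_usage_pct() {
    cur=$(pf_current_states "$1")
    lim=$(pf_state_limit "$2")
    [ -n "$cur" ] && [ -n "$lim" ] && [ "$lim" -gt 0 ] || {
        echo "unparsable pfctl output" >&2; return 1; }
    echo $(( cur * 100 / lim ))
}

# Return 0 below the threshold (default 80%), 1 when the table is nearly full,
# 2 when the input could not be parsed.
pf_state_check() {
    pct=$(pf_state_usage_pct "$1" "$2") || return 2
    if [ "$pct" -ge "${3:-80}" ]; then
        echo "WARN: pf state table at ${pct}% of hard limit" >&2
        return 1
    fi
    echo "OK: pf state table at ${pct}% of hard limit"
}

pf_state_check "$SAMPLE_INFO" "$SAMPLE_MEMORY"
```

A result near 0% with blocks still appearing in the log, as here, points away from state exhaustion and towards a stateless or asymmetric path for those packets.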
