Seems like pf skips some packets.
Edward Carrel
edward at carrel.org
Fri Jul 13 10:51:09 UTC 2007
On Jul 13, 2007, at 2:17 AM, Alexey Sopov wrote:
> While thinking about why it happens once in 5 seconds and has only ACK bit
> set, I tried to check some timeout variables and found an interesting thing.
>
> These lines are in /etc/pf.conf:
> set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
> set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
>
> And this I get from pfctl -s timeouts:
> TIMEOUTS:
> tcp.first 30s
> tcp.opening 5s
> tcp.established 18000s
> tcp.closing 60s
> tcp.finwait 30s
> tcp.closed 30s
> tcp.tsdiff 10s
> udp.first 60s
> udp.single 30s
> udp.multiple 60s
> icmp.first 20s
> icmp.error 10s
> other.first 60s
> other.single 30s
> other.multiple 60s
> frag 5s
> interval 2s
> adaptive.start 0 states
> adaptive.end 0 states
> src.track 0s
>
> Settings are loaded in pf via /etc/rc.d/pf start
>
> Why do these things differ?
These are the timeout settings for "set optimization aggressive". If
it appears after your set timeout lines, then it will take
precedence. If this doesn't appear within your pf.conf, then this
probably isn't the pf config file it's loading. If so, that may
explain your issue with the unblocked packets as well.
Best,
Ed
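
The two cases the reply distinguishes, as an added example (not code from this thread or from pf): a Python check that compares the `set timeout` values in a pf.conf with `pfctl -s timeouts` output. It assumes, as the reply states, that a `set optimization aggressive` line placed after the `set timeout` lines takes precedence; the function names and verdict strings are hypothetical.

```python
import re

# pf.conf lines and pfctl values copied from the quoted message (tcp.* only).
PF_CONF = """\
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
"""
PFCTL_OUT = """\
TIMEOUTS:
tcp.first 30s
tcp.opening 5s
tcp.established 18000s
tcp.closing 60s
tcp.finwait 30s
tcp.closed 30s
"""

def parse_conf(text):
    """Return ({timeout: (seconds, line_no)}, line_no of 'set optimization aggressive' or None)."""
    timeouts, aggressive_at = {}, None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        if re.fullmatch(r"set\s+optimization\s+aggressive", line):
            aggressive_at = no
        elif re.match(r"set\s+timeout\b", line):     # braced list or single value
            for name, secs in re.findall(r"([a-z]+(?:\.[a-z]+)?)\s+(\d+)", line):
                timeouts[name] = (int(secs), no)
    return timeouts, aggressive_at

def parse_running(text):
    """Parse `pfctl -s timeouts` lines of the form 'name NNs' into {timeout: seconds}."""
    return {n: int(s) for n, s in re.findall(r"^([a-z]+(?:\.[a-z]+)?)\s+(\d+)s\s*$", text, re.M)}

def diagnose(conf_text, pfctl_text):
    """Return (verdict, names of timeouts whose running value differs from the file)."""
    conf, aggressive_at = parse_conf(conf_text)
    running = parse_running(pfctl_text)
    mismatched = sorted(n for n, (secs, _) in conf.items() if running.get(n) != secs)
    if not mismatched:
        return "match", mismatched
    # Override only explains the difference if it comes after every affected line.
    if aggressive_at is not None and all(aggressive_at > conf[n][1] for n in mismatched):
        return "overridden", mismatched
    return "other-file", mismatched   # running values cannot come from this file

if __name__ == "__main__":
    print(diagnose(PF_CONF, PFCTL_OUT))
```

With the values from the quoted message and no optimization line in the file, the verdict is `other-file` for all six TCP timeouts, which is the second case in the reply.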
More information about the freebsd-stable mailing list