From owner-freebsd-pf@FreeBSD.ORG Mon Aug 2 09:16:47 2010
Date: Mon, 2 Aug 2010 11:16:37 +0200
From: Daniel Hartmeier
To: Maciej Milewski
Cc: freebsd-pf@freebsd.org
Subject: Re: pf filtering openvpn problem
Message-ID: <20100802091637.GB16609@insomnia.benzedrine.cx>
In-Reply-To: <201008010132.38555.milu@dat.pl>
List-Id: "Technical discussion and general questions about packet filter (pf)"

The connection is from 10.10.0.8 to 10.0.10.2:22, it comes in on tun0, matching

> pass log on tun0 inet proto tcp from 10.10.0.0/24 to 10.0.10.2 flags S/SA keep

and then passes out on sk0, but there is no matching rule.

Since your default block rule

> block drop in log all

only applies to incoming (not outgoing) packets, it doesn't match, either.
So the SYN packet passes by the implicit default pass rule, which doesn't
keep state.

That's why the returning SYN+ACK is blocked in on sk0, there is no state.

Try adding

  pass log on sk0 inet proto tcp from 10.10.0.0/24 to 10.0.10.2 flags S/SA keep

and maybe remove the 'in' from the default block rule.

HTH,
Daniel

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 2 11:07:07 2010
Date: Mon, 2 Aug 2010 11:07:06 GMT
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-Id: <201008021107.o72B76eK035178@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).
The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including experimental
development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/148290  pf    [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf    [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf    [pf] Firewall PF no longer drops connections by sendin
o kern/146832  pf    [pf] "(self)" not always matching all local IPv6 addre
o kern/144311  pf    [pf] [icmp] massive ICMP storm on lo0 occurs when usin
o kern/143543  pf    [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf    [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf    [pf] No way to adjust pidfile in pflogd
o conf/142817  pf    [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf    [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf    [pf] pf behaviour changes - must be documented
o kern/137982  pf    [pf] when pf can hit state limits, random IP failures
o kern/136781  pf    [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf    [pf] [gre] pf not natting gre protocol
o kern/135162  pf    [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf    [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf    [pf] max-src-conn issue
o kern/132769  pf    [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf    [pf] pf stalls connection when using route-to [regress
o conf/130381  pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf    [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf    [pf] deadlock in pf
f kern/127345  pf    [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf    [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf    [pf] PF mangles loopback packets
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf    [carp] carp+pf delay with high state limit
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf    [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf    pfsync fails to sucessfully transfer some sessions
o kern/103281  pf    pfsync reports bulk update failures
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o bin/86635    pf    [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf    [pf] cbq scheduler cause bad latency

47 problems total.
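The evaluation order Daniel relies on in his reply to the openvpn problem above (rules matched per interface and direction, last matching rule wins, a state lookup before the ruleset, and an implicit default pass that creates no state) can be worked through with a small model. The following is an added example, not code from the thread, from pf or from FreeBSD. It walks the SYN and the returning SYN+ACK through tun0 and sk0 with the rules quoted in the thread, then repeats the walk with Daniel's extra pass rule on sk0 and with the 'in' removed from the block rule. Assumptions: a state is bound to the interface it was created on (pf's 'set state-policy if-bound'), which the model needs to reproduce the stateless sk0 leg Daniel describes; the client source port 40000 is constructed; the Packet, Rule and trace_handshake names are the example's own.

```python
"""Toy model of pf rule evaluation for the openvpn thread: per-interface,
per-direction rules, last matching rule wins, state lookup before the ruleset,
and an implicit default pass that creates no state.  Added example, not pf code.
Assumption: a state is bound to the interface it was created on (if-bound)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet is seen on
    direction: str    # "in" or "out", relative to the firewall
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # "S" = SYN only, "SA" = SYN+ACK


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # None matches both directions
    iface: Optional[str] = None      # None matches any interface
    src_net: Optional[str] = None    # CIDR; None matches any source
    dst: Optional[str] = None        # single host; None matches any destination
    syn_only: bool = False           # models "flags S/SA"
    keep_state: bool = False         # models "keep state"


def matches(rule: Rule, pkt: Packet) -> bool:
    """Does this rule apply to this packet? Every set field must agree."""
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.src_net is not None and ip_address(pkt.src) not in ip_network(rule.src_net):
        return False
    if rule.dst is not None and rule.dst != pkt.dst:
        return False
    if rule.syn_only and pkt.flags != "S":
        return False
    return True


StateKey = Tuple[str, Tuple[Tuple[str, int], ...]]

def state_key(pkt: Packet) -> StateKey:
    """Direction-independent key (so the reply finds the same state) plus the
    interface, because of the if-bound assumption."""
    ends = tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))
    return (pkt.iface, ends)

def filter_packet(rules: List[Rule], pkt: Packet, states: Set[StateKey]) -> str:
    """Return 'pass' or 'block' for one packet on one interface, updating states."""
    key = state_key(pkt)
    if key in states:
        return "pass"                # an existing state short-circuits the ruleset
    action, keep = "pass", False     # implicit default rule: pass, no state
    for rule in rules:
        if matches(rule, pkt):
            action, keep = rule.action, rule.keep_state   # last match wins
    if action == "pass" and keep:
        states.add(key)
    return action

# Rules quoted in the thread (addresses and interfaces as posted).
BLOCK_IN_ALL = Rule("block", direction="in")                  # block drop in log all
BLOCK_ALL = Rule("block")                                     # same rule with 'in' removed
PASS_TUN0 = Rule("pass", iface="tun0", src_net="10.10.0.0/24", dst="10.0.10.2",
                 syn_only=True, keep_state=True)
PASS_SK0 = Rule("pass", iface="sk0", src_net="10.10.0.0/24", dst="10.0.10.2",
                syn_only=True, keep_state=True)               # Daniel's added rule
ORIGINAL_RULESET = [BLOCK_IN_ALL, PASS_TUN0]
FIXED_RULESET = [BLOCK_IN_ALL, PASS_TUN0, PASS_SK0]
BLOCK_ALL_RULESET = [BLOCK_ALL, PASS_TUN0]

def trace_handshake(rules: List[Rule]) -> List[str]:
    """Walk the SYN and the returning SYN+ACK across both interfaces and return
    the decision for each leg, stopping at the first block."""
    client, server, sport = "10.10.0.8", "10.0.10.2", 40000   # sport is constructed
    legs = [
        Packet("tun0", "in", client, sport, server, 22, "S"),     # SYN arrives from VPN
        Packet("sk0", "out", client, sport, server, 22, "S"),     # SYN forwarded to LAN
        Packet("sk0", "in", server, 22, client, sport, "SA"),     # SYN+ACK comes back
        Packet("tun0", "out", server, 22, client, sport, "SA"),   # SYN+ACK into the VPN
    ]
    states: Set[StateKey] = set()
    decisions: List[str] = []
    for pkt in legs:
        decisions.append(filter_packet(rules, pkt, states))
        if decisions[-1] == "block":
            break
    return decisions

if __name__ == "__main__":
    print("original ruleset:", trace_handshake(ORIGINAL_RULESET))   # SYN+ACK blocked on sk0
    print("with pass on sk0:", trace_handshake(FIXED_RULESET))
    print("block without in:", trace_handshake(BLOCK_ALL_RULESET))  # outbound leg now blocked
```

The third ruleset shows why Daniel also suggests dropping the 'in': with a direction-limited block rule the unmatched outbound leg passes silently and without state, whereas a block rule that covers both directions turns that gap into a logged block at the sk0 leg, which is much easier to spot in pflog than a missing state.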
From owner-freebsd-pf@FreeBSD.ORG Mon Aug 2 13:54:47 2010
Date: Mon, 2 Aug 2010 15:54:39 +0200
From: Maciej Milewski
To: Daniel Hartmeier
Cc: freebsd-pf@freebsd.org
Subject: Re: pf filtering openvpn problem
Message-Id: <201008021554.40116.milu@dat.pl>
In-Reply-To: <20100802091637.GB16609@insomnia.benzedrine.cx>

On Monday, 02 August 2010 at 11:16:37, Daniel Hartmeier wrote:
> The connection is from 10.10.0.8 to 10.0.10.2:22, it comes in
> on tun0, matching
>
> > pass log on tun0 inet proto tcp from 10.10.0.0/24 to 10.0.10.2 flags S/SA
> > keep
>
> and then passes out on sk0, but there is no matching rule.
>
> Since your default block rule
>
> > block drop in log all
>
> only applies to incoming (not outgoing) packets, it doesn't match,
> either. So the SYN packet passes by the implicit default pass rule,
> which doesn't keep state.
>
> That's why the returning SYN+ACK is blocked in on sk0, there is no
> state.
>
> Try adding
>
>   pass log on sk0 inet proto tcp from 10.10.0.0/24 to 10.0.10.2 flags S/SA
>   keep
>
> and maybe remove the 'in' from the default block rule.
>
> HTH,
> Daniel

Indeed, that was it. This solution worked! Thanks, Daniel.

Regards,
Maciej Milewski

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 4 02:54:37 2010
Date: Wed, 04 Aug 2010 08:45:42 +0600
From: "Rushan R. Shaymardanov"
To: freebsd-pf@freebsd.org
Subject: Keeping state of tcp connections
Message-ID: <4C58D456.5010701@clink.ru>

Hello. I have a FreeBSD router with pf. In my pf.conf, I have a block-by-default rule and after it, something like this:

  block all
  pass in on $if_int from $net_int to any
  pass out on $if_ext from $net_int to any

When there is, for example, some idle ssh connection, pf stops tracking it in its state table after some period of inactivity (I don't see it in pfctl -ss). So, packets are blocked by my default block rule and my connection is closed by timeout. When I rewrite my rules like this:

  pass in on $if_int from $mynet to any flags any no state
  pass out on $if_ext from $mynet to any flags any no state
  pass in on $if_ext from any to $mynet flags any no state
  pass out on $if_int from any to $mynet flags any no state

idle connections are not closed by timeout. How can I make pf not delete TCP state entries from the state table by timeout? Or maybe I should increase the value of the timeout? It's not convenient for me to use no state rules in pf.conf. Sorry for my English.

Shaymardanov Rushan

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 4 06:30:01 2010
Date: Wed, 4 Aug 2010 08:29:07 +0200
From: Daniel Hartmeier
To: "Rushan R. Shaymardanov"
Cc: freebsd-pf@freebsd.org
Subject: Re: Keeping state of tcp connections
Message-ID: <20100804062907.GA3834@insomnia.benzedrine.cx>
In-Reply-To: <4C58D456.5010701@clink.ru>

On Wed, Aug 04, 2010 at 08:45:42AM +0600, Rushan R. Shaymardanov wrote:

> When there is, for example some idle ssh connection, pf stops tracking
> it in its states table after some period of inactivity (I don't see it
> in pfctl -ss). So, packets are blocked my default block rule and my
> connection is closed by timeout.
The default timeout for fully established TCP connections in pf is 24 hours:

  # pfctl -st
  tcp.established 86400s

You can change this value in pf.conf with

  set timeout { tcp.established 86400 }

When you establish an SSH connection, you should see a state like

  # pfctl -vvss | grep -A 3 ":22 "

  sis0 tcp 213.3.30.1:22 <- 83.77.96.2:57802 ESTABLISHED:ESTABLISHED
     [574539409 + 66576] wscale 0 [303632633 + 16656] wscale 3
     age 00:04:03, expires in 23:57:10, 932:894 pkts, 73171:153576 bytes, rule 106

The last part of the first line should read "ESTABLISHED:ESTABLISHED", otherwise the connection is not considered fully established by pf for some reason, and the 24 hour timeout is not applied.

The "expires in" part on the third line should equal 24 hours minus the current idle time. If it reaches zero, the state will be removed. Any activity of the connection should reset it to 24 hours.

So, does your state vanish after less idle time? Did you change the timeout in pf? Are you sure neither side (server or client) is sending a TCP FIN or RST (have you captured an entire connection with tcpdump)? Did you manually remove the state (reboot the pf machine, pfctl -Fa or pfctl -Fs, or such)?

Daniel

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 4 07:30:08 2010
Date: Wed, 04 Aug 2010 13:40:58 +0600
From: "Rushan R. Shaymardanov"
To: Daniel Hartmeier
Cc: freebsd-pf@freebsd.org
Subject: Re: Keeping state of tcp connections
Message-ID: <4C59198A.1060206@clink.ru>
In-Reply-To: <20100804062907.GA3834@insomnia.benzedrine.cx>

Daniel Hartmeier wrote:
> The default timeout for fully established TCP connections in pf is
> 24 hours:
>
> # pfctl -st
> tcp.established 86400s
>
> You can change this value in pf.conf with
>
> set timeout { tcp.established 86400 }

# pfctl -st | grep tcp.established
tcp.established 86400s

> When you establish an SSH connection, you should see a state like
>
> # pfctl -vvss | grep -A 3 ":22 "
>
> sis0 tcp 213.3.30.1:22 <- 83.77.96.2:57802 ESTABLISHED:ESTABLISHED
> [574539409 + 66576] wscale 0 [303632633 + 16656] wscale 3
> age 00:04:03, expires in 23:57:10, 932:894 pkts, 73171:153576 bytes, rule 106
>
> The last part of the first line should read "ESTABLISHED:ESTABLISHED",
> otherwise the connection is not considered fully established by pf
> for some reason, and the 24 hour timeout is not applied.
>
> The "expires in" part on the third line should equal 24 hours minus
> the current idle time. If it reaches zero, the state will be removed.
> Any activity of the connection should reset it to 24 hours.

# pfctl -vvss | grep -A 3 "192.168.50.225" | grep -A 3 "172.16.11.1:22"
all tcp 172.16.11.1:22 <- 192.168.50.225:49021 ESTABLISHED:ESTABLISHED
   [3592205748 + 333376] wscale 9 [2021010611 + 1049600] wscale 6
   age 00:20:15, expires in 04:13:48, 2107:4297 pkts, 125912:2371908 bytes, rule 293
   id: 4c46689c7daad5e7 creatorid: f74cdd39

I think here's the problem. This connection is the one I am using to execute pfctl -ss, so "expires in" should be about 24 hrs like in your example. But as you can see, the value is 4:13 here. When I execute the command again, I get another value:

gw ~ # pfctl -vvss | grep -A 3 "192.168.50.225" | grep -A 3 "172.16.11.1:22"
all tcp 172.16.11.1:22 <- 192.168.50.225:49021 ESTABLISHED:ESTABLISHED
   [3592206868 + 333376] wscale 9 [2021010803 + 1049600] wscale 6
   age 00:21:58, expires in 02:35:27, 2119:4305 pkts, 126728:2373444 bytes, rule 293
   id: 4c46689c7daad5e7 creatorid: f74cdd39

Every time I execute this command, the value changes from 1:xx to 4:xx.

> So, does your state vanish after less idle time?

Yes.

> Did you change the timeout in pf?

No.

> Are you sure neither side (server or client) is sending a TCP FIN
> or RST (have you captured an entire connection with tcpdump)?

Yes, I'm sure.

> Did you manually remove the state (reboot the pf machine, pfctl -Fa
> or pfctl -Fs, or such)?
No.

> Daniel

Rushan

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 4 07:50:25 2010
Date: Wed, 4 Aug 2010 09:49:15 +0200
From: Daniel Hartmeier
To: "Rushan R. Shaymardanov"
Cc: freebsd-pf@freebsd.org
Subject: Re: Keeping state of tcp connections
Message-ID: <20100804074915.GB3834@insomnia.benzedrine.cx>
In-Reply-To: <4C591915.7050807@clink.ru>
Resent-From: dhartmei@benzedrine.cx
Resent-To: freebsd-pf@freebsd.org
Resent-Message-ID: <20100804075022.GC3834@insomnia.benzedrine.cx>

On Wed, Aug 04, 2010 at 01:39:01PM +0600, Rushan R. Shaymardanov wrote:

> I think here's the problem. This connection is the one I am using to
> execute pfctl -ss, so "expires in" should be about 24 hrs like in your
> example. But as you can see, the value is 4:13 here. When I execute
> the command again, I get another value:
>
> gw ~ # pfctl -vvss | grep -A 3 "192.168.50.225" | grep -A 3 "172.16.11.1:22"
> all tcp 172.16.11.1:22 <- 192.168.50.225:49021 ESTABLISHED:ESTABLISHED
> [3592206868 + 333376] wscale 9 [2021010803 + 1049600] wscale 6
> age 00:21:58, expires in 02:35:27, 2119:4305 pkts, 126728:2373444
> bytes, rule 293
> id: 4c46689c7daad5e7 creatorid: f74cdd39
>
> Every time I execute this command, the value changes from 1:xx to 4:xx.

Are you using adaptive timeouts?

  # pfctl -st | grep adaptive

What's your state limit?

  # pfctl -sm | grep states

When the problem occurs, how many states do you have?

  # pfctl -si | grep current

If this value is higher than the adaptive.start value, timeout values get scaled down, which could possibly explain what you see. If so, try increasing the state limit and/or the adaptive thresholds:

  set limit states 50000
  set timeout { adaptive.start 50000 adaptive.end 60000 }

Other causes: do you use pfsync to synchronize states between multiple pf machines? If so, are their clocks synchronized and accurate?

Did you change any (kernel) settings related to time, like HZ or such? Is your time synchronized in a special way, i.e. not just by ntpd?

Daniel

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 4 07:59:26 2010
Date: Wed, 04 Aug 2010 14:10:11 +0600
From: "Rushan R. Shaymardanov"
To: Daniel Hartmeier
Cc: freebsd-pf@freebsd.org
Subject: Re: Keeping state of tcp connections
Message-ID: <4C592063.7090605@clink.ru>
In-Reply-To: <20100804074915.GB3834@insomnia.benzedrine.cx>

> Are you using adaptive timeouts?
>
> # pfctl -st | grep adaptive

Yes (they are used by default):

# pfctl -st | grep adaptive
adaptive.start 6000 states
adaptive.end 12000 states

> What's your state limit?
>
> # pfctl -sm | grep states

# pfctl -sm | grep states
states hard limit 131072

> When the problem occurs, how many states do you have?
>
> # pfctl -si | grep current

# pfctl -si | grep current
current entries 120600

> If this value is higher than the adaptive.start value,
> timeout values get scaled down, which could possibly explain
> what you see. If so, try increasing the state limit and/or
> the adaptive thresholds:
>
> set limit states 50000
> set timeout { adaptive.start 50000 adaptive.end 60000 }

That was the problem. I increased the states limit, but adaptive.start and adaptive.end remained at the default. Now I have switched adaptive timeouts off by using

  set timeout { adaptive.start 0 adaptive.end 0 }

Thank you very much!

Shaymardanov Rushan

> Other causes: do you use pfsync to synchronize states between
> multiple pf machines? If so, are their clocks synchronized and
> accurate?
>
> Did you change any (kernel) settings related to time, like HZ
> or such? Is your time synchronized in a special way, i.e. not
> just by ntpd?
>
> Daniel
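The two diagnostics in the thread above can be turned into a repeatable check: Daniel's rule of thumb that an ESTABLISHED state's "expires in" should be 24 hours minus the idle time, and his later point that once the state count exceeds adaptive.start every timeout is scaled down, which is what Rushan's raised state limit with untouched adaptive thresholds triggered. The following is an added example, not code from the thread, from pf or from FreeBSD. The scaling it applies is the one documented in pf.conf(5): between adaptive.start and adaptive.end every timeout is multiplied by (adaptive.end - states) / (adaptive.end - adaptive.start), reaching zero at adaptive.end, and setting both values to 0 disables it. The pfctl output it parses is constructed from the numbers quoted in the thread; the function names (parse_timeouts, audit, expiry_looks_scaled and the rest) are the example's own.

```python
"""Parse pfctl output and check for the adaptive-timeout problem from the
'Keeping state of tcp connections' thread.  Added example, not pf code.
Scaling rule as in pf.conf(5): factor (end - states) / (end - start) between
adaptive.start and adaptive.end, zero at adaptive.end, disabled when both are 0."""
import re
from typing import Dict, List, Tuple

# Constructed samples in the format of 'pfctl -st', 'pfctl -sm', 'pfctl -si'
# and the third line of a 'pfctl -vvss' entry, using the numbers from the thread.
PFCTL_ST = ("tcp.established           86400s\n"
            "adaptive.start             6000 states\n"
            "adaptive.end              12000 states\n")
PFCTL_SM = "states        hard limit   131072\n"
PFCTL_SI = "  current entries                   120600\n"
STATE_OK = "   age 00:04:03, expires in 23:57:10, 932:894 pkts, 73171:153576 bytes, rule 106"
STATE_BAD = "   age 00:20:15, expires in 04:13:48, 2107:4297 pkts, 125912:2371908 bytes, rule 293"


def parse_timeouts(text: str) -> Dict[str, int]:
    """'tcp.established 86400s' / 'adaptive.start 6000 states' -> name: number."""
    pat = re.compile(r"^\s*(\S+)\s+(\d+)(?:s| states)\s*$", re.M)
    return {m.group(1): int(m.group(2)) for m in pat.finditer(text)}

def parse_counter(text: str, label: str) -> int:
    """Integer after a label such as 'states hard limit' or 'current entries',
    tolerating the column padding pfctl prints between the words."""
    words = r"\s+".join(re.escape(w) for w in label.split())
    m = re.search(r"^\s*" + words + r"\s+(\d+)", text, re.M)
    if not m:
        raise ValueError(f"no '{label}' line in pfctl output")
    return int(m.group(1))

def _hms(h: str, m: str, s: str) -> int:
    return int(h) * 3600 + int(m) * 60 + int(s)

def parse_age_expiry(state_line: str) -> Tuple[int, int]:
    """(age, expires_in) in seconds from the detail line of a pfctl -vvss entry."""
    m = re.search(r"age (\d+):(\d+):(\d+), expires in (\d+):(\d+):(\d+)", state_line)
    if not m:
        raise ValueError("no age/expires fields in state line")
    return _hms(*m.groups()[:3]), _hms(*m.groups()[3:])

def expiry_looks_scaled(base: int, age: int, expires_in: int) -> bool:
    """The expiry is refreshed on every packet while age counts from creation,
    so a healthy state always shows expires_in >= base - age.  Anything lower
    means the timeout itself was shortened (adaptive scaling or a lower setting)."""
    return expires_in < base - age

def adaptive_factor(states: int, start: int, end: int) -> float:
    """Multiplier applied to every timeout at this state count (pf.conf(5))."""
    if end == 0 or start >= end:
        return 1.0                       # adaptive timeouts disabled
    if states <= start:
        return 1.0
    if states >= end:
        return 0.0                       # every state expires immediately
    return (end - states) / (end - start)

def effective_timeout(base: int, states: int, start: int, end: int) -> int:
    return int(base * adaptive_factor(states, start, end))

def audit(timeouts: Dict[str, int], limit: int, states: int) -> List[str]:
    """Findings to review before (or after) raising 'set limit states'."""
    start, end = timeouts.get("adaptive.start", 0), timeouts.get("adaptive.end", 0)
    findings: List[str] = []
    if end and start < end and end < limit:
        findings.append(f"adaptive.end {end} is below the state limit {limit}: "
                        "the table can grow past it and every timeout drops to zero")
    factor = adaptive_factor(states, start, end)
    if factor < 1.0:
        est = effective_timeout(timeouts["tcp.established"], states, start, end)
        findings.append(f"{states} states exceed adaptive.start {start}: "
                        f"tcp.established is currently {est}s (factor {factor:.2f})")
    return findings

if __name__ == "__main__":
    t = parse_timeouts(PFCTL_ST)
    limit = parse_counter(PFCTL_SM, "states hard limit")
    current = parse_counter(PFCTL_SI, "current entries")
    for finding in audit(t, limit, current):
        print("finding:", finding)
    for name, line in (("Daniel's state", STATE_OK), ("Rushan's state", STATE_BAD)):
        age, left = parse_age_expiry(line)
        verdict = "scaled" if expiry_looks_scaled(t["tcp.established"], age, left) else "normal"
        print(f"{name}: age {age}s, expires in {left}s -> {verdict}")
```

Run against the thread's numbers the audit reports both findings (adaptive.end 12000 sits far below the 131072 limit, and 120600 states push the factor to zero), while the same check returns nothing for Rushan's final `adaptive.start 0 adaptive.end 0` and for Daniel's suggested `set limit states 50000` with `adaptive.start 50000`, where the table can never exceed the threshold.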