From: "Mark Pagulayan" <m.pagulayan@auckland.ac.nz>
To: "Tom Uffner", "Kian Mohageri"
Cc: freebsd-pf@freebsd.org
Date: Thu, 15 May 2008 12:08:28 +1200
Subject: RE: FreeBSD PF 4.1 Inserts Flags S/SA Automatically to rules

Hi Tom,

I have just zeroed in the statistics and yes the state-mismatch is still increasing.

If I do enable logging, how would I know that a packet is mismatched?

Cheers,
Mark

-----Original Message-----
From: Tom Uffner [mailto:tom@uffner.com]
Sent: Thursday, 15 May 2008 11:55 a.m.
To: Kian Mohageri
Cc: Mark Pagulayan; freebsd-pf@freebsd.org
Subject: Re: FreeBSD PF 4.1 Inserts Flags S/SA Automatically to rules

Kian Mohageri wrote:
> On Wed, May 14, 2008 at 3:45 PM, Mark Pagulayan
>> The way I see this is that this rule would be applied to udp traffic as
>> well which will be dropped/blocked because flags only work for tcp and
>> this might be the cause of state-mismatches that I see in the table -
>
> 'flags S/SA keep state' will work OK for UDP too. Only the 'keep
> state' part will be applied to UDP, since no flags are involved.
>
>> state-mismatch 11577272 48.7/s
>
> Could be caused by reloading your ruleset to include 'keep state'
> mid-connections, I think. PF won't be aware of where the state is
> (especially true if you're using TCP window scaling), so it will fail
> after a while and you'll see state mismatches.

even if reloading the ruleset to include "keep state" and/or "flags s/sa"
didn't sever pre-existing connections, it shouldn't cause that large a
number of mismatches. when was the last time you zeroed the statistics?
is the mismatch count still increasing w/ the 7.0 stateful rules?

you may need to add "log (all)" to find out where the state mismatches
are coming from.
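The check Tom describes (zero the counters, confirm that state-mismatch is still climbing, then log the stateful rules to see where the mismatches come from) as an added shell example. This is not code from the thread or from the pf project; the two counter listings embedded below are constructed to mimic the layout of `pfctl -s info` output, and the function names are my own.

```sh
#!/bin/sh
# Added example: measure whether pf's state-mismatch counter is growing and
# show how the rules would be set up to log the offending packets.
#
# Constructed sample of `pfctl -s info` output (only the Counters block
# matters here); the numbers are made up, modelled on the value quoted in
# the thread.
SNAP_BEFORE='Status: Enabled for 12 days 03:11:02           Debug: Urgent

State Table                          Total             Rate
  current entries                     4321
  searches                       987654321         4010.5/s
  inserts                          1234567            5.0/s
  removals                         1230246            5.0/s
Counters
  match                            2345678            9.5/s
  bad-offset                             0            0.0/s
  fragment                              12            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              3            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                  11577272           48.7/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s'

# Constructed second sample, taken "a moment later": the counter moved on.
SNAP_AFTER=$(printf '%s\n' "$SNAP_BEFORE" | sed 's/11577272/11577300/')

# Print the state-mismatch counter value found in one `pfctl -s info` listing.
mismatch_count() {
    printf '%s\n' "$1" | awk '$1 == "state-mismatch" { print $2; exit }'
}

# Print how much the counter grew between an earlier and a later listing.
mismatch_delta() {
    mm_before=$(mismatch_count "$1")
    mm_after=$(mismatch_count "$2")
    echo $((mm_after - mm_before))
}

# Succeed (exit 0) only if the counter grew between the two listings.
still_increasing() {
    [ "$(mismatch_delta "$1" "$2")" -gt 0 ]
}

# On a real pf host (root, pfctl present): zero the statistics as Tom asks,
# wait, and sample twice. Not called below because it needs a live pf.
live_check() {
    pfctl -F info                      # zero the counters shown by -s info
    a=$(pfctl -s info)
    sleep "${1:-10}"
    b=$(pfctl -s info)
    echo "state-mismatch grew by $(mismatch_delta "$a" "$b") in ${1:-10}s"
}

# Demo on the constructed samples.
echo "state-mismatch before: $(mismatch_count "$SNAP_BEFORE")"
echo "state-mismatch after:  $(mismatch_count "$SNAP_AFTER")"
if still_increasing "$SNAP_BEFORE" "$SNAP_AFTER"; then
    echo "counter grew by $(mismatch_delta "$SNAP_BEFORE" "$SNAP_AFTER")"
    # Next step from the thread: make the stateful rules log every matching
    # packet, e.g. (interface and port are placeholders)
    #   pass in log (all) on em0 proto tcp from any to any port 22 flags S/SA keep state
    # then reload with `pfctl -f /etc/pf.conf` and watch the log interface:
    #   tcpdump -n -e -ttt -i pflog0
fi
```

Usage note: `mismatch_count` parses whatever `pfctl -s info` prints, so the two functions work unchanged on live output as `live_check` shows. On the logging question, tcpdump's pflog decoder prints pf's reason code next to the rule number, so a record that reads `rule N/(state-mismatch)` rather than the usual `rule N/(match)` is a packet that pf dropped for failing the state check, and the rule number tells you which stateful rule's state it hit.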