From: "Roman Gorohov."
Date: Thu, 7 Dec 2006 16:31:49 +0300
To: freebsd-pf@FreeBSD.org
Subject: ftp-proxy problem

Hello, all.

We have a heavily loaded server with pf, mostly doing NAT and redirection.

[root@fw]#uname -r
6.1-RELEASE
[root@fw]#pfctl -sr | wc -l
546
[root@fw]#pfctl -ss | wc -l
9452

Traffic is about 8 Mb/s.

/etc/inetd.conf:
ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -u proxy -m 55000 -M 57000 -t 180

/etc/pf.conf:
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

Traffic is about 8 megabit/s.

Everything works OK until we turn on ftp-proxy. After that (and some time), the server suddenly hangs. It just hangs: no kernel trap and a clear console, and it doesn't respond to any key (I don't know how that might be, I never expected it from BSD). Meanwhile, I can see one event relating to that: ftp-proxy. And it's not a hardware issue; we have two identical servers (HP DL 380, AFAIR) working in CARP, and both hang.

Last messages:

Dec 7 15:14:42 fw inetd[640]: ftp-proxy from 10.10.1.70 exceeded counts/min (limit 60/min)
Dec 7 15:14:44 fw inetd[640]: ftp-proxy from 10.10.1.70 exceeded counts/min (limit 60/min)
Dec 7 15:14:45 fw ftp-proxy[64195]: xfer_data (server to client): failed (Connection reset by peer) with flags 00
Dec 7 15:14:55 fw ftp-proxy[64196]: xfer_data (server to client): failed (Connection reset by peer) with flags 00
Dec 7 15:32:31 fw syslogd: kernel boot file is /boot/kernel/kernel

Are there any known issues with ftp-proxy+pf? What should we do?