From owner-freebsd-pf@FreeBSD.ORG Tue Jan 27 07:49:41 2015
Message-ID: <54C74303.1070601@ish.com.au>
Date: Tue, 27 Jan 2015 18:49:23 +1100
From: Aristedes Maniatis
To: Dimitry Andric
Cc: freebsd-pf@freebsd.org
Subject: Re: meaning of State-mismatch
References: <54C72F63.8040908@ish.com.au>

On 27/01/2015 6:46pm, Dimitry Andric wrote:
> On 27 Jan 2015, at 07:25, Aristedes Maniatis wrote:
>>
>> I have been unable to find much documentation about the counter called "state-mismatch". I notice it going up on my firewall (FreeBSD 10.1) but only at a slow rate (maybe at around 1 per minute).
>>
>> What is the significance of this value? Is it indicative of dropped states (and I should be increasing the state timeout)?
>
> It's not really documented in our pfctl(8) manpage, but the OpenBSD version does
> mention it:
>
>   state-mismatch
>       packet was associated with a state entry, but sequence numbers did not
>       match
>
> So maybe something is dropping packets, making holes in the sequence numbers? Or
> maybe somebody is trying something sneaky? :)
>
> -Dimitry

Ah, thanks for that. Maybe you could add that doc to the FreeBSD man page.

Could it simply be a packet loss issue where a packet is lost and the next packet arrives out of order?

Ari

-- 
-------------------------->
Aristedes Maniatis
ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001   fax +61 2 9550 4001
GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A
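
Added example, not part of the original message or of pf: one way to turn the "around 1 per minute" observation into a measured rate is to diff two `pfctl -si` snapshots and relate the state-mismatch increase to the number of state searches in the same interval. The snapshot text and its values are constructed, the function names are hypothetical, and normalising by searches is an assumption of this example.

```shell
#!/bin/sh
# Constructed sample: excerpts of two `pfctl -si` outputs taken 600 s apart.
SNAP_T0='State Table                          Total             Rate
  current entries                      212
  searches                          500000          120.0/s
Counters
  match                               9000            2.1/s
  state-mismatch                        40            0.0/s'
SNAP_T1='State Table                          Total             Rate
  current entries                      230
  searches                          572000          120.0/s
Counters
  match                               9400            2.1/s
  state-mismatch                        50            0.0/s'

# pf_counter NAME: read `pfctl -si` text on stdin and print the Total column
# of the single-word row NAME; exit status 1 if the row is absent.
pf_counter() {
    awk -v name="$1" '$1 == name { print $2; found = 1; exit }
                      END { if (!found) exit 1 }'
}

# mismatch_rate OLD NEW SECONDS: print the state-mismatch increase per minute
# and per million state searches between two snapshots taken SECONDS apart.
mismatch_rate() {
    m0=$(printf '%s\n' "$1" | pf_counter state-mismatch) || return 1
    m1=$(printf '%s\n' "$2" | pf_counter state-mismatch) || return 1
    s0=$(printf '%s\n' "$1" | pf_counter searches) || return 1
    s1=$(printf '%s\n' "$2" | pf_counter searches) || return 1
    awk -v m0="$m0" -v m1="$m1" -v s0="$s0" -v s1="$s1" -v dt="$3" 'BEGIN {
        dm = m1 - m0; ds = s1 - s0
        # A negative delta means the counters were cleared or pf was restarted.
        if (dm < 0 || ds <= 0 || dt <= 0) {
            print "counters reset or bad interval"; exit 1
        }
        printf "%.2f/min %.1f/Msearch\n", dm * 60 / dt, dm * 1e6 / ds
    }'
}

# On a live firewall (as root):
#   old=$(pfctl -si); sleep 600; new=$(pfctl -si); mismatch_rate "$old" "$new" 600
mismatch_rate "$SNAP_T0" "$SNAP_T1" 600
```

A steady low figure that tracks traffic volume and a sudden jump look very different in this output, which is the distinction the thread is asking about.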