Date: Sun, 26 Jul 2009 13:22:38 +1000
From: Emil Mikulic <emikulic@gmail.com>
To: Mike Edenfield <kutulu@kutulu.org>
Cc: freebsd-stable@freebsd.org
Subject: Re: Torrent clients bring pf-based firewall to its knees...?
Message-ID: <20090726032238.GA33220@dmr.ath.cx>
In-Reply-To: <4A6A1FEB.9030001@kutulu.org>
References: <4A6A1FEB.9030001@kutulu.org>
On Fri, Jul 24, 2009 at 04:56:11PM -0400, Mike Edenfield wrote:
> However, after a short period of torrent activity, the machine running
> the firewall becomes extremely slow and lagged for all network traffic,
> but appears to be operating fine locally. Remote connections via ssh
> become extremely unresponsive, and eventually connections start timing
> out, but when logged in at the console, there doesn't appear to be any
> problem.

This sounds exactly like a problem I had with a server running out of
space in the state table.

> I've tried shutting down the torrent client, clearing out the state and
> nat rules with pfctl, adding drop rules to reject the torrent traffic,
> and even bringing the network adapter down completely, but only a
> physical reboot (combined with not running the client ever again) seems
> to solve anything.

States and rules are separate in pf. Did you clear out the *states* or
just the rules?

Check how many states are currently allocated using "pfctl -s info"
(or install pftop, it's awesome)

If you are indeed running out of states, add to pf.conf something like:

set limit states 60000

The default is 10000.

--Emil
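The check Emil describes, turned into a small monitoring script (an added example, not part of the original thread): it reads the "current entries" line from "pfctl -s info" and the "states hard limit" line from "pfctl -s memory" and reports how close the state table is to its limit. The two outputs embedded below are constructed samples in the assumed pfctl layout so the script runs offline; on a firewall, feed it the live command output instead.

```shell
#!/bin/sh
# Added example: pf state-table headroom check.
# The sample outputs are constructed; replace them with
#   INFO=$(pfctl -s info); MEM=$(pfctl -s memory)
# on a real pf host.

# Constructed sample of "pfctl -s info" (only the relevant lines)
SAMPLE_INFO='Status: Enabled for 3 days 04:11:52           Debug: Urgent

State Table                          Total             Rate
  current entries                     9850
  searches                        48213990          176.2/s
  inserts                           923812            3.4/s
  removals                          913962            3.3/s'

# Constructed sample of "pfctl -s memory" (the default 10000 limit)
SAMPLE_MEMORY='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000'

# current_states INFO_TEXT -> prints the "current entries" count
current_states() {
    printf '%s\n' "$1" | awk '/current entries/ { print $3 }'
}

# state_limit MEMORY_TEXT -> prints the hard limit for states
state_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" { print $4 }'
}

# state_usage_pct INFO_TEXT MEMORY_TEXT -> prints integer percent of limit in use
state_usage_pct() {
    cur=$(current_states "$1")
    lim=$(state_limit "$2")
    echo $(( cur * 100 / lim ))
}

# state_table_ok INFO_TEXT MEMORY_TEXT THRESHOLD_PCT
# exit status 0 when usage is below the threshold, 1 when at or above it
state_table_ok() {
    pct=$(state_usage_pct "$1" "$2")
    [ "$pct" -lt "$3" ]
}

if state_table_ok "$SAMPLE_INFO" "$SAMPLE_MEMORY" 80; then
    echo "pf states: $(state_usage_pct "$SAMPLE_INFO" "$SAMPLE_MEMORY")% of limit, OK"
else
    echo "pf states: $(state_usage_pct "$SAMPLE_INFO" "$SAMPLE_MEMORY")% of limit, raise 'set limit states' in pf.conf"
fi
```

With the sample data the table is at 98% of the default 10000 limit, which is the condition that produces the symptoms described in the thread (new connections cannot get a state entry while existing local sessions keep working).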