Date:      Sun, 26 Jul 2009 13:22:38 +1000
From:      Emil Mikulic <emikulic@gmail.com>
To:        Mike Edenfield <kutulu@kutulu.org>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: Torrent clients bring pf-based firewall to its knees...?
Message-ID:  <20090726032238.GA33220@dmr.ath.cx>
In-Reply-To: <4A6A1FEB.9030001@kutulu.org>
References:  <4A6A1FEB.9030001@kutulu.org>

On Fri, Jul 24, 2009 at 04:56:11PM -0400, Mike Edenfield wrote:
> However, after a short period of torrent activity, the machine running  
> the firewall becomes extremely slow and lagged for all network traffic,  
> but appears to be operating fine locally.  Remote connections via ssh  
> become extremely unresponsive, and eventually connections start timing  
> out, but when logged in at the console, there doesn't appear to be any  
> problem.

This sounds exactly like a problem I had with a server running out of
space in the state table.

> I've tried shutting down the torrent client, clearing out the state and  
> nat rules with pfctl, adding drop rules to reject the torrent traffic,  
> and even bringing the network adapter down completely, but only a  
> physical reboot (combined with not running the client ever again) seems  
> to solve anything.

States and rules are separate in pf.  Did you clear out the *states* or
just the rules?  Check how many states are currently allocated
using "pfctl -s info" (or install pftop, it's awesome).

If you are indeed running out of states, add to pf.conf something like:
	set limit states 60000

The default is 10000.

--Emil
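Added here as a worked example (it is not part of Emil's reply or of pf itself): a POSIX sh check that reads the "current entries" figure from "pfctl -s info" and the states hard limit from "pfctl -s memory", then warns when the table is close to the limit that the message above says defaults to 10000. The embedded outputs are constructed samples in the FreeBSD pfctl format; the threshold, variable and function names are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original e-mail. On a live firewall replace the
# constructed samples with "$(pfctl -s info)" and "$(pfctl -s memory)".

# Constructed sample of "pfctl -s info" output (hypothetical numbers).
SAMPLE_PF_INFO="Status: Enabled for 3 days 02:11:54          Debug: Urgent

State Table                          Total             Rate
  current entries                     9873
  searches                       123456789         471.2/s
  inserts                          3456789          13.2/s
  removals                         3446916          13.2/s"

# Constructed sample of "pfctl -s memory" output (the configured hard limits).
SAMPLE_PF_MEMORY="states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000"

# Number of allocated states, read from "pfctl -s info" output on stdin.
pf_current_states() {
    awk '/current entries/ { print $3; exit }'
}

# Configured "set limit states" value, read from "pfctl -s memory" output on stdin.
pf_state_limit() {
    awk '$1 == "states" && $2 == "hard" { print $4; exit }'
}

# Percentage of the state table in use (integer arithmetic). $1 = current, $2 = limit
pf_state_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Returns 0 and prints a warning when usage is at or above the threshold percent,
# returns 1 otherwise. $1 = current, $2 = limit, $3 = threshold percent
pf_state_table_near_full() {
    pct=$(pf_state_usage_pct "$1" "$2")
    if [ "$pct" -ge "$3" ]; then
        echo "WARNING: pf state table at ${pct}% ($1/$2); raise 'set limit states' in pf.conf" >&2
        return 0
    fi
    return 1
}

cur=$(printf '%s\n' "$SAMPLE_PF_INFO" | pf_current_states)
lim=$(printf '%s\n' "$SAMPLE_PF_MEMORY" | pf_state_limit)
pf_state_table_near_full "$cur" "$lim" 90 || echo "pf state table OK: $cur/$lim"
```

Run it from cron or a monitoring agent so that state exhaustion is reported before ssh becomes unresponsive.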
