From owner-freebsd-stable@FreeBSD.ORG Sun Jul 26 03:22:42 2009
Date: Sun, 26 Jul 2009 13:22:38 +1000
From: Emil Mikulic
To: Mike Edenfield
Cc: freebsd-stable@freebsd.org
Subject: Re: Torrent clients bring pf-based firewall to its knees...?
Message-ID: <20090726032238.GA33220@dmr.ath.cx>
In-Reply-To: <4A6A1FEB.9030001@kutulu.org>
References: <4A6A1FEB.9030001@kutulu.org>
User-Agent: Mutt/1.5.19 (2009-01-05)

On Fri, Jul 24, 2009 at 04:56:11PM -0400, Mike Edenfield wrote:
> However, after a short period of torrent activity, the machine running
> the firewall becomes extremely slow and lagged for all network traffic,
> but appears to be operating fine locally. Remote connections via ssh
> become extremely unresponsive, and eventually connections start timing
> out, but when logged in at the console, there doesn't appear to be any
> problem.

This sounds exactly like a problem I had with a server running out of
space in the state table.

> I've tried shutting down the torrent client, clearing out the state and
> nat rules with pfctl, adding drop rules to reject the torrent traffic,
> and even bringing the network adapter down completely, but only a
> physical reboot (combined with not running the client ever again) seems
> to solve anything.

States and rules are separate in pf. Did you clear out the *states* or
just the rules?

Check how many states are currently allocated using "pfctl -s info"
(or install pftop, it's awesome).

If you are indeed running out of states, add to pf.conf something like:

    set limit states 60000

The default is 10000.

--Emil
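The check Emil suggests, turned into a small monitoring script, as an added example that is not part of the original mail. It parses the "current entries" line of `pfctl -s info` and the "states hard limit" line of `pfctl -s memory`, computes how full the state table is, and warns past a threshold, so state exhaustion is caught before ssh starts timing out. The two sample outputs embedded below are constructed to mimic the format of those commands (the numbers are made up, not from the thread); on a live firewall the functions take the real command output instead.

```shell
#!/bin/sh
# Added example: report pf state-table utilisation from pfctl output.
# SAMPLE_INFO / SAMPLE_MEMORY are constructed stand-ins for the output of
# "pfctl -s info" and "pfctl -s memory" so the script runs offline.

SAMPLE_INFO='Status: Enabled for 3 days 04:12:55           Debug: Urgent

State Table                          Total             Rate
  current entries                     9412
  searches                        84123991          316.3/s
  inserts                          1203345            4.5/s
  removals                         1193933            4.5/s'

SAMPLE_MEMORY='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000'

# pf_current_states INFO_TEXT -> number of currently allocated states
pf_current_states() {
    printf '%s\n' "$1" | awk '/current entries/ { print $3; exit }'
}

# pf_state_limit MEMORY_TEXT -> configured hard limit for states
# (this is what "set limit states N" in pf.conf changes; default 10000)
pf_state_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" && $2 == "hard" { print $4; exit }'
}

# pf_state_usage_pct INFO_TEXT MEMORY_TEXT -> integer percent of the limit in use
pf_state_usage_pct() {
    cur=$(pf_current_states "$1")
    lim=$(pf_state_limit "$2")
    # Fail (return 1) rather than print garbage if either number is missing
    [ -n "$cur" ] && [ -n "$lim" ] && [ "$lim" -gt 0 ] || return 1
    echo $(( cur * 100 / lim ))
}

# pf_state_check INFO_TEXT MEMORY_TEXT THRESHOLD -> prints a status line;
# exit 0 when below threshold, 2 when at/above it, 3 when output is unparseable
pf_state_check() {
    pct=$(pf_state_usage_pct "$1" "$2") || {
        echo "UNKNOWN: could not parse pfctl output"
        return 3
    }
    if [ "$pct" -ge "$3" ]; then
        echo "WARN: pf state table ${pct}% full"
        return 2
    fi
    echo "OK: pf state table ${pct}% full"
    return 0
}

# Live use, as root on the firewall:
#   pf_state_check "$(pfctl -s info)" "$(pfctl -s memory)" 80
pf_state_check "$SAMPLE_INFO" "$SAMPLE_MEMORY" 80 || true
```

Run from cron or a monitoring agent, a WARN here is the signal to raise `set limit states` (or to look at what is opening so many states) before the box becomes unreachable; the exit codes follow the usual 0/2/3 convention so the script drops into most check frameworks unchanged.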