From: TYBERGHIEN Eric TRANSPAC <eric.tyberghien@francetelecom.com>
To: freebsd-pf@freebsd.org
Date: Mon, 2 Jan 2006 17:18:30 +0100
Subject: PF/FreeBSD 6 and FIN_WAIT2 TCP exhaustion
List: freebsd-pf (Technical discussion and general questions about packet filter (pf))
Hi, and happy new year.

I have some problems with FreeBSD 6 and PF. This is my test config:

    set limit ( states 600000, frags 5000 )
    pass quick on { $internal_if $external_if } proto tcp keep state
    pass quick on { $internal_if $external_if } proto udp keep state
    nat on $ext_if from $internal_net to $external_net -> $external_nat

UDP performance is excellent (more than 500 000 contexts without packet loss).

In TCP, a simple test with ab (Apache Bench) failed very quickly:
- losing between 2 and 3 sessions/1000 (serial number mode)

After analysing tcpdump traces, it seems that the problem is the non-releasing of TCP contexts after the end of the TCP session. These contexts remained in PF for 90 secs after the end of the TCP session, in the FIN_WAIT2 state.

Can you help me solve this feature? Is it a bug, a DoS auto-protection mechanism, or a misunderstanding of the PF features?

Best regards,
Eric Tyberghien
FT/TPC/DO/DIT/Sécurité
Tel : 02 23 28 31 00
Port : 06 82 81 51 85
Fax : 02 23 28 45 81
Email : eric.tyberghien@francetelecom.com
***************************************************************************
This message and any attachments (the "message") are confidential and intended solely for the addressees. Any unauthorised use or dissemination is prohibited. Messages are susceptible to alteration. France Telecom Group shall not be liable for the message if altered, changed or falsified. If you are not receiver of this message, please cancel it immediately and inform the sender.
***************************************************************************
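The mail describes closed TCP sessions lingering in the state table and eventually starving new connections. The pf.conf fragment below is an added example, not part of the original mail and not a reply from the list: it shows the posted rules next to the two pf options that control how long closing and closed TCP states are retained, so a reader can see what a state-exhaustion mitigation looks like in pf syntax. The interface and network values are placeholders; the external interface macro is written as $external_if throughout (the original mixes $ext_if and $external_if), and the timeout numbers are illustrative, to be compared with what "pfctl -s timeouts" prints on the host before changing anything.

```pf
# Added example (not from the original mail): pf.conf fragment showing the
# timeout knobs relevant to a build-up of closing TCP states.
# Macro values are placeholders.
internal_if  = "em0"          # placeholder
external_if  = "em1"          # placeholder; used consistently below
internal_net = "10.0.0.0/8"   # placeholder
external_net = "any"          # placeholder
external_nat = "192.0.2.1"    # placeholder (documentation address)

# As posted: a large state table, but default timeouts, so a finished
# session still occupies a state entry until tcp.finwait / tcp.closed
# expire. Check the defaults in effect with: pfctl -s timeouts
set limit { states 600000, frags 5000 }

# Option 1: shorten the post-close retention explicitly (seconds).
# Too short a tcp.finwait can drop a peer's late FIN on a legitimate
# half-closed connection, so lower it in steps and re-run the load test.
set timeout { tcp.finwait 30, tcp.closed 30 }

# Option 2: adaptive timeouts. Once the table holds more than
# adaptive.start entries, every timeout is scaled down linearly; at
# adaptive.end entries all timeouts reach zero, so stale closing states
# are purged first under pressure instead of blocking new sessions.
set timeout { adaptive.start 360000, adaptive.end 600000 }

# pf.conf ordering: options, then translation (nat), then filter rules.
nat on $external_if from $internal_net to $external_net -> $external_nat

# flags S/SA creates state only on the initial SYN, so stray packets of
# already-closed sessions do not spawn fresh state entries.
pass quick on { $internal_if $external_if } proto tcp flags S/SA keep state
pass quick on { $internal_if $external_if } proto udp keep state
```

To confirm which mechanism is holding entries, watch "pfctl -s info" for the current state count during the ab run and "pfctl -ss | grep -c FIN_WAIT_2" for the share of states sitting in the half-closed stage; if that share tracks the loss the mail reports, the retention timeouts, not the state limit itself, are the knob to adjust.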