Date: Tue, 29 Jul 2008 14:53:47 +0200
From: Nejc Škoberne <nejc@skoberne.net>
To: Peter Wullinger <peter.wullinger@googlemail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: pf randomly blocks specific packets?
Message-ID: <488F12DB.8090908@skoberne.net>
In-Reply-To: <488EE858.9010708@googlemail.com>
References: <488EE046.4010602@skoberne.net> <488EE858.9010708@googlemail.com>

Hello,

> Note: You can remove "keep state". This is implicit for newer versions of
> pf.

> Note: These keep state, see above. You might want to add "no state" here,
> to decrease state table usage.

But if it is "no state" it means it eats more CPU? Or not?

> From the frequency of the logs, it looks like there is heavy load
> on the server
> (or a high connection latency). If so, this may be a problem of state
> table exhaustion
> or timeouts. pf may drop a "dangling, almost finished" connection before
> the final "FIN"
> packet arrives and thus create such log entries as the final packet gets
> blocked, when the
> corresponding state table entry is not present any more.

Actually the server was just deployed and there shouldn't be much traffic
going through. I checked with pfctl:

    State Table                          Total             Rate
      current entries                       79
      searches                         9652489           16.2/s
      inserts                           486382            0.8/s
      removals                          486303            0.8/s

These seem pretty low, huh?

> To eliminate this possibility, you should monitor the size of your state
> table and possibly increase the limits, if so.
> Or insert some "no state" statements into your ruleset.

So, what would be the next idea to try? For now I did "set skip on
$int_Jails" and it seems to help.

Thanks,
Nejc
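
The state-table check discussed in this exchange can be scripted. The following is an added example, not part of either message: it parses the State Table block as quoted above and compares it with a states limit. The `pfctl -sm` line and its value of 10000 are constructed sample input, and the function names and the 0.8 warning ratio are assumptions.

```python
import re

# Constructed sample: the State Table block quoted in the message.
SAMPLE_INFO = """\
State Table                          Total             Rate
  current entries                       79
  searches                         9652489           16.2/s
  inserts                           486382            0.8/s
  removals                          486303            0.8/s
"""
# Constructed sample of a `pfctl -sm` line; the limit value is an assumption.
SAMPLE_LIMITS = "states        hard limit    10000\n"

ROW = re.compile(
    r"^\s+(current entries|searches|inserts|removals)\s+(\d+)(?:\s+([\d.]+)/s)?\s*$")

def parse_state_table(text):
    """Return {counter: (total, rate or None)} from the State Table block."""
    counters, in_block = {}, False
    for line in text.splitlines():
        if line.startswith("State Table"):
            in_block = True
        elif in_block:
            m = ROW.match(line)
            if not m:          # blank line or next section ends the block
                break
            rate = float(m.group(3)) if m.group(3) else None
            counters[m.group(1)] = (int(m.group(2)), rate)
    return counters

def parse_state_limit(text):
    """Return the states hard limit from `pfctl -sm` style output."""
    m = re.search(r"^states\s+hard limit\s+(\d+)", text, re.MULTILINE)
    if not m:
        raise ValueError("no 'states hard limit' line found")
    return int(m.group(1))

def assess(info_text, limits_text, warn_ratio=0.8):
    """Summarise state table pressure; warn_ratio is an arbitrary threshold."""
    c = parse_state_table(info_text)
    limit = parse_state_limit(limits_text)
    current = c["current entries"][0]
    return {
        "current": current,
        "limit": limit,
        "utilization": current / limit,
        # inserts minus removals: states created but not yet removed
        "net_inserted": c["inserts"][0] - c["removals"][0],
        "near_limit": current / limit >= warn_ratio,
    }

if __name__ == "__main__":
    print(assess(SAMPLE_INFO, SAMPLE_LIMITS))
```
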