From: "Gilberto Villani Brito"
To: "FreeBSD (PF)"
Date: Thu, 28 Jun 2007 10:21:51 -0300
Subject: Logs.
Message-ID: <6e6841490706280621l1ffb48edw437b97fb54b85368@mail.gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi,

I have a firewall using PF, passing more than 20 Mbps, but with more than
1500 IPs doing NAT. In my logs I can find:

....
Jun 28 07:00:09 teste2 pf: BAD state: TCP 190.84.94.146:3954 190.84.94.146:3954 200.250.23.90:59791 [lo=907875297 high=907940832 win=65535 modulator=0] [lo=600059029 high=600124564 win=65535 modulator=0] 10:10 SA seq=600733653 ack=907875297 len=0 ackskew=0 pkts=4:2 dir=in,rev
Jun 28 07:00:09 teste2 pf: State failure on: 1 | 5
Jun 28 07:00:12 teste2 pf: BAD state: TCP 61.228.148.232:21588 61.228.148.232:21588 10.52.15.2:3859 [lo=2649072363 high=2649072365 win=64240 modulator=0] [lo=0 high=1 win=1 modulator=0] 2:0 S seq=3741585167 ack=0 len=0 ackskew=0 pkts=1:0 dir=in,fwd
Jun 28 07:00:12 teste2 pf: State failure on: 1 | 5
Jun 28 07:00:12 teste2 pf: BAD state: TCP 190.84.94.146:3954 190.84.94.146:3954 200.250.23.90:59791 [lo=907875297 high=907940832 win=65535 modulator=0] [lo=600059029 high=600124564 win=65535 modulator=0] 10:10 SA seq=600733653 ack=907875297 len=0 ackskew=0 pkts=4:2 dir=in,rev
Jun 28 07:00:12 teste2 pf: State failure on: 1 | 5
....

And my options in PF:

set debug misc
set timeout { interval 10, frag 30, src.track 0 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 1000000, src-nodes 1000000, frags 50000 }
set loginterface em0
set optimization conservative
set block-policy drop
set require-order yes
set state-policy floating

Sometimes it breaks all connections for a few minutes. I couldn't find any
solution to this on the internet. Maybe it can be something in sysctl on my
BSD, but which line?

Does somebody know what I can do?

-- 
Gilberto Villani Brito
System Administrator
Londrina - PR
Brazil
gilbertovb(a)gmail.com
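A parser for the pf debug lines quoted in this message, added here as an example; it is not code from the list or from pf itself. It assumes the field order pf_print_state uses (lan, gwy, ext, then the source and destination sequence windows) and pairs each "BAD state" line with the "State failure on" line that follows it, so repeated failures per state tuple can be counted before deciding which connections to capture on both interfaces. The sample log is constructed from the lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the lines quoted above (pf emits them under "set debug misc").
SAMPLE_LOG = """\
Jun 28 07:00:09 teste2 pf: BAD state: TCP 190.84.94.146:3954 190.84.94.146:3954 200.250.23.90:59791 [lo=907875297 high=907940832 win=65535 modulator=0] [lo=600059029 high=600124564 win=65535 modulator=0] 10:10 SA seq=600733653 ack=907875297 len=0 ackskew=0 pkts=4:2 dir=in,rev
Jun 28 07:00:09 teste2 pf: State failure on: 1 | 5
Jun 28 07:00:12 teste2 pf: BAD state: TCP 61.228.148.232:21588 61.228.148.232:21588 10.52.15.2:3859 [lo=2649072363 high=2649072365 win=64240 modulator=0] [lo=0 high=1 win=1 modulator=0] 2:0 S seq=3741585167 ack=0 len=0 ackskew=0 pkts=1:0 dir=in,fwd
Jun 28 07:00:12 teste2 pf: State failure on: 1 | 5
Jun 28 07:00:12 teste2 pf: BAD state: TCP 190.84.94.146:3954 190.84.94.146:3954 200.250.23.90:59791 [lo=907875297 high=907940832 win=65535 modulator=0] [lo=600059029 high=600124564 win=65535 modulator=0] 10:10 SA seq=600733653 ack=907875297 len=0 ackskew=0 pkts=4:2 dir=in,rev
Jun 28 07:00:12 teste2 pf: State failure on: 1 | 5
"""

# One "[lo= high= win= modulator=]" block per side of the state; pf prints wscale only when it is set.
WINDOW = r"\[lo=(?P<{p}_lo>\d+) high=(?P<{p}_hi>\d+) win=(?P<{p}_win>\d+) modulator=\d+(?: wscale=\d+)?\]"
BAD_STATE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ pf: BAD state: (?P<proto>\w+) "
    r"(?P<lan>\S+) (?P<gwy>\S+) (?P<ext>\S+) " + WINDOW.format(p="src") + " " + WINDOW.format(p="dst") +
    r" (?P<sstate>\d+):(?P<dstate>\d+) (?P<flags>[A-Z]*) ?seq=(?P<seq>\d+) ack=(?P<ack>\d+)"
    r" len=(?P<len>\d+) ackskew=(?P<ackskew>-?\d+) pkts=(?P<pin>\d+):(?P<pout>\d+) dir=(?P<dir>\w+),(?P<way>\w+)$")
FAILURE_RE = re.compile(r"pf: State failure on: (?P<codes>[\d |]*)$")


def parse_pf_debug_log(text):
    """Pair each 'BAD state' line with the 'State failure on' line that follows it."""
    records, pending = [], None
    for line in text.splitlines():
        m = BAD_STATE_RE.match(line)
        if m:
            rec = {k: int(v) if v.lstrip("-").isdigit() else v for k, v in m.groupdict().items()}
            rec["translated"] = rec["lan"] != rec["gwy"]  # NAT rewrote this side of the state
            rec["failures"] = set()
            records.append(rec)
            pending = rec
            continue
        m = FAILURE_RE.search(line)
        if m and pending is not None:  # the digits name the window checks that rejected the packet
            pending["failures"] = {int(c) for c in m.group("codes") if c.isdigit()}
            pending = None
    return records


def summarize(records):
    """Aggregate per state tuple: a tuple that keeps failing is the one to capture traffic for."""
    summary = defaultdict(lambda: {"count": 0, "failures": set(), "translated": False})
    for r in records:
        s = summary[(r["proto"], r["lan"], r["gwy"], r["ext"])]
        s["count"] += 1
        s["failures"] |= r["failures"]
        s["translated"] = r["translated"]
    return dict(summary)
```

Feed `summarize(parse_pf_debug_log(open("/var/log/messages").read()))` to see which tuples recur; in the sample the 190.84.94.146:3954 state fails twice with codes 1 and 5.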