From owner-freebsd-pf@FreeBSD.ORG Tue Dec 18 20:09:58 2007
Date: Tue, 18 Dec 2007 11:44:21 -0800
From: "Kian Mohageri"
To: "Silver Salonen"
Cc: freebsd-pf@freebsd.org
Subject: Re: occasional "Operation not permitted" on state-mismatch
In-Reply-To: <200712180934.58755.silver.salonen@gmail.com>
References: <200712180934.58755.silver.salonen@gmail.com>
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

On Dec 17, 2007 11:34 PM, Silver Salonen wrote:
> Hello!
>
> I have some FreeBSD-boxes (2x6.3-PRERELEASE (installed on 08.Dec),
> 1x6.2-RELEASE) with PF configured. They are connected with OpenVPN LAN-to-LAN
> and the problem is that a few times per hour the connection drops between
> computers from one LAN to another. At first I blamed OpenVPN, then I blamed
> bridge, but now I've realized that the problem is in PF.
> So I've tried increasing TCP-timeouts and setting optimization
> to "aggressive", but well, it's still the same.
>
> I monitor connections by sending TCP packets once per second to some other
> host and waiting for a reply. I use Nagios-plugins' check_tcp for that. The script
> looks like:
> =====
> while [ 1 ]; do
>   pfctl -si | grep mismatch
>   /usr/local/libexec/nagios/check_tcp -H $host -p $port -t 2
>   pfctl -si | grep mismatch
>   sleep 1
> done
> =====

My guess is that you're re-using a source port and are mismatching an
existing state on the source or destination host (or something in between)
because the state hasn't expired before the new connection attempt takes
place. Can't be sure though...

-Kian
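As an added example (not code from either poster), the Python below checks Kian's hypothesis offline: it parses constructed `pfctl -si` snapshots taken before and after one probe to see whether the state-mismatch counter moved, and scans a constructed `pfctl -ss` snapshot for a lingering state that still holds the exact source/destination pair the next probe reuses. The counter layout, the state-line format, the addresses and the port are all assumptions.

```python
import re

# Constructed `pfctl -si` counters captured before and after one check_tcp
# probe (layout assumed from pf's "Counters" section).
PFCTL_SI_BEFORE = """\
Counters
  match                               4120            0.0/s
  state-mismatch                         7            0.0/s
  state-insert                           0            0.0/s
"""
# Same snapshot one probe later: the mismatch counter has moved by one.
PFCTL_SI_AFTER = re.sub(r"(state-mismatch\s+)7", r"\g<1>8", PFCTL_SI_BEFORE)

# Constructed `pfctl -ss` snapshot: the previous probe's connection is still
# in the state table when the next probe reuses source port 49152.
PFCTL_SS = """\
all tcp 192.168.1.10:49152 -> 192.168.2.20:5666       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.1.10:49153 -> 192.168.2.20:5666       ESTABLISHED:ESTABLISHED
"""

def counter(si_output, name):
    """Read one named counter (e.g. state-mismatch) from pfctl -si output."""
    m = re.search(r"^\s*" + re.escape(name) + r"\s+(\d+)", si_output, re.M)
    if m is None:
        raise ValueError("counter %s not found" % name)
    return int(m.group(1))

def mismatch_delta(before, after):
    """Packets pf dropped for state mismatch between the two snapshots."""
    return counter(after, "state-mismatch") - counter(before, "state-mismatch")

# iface proto src -> dst state   (direction arrow assumed to be "->")
STATE_LINE = re.compile(r"^\S+\s+(\w+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)", re.M)

def lingering_states(ss_output, src, dst, proto="tcp"):
    """States still holding the exact 4-tuple a new probe is about to reuse."""
    return [state for p, s, d, state in STATE_LINE.findall(ss_output)
            if p == proto and s == src and d == dst]

def diagnose(before, after, ss_output, src, dst):
    """Tie a counter increase to a colliding state, as the reply suggests."""
    delta = mismatch_delta(before, after)
    states = lingering_states(ss_output, src, dst)
    if delta > 0 and states:
        return "port reuse: state-mismatch +%d while %s -> %s held by %s" % (
            delta, src, dst, ", ".join(states))
    if delta > 0:
        return "state-mismatch +%d, no colliding state seen on this host" % delta
    return "no mismatch during probe"
```

On a live box the same functions can be fed the output of `pfctl -si` and `pfctl -ss` captured around each probe, with the probe's source port taken from the check_tcp socket.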