From owner-freebsd-pf@FreeBSD.ORG Thu Oct 5 16:20:54 2006
Date: Thu, 5 Oct 2006 18:20:21 +0200
From: Daniel Hartmeier
To: Adam McDougall
Cc: freebsd-pf@freebsd.org
Subject: Re: pf: BAD state happens often with portsnap fetch update
Message-ID: <20061005162021.GD21693@insomnia.benzedrine.cx>
In-Reply-To: <20061005160827.GB46920@egr.msu.edu>

On Thu, Oct 05, 2006 at 12:08:27PM -0400, Adam McDougall wrote:

> (44.18 is the squid server (trident), 37.163 is the system running portsnap (ice))
>
> Oct 5 11:22:03 jolly-fw1 kernel: pf: BAD state: TCP 35.9.44.18:3128 35.9.44.18:3128 35.9.37.163:55357 [lo=646710754 high=646777361 win=33304 modulator=0 wscale=1] [lo=4033525074 high=4033590770 win=33304 modulator=0 wscale=1] 9:9 S seq=650709460 ack=4033525074 len=0 ackskew=0 pkts=5:4 dir=in,fwd
> Oct 5 11:22:03 jolly-fw1 kernel: pf: State failure on: 1 | 5

The client (37.163) is running out of random high source ports, and starts re-using ports from previous connections, violating 2MSL.

pf keeps states of closed connections around for a while (default is 90s), so late packets related to the old connection can be associated with the state. Creating a second, concurrent state entry for the same source/destination address:port quadruple is not possible.

You can

a) lower pf's tcp.closed timeout, so states of closed connections get purged sooner.

b) give the client more random high ports (sysctl net.inet.ip.portrange.*) or add aliases, if the client can make use of them concurrently.

c) reduce the connection establishment rate of the client. If portsnap needs one connection for every single file, that's a poor protocol, if you expect a single client to fetch thousands of files in a few seconds.

Daniel
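As an added example (not part of the thread), a small Python parser for the "pf: BAD state" line quoted above that picks out the events matching Daniel's diagnosis (a bare SYN arriving while both ends of the old state are already in pf's tcp.closed phase), plus a helper that turns options a) and b) into a number: port pool size divided by the tcp.closed timeout gives the connection rate one client can sustain to one server endpoint without reusing a port early. The extra log lines and the port range values are constructed/illustrative; the state numbering is the TCPS_* enumeration from FreeBSD's netinet/tcp_fsm.h, and treating the third addr:port field as the client follows the annotation in the thread.

```python
import re
from collections import defaultdict

# TCP state numbers as pf logs them (TCPS_* from netinet/tcp_fsm.h).
TCPS = {0: "CLOSED", 1: "LISTEN", 2: "SYN_SENT", 3: "SYN_RECEIVED", 4: "ESTABLISHED",
        5: "CLOSE_WAIT", 6: "FIN_WAIT_1", 7: "CLOSING", 8: "LAST_ACK",
        9: "FIN_WAIT_2", 10: "TIME_WAIT"}
CLOSED_PHASE = {"FIN_WAIT_2", "TIME_WAIT"}  # pf applies tcp.closed once both ends are here

# Three addr:port fields, two [seq-tracking] blocks, then "src:dst" states and TCP flags.
BAD_STATE = re.compile(r"pf: BAD state: TCP ([^\s:]+):(\d+) ([^\s:]+):(\d+) ([^\s:]+):(\d+) "
                       r".*?(\d+):(\d+) (\S+) seq=")

# Constructed sample: the line quoted in the thread plus three made-up follow-ups.
SAMPLE_LOG = """\
Oct 5 11:22:03 jolly-fw1 kernel: pf: BAD state: TCP 35.9.44.18:3128 35.9.44.18:3128 35.9.37.163:55357 [lo=646710754 high=646777361 win=33304 modulator=0 wscale=1] [lo=4033525074 high=4033590770 win=33304 modulator=0 wscale=1] 9:9 S seq=650709460 ack=4033525074 len=0 ackskew=0 pkts=5:4 dir=in,fwd
Oct 5 11:22:03 jolly-fw1 kernel: pf: State failure on: 1 | 5
Oct 5 11:22:04 jolly-fw1 kernel: pf: BAD state: TCP 35.9.44.18:3128 35.9.44.18:3128 35.9.37.163:55357 [lo=646710754 high=646777361 win=33304 modulator=0 wscale=1] [lo=4033525074 high=4033590770 win=33304 modulator=0 wscale=1] 9:9 S seq=650709461 ack=0 len=0 ackskew=0 pkts=5:4 dir=in,fwd
Oct 5 11:22:05 jolly-fw1 kernel: pf: BAD state: TCP 35.9.44.18:3128 35.9.44.18:3128 35.9.37.163:55412 [lo=1 high=65536 win=33304 modulator=0 wscale=1] [lo=1 high=65536 win=33304 modulator=0 wscale=1] 9:9 S seq=2 ack=0 len=0 ackskew=0 pkts=5:4 dir=in,fwd
Oct 5 11:22:06 jolly-fw1 kernel: pf: BAD state: TCP 35.9.44.18:3128 35.9.44.18:3128 35.9.37.163:55413 [lo=1 high=65536 win=33304 modulator=0 wscale=1] [lo=1 high=65536 win=33304 modulator=0 wscale=1] 4:4 A seq=3 ack=1 len=0 ackskew=0 pkts=5:4 dir=in,fwd
"""

def parse_bad_state(line):
    """Return endpoints, state pair and flags of one 'pf: BAD state' line, else None.
    Assumption: the first two fields are the server side (equal here, no NAT) and
    the third is the client, as annotated in the thread."""
    m = BAD_STATE.search(line)
    if not m:
        return None
    return {"server": f"{m[1]}:{m[2]}", "client": f"{m[5]}:{m[6]}",
            "src_state": TCPS.get(int(m[7]), m[7]), "dst_state": TCPS.get(int(m[8]), m[8]),
            "flags": m[9]}

def port_reuse_hits(log):
    """Count the pattern described in the reply: a bare SYN hitting a state whose
    both ends are already in pf's tcp.closed phase, i.e. the client reused a
    source port before the old state was purged. Other BAD-state causes are skipped."""
    hits = defaultdict(int)
    for line in log.splitlines():
        ev = parse_bad_state(line)
        if ev and ev["flags"] == "S" and {ev["src_state"], ev["dst_state"]} <= CLOSED_PHASE:
            hits[(ev["client"], ev["server"])] += 1
    return dict(hits)

def max_connection_rate(hifirst, hilast, tcp_closed):
    """Connections/s to one server endpoint that keep every source port idle for at
    least tcp_closed seconds (net.inet.ip.portrange.hifirst/hilast pool, pf timeout)."""
    return (hilast - hifirst + 1) / tcp_closed
```

With the illustrative pool 49152-65535 and the default 90s tcp.closed timeout, a single client can open roughly 182 connections per second to one server port before it must reuse a port that pf still holds a closed state for.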