Date: Thu, 8 Jun 2006 06:43:20 +0200
From: Daniel Hartmeier <daniel@benzedrine.cx>
To: Mark Morley <mark@islandnet.com>
Cc: freebsd-stable@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: pf buggy on 6.1-STABLE?
Message-ID: <20060608044320.GC23685@insomnia.benzedrine.cx>
In-Reply-To: <44876071-491e@helpdesk.islandnet.com>
References: <44876071-491e@helpdesk.islandnet.com>
On Wed, Jun 07, 2006 at 04:25:37PM -0700, Mark Morley wrote:

> Disabling pf with pfctl -d allows 100% of all connections to work, and
> as soon as we enable it we see connection failures again.
>
> I've tried changing the pf rule set in different ways, with and without
> scrubbing, with and without queues, even to the point where I have a single
> rule that just allows everything. It doesn't seem to matter what the rules
> actually are, just whether or not pf is enabled.

Was that single pass rule using 'keep state'?

There is a default limit of 10,000 state entries (configurable with 'set limit states' in pf.conf). A state entry persists for several seconds even after a connection is closed, so quickly establishing 10,000 connections could easily hit that limit.

Enable pf and load an empty ruleset (pfctl -e -Fa). Note the output of pfctl -si. Then repeat the test. Then run pfctl -si again, and compare the output with the previous one. Are any counters increasing?

Daniel
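The comparison Daniel asks for, as an added example that is not part of the original thread: a POSIX shell script that takes the two pfctl -si snapshots (before and after the connection test), lists every counter that increased, and flags the state-table-full signature. The two snapshots embedded below are constructed sample output in the pfctl -si layout of that era, not captures from Mark's machine, and the counter names the check looks for (state-limit, memory) are assumed for the pf version in FreeBSD 6.x; confirm them against the labels your own pfctl prints. On a live box the snapshots would come from `pfctl -e -Fa; pfctl -si > before; <run the test>; pfctl -si > after`.

```shell
#!/bin/sh
# Added example (not from the original thread): diff two pfctl -si snapshots
# and report which counters moved. Snapshots below are constructed samples.

pf_counter_diff() {
    # $1 = snapshot file taken before the test, $2 = snapshot taken after.
    # Each indented "  name ... total rate/s" line is parsed by taking the
    # words up to the first all-digit field as the counter name and that
    # field as the total. Prints "name delta" for every counter that rose.
    awk '
        /^  / {
            name = ""; val = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^[0-9]+$/) { val = $i; break }
                name = name (name == "" ? "" : " ") $i
            }
            if (val == "") next
            if (FNR == NR) before[name] = val + 0
            else if ((name in before) && val + 0 > before[name])
                printf "%s %d\n", name, val - before[name]
        }' "$1" "$2"
}

pf_state_limit_hit() {
    # True (exit 0) when pf started refusing new state entries between the
    # two snapshots: the state-limit counter rose, or memory did (pool
    # exhaustion). Counter names are an assumption for pf in FreeBSD 6.x.
    pf_counter_diff "$1" "$2" |
        awk '$1 == "state-limit" || $1 == "memory" { hit = 1 }
             END { exit (hit ? 0 : 1) }'
}

PF_BEFORE="${TMPDIR:-/tmp}/pfsi_before.$$"
PF_AFTER="${TMPDIR:-/tmp}/pfsi_after.$$"
trap 'rm -f "$PF_BEFORE" "$PF_AFTER"' EXIT

# Constructed snapshot: pf just enabled with an empty ruleset (pfctl -e -Fa).
cat > "$PF_BEFORE" <<'EOF'
Status: Enabled for 0 days 00:00:05            Debug: Urgent

State Table                          Total             Rate
  current entries                       13               
  searches                             211            42.2/s
  inserts                               13             2.6/s
  removals                               0             0.0/s
Counters
  match                                 13             2.6/s
  bad-offset                             0             0.0/s
  fragment                               0             0.0/s
  short                                  0             0.0/s
  normalize                              0             0.0/s
  memory                                 0             0.0/s
  state-limit                            0             0.0/s
EOF

# Constructed snapshot: same box after the 10,000-connection test.
cat > "$PF_AFTER" <<'EOF'
Status: Enabled for 0 days 00:00:35            Debug: Urgent

State Table                          Total             Rate
  current entries                    10000               
  searches                           98765          2822.0/s
  inserts                            10000           285.7/s
  removals                               0             0.0/s
Counters
  match                              10000           285.7/s
  bad-offset                             0             0.0/s
  fragment                               0             0.0/s
  short                                  0             0.0/s
  normalize                              0             0.0/s
  memory                                 0             0.0/s
  state-limit                          412            11.8/s
EOF

pf_counter_diff "$PF_BEFORE" "$PF_AFTER"
if pf_state_limit_hit "$PF_BEFORE" "$PF_AFTER"; then
    echo "state-limit/memory rose: state table full, raise 'set limit states' in pf.conf"
fi
```

With the sample snapshots the script reports current entries, searches, inserts, match and state-limit as increasing and prints the state-table-full line; a box that is dropping connections for some other reason would show the state counters climbing without state-limit or memory moving, which is exactly the distinction Daniel's before/after comparison is meant to draw.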
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060608044320.GC23685>