From: "Martin Horcicka"
To: "Kian Mohageri"
Cc: freebsd-pf@freebsd.org
Date: Wed, 19 Dec 2007 10:30:54 +0100
Subject: Re: occasional "Operation not permitted" on state-mismatch

On Dec 18, 2007 8:44 PM, Kian Mohageri wrote:
> My guess is that you're re-using a source port and are mismatching an
> existing state on the source or destination host (or something in
> between) because the state hasn't expired before the new connection
> attempt takes place.

My guess is the same and this problem can usually be worked around by
setting net.inet.ip.portrange.randomized to 0 on the machine where the
connection is originated. It does not fix the bug in FreeBSD's TCP
stack but it helps unless there is a very high outgoing connection rate.

Martin
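
An added illustration of the reasoning in the message above (not code from the thread or from FreeBSD): a toy model comparing how often sequential and randomized source-port selection pick a port whose firewall state has not yet expired, including the high-rate case where the workaround stops helping. The port range, the 90-second state lifetime and all function names are assumptions made for the example.

```python
import random

# Assumed ephemeral port range and firewall state lifetime (not from the thread).
PORT_FIRST, PORT_LAST = 49152, 65535
STATE_LINGER = 90.0  # seconds a closed connection's state is assumed to linger

def sequential_picker():
    """Ports handed out in order, wrapping around (randomization off)."""
    nxt = PORT_FIRST
    def pick():
        nonlocal nxt
        port = nxt
        nxt = PORT_FIRST if nxt == PORT_LAST else nxt + 1
        return port
    return pick

def random_picker(seed=1):
    """Ports drawn uniformly at random (randomization on)."""
    rng = random.Random(seed)
    return lambda: rng.randint(PORT_FIRST, PORT_LAST)

def count_stale_state_hits(pick, n_conns, rate, linger=STATE_LINGER):
    """Count connections whose source port still has a lingering state.

    Model: one client, one destination ip:port, short-lived connections opened
    at `rate` per second, local socket released at once, firewall state kept
    for `linger` seconds. A hit stands for a SYN that would mismatch that state.
    """
    last_ok = {}  # port -> time the last accepted connection used it
    hits = 0
    for i in range(n_conns):
        now = i / rate
        port = pick()
        seen = last_ok.get(port)
        if seen is not None and now - seen < linger:
            hits += 1          # state for this 4-tuple has not expired yet
        else:
            last_ok[port] = now
    return hits

if __name__ == "__main__":
    for rate in (50, 500):
        seq = count_stale_state_hits(sequential_picker(), 40000, rate)
        rnd = count_stale_state_hits(random_picker(), 40000, rate)
        print(f"{rate:>4} conn/s  sequential={seq:>6}  random={rnd:>6}")
```

In this model sequential allocation only collides once rate times state lifetime exceeds the size of the port range, while random allocation collides at any sustained rate.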