From: "Dmitry Andrianov" <dimas@dataart.com>
To: "Mark Morley"
Date: Thu, 8 Jun 2006 11:40:03 +0400
Subject: RE: pf buggy on 6.1-STABLE?
List-Id: Technical discussion and general questions about packet filter (pf)

Hi.

I'm not sure it is related to your case but...

I have seen a situation where an application used for load-testing a web server running on an MS Windows box failed to establish HTTP connections to the server. Investigation identified that this is due to the fact that Windows relatively quickly reuses source TCP port numbers for these outbound connections. I'm not sure if Microsoft violates the TCP standard with that or not.
The fact is that pf keeps "closed" entries in the state table for 90 seconds, and it still remembers the old source port when Windows sends a SYN from it trying to establish a new connection. As a result, pf considers that packet invalid and drops it.

You can check pfctl -s info. In my case the state-mismatch counter was increasing for every failed connection. In any case, the output of that tool can be very useful to you - if you see one of the counters for dropped packets increasing, you will have an idea why.

Regards,
Dmitry Andrianov

PS: my problem was solved by adding the following lines to pf.conf:

  # set short timeout for TCP closed state because Windows tends to reuse
  # the same outgoing port very quickly and pf starts refusing new connections
  # because of invalid state
  # (This occurs when load testing DMZ server from LAN)
  set timeout { tcp.closed 15 }

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Mark Morley
Sent: Thursday, June 08, 2006 3:26 AM
To: freebsd-pf@freebsd.org; freebsd-stable@freebsd.org
Subject: pf buggy on 6.1-STABLE?

Hi folks,

Wondering if this rings any bells for anyone:

After upgrading a handful of web servers from FreeBSD 4.11 with ipfw to 6.1-STABLE with pf, customers started reporting that occasionally their server-side scripts would fail to connect to the SQL servers (which are still 4.11 and are attached via a separate dedicated gigabit network).

A test page that makes 10,000 rapid SQL connections, which connected 100% of the time before, now will usually see anywhere from one or two failed connections to a dozen or so (per 10,000).

After trying many other things first, we finally found that 'pf' seems to be the culprit. Disabling pf with pfctl -d allows 100% of all connections to work, and as soon as we enable it we see connection failures again.
I've tried changing the pf rule set in different ways, with and without scrubbing, with and without queues, even to the point where I have a single rule that just allows everything. It doesn't seem to matter what the rules actually are, just whether or not pf is enabled.

I recompiled the kernel with pf disabled and ipfw enabled, and it works fine with 100% successful connections. We have no funky compiler options or anything like that.

Any thoughts?

Mark

--
Mark Morley
Owner / Administrator
Islandnet.com

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
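The following is an added example, not code from the thread or from pf itself. It models the interaction Dmitry describes (a closed state lingering for tcp.closed seconds, a client that cycles back to the same source port before that state expires, the SYN being dropped as a state-mismatch) so you can plug in your own ephemeral-port range and connection rate and see whether the default 90 s is safe, and it diffs the drop counters of two `pfctl -s info` snapshots the way Dmitry suggests. The state machine is a deliberate simplification of ours, the two snapshots are constructed sample data in the 6.x output layout, and the connection-rate and port-range numbers are made up.

```python
"""Added example (not code from the thread): a model of the interaction between
pf's tcp.closed timeout and a client that recycles source ports quickly, plus a
diff of the drop counters from two `pfctl -s info` snapshots.

Modelling assumptions (ours, not pf's real state machine): every connection
lives conn_duration seconds, then its state lingers for tcp_closed seconds; a
SYN that arrives while a state for the same source port is still in the table
is dropped and counted as a state-mismatch, as the thread reports; the client
hands out source ports cyclically and moves on to the next port after a failed
SYN.
"""
import re


def simulate_port_reuse(n_conns, port_range, interval, conn_duration, tcp_closed):
    """Open n_conns connections `interval` seconds apart, cycling over
    port_range source ports. Return (accepted, dropped)."""
    expires_at = {}  # source port -> time its closed state leaves the table
    accepted = dropped = 0
    for i in range(n_conns):
        t = i * interval
        port = i % port_range
        if port in expires_at and t < expires_at[port]:
            dropped += 1  # SYN hits a lingering closed state: state-mismatch
            continue
        accepted += 1
        expires_at[port] = t + conn_duration + tcp_closed
    return accepted, dropped


def max_safe_tcp_closed(port_range, interval, conn_duration):
    """Largest tcp.closed for which a port's old state is gone by the time the
    client cycles back to it (reuse period = port_range * interval)."""
    return port_range * interval - conn_duration


# `pfctl -s info` prints "  <name>   <total>   <rate>/s" lines under the
# "State Table" and "Counters" headings; every name in DROP_COUNTERS is a
# reason a packet was dropped ("match", "searches", "inserts" and "removals"
# grow during normal operation and are ignored).
COUNTER_RE = re.compile(r"^\s+([a-z-]+)\s+(\d+)")
DROP_COUNTERS = frozenset({
    "bad-offset", "fragment", "short", "normalize", "memory", "bad-timestamp",
    "congestion", "ip-option", "proto-cksum", "state-mismatch", "state-insert",
    "state-limit", "src-limit", "synproxy",
})


def parse_pfctl_info(text):
    """Return {counter name: total} from `pfctl -s info` output."""
    return {m.group(1): int(m.group(2))
            for m in (COUNTER_RE.match(line) for line in text.splitlines())
            if m}


def increased_drop_counters(before, after):
    """Drop counters that grew between two snapshots, with their deltas."""
    return {name: after[name] - before[name]
            for name in DROP_COUNTERS
            if name in before and name in after and after[name] > before[name]}


# Two constructed snapshots (sample data, not real captures) taken a few
# seconds apart while a connection test like Mark's was running.
SNAPSHOT_BEFORE = """\
Status: Enabled for 0 days 00:05:12           Debug: Urgent

State Table                          Total             Rate
  current entries                       12
  searches                            1234            4.0/s
  inserts                               56            0.2/s
  removals                              44            0.1/s
Counters
  match                                 56            0.2/s
  bad-offset                             0            0.0/s
  state-mismatch                         3            0.0/s
  state-insert                           0            0.0/s
"""
SNAPSHOT_AFTER = """\
Status: Enabled for 0 days 00:05:20           Debug: Urgent

State Table                          Total             Rate
  current entries                       14
  searches                            2345            4.1/s
  inserts                               70            0.2/s
  removals                              56            0.1/s
Counters
  match                                 70            0.2/s
  bad-offset                             0            0.0/s
  state-mismatch                        15            0.0/s
  state-insert                           0            0.0/s
"""

if __name__ == "__main__":
    # 1000 connections 200 ms apart over 100 ephemeral ports: each port is
    # reused every 20 s, well inside the default 90 s closed-state timeout.
    for tcp_closed in (90, 15):
        print("tcp.closed %2d -> (accepted, dropped) ="
              % tcp_closed, simulate_port_reuse(1000, 100, 0.2, 0.01, tcp_closed))
    print("tcp.closed must stay below %.2f s for this client"
          % max_safe_tcp_closed(100, 0.2, 0.01))
    print(increased_drop_counters(parse_pfctl_info(SNAPSHOT_BEFORE),
                                  parse_pfctl_info(SNAPSHOT_AFTER)))
```

With these made-up numbers the 90 s default drops 800 of 1000 connections and `tcp.closed 15` drops none, because the client comes back to a port every 20 s. Real allocators are not strictly cyclic, so in practice only the connections that happen to land on a port whose old state is still in the table fail, which is consistent with a handful of failures per 10,000 rather than a wall of them. To diagnose it on a live box, run `pfctl -s info` twice while reproducing the failures and feed both outputs to `increased_drop_counters`; a growing state-mismatch with nothing else moving is the pattern Dmitry saw, and the fix he used is the `set timeout { tcp.closed 15 }` line from his pf.conf.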