From: "Chris Buechler" <cbuechler@gmail.com>
To: "Dominic Marks"
Cc: freebsd-stable@freebsd.org, freebsd-pf@freebsd.org
Date: Thu, 8 Jun 2006 09:34:16 -0400
Subject: Re: pf buggy on 6.1-STABLE?
In-Reply-To: <4459.195.12.22.194.1149757864.squirrel@mail.helenmarks.co.uk>
References: <44876071-491e@helpdesk.islandnet.com> <4459.195.12.22.194.1149757864.squirrel@mail.helenmarks.co.uk>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 6/8/06, Dominic Marks wrote:
>
> I've experienced the same. If you have a lot of concurrent connections
> going on it seems that every so often a connection will be blocked,
> even if it doesn't match any rule. In my case I experienced this with
> apache22 acting as a reverse proxy/virtual host.
>

This sounds a lot like the port randomization problems discussed by Michael Silbersack in his BSDCan presentation. Specifically, pages 12-14.

http://www.silby.com/bsdcan06/silbersack_bsdcan06.pdf

That shouldn't be an issue anymore, but I don't know when that was resolved.

cheers,
-Chris