From: "Kian Mohageri" <kian.mohageri@gmail.com>
To: "Dominic Marks"
Cc: freebsd-stable@freebsd.org, freebsd-pf@freebsd.org
Date: Thu, 8 Jun 2006 07:06:00 -0700
Subject: Re: pf buggy on 6.1-STABLE?
Same issue here when using keep state. Specifically, it happened with PHP
scripts accessing a remote MySQL database. I think it also happened with
Qmail LDAP lookups. This happened even when I did not specify 'flags S/SA'.

'pass quick' (non-stateful) fixed the problems, but I wasn't satisfied
with that for obvious reasons.

Client reusing source port before state expired seems like a good
explanation for this. I should test that.

Kian

On 6/8/06, Dominic Marks wrote:
>
> Mark Morley wrote:
> > Hi folks,
> >
> > Wondering if this rings any bells for anyone:
> >
> > After upgrading a handful of web servers from FreeBSD 4.11 with ipfw
> > to 6.1-STABLE with pf, customers started reporting that occasionally
> > their server side scripts would fail to connect to the SQL servers
> > (which are still 4.11 and are attached via a separate dedicated
> > gigabit network).
> >
> > A test page that makes 10,000 rapid SQL connections which connected 100%
> > of the time before, now will usually see anywhere from one or two failed
> > connections to a dozen or so (per 10,000).
> >
> > After trying many other things first, we finally found that 'pf' seems
> > to be the culprit.
>
> I've experienced the same. If you have a lot of concurrent connections
> going on it seems that every so often a connection will be blocked,
> even if it doesn't match any rule. In my case I experienced this with
> apache22 acting as a reverse proxy/virtual host.
>
> Symptoms:
>
> 1. Sudden burst of traffic to a specific virtual host.
> 2. After some time, normally <30 seconds, one of the connection
>    attempts is reset.
> 3. Apache immediately stops proxying for any subsequent connections
>    and returns a 'too busy' message.
>
> The project this was related to got shelved so it hasn't bothered me
> again yet, but I didn't find any workaround.
>
> > Disabling pf with pfctl -d allows 100% of all connections to work, and
> > as soon as we enable it we see connection failures again.
>
> Snap.
>
> > I've tried changing the pf rule set in different ways, with and without
> > scrubbing, with and without queues, even to the point where I have a single
> > rule that just allows everything. It doesn't seem to matter what the rules
> > actually are, just whether or not pf is enabled.
>
> Same as me.
>
> > I recompiled the kernel with pf disabled and ipfw enabled, and it works
> > fine with 100% successful connections. We have no funky compiler options
> > or anything like that.
> >
> > Any thoughts?
> >
> > Mark
> >
> > --
> > Mark Morley
> > Owner / Administrator
> > Islandnet.com
> >
> > _______________________________________________
> > freebsd-stable@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> > To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
>
> Cheers,
> Dom
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
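The test Kian says he should run, as an added example that is not part of the thread and not code from any of the posters: a client that makes a burst of rapid TCP connections to one destination (the way Mark's 10,000-connection test page does), records the ephemeral source port of every attempt, and then checks whether the attempts that failed landed on a source port that had been used again within a configurable window. If the thread's hypothesis is right, failures should cluster on reused ports and disappear when the window is widened past pf's timeout for finished TCP states. The window value is an assumption to be taken from `pfctl -s timeouts` on the pf box (the `tcp.closed` / `tcp.finwait` entries); the host, port and count are command-line arguments, and a failure is any `OSError` on `connect()`.

```python
"""Correlate failed TCP connects with ephemeral source-port reuse.

Added example, not from the original thread. Usage on the client side
of the pf box:

    python3 portreuse.py <sql-host> <sql-port> [count] [window-seconds]

Assumptions (not stated in the thread): the window defaults to 90 s,
which is pf's default tcp.closed timeout; check the real value with
`pfctl -s timeouts` on the firewall. Failed attempts whose source port
cannot be read back (port 0) cannot be correlated and are counted as
'fresh'.
"""
import socket
import sys
import time
from collections import namedtuple

# One connection attempt: monotonic timestamp, ephemeral source port, success flag.
Attempt = namedtuple("Attempt", "t src_port ok")


def correlate(attempts, window):
    """Split failures into those on a recently reused source port and the rest.

    A failure is 'reused' when the same source port was last used less than
    `window` seconds earlier, i.e. pf could still hold a state for the
    previous connection on the same 4-tuple. Returns (reused, fresh, total).
    """
    last_seen = {}          # src_port -> timestamp of the most recent attempt
    reused, fresh = [], []
    for a in attempts:
        if not a.ok:
            prev = last_seen.get(a.src_port)
            if a.src_port and prev is not None and a.t - prev < window:
                reused.append(a)
            else:
                fresh.append(a)
        if a.src_port:
            last_seen[a.src_port] = a.t
    return reused, fresh, len(reused) + len(fresh)


def run_burst(host, port, count, timeout=2.0):
    """Open and immediately close `count` connections, recording each attempt."""
    attempts = []
    for _ in range(count):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        t = time.monotonic()
        try:
            s.connect((host, port))
            ok = True
        except OSError:
            ok = False
        # After connect() the kernel has normally bound an ephemeral port even
        # when the attempt failed; if it has not, getsockname() reports 0.
        try:
            src_port = s.getsockname()[1]
        except OSError:
            src_port = 0
        s.close()
        attempts.append(Attempt(t, src_port, ok))
    return attempts


def summarize(attempts, window):
    """Build the one-line report printed by main(); returned for testing."""
    reused, fresh, total = correlate(attempts, window)
    return (f"{total} failures of {len(attempts)}: {len(reused)} on a source "
            f"port reused within {window:.0f}s, {len(fresh)} otherwise")


if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])
    count = int(sys.argv[3]) if len(sys.argv) > 3 else 10000
    window = float(sys.argv[4]) if len(sys.argv) > 4 else 90.0
    print(summarize(run_burst(host, port, count), window))
```

Run it from a web server against the SQL host's port while pf is enabled, then again with `pfctl -d`; if the reused count tracks the failures and the fresh count stays near zero, the source-port-reuse explanation holds and the fix belongs in the state timeouts or the rule's state handling rather than in the rule match itself.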