Date: Sat, 17 May 2008 16:19:23 +0100 From: Alex Trull <alex@trull.org> To: Johan =?ISO-8859-1?Q?Str=F6m?= <johan@stromnet.se>, freebsd-net@freebsd.org, freebsd-stable <freebsd-stable@freebsd.org> Subject: Re: connect(): Operation not permitted Message-ID: <1211037564.6326.27.camel@porksoda> In-Reply-To: <678A03F5-5E8A-4CF6-90DF-AA9A4F30FBE1@stromnet.se> References: <678A03F5-5E8A-4CF6-90DF-AA9A4F30FBE1@stromnet.se>
next in thread | previous in thread | raw e-mail | index | archive | help
--=-4WU6AqCfRhU+2u6n9jki Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Hi Johan and List, In my case a few months ago it was pahu. Don't give that fine fellow an account on your precious system ! But seriously, I had a pf-firewalled jail being being used for DNS testing, with large numbers of udp "connections" hanging around in pf state. While the default udp timeout settings in PF are lower than those of the tcp timeouts, it is was still too high for it to to remove the states in time before hitting the default 10k state limit! If this is the case with you - run 'pfctl -s state | wc -l' - when there is traffic load you may see that hitting 10k states if you've not tuned that variable. What to do next - up the state limit or lower the state timeouts. I did both, to be safe. in /etc/pf.conf these must be at the very top of the file: # options # 10k is insanely low, lets raise it.. set limit { frags 16384, states 32768 } # timeouts - see 'pfctl -s timeouts' for options - you will want to=20 # change the tcp ones rather than the udp ones for your smtp setup.=20 # but these are mine, I set them for the dns traffic. set timeout { udp.first 15, udp.single 5, udp.multiple 30 } don't forget to: $ /etc/rc.d/pf check && =EF=BB=BF/etc/rc.d/pf reload HTH, Alex On Sat, 2008-05-17 at 16:33 +0200, Johan Str=C3=B6m wrote: > Hello >=20 > I got a FreeBSD 7 machine running mail services (among other things). =20 > This machine recently replaced a FreeBSD 6.2 machine doing the same =20 > tasks. > Now and then I need to send alot of mail to customers (mailing list), =20 > and one thing i've noticed now after the change is that when I use a =20 > lot of connections subsequently (high connection rate, even if they =20 > are very shortlived) inside a jail (dunno if that has anything to do =20 > with it though), I start to get Operation not permitted in return to =20 > connect(). > I've seen this in the PHP app that sends mail, when it tried to =20 > connect to localhost, as well as from postfix when it have been trying =20 > to connect to amavisd on localhost, but also from postfix when it has =20 > tried to connect to remote SMTP servers. >=20 > I do have PF for filtering, but there are no max-src-conn-rate limits =20 > enabled for any rules that is used for this. However, from one of the =20 > jail I do have a hfsc queue limiting the outgoing mail traffic from =20 > one jailed IP. But I'm not sure that this would be the problem, since =20 > I've also seen the problem when doing localhost connects in the jail, =20 > and also in other jails on an entierly different IP that is not =20 > affected. >=20 > Does anyone have any clues about what I can look at and tune to fix =20 > this? >=20 > Thanks! >=20 > -- > Johan Str=C3=B6m > Stromnet > johan@stromnet.se > http://www.stromnet.se/ >=20 >=20 > _______________________________________________ > freebsd-stable@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-stable > To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org" --=-4WU6AqCfRhU+2u6n9jki Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQBILvd7ey4m6/eWxTQRAhuWAJ9MaVHRQkza3Hdb25CtQhHiz09KMwCfQzVw dSLK+Ik5TadrYUpngZeyQS4= =7Fyq -----END PGP SIGNATURE----- --=-4WU6AqCfRhU+2u6n9jki--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1211037564.6326.27.camel>