From: CSS <css@morefoo.com>
To: freebsd-pf@freebsd.org
Date: Fri, 31 Aug 2012 02:26:47 -0400
Subject: active pf states vs. active connections
Message-Id: <35E5558A-6AF6-4E67-8FF9-70C74B9EB5D0@morefoo.com>
List-Id: "Technical discussion and general questions about packet filter (pf)" <freebsd-pf@freebsd.org>

Hello,

We've recently been seeing issues when creating a large number of outbound connections where the number of states kept by pf seriously outnumbers the number of actual connections as shown by netstat. It's not terribly surprising - the kernel has different timeout values than the firewall. However, as I've been slowly moving the pf timeouts down (mainly on finwait entries), I'm not seeing the number of states really shrink. For example, we might see about 200 connections in FIN_WAIT_2 in netstat, but over 20,000 tracked in pf, even with tcp.finwait dropped down to 5s.

It's a problem I never really thought about before - how to address the inherent difference between how aggressively the kernel ages old connections out vs. how aggressively pf times them out.

Before I hit the list with a bunch of stats, I just wanted to get a feel for whether I'm on the right track here - should I essentially be turning down pf timeouts to match kernel tcp timeout parameters? If I should, why am I seeing so many lingering state entries?

This is FreeBSD 8.3.

Thanks,

Charles
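The mail above compares a pf state count with a netstat count by eye. The script below is an added example, not code from the original post: it parses the text formats of `pfctl -ss` and `netstat -an` as FreeBSD 8.x prints them, counts TCP entries per state on each side, and lists the pf entries that have no matching kernel socket at all (the "lingering" ones the poster is asking about). The two sample outputs are constructed, not captured from a real host; the reading that the first address on a `pfctl -ss` line is this host's side for both `->` and `<-` entries, with the two states printed in the same order as the two hosts, is an assumption about pf's output, so the socket match is done in both orientations. The script only measures the discrepancy; it does not change any pf timeout.

```python
"""Compare pf's TCP state table with the kernel's TCP sockets (added example).

Parses `pfctl -ss` and `netstat -an` text as printed on FreeBSD 8.x and reports,
per TCP state, how many entries pf holds versus how many sockets the kernel has,
plus the pf entries that match no kernel socket in either orientation.
"""
from collections import Counter

# Constructed sample of `pfctl -ss` output (documentation addresses, not real hosts).
PFCTL_SS = """\
all tcp 10.0.0.5:54321 -> 192.0.2.10:80       FIN_WAIT_2:FIN_WAIT_2
all tcp 10.0.0.5:54322 -> 192.0.2.10:80       FIN_WAIT_2:FIN_WAIT_2
all tcp 10.0.0.5:54323 -> 192.0.2.10:80       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.5:54324 -> 192.0.2.11:443      FIN_WAIT_2:FIN_WAIT_2
all tcp 10.0.0.5:54325 -> 192.0.2.11:443      TIME_WAIT:TIME_WAIT
all udp 10.0.0.5:53 <- 10.0.0.9:5555          MULTIPLE:SINGLE
"""

# Constructed sample of `netstat -an` output on the same host at the same moment.
NETSTAT_AN = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.0.0.5.54321         192.0.2.10.80          FIN_WAIT_2
tcp4       0      0 10.0.0.5.54323         192.0.2.10.80          ESTABLISHED
tcp4       0      0 10.0.0.5.54325         192.0.2.11.443         TIME_WAIT
tcp4       0      0 *.22                   *.*                    LISTEN
udp4       0      0 10.0.0.5.53            *.*
"""


def _pf_endpoint(tok):
    """pfctl prints IPv4 as 'a.b.c.d:port' and IPv6 as 'addr[port]'."""
    if tok.endswith("]"):
        addr, port = tok[:-1].rsplit("[", 1)
        return addr, port
    addr, port = tok.rsplit(":", 1)
    return addr, port


def _ns_endpoint(tok):
    """netstat prints 'addr.port' for both families ('*' is a wildcard)."""
    addr, port = tok.rsplit(".", 1)
    return addr, port


def parse_pf_states(text):
    """Return [(local, remote, local_state, remote_state)] for TCP lines of `pfctl -ss`.

    Assumption: the first printed host is this box's side for both '->' and '<-'
    entries and the STATE:STATE pair is printed in the same host order. A NAT'd
    original address in parentheses after either host is skipped.
    """
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[1] != "tcp":
            continue
        i = 2
        first = tok[i]
        i += 1
        if tok[i].startswith("("):
            i += 1
        if tok[i] not in ("->", "<-"):
            continue
        i += 1
        second = tok[i]
        states = tok[-1].split(":")
        if len(states) != 2:
            continue
        entries.append((_pf_endpoint(first), _pf_endpoint(second), states[0], states[1]))
    return entries


def parse_netstat(text):
    """Return {(local, foreign): state} for TCP lines of `netstat -an`."""
    socks = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or not tok[0].startswith("tcp"):
            continue
        socks[(_ns_endpoint(tok[3]), _ns_endpoint(tok[4]))] = tok[5]
    return socks


def count_by_state(pf_states, kernel):
    """{state: (pf_entries, kernel_sockets)} using pf's local-side state."""
    pf = Counter(local_state for _, _, local_state, _ in pf_states)
    ks = Counter(kernel.values())
    return {st: (pf.get(st, 0), ks.get(st, 0)) for st in sorted(set(pf) | set(ks))}


def lingering_states(pf_states, kernel):
    """pf TCP entries for which the kernel has no socket in either orientation."""
    return [(a, b, sa) for a, b, sa, _ in pf_states
            if (a, b) not in kernel and (b, a) not in kernel]


def report(pf_text, ns_text):
    pf_states = parse_pf_states(pf_text)
    kernel = parse_netstat(ns_text)
    return count_by_state(pf_states, kernel), lingering_states(pf_states, kernel)


if __name__ == "__main__":
    counts, lingering = report(PFCTL_SS, NETSTAT_AN)
    print("%-12s %6s %6s" % ("state", "pf", "kernel"))
    for st, (npf, nk) in counts.items():
        print("%-12s %6d %6d" % (st, npf, nk))
    print("\npf entries with no kernel socket:")
    for (la, lp), (ra, rp), st in lingering:
        print("  %s:%s -> %s:%s  %s" % (la, lp, ra, rp, st))
```

On a live box the two inputs come from `pfctl -ss` and `netstat -an` run back to back; any gap between the two snapshots shows up as spurious lingering entries, so take them as close together as possible and repeat a few times before drawing conclusions from the per-state table.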