Date: Fri, 31 Aug 2012 02:26:47 -0400
From: CSS <css@morefoo.com>
To: freebsd-pf@freebsd.org
Subject: active pf states vs. active connections
Message-ID: <35E5558A-6AF6-4E67-8FF9-70C74B9EB5D0@morefoo.com>
Hello,

We've recently been seeing issues when creating a large number of outbound connections where the number of states kept by pf seriously outnumbers the number of actual connections as shown by netstat. It's not terribly surprising - the kernel has different timeout values than the firewall. However, as I've been slowly moving the pf timeouts down (mainly on finwait entries), I'm not seeing the number of states really shrink. For example, we might see about 200 connections in FIN_WAIT_2 in netstat, but over 20,000 tracked in pf, even with the tcp.finwait dropped down to 5s.

It's a problem I never really thought about before - how to address the inherent difference between how aggressively the kernel ages old connections out vs. how aggressively pf times them out.

Before I hit the list with a bunch of stats, I just wanted to get a feel for whether I'm on the right track here - should I essentially be turning down pf timeouts to match kernel tcp timeout parameters? If I should, why am I seeing so many lingering state entries?

This is FreeBSD 8.3.

Thanks,
Charles
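The shell functions below are an added example, not code from the e-mail above or from the FreeBSD project. They put the two views the poster is comparing side by side: kernel socket states from `netstat -an -p tcp` and pf state pairs from `pfctl -ss`, and they classify each pf state pair by the timeout that governs it. That last part is the check worth making before turning knobs: pf picks a state's timeout from both halves of the pair with the precedence used in pf.c, so a state shown as `FIN_WAIT_2:ESTABLISHED` (the local side closed, the peer has not) is aged under `tcp.closing` (900s by default per pf.conf(5)), and only a pair in which both halves have sent a FIN falls under `tcp.finwait` (45s by default). The `pfctl -ss` and `netstat` output embedded here is constructed for the example; the host names, ports and the assumption that the left half of each pf state is the local, connection-opening side are mine. Feed the functions live output on a FreeBSD box to get real numbers.

```shell
#!/bin/sh
# Added example: compare the TCP states the FreeBSD kernel reports
# (netstat -an -p tcp) with the state pairs pf tracks (pfctl -ss), and
# classify each pf state pair by the timeout that actually ages it.
# Run it as-is against the constructed samples below, or feed live output:
#   pfctl -ss | pf_timeout_histogram
#   netstat -an -p tcp | kernel_state_histogram
#   pfctl -st                                  # current pf timeout values
#   sysctl net.inet.tcp.finwait2_timeout       # kernel FIN_WAIT_2 limit, ms

# Constructed `pfctl -ss` output (not captured from a real system).
# Fields: <if> <proto> <src> -> <dst> <src_state>:<dst_state>; the left half
# is the side that opened the connection, i.e. the local host for outbound.
PF_SAMPLE='all tcp 10.0.0.5:49152 -> 203.0.113.7:443       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.5:49153 -> 203.0.113.7:443       FIN_WAIT_2:ESTABLISHED
all tcp 10.0.0.5:49154 -> 203.0.113.7:443       FIN_WAIT_2:ESTABLISHED
all tcp 10.0.0.5:49155 -> 203.0.113.7:443       FIN_WAIT_2:CLOSING
all tcp 10.0.0.5:49156 -> 203.0.113.7:443       FIN_WAIT_2:FIN_WAIT_2
all udp 10.0.0.5:53000 -> 203.0.113.53:53       SINGLE:MULTIPLE'

# Constructed `netstat -an -p tcp` output (not captured from a real system).
NETSTAT_SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.0.0.5.49152         203.0.113.7.443        ESTABLISHED
tcp4       0      0 10.0.0.5.49153         203.0.113.7.443        FIN_WAIT_2
tcp4       0      0 *.22                   *.*                    LISTEN'

# For each pf tcp state on stdin, pick the governing timeout using the same
# precedence pf.c applies when it sets a state's timeout from the two halves
# (ranks are the TCPS_* values pf uses internally).  Output: "<timeout> <count>".
pf_timeout_histogram() {
    awk '
    BEGIN {
        rank["CLOSED"] = 0; rank["SYN_SENT"] = 2; rank["ESTABLISHED"] = 4
        rank["CLOSING"] = 7; rank["FIN_WAIT_2"] = 9; rank["TIME_WAIT"] = 10
    }
    $2 == "tcp" {
        split($NF, half, ":")
        s = rank[half[1]] + 0; d = rank[half[2]] + 0
        if      (s >= 9 && d >= 9) t = "tcp.closed"       # both FINs acked
        else if (s >= 7 && d >= 7) t = "tcp.finwait"      # both sides sent FIN
        else if (s <  4 || d <  4) t = "tcp.opening"      # handshake incomplete
        else if (s >= 7 || d >= 7) t = "tcp.closing"      # only one side sent FIN
        else                       t = "tcp.established"
        n[t]++
    }
    END { for (t in n) print t, n[t] }' | sort
}

# Kernel TCP sockets per state from netstat output on stdin: "<state> <count>".
kernel_state_histogram() {
    awk '$1 ~ /^tcp/ { n[$NF]++ } END { for (s in n) print s, n[s] }' | sort
}

# pf tcp states counted by the half that describes the local (opening) side.
pf_local_state_histogram() {
    awk '$2 == "tcp" { split($NF, h, ":"); n[h[1]]++ }
         END { for (s in n) print s, n[s] }' | sort
}

# Count for one key in a "<key> <count>" histogram on stdin; 0 if absent.
count_of() {
    awk -v k="$1" '$1 == k { print $2; found = 1 } END { if (!found) print 0 }'
}

report() {
    echo "pf states by governing timeout:"
    printf '%s\n' "$PF_SAMPLE" | pf_timeout_histogram
    echo
    echo "kernel sockets vs pf states, by local-side state:"
    for st in ESTABLISHED FIN_WAIT_2; do
        k=$(printf '%s\n' "$NETSTAT_SAMPLE" | kernel_state_histogram | count_of "$st")
        p=$(printf '%s\n' "$PF_SAMPLE" | pf_local_state_histogram | count_of "$st")
        printf '  %-12s kernel=%s pf=%s\n' "$st" "$k" "$p"
    done
}

report
```

On the constructed sample, four pf states show FIN_WAIT_2 on the local side while the kernel holds one socket in FIN_WAIT_2, and the classifier attributes two of those four to `tcp.closing`, one to `tcp.finwait` and one to `tcp.closed`. Run against live output, the `tcp.closing` bucket is the one to watch when lowering `tcp.finwait` has no visible effect; `pfctl -st` shows the values currently in force, and `sysctl net.inet.tcp.finwait2_timeout` (milliseconds) is the kernel-side limit for the same phase of the connection.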