Date: Sat, 04 Apr 2009 11:44:31 +0200
From: Sebastiaan van Erk <sebster@sebster.com>
To: Artis Caune <artis.caune@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: state mismatch/connection issues
Message-ID: <49D72BFF.40109@sebster.com>
In-Reply-To: <9e20d71e0904021328u5e871322k1523c2ce0bf9fdd1@mail.gmail.com>
References: <49C9F27F.3010505@sebster.com> <9e20d71e0904021328u5e871322k1523c2ce0bf9fdd1@mail.gmail.com>

Hi,

Thanks for the reply.

> try without "block out log quick on $ext_if from !$ext_ip1 to any" rule.

I have other firewalls with the same rule which don't show the problem.

> btw, is your firewall forwarding traffic or doing nat?

Actually it does neither, there is no need for the backend servers to access the internet directly.

> Can you show pfctl -sr and ifconfig output?

Looking again at the pfctl -s info output, I saw something which I missed the first time around:

State Table                          Total             Rate
  current entries                      668
  searches                        70482052          118.5/s
  inserts                          8153087           13.7/s
  removals                         8152419           13.7/s
Counters
  match                           10637818           17.9/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              1            0.0/s
  memory                           2405587            4.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                          510            0.0/s
  state-mismatch                   2276240            3.8/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

The memory limit is hit almost the same amount of time as the state mismatches. It seems that my limits were simply too low. I have increased the limits (states/frags) and will see if the problem is resolved now.

Regards,
Sebastiaan
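
Added example, not part of the original message: a shell/awk check that reads `pfctl -s info` output and performs the comparison made by eye above, reporting when the memory counter is nonzero and when state-mismatch tracks it. The function names, the message wording and the 50-200% band are assumptions; the sample rows are copied from the output quoted in the message.

```shell
#!/bin/sh
# Added example (not from the original message).
# Constructed input: counter rows copied from the `pfctl -s info` output quoted above.
sample_info() {
cat <<'EOF'
State Table                          Total             Rate
  current entries                      668
  searches                        70482052          118.5/s
Counters
  match                           10637818           17.9/s
  memory                           2405587            4.0/s
  state-mismatch                   2276240            3.8/s
  state-limit                            0            0.0/s
EOF
}

# Reads `pfctl -s info` text on stdin, prints a summary line plus findings.
pf_info_check() {
    awk '
    {
        # Rows are "<name> <total> <rate>/s"; "current entries" has no rate column.
        if (NF >= 3 && $NF ~ /\/s$/)          { total = $(NF-1); last = NF-2 }
        else if (NF >= 2 && $NF ~ /^[0-9]+$/) { total = $NF;     last = NF-1 }
        else next
        if (total !~ /^[0-9]+$/) next
        name = $1
        for (i = 2; i <= last; i++) name = name " " $i
        c[name] = total
    }
    END {
        mem = c["memory"] + 0; mis = c["state-mismatch"] + 0
        printf "entries=%d memory=%d state-mismatch=%d\n", c["current entries"], mem, mis
        if (mem > 0)
            print "WARN: memory counter is nonzero; compare pfctl -s memory limits with the state count"
        if (mem > 0 && mis > 0) {
            # Assumed heuristic: within a factor of two counts as "moving together".
            pct = int(mis * 100 / mem)
            if (pct >= 50 && pct <= 200)
                printf "NOTE: state-mismatch is %d%% of memory; the two counters move together\n", pct
        }
    }'
}

sample_info | pf_info_check
# On a live host: pfctl -s info | pf_info_check
```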
