Date:      Wed, 14 May 2008 19:55:18 -0400
From:      Tom Uffner <tom@uffner.com>
To:        Kian Mohageri <kian.mohageri@gmail.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: FreeBSD PF 4.1 Inserts Flags S/SA Automatically to rules
Message-ID:  <482B7BE6.9080608@uffner.com>
In-Reply-To: <fee88ee40805141613k685c1536w9fc72e88aaa9f746@mail.gmail.com>
References:  <C65291A68BAF57499B18564A1EE4A761370E38@UXCHANGE1.UoA.auckland.ac.nz> <fee88ee40805141613k685c1536w9fc72e88aaa9f746@mail.gmail.com>

Kian Mohageri wrote:
> On Wed, May 14, 2008 at 3:45 PM, Mark Pagulayan
>> The way I see this is that this rule would be applied to udp traffic as
>> well which will be dropped/blocked because flags only work for tcp and
>> this might be the cause of state-mismatches that I see in the table -
> 
> 'flags S/SA keep state' will work OK for UDP too.  Only the 'keep
> state' part will be applied to UDP, since no flags are involved.
> 
>> state-mismatch                  11577272           48.7/s
> 
> Could be caused by reloading your ruleset to include 'keep state'
> mid-connections, I think.  PF won't be aware of where the state is
> (especially true if you're using TCP window scaling), so it will fail
> after a while and you'll see state mismatches.

Even if reloading the ruleset to include "keep state" and/or "flags S/SA"
didn't sever pre-existing connections, it shouldn't cause that large a
number of mismatches.

When was the last time you zeroed the statistics? Is the mismatch count
still increasing with the 7.0 stateful rules? You may need to add "log (all)"
to find out where the state mismatches are coming from.


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?482B7BE6.9080608>
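The check Tom recommends (zero the counters, wait, and see whether state-mismatch is still climbing) as an added example; this is not part of the thread and not code from any poster. It parses `pfctl -s info` text with a small POSIX sh/awk helper and compares two snapshots. The two snapshots embedded below are constructed sample output (the 11577272 total is the figure quoted in the thread); the interface name em0, the port 22 rule and the "live" mode are illustrative assumptions, and only the live branch actually calls pfctl.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
#
# On a live FreeBSD/PF box the manual workflow would be (em0 and port 22
# are placeholders, the pfctl/tcpdump flags are the standard ones):
#   pfctl -F info                  # zero the non-rule counters
#   sleep 60; pfctl -s info        # read them again
#   pass in log (all) on em0 proto tcp from any to any port 22 flags S/SA keep state
#   tcpdump -n -e -ttt -i pflog0   # watch which packets hit the log rule
# A rule with no "proto" and "flags S/SA keep state" also matches UDP; the
# flags part is simply not evaluated for non-TCP traffic.

# pf_counter NAME: print the Total column for counter NAME from
# `pfctl -s info` text on stdin (0 if the line is absent).
pf_counter() {
    awk -v name="$1" '$1 == name { found = 1; print $2; exit }
                      END { if (!found) print 0 }'
}

# counter_delta NAME FILE_BEFORE FILE_AFTER: growth of NAME between two
# saved `pfctl -s info` snapshots.
counter_delta() {
    name=$1; before=$2; after=$3
    b=$(pf_counter "$name" < "$before")
    a=$(pf_counter "$name" < "$after")
    echo $((a - b))
}

# Constructed sample snapshots standing in for two `pfctl -s info` runs
# taken one minute apart.
sample_before() {
cat <<'EOF'
Status: Enabled for 2 days 18:02:31           Debug: Urgent

State Table                          Total             Rate
  current entries                     4021
  searches                      1234567890         5192.2/s
Counters
  match                          987654321         4153.5/s
  state-mismatch                  11577272           48.7/s
  state-insert                           0            0.0/s
EOF
}
sample_after() {
cat <<'EOF'
Status: Enabled for 2 days 18:03:31           Debug: Urgent

State Table                          Total             Rate
  current entries                     4100
  searches                      1234879012         5192.2/s
Counters
  match                          987754321         4153.5/s
  state-mismatch                  11580192           48.7/s
  state-insert                           0            0.0/s
EOF
}

SNAP1=$(mktemp); SNAP2=$(mktemp)
if [ "${1:-}" = "live" ] && command -v pfctl >/dev/null 2>&1; then
    # Live mode (assumed usage): take two real snapshots 60 s apart.
    pfctl -s info > "$SNAP1"; sleep 60; pfctl -s info > "$SNAP2"
else
    sample_before > "$SNAP1"; sample_after > "$SNAP2"
fi

delta=$(counter_delta state-mismatch "$SNAP1" "$SNAP2")
echo "state-mismatch grew by $delta in the sampling interval"
rm -f "$SNAP1" "$SNAP2"
```

A steadily positive delta after the ruleset has been stable for longer than any TCP state timeout means the mismatches are not leftovers from the reload; that is the point at which adding `log (all)` to the suspect rules and reading pflog0 tells you which flows are responsible.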