Date: Thu, 16 Nov 2006 12:08:28 -0500
From: "Dan Langille" <dan@langille.org>
To: "Greg Hennessy" <Greg.Hennessy@nviz.net>
Cc: freebsd-pf@freebsd.org
Subject: RE: state table filled up?
Message-ID: <455C54BC.19625.6810B25F@dan.langille.org>
In-Reply-To: <000001c708d9$880876d0$0301a8c0@vaio>
References: <455AFDD3.28719.62D53A13@dan.langille.org>

On 15 Nov 2006 at 17:14, Greg Hennessy wrote:

> > I suspect this may have been my state table filling up.
> >
>
> For a high traffic'd internet facing service such as Freshports, running
> pfstat, symon or even the pf snmp mibs loaded into something such as Cacti
> is not optional.
>
> They would have kept track of firewall state table utilisation over time.

I have symon and Cacti installed and running.  symon is happily
updating my .rrd files:

[dan@nyi:/var/db/symon] $ ls -l
total 53168
-rw-r--r--  1 root  wheel   4379264 Nov 16 12:07 cpu0.rrd
-rw-r--r--  1 root  wheel   8757064 Nov 16 12:07 if_fxp0.rrd
-rw-r--r--  1 root  wheel   4379264 Nov 16 12:07 io_ad0.rrd
-rw-r--r--  1 root  wheel  13134864 Nov 16 12:07 mbuf.rrd
-rw-r--r--  1 root  wheel   4379264 Nov 16 12:07 mem.rrd
-rw-r--r--  1 root  wheel  19263784 Nov 16 12:07 pf.rrd
[dan@nyi:/var/db/symon] $

I have no idea how to get Cacti to graph this data.  Clues please?

> As a short term measure.
>
> pfctl -si
>
> will tell you how many entries are in the state table.

Seems pretty good.  Opinions?

$ sudo pfctl -si
Password:
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 1 days 04:20:53           Debug: Urgent

Hostid: 0xd61d30d4

State Table                          Total             Rate
  current entries                      168
  searches                         7301670           71.5/s
  inserts                           175525            1.7/s
  removals                          175357            1.7/s
Counters
  match                             221650            2.2/s
  bad-offset                             0            0.0/s
  fragment                               1            0.0/s
  short                                  0            0.0/s
  normalize                             12            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                      4792            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                          477115            4.7/s

--
Dan Langille : Software Developer looking for work
my resume: http://www.freebsddiary.org/dan_langille.php
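
Added example, not part of the original message and not code from pf or symon: a small sh/awk check that reads `pfctl -si` output, compares "current entries" with the states hard limit, and flags non-zero `memory`, `state-limit`, `src-limit` or `congestion` counters. The function names, the limit of 10000 and the 80% warning threshold are assumptions; take the real limit from `pfctl -sm`.

```shell
#!/bin/sh
# Added example: summarise `pfctl -si` output for state-table pressure.
# Live use: pfctl -si | pf_state_check <states hard limit from `pfctl -sm`>

pf_state_check() {
    awk -v limit="$1" '
        # "current entries  168": states held right now
        $1 == "current" && $2 == "entries" { cur = $3; seen = 1 }
        # Counters that indicate drops from resource or limit exhaustion
        $1 == "memory" || $1 == "state-limit" || $1 == "src-limit" || $1 == "congestion" {
            if ($2 + 0 > 0) hits = hits " " $1 "=" $2
        }
        END {
            if (!seen || limit + 0 <= 0) { print "ERROR bad input or limit"; exit 2 }
            pct = int(cur * 100 / limit)
            status = "OK"
            if (pct >= 80) status = "WARN"      # illustrative threshold (assumption)
            if (hits != "") status = "ALERT"
            printf "%s entries=%d limit=%d used=%d%%%s\n", status, cur, limit, pct, hits
        }'
}

# Constructed input: a subset of the State Table and Counters lines posted above.
sample_from_post() {
    cat <<'EOF'
State Table                          Total             Rate
  current entries                      168
  searches                         7301670           71.5/s
  inserts                           175525            1.7/s
  removals                          175357            1.7/s
Counters
  match                             221650            2.2/s
  memory                                 0            0.0/s
  congestion                             0            0.0/s
  state-mismatch                      4792            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                          477115            4.7/s
EOF
}

# Constructed input: a table at its limit (values invented for illustration).
sample_full() {
    cat <<'EOF'
  current entries                    10000
  memory                              5231            3.1/s
  state-limit                            0            0.0/s
EOF
}

sample_from_post | pf_state_check 10000
sample_full | pf_state_check 10000
```

A single `pfctl -si` reading only shows the table at that instant, so a check like this is meant to run periodically alongside the graphing tools named in the thread.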