state mismatch/connection issues
Sebastiaan van Erk
sebster at sebster.com
Sat Apr 4 02:44:35 PDT 2009
Hi,
Thanks for the reply.
> try without "block out log quick on $ext_if from !$ext_ip1 to any" rule.
I have other firewalls with the same rule which don't show the problem.
> btw, is your firewall forwarding traffic or doing nat?
Actually it does neither; there is no need for the backend servers to
access the internet directly.
> Can you show pfctl -sr and ifconfig output?
Looking again at the pfctl -s info output, I saw something which I
missed the first time around:
State Table                          Total             Rate
  current entries                      668
  searches                        70482052          118.5/s
  inserts                          8153087           13.7/s
  removals                         8152419           13.7/s
Counters
  match                           10637818           17.9/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              1            0.0/s
  memory                           2405587            4.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                          510            0.0/s
  state-mismatch                   2276240            3.8/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
The memory limit is hit almost the same number of times as the state
mismatches. It seems that my limits were simply too low. I have
increased the limits (states/frags) and will see if the problem is
resolved now.
Regards,
Sebastiaan
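As an added example (not part of the post above), a small Python parser for `pfctl -s info` counters that applies the same check Sebastiaan made by eye: whether the `memory` drop counter is non-zero and tracks `state-mismatch`, which points at the state/frag limits rather than rule logic. The sample text is the post's own output re-embedded as constructed input; the 0.5 tracking ratio is an assumed threshold.

```python
import re

# Constructed sample: the "pfctl -s info" excerpt from the post, re-embedded here.
SAMPLE = """\
State Table                          Total             Rate
  current entries                      668
  searches                        70482052          118.5/s
  inserts                          8153087           13.7/s
  removals                         8152419           13.7/s
Counters
  match                           10637818           17.9/s
  bad-offset                             0            0.0/s
  memory                           2405587            4.0/s
  proto-cksum                          510            0.0/s
  state-mismatch                   2276240            3.8/s
  state-limit                            0            0.0/s
"""

# One counter row: lower-case name (may contain one space), total, optional rate.
ROW_RE = re.compile(r"^\s*([a-z-]+(?: [a-z]+)*)\s+(\d+)(?:\s+([\d.]+)/s)?\s*$")


def parse_pf_info(text):
    """Map each counter row to (total, rate); rate is None for rows without one."""
    counters = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            name, total, rate = m.groups()
            counters[name] = (int(total), float(rate) if rate else None)
    return counters


def diagnose(counters, track_ratio=0.5):
    """Flag when the 'memory' drop counter tracks 'state-mismatch'.

    'memory' counts packets pf dropped because it could not allocate a state
    or fragment entry (limits reached). When it is non-zero and of the same
    order as state-mismatch, the limits are the likely cause. The track_ratio
    threshold is an assumption for this example, not a pf value.
    """
    def total(name):
        return counters.get(name, (0, None))[0]

    memory, mismatch, inserts = total("memory"), total("state-mismatch"), total("inserts")
    tracks = bool(memory and mismatch) and min(memory, mismatch) / max(memory, mismatch) >= track_ratio
    return {
        "memory_drops": memory,
        "state_mismatch": mismatch,
        "drop_pct_of_inserts": 100.0 * memory / inserts if inserts else 0.0,
        "limits_suspected": tracks,
    }


if __name__ == "__main__":
    for key, value in diagnose(parse_pf_info(SAMPLE)).items():
        print(f"{key}: {value}")
```

On a live firewall, feed the real output in with `parse_pf_info(subprocess.run(["pfctl", "-s", "info"], capture_output=True, text=True).stdout)` instead of the sample.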