From owner-freebsd-pf@FreeBSD.ORG Mon Aug 15 00:25:09 2011
From: Diego Schulz <dschulz@gmail.com>
Date: Sun, 14 Aug 2011 20:01:42 -0400
To: freebsd-pf@freebsd.org
In-Reply-To: <20110525093449.GD70509@relay.ibs.dn.ua>
Subject: Re: pf firewall nat and IPSec

Have you considered the possibility that Android is the culprit?

http://code.google.com/p/android/issues/detail?id=4706

From owner-freebsd-pf@FreeBSD.ORG Mon Aug 15 11:07:08 2011
From: FreeBSD bugmaster <owner-bugmaster@FreeBSD.org>
Date: Mon, 15 Aug 2011 11:07:07 GMT
To: freebsd-pf@FreeBSD.org
Message-Id: <201108151107.p7FB77JB014810@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/159390  pf    [pf] [panic] mutex pf task mtx owned at /usr/src/sys/c
o kern/159029  pf    [pf] [panic] m_copym, offset > size of mbuf chain when
o kern/158873  pf    [pf] [panic] When I launch pf daemon, I have a kernel
o kern/158636  pf    [pf] if_pfsync.c fails to build when NBPFILTER == 0
o kern/155736  pf    [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf    [pf] Bug with PF firewall
o kern/148290  pf    [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf    [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf    [pf] Firewall PF no longer drops connections by sendin
o kern/146832  pf    [pf] "(self)" not always matching all local IPv6 addre
o kern/143543  pf    [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf    [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf    [pf] No way to adjust pidfile in pflogd
o conf/142817  pf    [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf    [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf    [pf] pf behaviour changes - must be documented
o kern/137982  pf    [pf] when pf can hit state limits, random IP failures
o kern/136781  pf    [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf    [pf] [gre] pf not natting gre protocol
o kern/135162  pf    [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf    [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf    [pf] max-src-conn issue
o kern/132769  pf    [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf    [pf] pf stalls connection when using route-to [regress
o conf/130381  pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf    [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf    [pf] deadlock in pf
f kern/127345  pf    [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf    [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf    [carp] carp+pf delay with high state limit
s conf/110838  pf    [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf    pfsync fails to successfully transfer some sessions
o kern/103281  pf    pfsync reports bulk update failures
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o bin/86635    pf    [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf    [pf] cbq scheduler cause bad latency

50 problems total.
From owner-freebsd-pf@FreeBSD.ORG Wed Aug 17 12:27:11 2011
From: Florian Smeets <flo@freebsd.org>
Date: Wed, 17 Aug 2011 14:27:09 +0200
To: obrien@freebsd.org
Cc: "Bjoern A. Zeeb", freebsd-pf@freebsd.org
Message-ID: <4E4BB39D.8070903@freebsd.org>
In-Reply-To: <20110708170240.GA59024@dragon.NUXI.org>
Subject: Re: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules s...

On 08.07.2011 19:02, David O'Brien wrote:
> On Fri, Jul 08, 2011 at 02:26:37PM +0200, Ermal Lui wrote:
>> On Thu, Jul 7, 2011 at 9:35 PM, David O'Brien wrote:
>>> I have 'pfctl', 'netstat', 'netstat -rn', and 'sysctl -a' output from one
>>> of these experiences.  Would they be useful to you in looking into this?
>>
>> please send those.
>> Also useful would be a description of your setup.
>
> Ermal,
> Thanks.  I'll send to you off list.
>

Hi,

did you guys find out what was wrong? I may have a similar problem. My server
loses connection after some time. I think it is because the state table is
getting full, but I only have a couple of active states.

The current entries keep increasing, I had ~3600 this morning.

flo@tb:~ # sudo pfctl -vsi | grep "current entries"
No ALTQ support in kernel
ALTQ related functions disabled
  current entries                     4891
  current entries                        0
flo@tb:~ # sudo pfctl -ss | wc -l
No ALTQ support in kernel
ALTQ related functions disabled
      12

Every new connection is added to the current entries but it seems they are
never removed?!

I've set debug to loud, what else should I do to track this down?

Thanks,
Florian

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 17 12:30:06 2011
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Date: Wed, 17 Aug 2011 12:30:02 +0000
To: Florian Smeets
Cc: freebsd-pf@freebsd.org
Message-Id: <22DE2AEF-22A3-4B6E-9E24-DCF0EDF40933@lists.zabbadoz.net>
In-Reply-To: <4E4BB39D.8070903@freebsd.org>
Subject: Re: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules s...

On Aug 17, 2011, at 12:27 PM, Florian Smeets wrote:

> Hi,
>
> did you guys find out what was wrong? I may have a similar problem. My
> server loses connection after some time. I think it is because the state
> table is getting full, but I only have a couple of active states.
>
> The current entries keep increasing, I had ~3600 this morning.
>
> flo@tb:~ # sudo pfctl -vsi | grep "current entries"
> No ALTQ support in kernel
> ALTQ related functions disabled
>   current entries                     4891
>   current entries                        0
> flo@tb:~ # sudo pfctl -ss | wc -l
> No ALTQ support in kernel
> ALTQ related functions disabled
>       12
>
> Every new connection is added to the current entries but it seems they
> are never removed?!
>
> I've set debug to loud, what else should I do to track this down?

What version (SVN r#) are you running?

-- 
Bjoern A. Zeeb                                 You have to have visions!
         Stop bit received. Insert coin for new address family.

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 17 12:37:24 2011
From: Florian Smeets <flo@freebsd.org>
Date: Wed, 17 Aug 2011 14:37:22 +0200
To: "Bjoern A. Zeeb"
Cc: freebsd-pf@freebsd.org
Message-ID: <4E4BB602.2060205@freebsd.org>
In-Reply-To: <22DE2AEF-22A3-4B6E-9E24-DCF0EDF40933@lists.zabbadoz.net>
Subject: Re: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules s...

On 17.08.2011 14:30, Bjoern A. Zeeb wrote:
> On Aug 17, 2011, at 12:27 PM, Florian Smeets wrote:
>> did you guys find out what was wrong? I may have a similar problem. My
>> server loses connection after some time. I think it is because the state
>> table is getting full, but I only have a couple of active states.
>>
>> The current entries keep increasing, I had ~3600 this morning.
>>
>> Every new connection is added to the current entries but it seems they
>> are never removed?!
>>
>> I've set debug to loud, what else should I do to track this down?
>
> What version (SVN r#) are you running?

FreeBSD 9.0-BETA1 #2 r224876: Mon Aug 15 09:52:56 CEST 2011

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 17 12:58:42 2011
From: Ermal Luçi <ermal.luci@gmail.com>
Date: Wed, 17 Aug 2011 14:58:40 +0200
To: Florian Smeets
Cc: "Bjoern A. Zeeb", freebsd-pf@freebsd.org
In-Reply-To: <4E4BB602.2060205@freebsd.org>
Subject: Re: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules s...

On Wed, Aug 17, 2011 at 2:37 PM, Florian Smeets wrote:
> On 17.08.2011 14:30, Bjoern A. Zeeb wrote:
>> On Aug 17, 2011, at 12:27 PM, Florian Smeets wrote:
>>> did you guys find out what was wrong? I may have a similar problem. My
>>> server loses connection after some time. I think it is because the state
>>> table is getting full, but I only have a couple of active states.
>>>
>>> The current entries keep increasing, I had ~3600 this morning.
>>>
>>> flo@tb:~ # sudo pfctl -vsi | grep "current entries"
>>> No ALTQ support in kernel
>>> ALTQ related functions disabled
>>>   current entries                     4891
>>>   current entries                        0
>>> flo@tb:~ # sudo pfctl -ss | wc -l
>>> No ALTQ support in kernel
>>> ALTQ related functions disabled
>>>       12
>>>
>>> Every new connection is added to the current entries but it seems they
>>> are never removed?!
>>>
>>> I've set debug to loud, what else should I do to track this down?

There is a thread in freebsd-net@ explaining some culprits with state table
numbers from pfctl -ss and number from pfctl -vsi.

>> What version (SVN r#) are you running?
>
> FreeBSD 9.0-BETA1 #2 r224876: Mon Aug 15 09:52:56 CEST 2011

-- 
Ermal

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 17 13:05:54 2011
From: Florian Smeets <flo@freebsd.org>
Date: Wed, 17 Aug 2011 15:05:52 +0200
Message-ID: <4E4BBCB0.4090003@freebsd.org>
To: Ermal Luçi
Cc: "Bjoern A. Zeeb", freebsd-pf@freebsd.org
Subject: Re: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules s...

On 17.08.2011 14:58, Ermal Luçi wrote:
> On Wed, Aug 17, 2011 at 2:37 PM, Florian Smeets wrote:
>> On 17.08.2011 14:30, Bjoern A. Zeeb wrote:
>>> On Aug 17, 2011, at 12:27 PM, Florian Smeets wrote:
>>>> The current entries keep increasing, I had ~3600 this morning.
>>>>
>>>> Every new connection is added to the current entries but it seems they
>>>> are never removed?!
>>>>
>>>> I've set debug to loud, what else should I do to track this down?
>
> There is a thread in freebsd-net@ explaining some culprits with
> state table numbers from pfctl -ss and number from pfctl -vsi.
>

Ok, having another look at pfctl -vsi it looks like it confirms my suspicion
that states do not get removed.

State Table                          Total             Rate
  current entries                     5082
  searches                          296083            3.7/s
  inserts                             5082            0.1/s
  removals                               0            0.0/s

Cheers,
Florian

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 17 13:31:45 2011
From: Ermal Luçi <ermal.luci@gmail.com>
Date: Wed, 17 Aug 2011 15:31:44 +0200
To: Florian Smeets
Cc: "Bjoern A. Zeeb", freebsd-pf@freebsd.org
In-Reply-To: <4E4BBCB0.4090003@freebsd.org>
Subject: Re: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules s...

On Wed, Aug 17, 2011 at 3:05 PM, Florian Smeets wrote:
> On 17.08.2011 14:58, Ermal Luçi wrote:
>> On Wed, Aug 17, 2011 at 2:37 PM, Florian Smeets wrote:
>>>>> Every new connection is added to the current entries but it seems they
>>>>> are never removed?!
>>>>>
>>>>> I've set debug to loud, what else should I do to track this down?
>>
>> There is a thread in freebsd-net@ explaining some culprits with
>> state table numbers from pfctl -ss and number from pfctl -vsi.
>>
>
> Ok, having another look at pfctl -vsi it looks like it confirms my suspicion
> that states do not get removed.
>
> State Table                          Total             Rate
>   current entries                     5082
>   searches                          296083            3.7/s
>   inserts                             5082            0.1/s
>   removals                               0            0.0/s
>

Well really it depends on the timeframe this statistic was taken!
I do not want to be a nonbeliever, but this was confirmed working by other
people that reported the same 'issue'.

Other than that you can do a pfctl -dvvss and pfctl -dvvsi for every minute
and send them to compare.

Furthermore there should be a kernel thread "pfpurge" that is running; verify
with procstat which does the job of purging your states.

-- 
Ermal

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 17 15:56:46 2011
From: "David O'Brien" <obrien@NUXI.org>
Date: Wed, 17 Aug 2011 08:22:23 -0700
To: Florian Smeets
Cc: "Bjoern A. Zeeb", freebsd-pf@freebsd.org
Message-ID: <20110817152223.GH3964@dragon.NUXI.org>
In-Reply-To: <4E4BB39D.8070903@freebsd.org>
Subject: Re: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules s...
X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: obrien@freebsd.org List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Aug 2011 15:56:46 -0000 On Wed, Aug 17, 2011 at 02:27:09PM +0200, Florian Smeets wrote: > did you guys find out what was wrong? I may have a similar problem. Nope, never did. At this point I'm afraid and unwilling to update my kernel to a post r223636 kernel. -- -- David (obrien@FreeBSD.org) From owner-freebsd-pf@FreeBSD.ORG Thu Aug 18 23:42:45 2011 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 94A54106564A; Thu, 18 Aug 2011 23:42:45 +0000 (UTC) (envelope-from pierre@userid.org) Received: from mail.storm.ca (unknown [IPv6:2607:f0b0:0:6:209:87:239:66]) by mx1.freebsd.org (Postfix) with ESMTP id 539628FC25; Thu, 18 Aug 2011 23:42:45 +0000 (UTC) Received: from mail.userid.org (pandora.userid.org [216.106.102.33]) by mail.storm.ca (8.14.2+Sun/8.14.2) with ESMTP id p7INZRwP025220 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 18 Aug 2011 19:35:37 -0400 (EDT) Received: from [192.168.3.99] (unknown [192.168.3.99]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: pierre) by mail.userid.org (Postfix) with ESMTP id 754782C77ED; Thu, 18 Aug 2011 19:35:00 -0400 (EDT) Message-ID: <4E4DA196.7090304@userid.org> Date: Thu, 18 Aug 2011 19:34:46 -0400 From: Pierre Lamy User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0) Gecko/20110812 Thunderbird/6.0 MIME-Version: 1.0 To: =?UTF-8?B?RXJtYWwgTHXDp2k=?= References: <201106281157.p5SBvP5g048097@svn.freebsd.org> <20110629192224.2283efc8@fabiankeil.de> <20110707193539.GA60591@dragon.NUXI.org> <20110708170240.GA59024@dragon.NUXI.org> 
<4E4BB39D.8070903@freebsd.org> <22DE2AEF-22A3-4B6E-9E24-DCF0EDF40933@lists.zabbadoz.net> <4E4BB602.2060205@freebsd.org> <4E4BBCB0.4090003@freebsd.org> In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-userid-MailScanner-Information: Please contact the ISP for more information X-userid-MailScanner-ID: 754782C77ED.A09BA X-userid-MailScanner: Found to be clean X-userid-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=-1.44, required 6, autolearn=not spam, ALL_TRUSTED -1.44) X-userid-MailScanner-From: pierre@userid.org X-Spam-Status: No Cc: "Bjoern A. Zeeb" , Florian Smeets , freebsd-pf@freebsd.org Subject: Re: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules s... X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Aug 2011 23:42:45 -0000 I just found how to resolve the problem (1 minute ago) as I was also having the same issue. If you compile pf into the kernel, state removals are NOT performed at all. pftop will show you garbage null entries. Flushing current states works for real states, but the malloc is never cleared for the garbage entries. Eventually you will run out of memory (max state entries too high), or be unable to add any more states. A reboot is the only way to clear it. I recompiled as a module and not in the kernel, it "just works" without any special extra steps. 
Broken:

Status: Enabled for 1 days 22:31:20           Debug: Urgent

State Table                          Total             Rate
  current entries                  1948548
  searches                        88746415          529.9/s
  inserts                          1948548           11.6/s
  removals                               0            0.0/s

Fixed:

Status: Enabled for 0 days 00:05:29           Debug: Urgent

State Table                          Total             Rate
  current entries                        0
  searches                             382            1.2/s
  inserts                                2            0.0/s
  removals                               2            0.0/s

Very strange that this should happen, but hopefully this will assist
whoever manages this code.

Pierre

On 8/17/2011 9:31 AM, Ermal Luçi wrote:
> On Wed, Aug 17, 2011 at 3:05 PM, Florian Smeets wrote:
>> On 17.08.2011 14:58, Ermal Luçi wrote:
>>> On Wed, Aug 17, 2011 at 2:37 PM, Florian Smeets wrote:
>>>> On 17.08.2011 14:30, Bjoern A. Zeeb wrote:
>>>>> On Aug 17, 2011, at 12:27 PM, Florian Smeets wrote:
>>>>>
>>>>>> On 08.07.2011 19:02, David O'Brien wrote:
>>>>>>> On Fri, Jul 08, 2011 at 02:26:37PM +0200, Ermal Luçi wrote:
>>>>>>>> On Thu, Jul 7, 2011 at 9:35 PM, David O'Brien wrote:
>>>>>>>>> I have 'pfctl', 'netstat', 'netstat -rn', and 'sysctl -a' output
>>>>>>>>> from one of these experiences.  Would they be useful to you in
>>>>>>>>> looking into this?
>>>>>>>> please send those.
>>>>>>>> Also useful would be a description of your setup.
>>>>>>> Ermal,
>>>>>>> Thanks. I'll send to you off list.
>>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> did you guys find out what was wrong? I may have a similar problem. My
>>>>>> server loses connection after some time. I think it is because the
>>>>>> state table is getting full, but i only have a couple of active states.
>>>>>>
>>>>>> The current entries keep increasing, i had ~3600 this morning.
>>>>>>
>>>>>> flo@tb:~ # sudo pfctl -vsi|grep "current entries"
>>>>>> No ALTQ support in kernel
>>>>>> ALTQ related functions disabled
>>>>>>   current entries                     4891
>>>>>>   current entries                        0
>>>>>> flo@tb:~ # sudo pfctl -ss| wc -l
>>>>>> No ALTQ support in kernel
>>>>>> ALTQ related functions disabled
>>>>>>       12
>>>>>>
>>>>>> Every new connection is added to the current entries but it seems they
>>>>>> are never removed?!
>>>>>>
>>>>>> I've set debug to loud, what else should i do to track this down?
>>>>>
>>> There is a thread in freebsd-net@ explaining some culprits with
>>> state table numbers from pfctl -ss and number from pfctl -vsi.
>>>
>> Ok, having another look at pfctl -vsi it looks like it confirms my suspicion
>> that states do not get removed.
>>
>> State Table                          Total             Rate
>>   current entries                     5082
>>   searches                          296083            3.7/s
>>   inserts                             5082            0.1/s
>>   removals                               0            0.0/s
>>
> Well really it depends on the timeframe this statistic was taken!
>
> I do not want to be a nonbeliever but this was confirmed working by
> other people that reported the same 'issue'.
>
> Other than that you can do a pfctl -dvvss and pfctl -dvvsi for every
> minute and send them to compare.
> Furthermore there should be a kernel thread "pfpurge" that is
> running, verify with procstat which does the job of purging your
> states.
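What Ermal's advice and Pierre's two snapshots amount to, written out as a small script. This is an added example, not code posted in the thread or shipped with FreeBSD: it parses the State Table block of `pfctl -vsi`, flags a table whose removals counter never moves, and looks for the purge thread with procstat. The two pfctl outputs embedded in it are constructed from the figures Pierre posted; the `Source Tracking Table` section is included because real `pfctl -vsi` output has it and it repeats the same counter names, which is why Florian's grep printed two "current entries" lines. One caveat before typing the commands from the thread: `pfctl -d` disables the packet filter, so the sampling here uses `pfctl -vsi` without `-d`. The insert threshold is an assumption, and the `pfpurge` thread name is the one Ermal gives.

```shell
#!/bin/sh
# Added example for this thread (not list or FreeBSD code): spot a pf state
# table that only grows. pfctl -d DISABLES pf; use -vsi / -vvss, never -d.
# The two samples are constructed from the figures posted in the thread and
# imitate the pfctl -vsi layout, including the Source Tracking Table section.

BROKEN_SAMPLE='Status: Enabled for 1 days 22:31:20           Debug: Urgent

State Table                          Total             Rate
  current entries                  1948548
  searches                        88746415          529.9/s
  inserts                          1948548           11.6/s
  removals                               0            0.0/s
Source Tracking Table
  current entries                        0
  searches                               0            0.0/s
  inserts                                0            0.0/s
  removals                               0            0.0/s'

FIXED_SAMPLE='Status: Enabled for 0 days 00:05:29           Debug: Urgent

State Table                          Total             Rate
  current entries                        0
  searches                             382            1.2/s
  inserts                                2            0.0/s
  removals                               2            0.0/s
Source Tracking Table
  current entries                        0
  searches                               0            0.0/s
  inserts                                0            0.0/s
  removals                               0            0.0/s'

# Read pfctl -vsi output on stdin; print "<current entries> <inserts> <removals>"
# taken from the State Table section only. The Source Tracking Table repeats
# the same counter names, so a plain grep would report both.
state_counters() {
    awk '
        /^State Table/ { sect = "state"; next }
        /^[^ \t]/      { sect = "" }          # any other heading ends the section
        sect == "state" && $1 == "current"  { cur = $3 }
        sect == "state" && $1 == "inserts"  { ins = $2 }
        sect == "state" && $1 == "removals" { rem = $2 }
        END { printf "%s %s %s\n", cur, ins, rem }
    '
}

# One snapshot: removals still 0 after MIN_INSERTS insertions means the purge
# path has never run. The threshold is an assumption; right after boot zero
# removals is normal, which is Ermal's "depends on the timeframe" point.
MIN_INSERTS=${MIN_INSERTS:-1000}
sample_verdict() {            # args: cur ins rem
    if [ "$3" -eq 0 ] && [ "$2" -ge "$MIN_INSERTS" ]; then echo LEAK; else echo OK; fi
}

# Two snapshots a minute apart: states were inserted, the table grew, and the
# removals counter did not move at all.
delta_verdict() {             # args: cur1 ins1 rem1 cur2 ins2 rem2
    if [ "$5" -gt "$2" ] && [ "$6" -eq "$3" ] && [ "$4" -gt "$1" ]; then
        echo LEAK
    else
        echo OK
    fi
}

# Purging is done by a kernel thread; the name is the one given in the thread.
# Prints "present", "missing", or "unknown" when procstat is not available.
pfpurge_thread() {
    command -v procstat >/dev/null 2>&1 || { echo unknown; return; }
    if procstat -ta 2>/dev/null | grep -q pfpurge; then echo present; else echo missing; fi
}

# Live use on the firewall: ./pfleak.sh --live [seconds]
if [ "${1-}" = "--live" ]; then
    a=$(pfctl -vsi 2>/dev/null | state_counters)
    sleep "${2:-60}"
    b=$(pfctl -vsi 2>/dev/null | state_counters)
    echo "before: $a   after: $b   delta: $(delta_verdict $a $b)   pfpurge: $(pfpurge_thread)"
fi
```

With no arguments the script only defines the functions, so it can be sourced from a shell or a cron job; `--live 60` takes two samples a minute apart and prints both verdicts next to the purge-thread check. Against Pierre's "Broken" figures the single-snapshot check reports LEAK, against his "Fixed" figures OK.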
From owner-freebsd-pf@FreeBSD.ORG Thu Aug 18 23:43:14 2011
From: Pierre Lamy
To: Ermal Luçi
Cc: "Bjoern A. Zeeb", Florian Smeets, freebsd-pf@freebsd.org
Date: Thu, 18 Aug 2011 19:42:00 -0400
Message-ID: <4E4DA348.6070903@userid.org>
Subject: Re: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules s...

PS: The kernels I used were from Aug 16 (broken compiled into kernel),
and Aug 18 (fixed built as module). So it's possible that something got
updated during that window to fix it.

PPS: The reason I went to build it as a module was simply so that I could
unload and reload it to clear the memory, although this turned out to be
unnecessary.

-Pierre
From owner-freebsd-pf@FreeBSD.ORG Fri Aug 19 00:12:45 2011
From: Pierre Lamy
To: freebsd-pf@freebsd.org
Date: Thu, 18 Aug 2011 19:44:17 -0400
Message-ID: <4E4DA3D1.20206@userid.org>
Subject: Re: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules s...

Sorry for being spammy. It did work normally for kernel -current from
April 26 and seems to have broken after that date.
From owner-freebsd-pf@FreeBSD.ORG Fri Aug 19 07:29:13 2011
From: Tim Salvador
To: freebsd-pf@freebsd.org
Date: Fri, 19 Aug 2011 02:10:10 -0500 (CDT)
Message-ID: <17390d5c-d9ec-4594-ad53-abaf6cd91135@jenny>
In-Reply-To: <50952547-ec21-41a5-b54d-0d7466a6dcd6@jenny>
Subject: blocking spotify with pf

Greetings,

Recently it has come to our attention that bandwidth has become an issue
with increased spotify usage throughout the company. I'm looking for a way
to block access to it in pf. The rule that I am trying is the following:

table <spotify> { 78.31.8.0/22, 193.182.8.0/21 }
block return in quick on $int_if proto tcp from 192.168.1.0/24 to <spotify> port 4070

For whatever reason it is showing that the rule is working but not really
working. Am I missing something?

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 19 09:45:08 2011
From: Florian Smeets
To: Pierre Lamy
Cc: "Bjoern A. Zeeb", freebsd-pf@freebsd.org
Date: Fri, 19 Aug 2011 11:45:06 +0200
Message-ID: <4E4E30A2.7040509@freebsd.org>
In-Reply-To: <4E4DA196.7090304@userid.org>
Subject: Re: svn commit: r223637 - in head: . contrib/pf/authpf contrib/pf/ftp-proxy contrib/pf/man contrib/pf/pfctl contrib/pf/pflogd sbin/pflogd sys/conf sys/contrib/altq/altq sys/contrib/pf/net sys/modules s...

On 19.08.2011 01:34, Pierre Lamy wrote:
> I just found how to resolve the problem (1 minute ago) as I was also
> having the same issue. If you compile pf into the kernel, state removals
> are NOT performed at all. pftop will show you garbage null entries.
> Flushing current states works for real states, but the malloc is never
> cleared for the garbage entries. Eventually you will run out of memory
> (max state entries too high), or be unable to add any more states. A
> reboot is the only way to clear it.
>
> I recompiled as a module and not in the kernel, it "just works" without
> any special extra steps.
>
I can confirm (using the same kernel sources as before) that using the
modules fixed the problem for me too.

State Table                          Total             Rate
  current entries                        5
  searches                             807            4.0/s
  inserts                               45            0.2/s
  removals                              40            0.2/s

Cheers,
Florian

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 19 10:44:55 2011
From: Greg Hennessy
To: Tim Salvador, freebsd-pf@freebsd.org
Date: Fri, 19 Aug 2011 11:33:57 +0100
Message-ID: <9EB23F6C23A8B6488E8BCC92A48E83261277D43E76@PEMEXMBXVS04.jellyfishnet.co.uk.local>
In-Reply-To: <17390d5c-d9ec-4594-ad53-abaf6cd91135@jenny>
Subject: RE: blocking spotify with pf
> Recently it has come to our attention that bandwidth has become an issue
> with increased spotify usage throughout the company. Im looking for a way
> to block access to it in pf. the rule that i am trying is the following:
>
> table <spotify> { 78.31.8.0/22, 193.182.8.0/21 }
> block return in quick on $int_if proto tcp from 192.168.1.0/24 to <spotify>
> port 4070
>
> For whatever reason it showing that the rule is working but not really
> working. am i missing something?
>

Yes, stop trying to plug a leak in a colander by using a match stick.

Block by default by starting the policy with

        block log all

And only allow routed egress to the specific sites and services which are
directly related to a valid business requirement.
Run all browser traffic through a proxy server to categorise and inspect
the content, permitting internet access from the proxy to 80 and 443/tcp
only.

For a business that describes itself as 'advanced e-commerce' you guys
should know this already, this is not rocket science.

With an open door flapping in the breeze as suggested above, if I was to
speculate, I would suggest that Spotify is the least problem you should
worry about right now.

From owner-freebsd-pf@FreeBSD.ORG Fri Aug 19 12:38:47 2011
From: David Andrzejewski
To: freebsd-pf@freebsd.org
Date: Fri, 19 Aug 2011 08:16:22 -0400
In-Reply-To: <9EB23F6C23A8B6488E8BCC92A48E83261277D43E76@PEMEXMBXVS04.jellyfishnet.co.uk.local>
Subject: Re: blocking spotify with pf

Agreed, you probably want to look into blocking all by default, opening up
what you want to allow (even if it is just about everything else), forcing
all web traffic through a transparent proxy. Consider squid with squidguard
and a good set of blacklists. The blacklists are usually categorized, and
with squidguard, you can choose which categories to block and which to
allow.

As an example, a pf rule that would force port 80 traffic through
transparent squid running on port 3128 is:

rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128

- Dave

-- 
David Andrzejewski
http://davidandrzejewski.me
http://www.davidandrzejewski.com
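The policy Greg describes, with David's redirect folded in, as one pf.conf. This is an added example, not a ruleset anyone in the thread posted; it uses the syntax FreeBSD's pf had in 2011 (translation rules such as rdr sit ahead of the filter rules, and filter rules match on the already-translated address). Assumed, because the thread does not say: em0 faces the Internet, em1 is the LAN, the firewall's own LAN address 192.168.1.1 runs the resolver, and squid listens on 127.0.0.1:3128.

```pf
# Added example (not from the thread): default-deny egress in the pre-2012
# FreeBSD pf syntax. Assumed: em0 outside, em1 LAN, resolver on the firewall
# at 192.168.1.1, squid on the firewall at 127.0.0.1:3128.
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"
proxy  = "127.0.0.1"
table <spotify> { 78.31.8.0/22, 193.182.8.0/21 }   # the OP's table
table <lan_dns> { 192.168.1.1 }

set skip on lo0

# Translation: LAN web traffic goes to the transparent proxy (David's rule,
# narrowed to the LAN prefix). Filter rules below see $proxy:3128.
rdr on $int_if inet proto tcp from $lan to any port www -> $proxy port 3128

# Filtering. First rule is Greg's "block log all": whatever is not passed
# below is dropped and logged. The Spotify rule no longer decides anything;
# it is kept only so those attempts get a counter and log line of their own.
block log all
block return in log quick on $int_if inet proto tcp from $lan to <spotify>

# What the LAN may reach: the proxy and the resolver. Nothing else, on any port.
pass in quick on $int_if inet proto tcp from $lan to $proxy port 3128 keep state
pass in quick on $int_if inet proto udp from $lan to <lan_dns> port domain keep state

# What the firewall itself (and therefore the proxy) may send out: web and DNS.
pass out quick on $ext_if inet proto tcp from ($ext_if) to any port { www, https } keep state
pass out quick on $ext_if inet proto udp from ($ext_if) to any port domain keep state
```

The difference from the OP's rule is not the table but the default: a client that can reach only the proxy and the resolver has no other port or address to fall back to, which is what "plug a leak in a colander" is getting at. Check the file with `pfctl -nf /etc/pf.conf` before loading it, and expect the first `pass in` rule to be the one whose counters climb once browsers are pointed through the proxy.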