From: Chris Marlatt (cmarlatt@rxsec.com), Receive Security
Date: Fri, 07 Mar 2008 10:26:03 -0500
To: Lorenz Helleis
Cc: freebsd-pf@freebsd.org
Subject: Re: Dropped Packets
Message-ID: <47D15E8B.8040207@rxsec.com>
In-Reply-To: <659091.90986.qm@web53704.mail.re2.yahoo.com>
List-Id: Technical discussion and general questions about packet filter (pf)

Lorenz Helleis wrote:
> hello.
>
> I have a firewall with 75.000 simultaneous connections, and I set the limit to 100.000.
>
> I think the hardware is OK, but when the traffic on the network increases, some connections are dropped. I did not increase other values, like table, src-nodes.... How do I know if everything is ok with the other values?
>
> What happens if the number of connections touches the limit of 100.000? Will it drop the idle connections? Or what?

From my experience new connections will appear to time out, as PF has no more sessions available for new connections. As sessions die off organically new connections will be permitted, but there is nothing actively killing old / idle connections to make way for new sessions if the limit is reached. Depending on how much memory you have you should be fine increasing the max session limit. I've had some of my firewalls over 1,000,000 sessions without a problem.

You may want to check your switch for errors and watch your interface (netstat -I IFACE -nd 1) to see when/where your drops are. What kind of CPU usage are you seeing when you start dropping the packets?

Regards,
Chris
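One way to check the condition Chris describes, added here as an example and not part of the original thread: a small POSIX shell helper that parses the output of pfctl -si and pfctl -sm to report how close the state table is to its hard limit. The sample outputs are constructed to mimic the command format, not captured from a real host, and the 90% warning threshold is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the original mail: report pf state-table usage
# against the hard limit (set in pf.conf with "set limit states N"),
# so a drop spike can be correlated with the table filling up.

# pf_state_usage SI_TEXT SM_TEXT
#   SI_TEXT: output of `pfctl -si`, SM_TEXT: output of `pfctl -sm`
#   Prints "<current> <limit> <percent>"; returns 2 if either value is missing.
pf_state_usage() {
    current=$(printf '%s\n' "$1" | awk '/current entries/ { print $3; exit }')
    limit=$(printf '%s\n' "$2" | awk '$1 == "states" { print $4; exit }')
    [ -n "$current" ] && [ -n "$limit" ] || return 2
    printf '%s %s %s\n' "$current" "$limit" $(( current * 100 / limit ))
}

# pf_near_limit PERCENT [THRESHOLD]
#   Returns 0 (true) when usage is at or above THRESHOLD (default 90%).
pf_near_limit() {
    [ "$1" -ge "${2:-90}" ]
}

# Constructed sample output, shaped like pfctl's (not from a real host).
SAMPLE_SI='Status: Enabled for 12 days 03:21:07          Debug: Urgent

State Table                          Total             Rate
  current entries                    95000
  searches                      1234567890        1185.0/s
  inserts                         98765432          94.8/s
  removals                        98670432          94.7/s'

SAMPLE_SM='states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000'

# On a live FreeBSD host you would pass the real output instead:
#   pf_state_usage "$(pfctl -si)" "$(pfctl -sm)"
usage=$(pf_state_usage "$SAMPLE_SI" "$SAMPLE_SM")
pct=${usage##* }
if pf_near_limit "$pct"; then
    echo "WARNING: pf state table at ${pct}% of hard limit ($usage)"
else
    echo "pf state table at ${pct}% of hard limit ($usage)"
fi
```

Run it from cron or a monitoring agent alongside netstat -I IFACE -nd 1 so that a rise in interface drops can be matched against the state table nearing its limit.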