From owner-freebsd-pf@FreeBSD.ORG Thu Dec 7 13:38:14 2006 Return-Path: X-Original-To: freebsd-pf@FreeBSD.org Delivered-To: freebsd-pf@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id DF99616A4AB for ; Thu, 7 Dec 2006 13:38:13 +0000 (UTC) (envelope-from gergely.czuczy@harmless.hu) Received: from marvin.harmless.hu (marvin.harmless.hu [195.56.55.204]) by mx1.FreeBSD.org (Postfix) with ESMTP id F32A943E3C for ; Thu, 7 Dec 2006 13:35:17 +0000 (GMT) (envelope-from gergely.czuczy@harmless.hu) Received: from localhost (marvin-mail [192.168.0.2]) by marvin.harmless.hu (Postfix) with ESMTP id 824A47BFD06; Thu, 7 Dec 2006 14:35:54 +0100 (CET) X-Virus-Scanned: by amavisd-new-2.4.2 (20060627) (Debian) at harmless.hu Received: from marvin.harmless.hu ([192.168.0.2]) by localhost (marvin.harmless.hu [192.168.0.2]) (amavisd-new, port 10024) with ESMTP id xB8qf5VMKBF7; Thu, 7 Dec 2006 14:35:51 +0100 (CET) Received: from marvin.harmless.hu (localhost [127.0.0.1]) by marvin.harmless.hu (Postfix) with ESMTP id 34FEA7BFD04; Thu, 7 Dec 2006 14:35:35 +0100 (CET) Date: Thu, 7 Dec 2006 14:35:35 +0100 From: Gergely CZUCZY To: "Roman Gorohov. " Message-ID: <20061207133535.GA16219@harmless.hu> References: <546388630.20061207163149@gmail.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=x-unknown; protocol="application/pgp-signature"; boundary="MGYHOYXEY6WxJCY8" Content-Disposition: inline In-Reply-To: <546388630.20061207163149@gmail.com> User-Agent: mutt-ng/devel-r804 (FreeBSD) Cc: freebsd-pf@FreeBSD.org Subject: Re: ftp-proxy problem X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Dec 2006 13:38:14 -0000 --MGYHOYXEY6WxJCY8 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Dec 07, 2006 at 04:31:49PM +0300, Roman Gorohov. wrot= e: > Hello, all. > We got a heavy load server with pf mostly doing nat and redirection. > [root@fw]#uname -r > 6.1-RELEASE > [root@fw]#pfctl -sr | wc -l > 546 > [root@fw]#pfctl -ss | wc -l > 9452 > Traffic is about 8 Mb/s. > /etc/inetd.conf: ftp-proxy stream tcp nowait root /usr/lib= exec/ftp-proxy ftp-proxy -u proxy -m 55000 -M 57000 -t 180 > /etc/pf.conf: rdr on $int_if proto tcp from any to any port 21 -> 127.0.0= =2E1 port 8021=20 > Traffic is about 8 megabit/s. > All working ok until we turn on ftp-proxy.=20 > After that(and some time) server suddenly hang.=20 > Just hang, no kernel trap and clear console, didn't responding for any > key(I don't know how might that be, never expect it from BSD). > Meanwhile I can see one event relating to that - ftp-proxy. > And its not hardware issue, we got two identical server(hp dl 380, afair)= working in carp, and both hanging.=20 > Last messages: > Dec 7 15:14:42 fw inetd[640]: ftp-proxy from 10.10.1.70 exceeded counts/= min (limit 60/min) > Dec 7 15:14:44 fw inetd[640]: ftp-proxy from 10.10.1.70 exceeded counts/= min (limit 60/min) > Dec 7 15:14:45 fw ftp-proxy[64195]: xfer_data (server to client): failed= (Connection reset by peer) with flags 00 > Dec 7 15:14:55 fw ftp-proxy[64196]: xfer_data (server to client): failed= (Connection reset by peer) with flags 00 > Dec 7 15:32:31 fw syslogd: kernel boot file is /boot/kernel/kernel >=20 > Are there any known issue with ftp-proxy+pf? try to use pftpx instead of ftp-proxy, it's available from ports. Bye, Gergely Czuczy mailto: gergely.czuczy@harmless.hu --=20 Weenies test. Geniuses solve problems that arise. --MGYHOYXEY6WxJCY8 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) owG1Vc2LHEUUX7P4QYNCPIgo6AOF7LLTPd3ztTsjk+8liWRRkkAISwg13a+ni62u aqte78wE/wAPIuJRD/HmSfAgnoJ3xXjUP8CDNw+ec/BVz+zmw1zTzHTXq4/38Xu/ 9+rLV9fXTpz8/Ycf97c+/+qbF75/WU+2yppIT8NS2EOpwySOkzAZdJJh2Au3B0Mc 5jjsdLNu0h0MdudvfnfBaEJN4Y1FhSMgnFO7UkLqDyAthHVI45rycCc42ndRuso4 SdLoEUitpMbjtRtWaJejDXd1ajKppyP4pDaEWVhZqUlMFAbBRxpuFHULLmIK8XYL OnE8AEEQ90bdZNQbfrwHW3E3jltwzZRCwyVjTWEOI3jymVlD4wBHwWm4jEqZFgil IpZuIkwNgYACxeEClBEZOLSHaGEmqYAqh9I4UgvIDLsImm0LnYHFTFpMfWBezb41 hs7ms9vv1VqUCKHlyUGUhNd2r+6eu777xJYqT0lB6Cx8CrMUQsWrzdPvDZ650T21 cdjrd3jIAOa5TEE6EBNTE+zA3qTtvD9tpLTNYFMWpUbnI8ipYljNfLECxJFFUQJQ WjWyNjMhCcDb9nK7drat5IRBm2Pafuz4o2FYw2pQQr8fxzGEe9DfbgYEyU585EiV r7ywmQWj4X1O7x2Z+9NkGhdya0rGdQEs+09lLEEngfA0JJ3tKI7icTDu7CbLhZ24 k4w78bMhKHEqJpKWOJxTCmbGHvjUmQOoNUmeQKDaau/JcTDRUt+5nDjzVAja8Fl2 hnNJssTNI1K4OstQMx0KoaerQx/Wjhq5xTDCAVqNCsiKqmFKqlBY4PidUdiCTGb6 FDF/uDC0Zz3kxvqYWdEBLjauMNH8hgPOCBT8L+W0oMYlmPB5jd4NnFdMPuCMNcid v35x04e7h0LPCqkQrkDK1eAQOUoEPqO9TSXIW/Sge33hY/H74NlbSY6D8OHYbCYs MrKuZrOzZZ3QzIBkAEimQq0w2SgqyBR0d7gIRS6k3RwHx6BLzY7YqtVAMTFcUR4o eYzdVcHYleicmKLz5ekLHbYh6Y+S3qjXgXwGDY/3B7349uM8bgJP4sj/ou2YIUkR M2TADafZtcdBycY3lCwZpUHcZmnzf/p7z1l/3+s/1sk2kmGfrcy57d3JBAnYWPGK U5IqycBusg+CM5gxiBvcKvWyyXjCIDOASwPRbi6bU67E1EEcP222/wyzg+dsttvh huzNuoVTZpqNjgph4jtK7jnJRdr2Unu5svoEp1elx2SjAvntG4Cnv16Sb2X0KJqt Kj8TkG1aRe2QOzRVc86hI+TebfJHO1vM5lPcGA45MH+bLFPqOwj3hiA4v8BWEFxC O0Wu5wt36/TuIih5L5kRTJfTUdpMn+VyKBWzNCrqIAhD7/FNRC3R8SXoKIJLLLA3 jluGOkTf2dhg6ZZ1Jqx0GAWfnVl/cc3fokdX8MkT//TW7qV///nOH3fPvvT1L7fe +Pn+lQfFK6+rtXv799997e1vf33rt8tf/PVQrv/074PBw/8A =PJDe -----END PGP SIGNATURE----- --MGYHOYXEY6WxJCY8--