From owner-freebsd-pf@FreeBSD.ORG Sat Mar 5 19:00:01 2005
From: "Stephane Raimbault" <segr@hotmail.com>
To: freebsd-pf@freebsd.org
Date: Sat, 05 Mar 2005 11:59:59 -0700
Subject: nat / rdr timeouts?
List-Id: Technical discussion and general questions about packet filter (pf)

I have a box running FreeBSD 5.3-RELEASE-p5 and I'm running a nat and redirecting port 80 traffic to a couple of internal servers. I was running some benchmarks with the apache ab tool and discovered a couple of problems popping up.

I could run the ab benchmark with the following options no problem:

ab -c 5 -n 50 http:///host.html

however as soon as I put the concurrency to 1...

ab -c 1 -n 50 http:///host.html

It would inconsistently start blocking and timing out with this error:

apr_poll: The timeout specified has expired (70007)
Total of 46 requests completed

When I notice that ab gets hung up, running this pfctl -F state on the nat box seems to fix the problem and ab completes its test. This leads me to guess that something in pf is causing this block to occur based on the states? Possibly to prevent a DoS? Does anyone know what is causing this and if it's a tunable value.

Here are the pf rules I have for this test.

------------------------
ext_if="em1"
int_net="10.0.11.0/27"
web_servers = "{ 10.0.11.16,10.0.11.17 }"

nat on $ext_if from $int_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to any port 80 -> $web_servers round-robin
------------------------

The problem is also there when I only have one web_servers set instead of 2.

Any thoughts/ideas are welcome.

Thank you,
Stephane.
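As an added example, not part of the post above or the poster's configuration: the same two rules written into a complete pf.conf with the state-table tunables made explicit. Those tunables (the state limit and the per-phase TCP timeouts) are what governs how long an entry lives in the table that "pfctl -F state" wipes, so they are the knobs to look at before flushing in production, since a flush drops every live NAT and rdr mapping at once. The numeric values are pf's documented defaults as assumed here, the pass rules are assumed (the post shows none), and nothing in this block claims which setting, if any, explains the hang; verify the running values on the box with "pfctl -s timeouts" and "pfctl -s memory".

```pf
# Added example, not the poster's config. The nat/rdr rules are copied from
# the post; the "set" lines expose the state-table tunables. Values are
# assumed pf defaults; confirm with "pfctl -s timeouts" and "pfctl -s memory".
ext_if="em1"
int_net="10.0.11.0/27"
web_servers="{ 10.0.11.16, 10.0.11.17 }"

# Hard cap on state entries. Once reached, new connections fail until old
# entries expire, which is the situation "pfctl -F state" clears by force.
set limit states 10000

# TCP state lifetimes in seconds, per connection phase. A state left in an
# intermediate phase (e.g. after an abrupt client close) lives for the
# matching timeout and still occupies a slot and a NAT port.
set timeout tcp.first 120
set timeout tcp.opening 30
set timeout tcp.established 86400
set timeout tcp.closing 900
set timeout tcp.finwait 45
set timeout tcp.closed 90

# How often (seconds) expired states are purged.
set timeout interval 10

nat on $ext_if from $int_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to any port 80 -> $web_servers round-robin

# Assumed filter rules (not in the post). Filter rules see the translated
# destination, so the inbound rule matches the web servers, not $ext_if.
# "flags S/SA" creates state only on the initial SYN.
pass in on $ext_if proto tcp from any to $web_servers port 80 flags S/SA keep state
pass out on $ext_if from $int_net to any keep state
```

While the benchmark is running, "pfctl -s states" shows which phase the port-80 entries sit in and "pfctl -s info" shows the counters; a rising state-limit or state-mismatch counter there narrows the cause far more than a blanket flush does, and leaves the other connections through the NAT box untouched.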