From owner-freebsd-pf@FreeBSD.ORG  Sat Mar  5 22:20:02 2005
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id F0A6516A4CE
	for <freebsd-pf@freebsd.org>; Sat,  5 Mar 2005 22:20:02 +0000 (GMT)
Received: from insomnia.benzedrine.cx (insomnia.benzedrine.cx [62.65.145.30])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 8481143D3F
	for <freebsd-pf@freebsd.org>; Sat,  5 Mar 2005 22:20:01 +0000 (GMT)
	(envelope-from dhartmei@insomnia.benzedrine.cx)
Received: from insomnia.benzedrine.cx (dhartmei@localhost [127.0.0.1])
	j25MK0Zr010951
	(version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO);
	Sat, 5 Mar 2005 23:20:01 +0100 (MET)
Received: (from dhartmei@localhost)
	by insomnia.benzedrine.cx (8.13.3/8.12.10/Submit) id j25MK0pt016776;
	Sat, 5 Mar 2005 23:20:00 +0100 (MET)
Date: Sat, 5 Mar 2005 23:20:00 +0100
From: Daniel Hartmeier <daniel@benzedrine.cx>
To: Stephane Raimbault <segr@hotmail.com>
Message-ID: <20050305222000.GC26999@insomnia.benzedrine.cx>
References: <20050305200559.GA26999@insomnia.benzedrine.cx>
	<BAY24-F31D17EC37593D6F6C2DF03CC5D0@phx.gbl>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <BAY24-F31D17EC37593D6F6C2DF03CC5D0@phx.gbl>
User-Agent: Mutt/1.5.6i
cc: freebsd-pf@freebsd.org
Subject: Re: nat / rdr timeouts?
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical discussion and general questions about packet filter (pf)
	<freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Mar 2005 22:20:03 -0000

On Sat, Mar 05, 2005 at 02:57:56PM -0700, Stephane Raimbault wrote:

> I cvsup'd RELENG_5 and recompiled the kernel and I'm seeing the same 
> results.  Do I need to recompile any other parts of the system?

No, that's it.

> Do we believe I've stumbled onto a bug of pf... or is this some sort of 
> anti-DoS feature?

The default limit on number of states is 10,000. If further packets try
to create state, they are dropped. But it doesn't look like you're
hitting that.

Enable debug loggin (pfctl -xm), reproduce the problem, then check
/var/log/messages for anything from pf.

Also quote pfctl -vvss output after the problem, as well as pfctl -si,
please.

Daniel