Date:      Mon, 11 Jun 2007 18:08:04 -0300
From:      "Gilberto Villani Brito" <linux@giboia.org>
To:        "FreeBSD (PF)" <freebsd-pf@freebsd.org>
Subject:   Firewall delay.
Message-ID:  <6e6841490706111408x51f53de9j9f94c6910d259035@mail.gmail.com>

Hi,
I have a firewall (FreeBSD + PF) for my network, whose speed is at most 20 Mbps.
Sometimes my firewall begins losing packets with high delay.
My log:
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 1735 @ 4368-5824
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 1735 @ 5824-7280
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 1735 @ 7280-8259
Jun 11 16:33:05 teste2 pf_reassemble: 8259 < 8259?
Jun 11 16:33:05 teste2 pf_reassemble: complete: 0xc24c4200(8279)
Jun 11 16:33:05 teste2 pf: loose state match: TCP 10.137.2.2:2787 189.36.241.138:64323 69.210.247.107:26977 [lo=1070436136 high=1070436137 win=16384 modulator=0] [lo=23 high=16407 win=1 modulator=0] 10:10 RA seq=0 ack=1070436136 len=23 ackskew=0 pkts=2:1
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 31593 @ 7360-8404
Jun 11 16:33:05 teste2 pf_reassemble: missing fragment at 1044, next -1, max 8404
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 31593 @ 0-1472
Jun 11 16:33:05 teste2 pf_reassemble: missing fragment at 1472, next 7360, max 8404
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 31593 @ 1472-2944
Jun 11 16:33:05 teste2 pf_reassemble: missing fragment at 2944, next 7360, max 8404
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 31593 @ 2944-4416
Jun 11 16:33:05 teste2 pf_reassemble: missing fragment at 4416, next 7360, max 8404
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 31593 @ 4416-5888
Jun 11 16:33:05 teste2 pf_reassemble: missing fragment at 5888, next 7360, max 8404
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 31593 @ 5888-7360
Jun 11 16:33:05 teste2 pf_reassemble: 8404 < 8404?
Jun 11 16:33:05 teste2 pf_reassemble: complete: 0xc22ec800(8424)
Jun 11 16:33:05 teste2 pf: loose state match: TCP 10.143.4.2:1916 189.36.241.144:62874 68.50.45.106:37812 [lo=1994065 high=2053760 win=8760 modulator=0] [lo=3076635998 high=3076644605 win=65535 modulator=0] 10:10 R seq=3076635998 ack=1994065 len=0 ackskew=0 pkts=11:6
Jun 11 16:33:05 teste2 pf: loose state match: TCP 10.143.4.2:1916 189.36.241.144:62874 68.50.45.106:37812 [lo=1994065 high=2053760 win=8760 modulator=0] [lo=3076635998 high=3076644605 win=65535 modulator=0] 10:10 R seq=3076635998 ack=1994065 len=0 ackskew=0 pkts=11:7

I deleted the "scrub in all" line and now my log is:
Jun 11 17:59:20 teste2 pf: State failure on: 1       | 5
Jun 11 17:59:22 teste2 pf: loose state match: TCP 24.20.246.56:45086 24.20.246.56:45086 10.137.2.2:4849 [lo=745162846 high=745162871 win=17367 modulator=0] [lo=0 high=1 win=1 modulator=0] 2:0 PA seq=745162846 ack=0 len=48 ackskew=0 pkts=1:0
Jun 11 17:59:22 teste2 pf: loose state match: TCP 10.137.2.2:4849 189.36.241.138:62521 24.20.246.56:45086 [lo=745162846 high=745162871 win=17367 modulator=0] [lo=0 high=1 win=1 modulator=0] 2:0 PA seq=745162846 ack=0 len=48 ackskew=0 pkts=1:0
Jun 11 17:59:22 teste2 pf: BAD state: TCP 10.139.32.2:1136 189.36.241.140:52465 200.176.2.71:80 [lo=373432 high=381624 win=8192 modulator=0] [lo=2103533023 high=2103541215 win=8192 modulator=0] 4:2 SA seq=2121929591 ack=373432 len=0 ackskew=0 pkts=2:1 dir=in,rev
Jun 11 17:59:22 teste2 pf: State failure on: 1       | 5
Jun 11 17:59:25 teste2 pf: BAD state: TCP 10.32.3.2:4424 189.36.241.33:60839 200.77.10.59:35581 [lo=2664673092 high=2664673093 win=16384 modulator=0] [lo=860203439 high=860219823 win=1 modulator=0] 4:2 SA seq=3776746073 ack=2664673092 len=0 ackskew=0 pkts=3:1 dir=in,rev
Jun 11 17:59:25 teste2 pf: State failure on:   2     |   6
Jun 11 17:59:26 teste2 pf: BAD state: TCP 10.37.6.5:3044 189.36.241.38:53176 72.14.209.85:80 [lo=3600173939 high=3600182129 win=65535 modulator=0] [lo=2902009590 high=2902075125 win=8190 modulator=0] 4:2 SA seq=3133227478 ack=3600173939 len=0 ackskew=0 pkts=3:1 dir=in,rev

My pf.conf:
set debug misc
set timeout { interval 10, frag 30, src.track 0 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 100000, src-nodes 100000, frags 5000 }
set loginterface em0
set optimization conservative
set block-policy drop
set require-order yes
set state-policy floating

I have about 1500 IPs passing through this firewall and the server is
not at full load.
Does somebody have any tips?


-- 
Gilberto Villani Brito
System Administrator
Londrina - PR
Brazil
gilbertovb(a)gmail.com
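To triage a log like the one above without reading it line by line, the following script parses the pf_normalize_ip / pf_reassemble / "loose state match" / "BAD state" / "State failure on" messages that pf emits with "set debug misc", groups fragment events per IP id, and counts state mismatches per flow. It is an added example, not code from the post or from FreeBSD. It assumes that the three host:port fields after the protocol are printed in pf_print_state() order (lan, gwy, ext) and that the "<n>:<n>" field uses the TCPS_* numbering from <netinet/tcp_fsm.h>; the sample lines are taken from the log quoted above with the mail-wrapped lines re-joined.

```python
import re
from collections import Counter, defaultdict

# TCP state numbers as pf prints them in the "<src>:<dst>" field, in the
# order of the TCPS_* constants from <netinet/tcp_fsm.h> (the table pfctl
# uses when printing states); assumed to apply to the pf version in the post.
TCP_STATES = ["CLOSED", "LISTEN", "SYN_SENT", "SYN_RCVD", "ESTABLISHED",
              "CLOSE_WAIT", "FIN_WAIT_1", "CLOSING", "LAST_ACK",
              "FIN_WAIT_2", "TIME_WAIT"]

FRAG_RE = re.compile(r"pf_normalize_ip: reass frag (\d+) @ (\d+)-(\d+)")
MISSING_RE = re.compile(r"pf_reassemble: missing fragment at (\d+), next (-?\d+), max (\d+)")
COMPLETE_RE = re.compile(r"pf_reassemble: complete: 0x[0-9a-f]+\((\d+)\)")
# Three host:port fields follow the protocol; assumed to be lan, gwy, ext
# (the order pf_print_state() used in pf of that era).
STATE_RE = re.compile(
    r"pf: (loose state match|BAD state): (\w+) (\S+) (\S+) (\S+) "
    r"\[[^\]]*\] \[[^\]]*\] (\d+):(\d+) ([A-Z]*) seq=(\d+) ack=(\d+) "
    r"len=(\d+) ackskew=(-?\d+) pkts=(\d+):(\d+)")
# "State failure on: 1       | 5": the digits name the sequence checks that
# failed on each side; blanks are checks that passed.
FAILURE_RE = re.compile(r"pf: State failure on: ([ \d]*)\|([ \d]*)")

# Sample input: lines from the log in the post, re-joined where the mail
# client wrapped them.
SAMPLE_LOG = """\
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 31593 @ 7360-8404
Jun 11 16:33:05 teste2 pf_reassemble: missing fragment at 1044, next -1, max 8404
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 31593 @ 0-1472
Jun 11 16:33:05 teste2 pf_reassemble: missing fragment at 1472, next 7360, max 8404
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 31593 @ 1472-2944
Jun 11 16:33:05 teste2 pf_reassemble: missing fragment at 2944, next 7360, max 8404
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 31593 @ 2944-4416
Jun 11 16:33:05 teste2 pf_reassemble: missing fragment at 4416, next 7360, max 8404
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 31593 @ 4416-5888
Jun 11 16:33:05 teste2 pf_reassemble: missing fragment at 5888, next 7360, max 8404
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 31593 @ 5888-7360
Jun 11 16:33:05 teste2 pf_reassemble: 8404 < 8404?
Jun 11 16:33:05 teste2 pf_reassemble: complete: 0xc22ec800(8424)
Jun 11 16:33:05 teste2 pf: loose state match: TCP 10.143.4.2:1916 189.36.241.144:62874 68.50.45.106:37812 [lo=1994065 high=2053760 win=8760 modulator=0] [lo=3076635998 high=3076644605 win=65535 modulator=0] 10:10 R seq=3076635998 ack=1994065 len=0 ackskew=0 pkts=11:6
Jun 11 17:59:20 teste2 pf: State failure on: 1       | 5
Jun 11 17:59:22 teste2 pf: BAD state: TCP 10.139.32.2:1136 189.36.241.140:52465 200.176.2.71:80 [lo=373432 high=381624 win=8192 modulator=0] [lo=2103533023 high=2103541215 win=8192 modulator=0] 4:2 SA seq=2121929591 ack=373432 len=0 ackskew=0 pkts=2:1 dir=in,rev
Jun 11 17:59:25 teste2 pf: State failure on:   2     |   6
"""


def tcp_state(n):
    return TCP_STATES[n] if 0 <= n < len(TCP_STATES) else f"?{n}"


def parse_line(line):
    """Classify one syslog line from pf with 'set debug misc'; None if unrelated."""
    m = FRAG_RE.search(line)
    if m:
        return {"kind": "frag", "id": int(m[1]), "start": int(m[2]), "end": int(m[3])}
    m = MISSING_RE.search(line)
    if m:
        return {"kind": "missing", "at": int(m[1]), "next": int(m[2]), "max": int(m[3])}
    m = COMPLETE_RE.search(line)
    if m:
        return {"kind": "complete", "size": int(m[1])}
    m = STATE_RE.search(line)
    if m:
        return {"kind": "loose" if m[1].startswith("loose") else "bad",
                "proto": m[2], "lan": m[3], "gwy": m[4], "ext": m[5],
                "src_state": tcp_state(int(m[6])), "dst_state": tcp_state(int(m[7])),
                "flags": m[8], "seq": int(m[9]), "ack": int(m[10]), "len": int(m[11]),
                "ackskew": int(m[12]), "pkts": (int(m[13]), int(m[14]))}
    m = FAILURE_RE.search(line)
    if m:
        return {"kind": "failure", "checks": [int(x) for x in (m[1] + m[2]).split()]}
    return None


def summarize(lines):
    """Per-IP-id reassembly progress plus state-mismatch counts per flow."""
    frags = defaultdict(lambda: {"pieces": 0, "missing": 0, "complete": None})
    current = None  # IP id of the last 'reass frag' line; pf_reassemble lines
    events = Counter()  # carry no id, so they are attributed to it (heuristic)
    flows = Counter()
    failed_checks = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "frag":
            current = ev["id"]
            frags[current]["pieces"] += 1
        elif ev["kind"] == "missing" and current is not None:
            frags[current]["missing"] += 1
        elif ev["kind"] == "complete" and current is not None:
            frags[current]["complete"] = ev["size"]
        elif ev["kind"] in ("loose", "bad"):
            events[ev["kind"]] += 1
            flows[(ev["kind"], ev["proto"], ev["lan"], ev["ext"], ev["flags"],
                   f"{ev['src_state']}:{ev['dst_state']}")] += 1
        elif ev["kind"] == "failure":
            events["failure"] += 1
            for c in ev["checks"]:
                failed_checks[c] += 1
    return {"frags": dict(frags), "events": events, "flows": flows,
            "failed_checks": failed_checks}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for ipid, f in report["frags"].items():
        print(f"frag id {ipid}: {f['pieces']} pieces, {f['missing']} 'missing' "
              f"messages, complete={f['complete']}")
    print("events:", dict(report["events"]))
    for key, n in report["flows"].most_common():
        print(n, *key)
    print("failed checks:", dict(report["failed_checks"]))
```

Run it over /var/log/messages from the firewall instead of SAMPLE_LOG: an IP id that accumulates pieces and "missing" messages but never reaches "complete" is a datagram that was dropped at the "frag" timeout, and the flow counter shows which connections keep producing loose or BAD matches (and in which TCP states), which is more useful than the raw line count when 1500 hosts share the box.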

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6e6841490706111408x51f53de9j9f94c6910d259035>