From: "Gilberto Villani Brito"
To: "FreeBSD (PF)" freebsd-pf@freebsd.org
Date: Mon, 11 Jun 2007 18:08:04 -0300
Subject: Firewall delay.

Hi,

I have a firewall (FreeBSD + PF) for my network, whose speed is max 20 Mbps.
Sometimes my firewall begins losing packets with high delay.

My log:

Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 1735 @ 4368-5824
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 1735 @ 5824-7280
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 1735 @ 7280-8259
Jun 11 16:33:05 teste2 pf_reassemble: 8259 < 8259?
Jun 11 16:33:05 teste2 pf_reassemble: complete: 0xc24c4200(8279)
Jun 11 16:33:05 teste2 pf: loose state match: TCP 10.137.2.2:2787 189.36.241.138:64323 69.210.247.107:26977 [lo=1070436136 high=1070436137 win=16384 modulator=0] [lo=23 high=16407 win=1 modulator=0] 10:10 RA seq=0 ack=1070436136 len=23 ackskew=0 pkts=2:1
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 31593 @ 7360-8404
Jun 11 16:33:05 teste2 pf_reassemble: missing fragment at 1044, next -1, max 8404
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 31593 @ 0-1472
Jun 11 16:33:05 teste2 pf_reassemble: missing fragment at 1472, next 7360, max 8404
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 31593 @ 1472-2944
Jun 11 16:33:05 teste2 pf_reassemble: missing fragment at 2944, next 7360, max 8404
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 31593 @ 2944-4416
Jun 11 16:33:05 teste2 pf_reassemble: missing fragment at 4416, next 7360, max 8404
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 31593 @ 4416-5888
Jun 11 16:33:05 teste2 pf_reassemble: missing fragment at 5888, next 7360, max 8404
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 31593 @ 5888-7360
Jun 11 16:33:05 teste2 pf_reassemble: 8404 < 8404?
Jun 11 16:33:05 teste2 pf_reassemble: complete: 0xc22ec800(8424)
Jun 11 16:33:05 teste2 pf: loose state match: TCP 10.143.4.2:1916 189.36.241.144:62874 68.50.45.106:37812 [lo=1994065 high=2053760 win=8760 modulator=0] [lo=3076635998 high=3076644605 win=65535 modulator=0] 10:10 R seq=3076635998 ack=1994065 len=0 ackskew=0 pkts=11:6
Jun 11 16:33:05 teste2 pf: loose state match: TCP 10.143.4.2:1916 189.36.241.144:62874 68.50.45.106:37812 [lo=1994065 high=2053760 win=8760 modulator=0] [lo=3076635998 high=3076644605 win=65535 modulator=0] 10:10 R seq=3076635998 ack=1994065 len=0 ackskew=0 pkts=11:7

I deleted the line "scrub in all" and now my log is:

Jun 11 17:59:20 teste2 pf: State failure on: 1 | 5
Jun 11 17:59:22 teste2 pf: loose state match: TCP 24.20.246.56:45086 24.20.246.56:45086 10.137.2.2:4849 [lo=745162846 high=745162871 win=17367 modulator=0] [lo=0 high=1 win=1 modulator=0] 2:0 PA seq=745162846 ack=0 len=48 ackskew=0 pkts=1:0
Jun 11 17:59:22 teste2 pf: loose state match: TCP 10.137.2.2:4849 189.36.241.138:62521 24.20.246.56:45086 [lo=745162846 high=745162871 win=17367 modulator=0] [lo=0 high=1 win=1 modulator=0] 2:0 PA seq=745162846 ack=0 len=48 ackskew=0 pkts=1:0
Jun 11 17:59:22 teste2 pf: BAD state: TCP 10.139.32.2:1136 189.36.241.140:52465 200.176.2.71:80 [lo=373432 high=381624 win=8192 modulator=0] [lo=2103533023 high=2103541215 win=8192 modulator=0] 4:2 SA seq=2121929591 ack=373432 len=0 ackskew=0 pkts=2:1 dir=in,rev
Jun 11 17:59:22 teste2 pf: State failure on: 1 | 5
Jun 11 17:59:25 teste2 pf: BAD state: TCP 10.32.3.2:4424 189.36.241.33:60839 200.77.10.59:35581 [lo=2664673092 high=2664673093 win=16384 modulator=0] [lo=860203439 high=860219823 win=1 modulator=0] 4:2 SA seq=3776746073 ack=2664673092 len=0 ackskew=0 pkts=3:1 dir=in,rev
Jun 11 17:59:25 teste2 pf: State failure on: 2 | 6
Jun 11 17:59:26 teste2 pf: BAD state: TCP 10.37.6.5:3044 189.36.241.38:53176 72.14.209.85:80 [lo=3600173939 high=3600182129 win=65535 modulator=0] [lo=2902009590 high=2902075125 win=8190 modulator=0] 4:2 SA seq=3133227478 ack=3600173939 len=0 ackskew=0 pkts=3:1 dir=in,rev

My pf.conf:

set debug misc
set timeout { interval 10, frag 30, src.track 0 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 100000, src-nodes 100000, frags 5000 }
set loginterface em0
set optimization conservative
set block-policy drop
set require-order yes
set state-policy floating

I have about 1500 IPs passing through this firewall and the server is not under full processor load.
Does somebody have any tips?

--
Gilberto Villani Brito
System Administrator
Londrina - PR
Brazil
gilbertovb(a)gmail.com