From: Chris Marlatt <cmarlatt@rxsec.com>
Organization: Receive Security
Date: Mon, 10 Mar 2008 09:35:38 -0400
To: Lorenz Helleis
Cc: freebsd-pf@freebsd.org
Subject: Re: Dropped Packets
Message-ID: <47D5392A.6060407@rxsec.com>
In-Reply-To: <151806.66922.qm@web53707.mail.re2.yahoo.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Lorenz Helleis wrote:
> Do the machines generating the traffic have multiple paths?
>
> The only time I've really seen pf have problems with sessions is when
> the devices send and receive traffic via different paths or multiple
> paths (i.e. traffic comes in via firewall01 but goes out firewall02 and
> firewall01 and firewall02 do not implement pfsync).
>
> Regards,
>
> Chris
>
>
> I have 2 firewalls, and they were working very well until yesterday... I implemented pfsync in the firewalls...
>
> I think I need to optimize the rules, like increase the tables... or something like this....
>
> Did you increase these values on your firewall?
>
> Tell me about your firewall...
>
> Lorenz.
>

Please correct me if I'm reading this incorrectly, but it sounds like you're saying the firewalls worked fine until you implemented pfsync, is this correct? If so, try backing that out to isolate the change and confirm this. I've seen pfsync packets either be lost or "slow" in synchronizing with the other firewall, and as a result state mismatches occurring on the secondary firewall (if both are active, i.e. arp balance). If you're using that, try disabling it and see if there is an improvement.

Also, have you made any modifications to sysctl.conf and loader.conf? If so, please post them here.

Regards,

Chris
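As an added example that is not part of this thread, the script below reads the counters that `pfctl -s info` prints and separates the two causes discussed above: state mismatches (pfsync lagging or flows crossing different firewalls) versus a full state table (the "increase the tables" question). SAMPLE_INFO is constructed output so it runs offline; the 10000 limit is an assumed `set limit states` value.

```shell
#!/bin/sh
# Added example, not from the thread: classify pf drop counters from
# `pfctl -s info` output. SAMPLE_INFO is constructed sample output;
# on a real firewall use "$(pfctl -s info)" instead.

SAMPLE_INFO='State Table                          Total             Rate
  current entries                     9950
  searches                          123456            1.2/s
Counters
  match                                 10            0.0/s
  memory                                 0            0.0/s
  state-mismatch                       412            3.1/s
  state-insert                           0            0.0/s
  state-limit                           57            0.4/s'

# pf_counter NAME INFO -> Total column of that counter (0 if absent)
pf_counter() {
    printf '%s\n' "$2" | awk -v n="$1" 'BEGIN { v = 0 } $1 == n { v = $2; exit } END { print v }'
}

# pf_entries INFO -> number of current state entries
pf_entries() {
    printf '%s\n' "$1" | awk '$1 == "current" && $2 == "entries" { print $3; exit }'
}

# pf_near_limit ENTRIES LIMIT -> exit 0 when the table is 90% full or more
pf_near_limit() {
    [ $(( $1 * 10 )) -ge $(( $2 * 9 )) ]
}

# pf_diagnose INFO LIMIT -> one finding per line; LIMIT is 'set limit states'
pf_diagnose() {
    mismatch=$(pf_counter state-mismatch "$1")
    statelim=$(pf_counter state-limit "$1")
    memory=$(pf_counter memory "$1")
    entries=$(pf_entries "$1")
    if [ "$mismatch" -gt 0 ]; then
        echo "state-mismatch=$mismatch: packets arrived for states pf does not hold;"
        echo "  with two active firewalls check that pfsync keeps up and that"
        echo "  flows do not enter one firewall and leave via the other"
    fi
    if [ "$statelim" -gt 0 ] || pf_near_limit "$entries" "$2"; then
        echo "state-limit=$statelim entries=$entries/$2: state table full or nearly"
        echo "  full; raise 'set limit states' in pf.conf"
    fi
    [ "$memory" -gt 0 ] && echo "memory=$memory: pf could not allocate state memory"
    return 0
}

pf_diagnose "$SAMPLE_INFO" 10000
```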