Date:      Sat, 5 Mar 2005 23:20:00 +0100
From:      Daniel Hartmeier <daniel@benzedrine.cx>
To:        Stephane Raimbault <segr@hotmail.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: nat / rdr timeouts?
Message-ID:  <20050305222000.GC26999@insomnia.benzedrine.cx>
In-Reply-To: <BAY24-F31D17EC37593D6F6C2DF03CC5D0@phx.gbl>
References:  <20050305200559.GA26999@insomnia.benzedrine.cx> <BAY24-F31D17EC37593D6F6C2DF03CC5D0@phx.gbl>

On Sat, Mar 05, 2005 at 02:57:56PM -0700, Stephane Raimbault wrote:

> I cvsup'd RELENG_5 and recompiled the kernel and I'm seeing the same 
> results.  Do I need to recompile any other parts of the system?

No, that's it.

> Do we believe I've stumbled onto a bug of pf... or is this some sort of 
> anti-DoS feature?

The default limit on number of states is 10,000. If further packets try
to create state, they are dropped. But it doesn't look like you're
hitting that.

Enable debug logging (pfctl -xm), reproduce the problem, then check
/var/log/messages for anything from pf.

Also quote pfctl -vvss output after the problem, as well as pfctl -si,
please.

Daniel
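As an added illustration of the checks Daniel asks for (not code from the thread or from the pf project), the script below parses `pfctl -si` and `pfctl -sm` output and reports whether the state table is near its hard limit, whether any of the counters that record dropped state creations (`state-limit`, `memory`, `src-limit`) are non-zero, and whether the debug level has been raised so that pf will log. The two sample outputs are constructed in the shape of those commands' output on a 2005-era FreeBSD pf; the column layout assumed by the regular expressions is an assumption, so adjust them if your pfctl prints differently.

```python
import re

# Constructed sample of `pfctl -si` output (not captured from the host in the thread).
SAMPLE_PFCTL_SI = """\
Status: Enabled for 0 days 02:13:41           Debug: Misc

State Table                          Total             Rate
  current entries                     9734
  searches                        18250112          2267.6/s
  inserts                           201433            25.0/s
  removals                          191699            23.8/s
Counters
  match                             201433            25.0/s
  bad-offset                             0             0.0/s
  fragment                              12             0.0/s
  short                                  0             0.0/s
  normalize                              0             0.0/s
  memory                                 0             0.0/s
  bad-timestamp                          0             0.0/s
  congestion                             0             0.0/s
  ip-option                              0             0.0/s
  proto-cksum                            0             0.0/s
  state-mismatch                       148             0.0/s
  state-insert                           0             0.0/s
  state-limit                            0             0.0/s
  src-limit                              0             0.0/s
  synproxy                               0             0.0/s
"""

# Constructed sample of `pfctl -sm` output showing the default state limit.
SAMPLE_PFCTL_SM = """\
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
"""


def parse_si(text):
    """Return (debug_level, {counter name: total}) from `pfctl -si` output.

    Assumes counter lines are indented, followed by two or more spaces and
    an integer total; the optional rate column is ignored.
    """
    debug = None
    counters = {}
    for line in text.splitlines():
        m = re.match(r"Status:.*Debug:\s+(\S+)", line)
        if m:
            debug = m.group(1)
            continue
        m = re.match(r"\s+([a-z][a-z -]*?)\s{2,}(\d+)", line)
        if m:
            counters[m.group(1).strip()] = int(m.group(2))
    return debug, counters


def parse_sm(text):
    """Return {resource: hard limit} from `pfctl -sm` output."""
    limits = {}
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+hard limit\s+(\d+)", line)
        if m:
            limits[m.group(1)] = int(m.group(2))
    return limits


def evaluate(debug, counters, limits, warn_ratio=0.9):
    """Turn parsed values into a list of findings (empty list means nothing suspicious)."""
    findings = []
    cur = counters.get("current entries", 0)
    lim = limits.get("states")
    if lim and cur >= warn_ratio * lim:
        findings.append("state table %d/%d: at or near the hard limit" % (cur, lim))
    # Each of these counters increments when a packet that would create
    # state is dropped instead, which is the symptom being discussed.
    for name in ("state-limit", "memory", "src-limit"):
        n = counters.get(name, 0)
        if n > 0:
            findings.append("%s counter is %d: packets dropped when creating state" % (name, n))
    # pf only logs the interesting events at the misc or loud level (pfctl -xm / -xl).
    if (debug or "").lower() not in ("misc", "loud"):
        findings.append("debug level is %s: raise it with pfctl -xm before reproducing" % debug)
    return findings


def assess(si_text, sm_text, warn_ratio=0.9):
    """Convenience wrapper: parse both outputs and evaluate them."""
    debug, counters = parse_si(si_text)
    return evaluate(debug, counters, parse_sm(sm_text), warn_ratio)


if __name__ == "__main__":
    for finding in assess(SAMPLE_PFCTL_SI, SAMPLE_PFCTL_SM):
        print(finding)
```

On a live system, feed it the real output (for example `pfctl -si > si.txt; pfctl -sm > sm.txt` and read those files instead of the samples). The 90% warning threshold is an arbitrary choice; the point is that a host that is genuinely hitting the 10,000-state default shows it both in `current entries` and in a climbing `state-limit` counter, whereas a timeout or rule problem shows neither.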


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050305222000.GC26999>