Re: PF and stalled connections

On Monday 30 December 2002 15:55, Abdul Rehman Gani wrote:
> Hi,
>
> I have just upgraded a working OBSD 2.9 + IPF firewall to OBSD 3.2 and PF.

I have tried the following:-

Installed 3.2 from CD - this is a complete install, only the config files were saved on another server, then restored to this server.

Config files saved were: pf.conf, hostname.fxp[01], tinydns and dnscache data files and relevant portion of rc.local

Rebuilt a kernel with NMBCLUSTERS=8192

Disabled the audio system (irq 10 conflict with fxp1)

Changed the NIC config from media autoselect to media 100baseTX mediaopt full-duplex

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related openbsd.org Links advocacy announce bugs ipv6 misc ports ports-changes security-announce smp source-changes tech Request more information about Pantek

Rebooted (obviously)

Further observations:-

The stalls are connection based, ie. during a stall of one ssh session, I can still use another ssh session, to the same host or to another through the host, or even check pop mail on a server out side the firewall.

>From the firewall, two ping started, one to an internal host and another to an
external host will result in lost packets to the internal host.

A netstat -di shows zero collisions, error and drops on all interfaces

pfctl -s i:-

Status: Enabled for 0 days 03:12:35 Debug: Misc

State Table                          Total             Rate
  current entries                     1649
  searches                         2876881          249.0/s
  inserts                           112980            9.8/s
  removals                          111331            9.6/s
Counters
  match                             113708            9.8/s
  bad-offset                             0            0.0/s
  fragment                               3            0.0/s
  short                                  0            0.0/s
  normalize                              1            0.0/s
  memory                                 0            0.0/s

I do not have a limit set for states or fragments in pf.conf - what is the default?

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related openbsd.org Links advocacy announce bugs ipv6 misc ports ports-changes security-announce smp source-changes tech Request more information about Pantek

What can people suggest? Any other diagnostics/debugs that I can use to obtain more info?

Thanks,

Abdul

-- 
http://www.eastcoast.co.za
Tel: +27-31-566-8080
Fax: +27-31-566-8010
Email: support@eastcoast.co.za