Re: pf chokes
On Friday 26 March 2004 01:12 am, Andre Dalle wrote:
> You should check "pfctl -s info" for starters. It could be that your
> state or frag tables are filling up, given the 30-45minutes until things
> stop.
Ok, I'll check that today and see what it says.
>
> I found on my firewall that I reach 20+ thousand states in the evenings,
> and 10+ thousand during the day - the default limit is only 10,000.
>
> Note that "rdr" rules will also create states in addition to specific
> keep/modulate state filter rules.
I don't have any "rdr" directives in my rules.
>
> If that's not it - try "pfctl -d" to disable the packet filter. This is
> better than changing or flushing your rules because it will bypass the
> PF system entirely.
Ok, I'll try that. All I know is connectivity stays up if I reconnect the old
CAT5 cable going from the router to the 3Com hub and it isn't until I switch
to the crossover cable that I start having problems.
Thanks for your suggestions.
>
> On Thu, Mar 25, 2004 at 09:20:25PM -0700, rootman wrote:
> > Hi,
> >
> > I've recently built a transparent-bridge
> > firewall on an IBM 300PL desktop using OpenBSD 3.3-R to
> > protect one of our T1 connections where I work. The T1 was connected
> > to an old Cisco router via 10baseT transceiver to an 8-port 3Com 10/100
> > hub and then there's a patch cable going from that hub to a Cisco 100MB
> > switch to provide connectivity to a couple users in another part of the
> > building. I placed the firewall between the router and 3Com hub via a
> > crossover cable going between the firewall and router on one 3Com 3C905B
> > nic and a regular cat5 cable from the internal nic to the 3Com hub. When
> > I rebooted the firewall everything works for about 30 - 45 minutes then
> > all of the sudden it doesn't let any traffic in or out. I did some
> > research and read about someone else having the same trouble who was told
> > to:
> >
> > 1. Comment out the "scrub in/out" directives in pf.conf
> > 2. Compile a custom kernel and upgrade to stable
> > 3. Change the 3com nics from autoselect to full-duplex
> >
> > I have done all of the above and the same thing keeps happening.
> >
> > I've even tried using some older 3Com 10/100 pci nics and also
> > changing my rules to a basic "pass in all + pass out all" so I don't
> > think the problem is with my rules or hardware but possibly somewhere
> > with the router and/or hub and switch.
> >
> > Here are the pf.conf rules I used:
> >
> > http://www.oswars.net/downloads/OpenBSD/pf.conf.oswars
> >
> > Does anyone know where the bottleneck might reside?
> >
> > Thanks
> >
> > #R
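The check suggested in the reply above (look at "pfctl -s info" for a state or fragment table that is filling up against the 10,000-entry default) can be turned into a small script. This is an added example and not code from either poster; it assumes the "current entries" line of `pfctl -s info`, the "memory" counter in the same output, and the "states hard limit" line of `pfctl -s memory` keep the column layout shown in the constructed sample output below (the exact layout varies between OpenBSD releases, so check it against your own box before relying on the field numbers).

```shell
#!/bin/sh
# Added example (not from the thread): report pf state-table usage against the
# configured hard limit and flag allocation failures.
# On a live OpenBSD host you would feed it the real command output:
#   pf_state_usage "$(pfctl -s info)" "$(pfctl -s memory)"
# The two samples below are constructed for offline use and only mimic the
# layout of those commands.

SAMPLE_INFO='Status: Enabled for 0 days 00:41:12           Debug: Urgent

State Table                          Total             Rate
  current entries                     9874
  searches                        19283712         7800.1/s
  inserts                            98123           39.7/s
  removals                           88249           35.7/s
Counters
  match                             105321           42.6/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                               412            0.2/s'

SAMPLE_MEMORY='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000'

# Number of entries currently in the state table ("current entries" line).
pf_current_states() {
    printf '%s\n' "$1" | awk '/current entries/ { print $3; exit }'
}

# Configured hard limit for states ("states hard limit" line of pfctl -s memory).
pf_state_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" && $2 == "hard" { print $4; exit }'
}

# The "memory" counter: packets pf dropped because it could not allocate a
# state or fragment entry. Anything non-zero means the limit has been hit.
pf_memory_failures() {
    printf '%s\n' "$1" | awk '$1 == "memory" { print $2; exit }'
}

# Print usage as a percentage; return 1 when at or above the threshold
# (third argument, default 90) or when allocation failures were counted.
pf_state_usage() {
    info=$1; mem=$2; threshold=${3:-90}
    cur=$(pf_current_states "$info")
    lim=$(pf_state_limit "$mem")
    fails=$(pf_memory_failures "$info")
    pct=$(( cur * 100 / lim ))
    echo "states: $cur / $lim (${pct}%), memory failures: $fails"
    if [ "$pct" -ge "$threshold" ] || [ "$fails" -gt 0 ]; then
        echo "WARNING: state table at or near its limit; raise 'set limit states'" \
             "in pf.conf or shorten state timeouts"
        return 1
    fi
    return 0
}

# Run against the constructed samples when executed directly.
pf_state_usage "$SAMPLE_INFO" "$SAMPLE_MEMORY" || true
```

Against the constructed sample the script reports 98% of the default 10,000 states in use plus 412 memory failures, which is exactly the symptom Andre describes: traffic stops once pf can no longer add states, even though the rules themselves are fine.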