Hello,
> Note: You can remove "keep state". This is implicit for newer versions of pf.
> Note: These keep state, see above. You might want to add "no state" here,
> to decrease state table usage.
But if it is "no state", does that mean it eats more CPU? Or not?
> From the frequency of the logs, it looks like there is heavy load on the
> server (or a high connection latency). If so, this may be a problem of
> state table exhaustion or timeouts. pf may drop a "dangling, almost
> finished" connection before the final "FIN" packet arrives and thus create
> such log entries, as the final packet gets blocked when the corresponding
> state table entry is not present any more.
Actually the server was just deployed and there shouldn't be much traffic
going through. I checked with pfctl:
State Table                          Total             Rate
  current entries                       79
  searches                         9652489           16.2/s
  inserts                           486382            0.8/s
  removals                          486303            0.8/s
These seem pretty low, huh?
> To eliminate this possibility, you should monitor the size of your state
> table and possibly increase the limits, if so.
> Or insert some "no state" statements into your ruleset.
So, what would be the next idea to try? For now I did "set skip on $int_Jails"
and it seems to help.
Thanks,
Nejc
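An added check for the state-table-exhaustion hypothesis raised above (example script, not code from this thread or from the pf project): it reads `pfctl -si` and `pfctl -sm` when pf is present and otherwise falls back to constructed sample output built from the counters quoted in the mail and pf's default limits; the 70%/90% thresholds and the 10000 limit in the sample are assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: estimate how full the pf
# state table is, so that "state table exhaustion" can be confirmed or
# ruled out from counters instead of guessed from log frequency.
#
# Live values come from `pfctl -si` (state counters) and `pfctl -sm`
# (hard limits). The two SAMPLE_* strings are CONSTRUCTED: the counters
# are the ones quoted in the thread, the limits are pf's defaults, and
# they let the script run on a host without pf.

SAMPLE_SI='State Table                          Total             Rate
  current entries                       79
  searches                         9652489           16.2/s
  inserts                           486382            0.8/s
  removals                          486303            0.8/s'

SAMPLE_SM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000'

# current_entries SI_TEXT -> number of states currently in the table
current_entries() {
    printf '%s\n' "$1" | awk '$1 == "current" && $2 == "entries" { print $3; exit }'
}

# states_limit SM_TEXT -> configured hard limit for states
states_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" && $2 == "hard" { print $4; exit }'
}

# usage_pct ENTRIES LIMIT -> integer percentage of the limit in use
usage_pct() {
    awk -v e="$1" -v l="$2" 'BEGIN { if (l + 0 <= 0) exit 1; printf "%d\n", (e * 100) / l }'
}

# state_status SI_TEXT SM_TEXT -> ok | warn | critical (thresholds are assumptions)
state_status() {
    entries=$(current_entries "$1")
    limit=$(states_limit "$2")
    pct=$(usage_pct "$entries" "$limit") || return 1
    if [ "$pct" -ge 90 ]; then echo critical
    elif [ "$pct" -ge 70 ]; then echo warn
    else echo ok
    fi
}

# Read the live counters if pfctl exists, otherwise fall back to the samples.
main() {
    if command -v pfctl >/dev/null 2>&1; then
        si=$(pfctl -si) && sm=$(pfctl -sm) || { echo "pfctl failed (need root?)" >&2; return 1; }
    else
        si=$SAMPLE_SI
        sm=$SAMPLE_SM
        echo "pfctl not found; using constructed sample output" >&2
    fi
    entries=$(current_entries "$si")
    limit=$(states_limit "$sm")
    printf 'states: %s / %s (%s%%) -> %s\n' \
        "$entries" "$limit" "$(usage_pct "$entries" "$limit")" "$(state_status "$si" "$sm")"
}

main "$@"
```

If usage sits near the limit, the remedy is `set limit states N` in pf.conf (or `no state` on the rules that generate the most entries); with the 79 entries quoted above against a default-sized table, the counters do not support exhaustion, which points back at timeouts or rule ordering. On the CPU question: a packet that matches an existing state skips ruleset evaluation, so `no state` rules cost more per packet because every packet is run through the ruleset, and they also forgo the sequence-number checking that stateful tracking gives.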
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"