Hi,I upgrade to the latest FreeBSD-7.0 release using freebsd-update, with kernel 7.0-RELEASE-p11.
I still get massive amounts of state mismatches and intermittent connection problems (connection refused, operation not permitted) with outging connections....
My firewall rules are unchanged (see below), the stats are now: Status: Enabled for 3 days 21:29:15 Debug: Urgent State Table Total Rate current entries 1994 searches 33567431 99.7/s inserts 4611322 13.7/s removals 4609328 13.7/s Counters match 6170429 18.3/s bad-offset 0 0.0/s fragment 0 0.0/s short 0 0.0/s normalize 1 0.0/s memory 1516667 4.5/s bad-timestamp 0 0.0/s congestion 0 0.0/s ip-option 0 0.0/s proto-cksum 247 0.0/s state-mismatch 1438892 4.3/s state-insert 0 0.0/s state-limit 0 0.0/s src-limit 0 0.0/s synproxy 0 0.0/sDoes anybody have *any* clue what's going on, and how I can go about fixing it?
Thanks in advance, Sebastiaan Sebastiaan van Erk wrote:
Hi,I'm running FreeBSD-7.0 RELEASE with the following patch to the kernel (I know it's integrated in the latest patchlevels which you get when you do freebsd-update, but since I'm still getting state-mismatches WITH the patch I'm holding off on the upgrade until I have more information as to the nature of the problem):*** net/pf.c 2007/09/07 21:34:10 1.558 --- net/pf.c 2007/09/18 19:45:59 1.559 *************** pf_test_state_tcp(struct pf_state **state, int directi *** 3730,3735 **** --- 3730,3751 ---- REASON_SET(reason, PFRES_SYNPROXY); return (PF_SYNPROXY_DROP); } + } + + if (((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN) && + dst->state >= TCPS_FIN_WAIT_2 && + src->state >= TCPS_FIN_WAIT_2) { + if (pf_status.debug >= PF_DEBUG_MISC) { + printf("pf: state reuse "); + pf_print_state(*state); + pf_print_flags(th->th_flags); + printf("\n"); + } + /* XXX make sure it's the same direction ?? */ + (*state)->src.state = (*state)->dst.state = TCPS_CLOSED; + pf_unlink_state(*state); + *state = NULL; + return (PF_DROP); } if (src->wscale && dst->wscale && !(th->th_flags & TH_SYN)) {The problem I'm having is that I get intermittent connection refused/operation not permitted to another machine on the local network. When I do pfctl -s info I see *huge* numbers of state mismatches:Status: Enabled for 94 days 01:27:40 Debug: Urgent State Table Total Rate current entries 398 searches 986228319 121.4/s inserts 104049508 12.8/s removals 104049110 12.8/s Counters match 107482262 13.2/s bad-offset 0 0.0/s fragment 0 0.0/s short 0 0.0/s normalize 42 0.0/s memory 3125235 0.4/s bad-timestamp 0 0.0/s congestion 0 0.0/s ip-option 0 0.0/s proto-cksum 13919 0.0/s state-mismatch 3039814 0.4/s state-insert 0 0.0/s state-limit 0 0.0/s src-limit 0 0.0/s synproxy 0 0.0/sThis is causing serious problems at them moment. It seems that the state problems occur in certain small time windows (my nagios starts reporting that every service is connection refused/operation not permitted, which is about 20 services). Then I get 20 recovery messages.The firewall rules are trivially simple, $ext_if has 2 ips and $int_if has one:interfaces = "{" $ext_if "," $int_if "}" scrub in all set skip on lo0 antispoof for $interfaces inet block out log quick on $ext_if from !$ext_ip1 to any block in quick on $ext_if from any to 255.255.255.255 block log all pass in quick inet proto icmp all icmp-type $icmp_types pass in quick on $int_if from $int_net to any pass out quick on $int_if from any to $int_net pass out on $ext_if proto tcp all pass out on $ext_if proto { udp, icmp } all pass in on $ext_if proto tcp from any to $ext_ip1 port $tcp_services1 pass in on $ext_if proto tcp from any to $ext_ip2 port $tcp_services2Does anybody have any idea what's going on and where I can look? This is a production server so it's seriously influencing the quality of the hosted services. :-(Regards, Sebastiaan
smime.p7s
Description: S/MIME Cryptographic Signature
