On Mon 24 Nov 2014 19:24:55 NZDT +1300, Nishant Sharma wrote:
Thanks.
> I have observed this happening when there are infected machines in the
> network that incessantly send web requests. This causes squid to query
> filterdns which fills all the states and new connections are slow to
> open.
>
> Have a look on state table and you will see most of them from
> 127.0.0.1 to 127.0.0.1:53.

There is no abnormality in the state table. For the first occurrence of
this problem used-states peaked at 170 (RRD, 1 week, 1h average), for
the second at 120 (RRD, 1 day, 5 minutes average).

For the first time I checked this in the web interface at the time, the
second time I couldn't get a web login.

The access log shows a client doing web browsing with a request rate of
up to something like 20/second for the first. That's normal, pages
loading all their CDN and adcr.p references. No activity for the second
time(!) in the log, but that seems a bit low.

I had increased the squidguard processes from the default 5 to 20 (had
to hack the php) to avoid warnings about insufficient processes.

> Immediate measure can be not to use dns-forwarder as DNS for the
> firewall. Sift through squid access log to find out infected machines
> and sanitise them.

No infected machines present.

It is entirely possible that my ISP had DNS or general congestion at the
time. However I expect pfsense not to shoot itself when its Internet
connection is less than perfect.

As a quick measure I have moved squid + squidguard logs to a different
filesystem and changed process limits from

    kern.maxfiles: 12328
    kern.maxfilesperproc: 11095

to

    kern.maxfiles: 15000
    kern.maxfilesperproc: 3000

And squid needs its logging sorted:

    uniq < cache.log > cache.log-uniq
    wc -l cache.log*
    98234680 cache.log
    64153 cache.log-uniq

So I am still looking for the cause of this suicidal pfsense box. Any
pointers gratefully accepted.

Volker
--
Volker Kuhlmann
http://volker.top.geek.nz/ Please do not CC list postings to me.
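
The state-table check suggested in the quoted text (states from 127.0.0.1 to 127.0.0.1:53), as an added example that is not part of the original post. The function names, the six-field `pfctl -ss` line shape and the sample lines are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the original thread.
# Assumption: plain IPv4 `pfctl -ss` lines with six fields:
#   IFACE PROTO ADDR:PORT ->|<- ADDR:PORT STATE
# Lines of any other shape (headers, NAT-translated entries) are skipped.
# Live use on the firewall: pfctl -ss | state_pairs | head

# Collapse states to "count src_ip dst_ip:port", busiest pair first.
state_pairs() {
    awk 'NF == 6 && ($4 == "->" || $4 == "<-") {
        # "a -> b": a connected to b.  "b <- a": the same, seen inbound.
        if ($4 == "->") { src = $3; dst = $5 } else { src = $5; dst = $3 }
        sub(/:[0-9]+$/, "", src)      # source port is ephemeral, drop it
        n[src " " dst]++
    }
    END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# Integer percentage of counted states that are 127.0.0.1 -> 127.0.0.1:53.
loopback_dns_share() {
    state_pairs | awk '
        { total += $1 }
        $2 == "127.0.0.1" && $3 == "127.0.0.1:53" { dns += $1 }
        END { print (total ? int(100 * dns / total) : 0) }'
}

# Constructed sample input (not captured from a real firewall).
sample_states() {
    cat <<'EOF'
all udp 127.0.0.1:40001 -> 127.0.0.1:53 MULTIPLE:SINGLE
all udp 127.0.0.1:53 <- 127.0.0.1:40001 SINGLE:MULTIPLE
all udp 127.0.0.1:40002 -> 127.0.0.1:53 MULTIPLE:SINGLE
all udp 127.0.0.1:53 <- 127.0.0.1:40002 SINGLE:MULTIPLE
all udp 127.0.0.1:40003 -> 127.0.0.1:53 SINGLE:NO_TRAFFIC
all udp 127.0.0.1:53 <- 127.0.0.1:40003 NO_TRAFFIC:SINGLE
all tcp 192.168.1.1:3128 <- 192.168.1.23:51514 ESTABLISHED:ESTABLISHED
all tcp 192.168.1.1:3128 <- 192.168.1.23:51515 ESTABLISHED:ESTABLISHED
all tcp 192.168.1.1:443 <- 192.168.1.40:60222 ESTABLISHED:ESTABLISHED
all tcp 203.0.113.9:22011 -> 198.51.100.7:80 ESTABLISHED:ESTABLISHED
EOF
}

sample_states | state_pairs
echo "loopback DNS share: $(sample_states | loopback_dns_share)%"
```

A high loopback DNS share alongside a rising total state count would match the pattern described in the quoted text; a low share points elsewhere.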