On Tue, 2003-07-22 at 02:02, Trevor Talbot wrote:
> On Friday, Jul 18, 2003, at 13:26 US/Pacific, Angel Todorov wrote:
>
> > I use the following pf.conf file for an internal network that passes
> > through the openbsd gateway box then goes its way to the external
> > firewall -> then outside. The problem is that often packets are
> > dropped, for ex. pinging google.com from an internal network's hosts
> > results in almost 40-50 % of the packets dropped... Do you know
> > anything that may be the cause of the problem (i.e pf timeout
> > settings, queue design errors, passing packets errors, kernel options,
> > etc?)
>
> Can narrow it down real quick with tcpdump. Use it on both the
> internal and external interfaces, and make sure the packets appear on
> both. If they appear on one but not the other, then the machine isn't
> passing them for some reason. To figure out if it's pf, just disable
> it (pfctl -d) and see what happens. If it is pf, add log to all of
> your block rules, and apply tcpdump (use -e) to pflog0. Use pfctl
> -vvsq to watch the drop counts in the queues. If it isn't pf, the
> "packets not forwardable" counter in netstat -p ip will at least tell
> you if the kernel doesn't like routing them. Keep an eye on
> /var/log/messages for general errors, especially from network hardware.

Also make sure you aren't using crappy NIC cards :-)

--Bryan
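The two-interface comparison suggested in the quoted reply can be scripted. The following is an added example, not part of the original thread: it takes two saved tcpdump text captures (internal and external interface) and lists the ICMP echo requests that never reached the external side. The function names, file names and sample lines are constructed, and the pattern assumes the tcpdump.org text format (`ICMP echo request, id N, seq N`); adjust it if your tcpdump prints ICMP differently. Requests are matched on destination and sequence number only, so capture one ping run at a time.

```shell
#!/bin/sh
# Added example: find echo requests seen on the internal interface
# capture that are missing from the external interface capture.

# Print "dst seq" for every ICMP echo request in a tcpdump text capture.
echo_requests() {
    awk '/ICMP echo request/ {
        dst = ""; seq = ""
        for (i = 1; i <= NF; i++) {
            if ($i == ">")   { dst = $(i + 1); sub(/:$/, "", dst) }
            if ($i == "seq") { seq = $(i + 1); sub(/,$/, "", seq) }
        }
        if (dst != "" && seq != "") print dst, seq
    }' "$1" | sort -u
}

# Echo requests present in capture $1 (internal) but absent from $2 (external).
not_forwarded() {
    int_keys=$(mktemp); ext_keys=$(mktemp)
    echo_requests "$1" > "$int_keys"
    echo_requests "$2" > "$ext_keys"
    comm -23 "$int_keys" "$ext_keys"
    rm -f "$int_keys" "$ext_keys"
}

# Constructed sample captures (documentation addresses, not real traffic).
write_sample_captures() {
    cat > "$1/int.txt" <<'EOF'
02:02:01.100000 IP 10.0.0.5 > 198.51.100.7: ICMP echo request, id 4242, seq 1, length 64
02:02:01.130000 IP 198.51.100.7 > 10.0.0.5: ICMP echo reply, id 4242, seq 1, length 64
02:02:02.100000 IP 10.0.0.5 > 198.51.100.7: ICMP echo request, id 4242, seq 2, length 64
02:02:03.100000 IP 10.0.0.5 > 198.51.100.7: ICMP echo request, id 4242, seq 3, length 64
02:02:03.130000 IP 198.51.100.7 > 10.0.0.5: ICMP echo reply, id 4242, seq 3, length 64
02:02:04.100000 IP 10.0.0.5 > 198.51.100.7: ICMP echo request, id 4242, seq 4, length 64
EOF
    cat > "$1/ext.txt" <<'EOF'
02:02:01.100200 IP 10.0.0.5 > 198.51.100.7: ICMP echo request, id 4242, seq 1, length 64
02:02:01.129800 IP 198.51.100.7 > 10.0.0.5: ICMP echo reply, id 4242, seq 1, length 64
02:02:03.100200 IP 10.0.0.5 > 198.51.100.7: ICMP echo request, id 4242, seq 3, length 64
02:02:03.129800 IP 198.51.100.7 > 10.0.0.5: ICMP echo reply, id 4242, seq 3, length 64
EOF
}

demo_dir=$(mktemp -d)
write_sample_captures "$demo_dir"
echo "Echo requests dropped inside the gateway (dst seq):"
not_forwarded "$demo_dir/int.txt" "$demo_dir/ext.txt"
rm -rf "$demo_dir"
```

Requests listed here were lost inside the gateway itself, which is the case where disabling pf, the pflog0 capture and the queue drop counters from the reply are the next things to check; an empty list points at loss further downstream.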
