Looking at these stats, I would guess that you are running with the default limit of states, 10,000. You have nearly 10,000 in your state table now, and every time you get to the limit, new connections fail (the 'memory' counter: 13.7/s).
You can check with pfctl -sm, and change the limit with 'set limit states'. You didn't say which version of PF you're running (or on what platform for that matter), but you may also want to look at the adaptive timeouts to reduce pressure on the state table. On any sane version of PF, this is enabled by default (you can check by looking at the adaptive.start and adaptive.end values from 'pfctl -st'; they should be 60% and 120% of the state limit by default).

-Ryan

P.S. In the more general case, you can use tcpdump on the pflog interface, assuming that you're using the 'log' keyword on your block rules, to see what is being blocked. But there are many things inside PF which will drop packets without logging, which is what you see in the counters below.

On Fri, Nov 13, 2009 at 09:03:25AM -0800, LeiV wrote:
> I have an OpenBSD pf firewall protecting a web server. I have noticed that
> some pages give me errors when browsing through my site (sometimes it works,
> sometimes not), then I looked at pf and saw that it is blocking a lot of
> connections. How do I know which connections it is blocking?
>
> # pfctl -s info
> Status: Enabled for 202 days 23:34:57           Debug: Urgent
>
> Interface Stats for bge0              IPv4             IPv6
>   Bytes In                   1637636412652             1992
>   Bytes Out                  1954253582327                0
>   Packets In
>     Passed                      6000993286               31
>     Blocked                      125620228                0
>   Packets Out
>     Passed                      6379190130                0
>     Blocked                       43305301                0
>
> State Table                          Total             Rate
>   current entries                     9656
>   searches                     25855533798         1474.3/s
>   inserts                       2050396787          116.9/s
>   removals                      2050387131          116.9/s
> Counters
>   match                         2334111432          133.1/s
>   bad-offset                             0            0.0/s
>   fragment                              64            0.0/s
>   short                                 20            0.0/s
>   normalize                              0            0.0/s
>   memory                         240838837           13.7/s
>   bad-timestamp                          0            0.0/s
>   congestion                           118            0.0/s
>   ip-option                              0            0.0/s
>   proto-cksum                            0            0.0/s
>   state-mismatch                    275884            0.0/s
>   state-insert                    33110230            1.9/s
>   state-limit                            0            0.0/s
>   src-limit                              0            0.0/s
>   synproxy                               0            0.0/s
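The check Ryan describes (state table size against the hard limit from pfctl -sm, plus the 'memory' counter rate, and the 60%/120% adaptive timeout ratios) can be scripted. The following POSIX sh is an added example, not code from the thread or from OpenBSD: it parses the text of `pfctl -s info` and `pfctl -sm`, here replaced by constructed samples that reuse the numbers from the original post, and prints the pf.conf lines that would raise the limit while keeping the default adaptive ratios. The 20000-state figure in the demo is an arbitrary assumption; on a live box you would feed it `$(pfctl -s info)` and `$(pfctl -sm)` instead of the samples.

```shell
#!/bin/sh
# Added example (not from the thread): is the PF state table near its hard
# limit, and is the 'memory' counter (states refused for lack of room) non-zero?

# Constructed sample of `pfctl -s info`; the numbers follow the original post.
SAMPLE_INFO='State Table                          Total             Rate
  current entries                     9656
  searches                     25855533798         1474.3/s
  inserts                       2050396787          116.9/s
  removals                      2050387131          116.9/s
Counters
  match                         2334111432          133.1/s
  memory                         240838837           13.7/s
  state-limit                            0            0.0/s'

# Constructed sample of `pfctl -sm` with the default state limit of 10000.
SAMPLE_LIMITS='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     1024'

# state_limit LIMITS_TEXT: print the configured hard limit for states
state_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" { print $NF }'
}

# current_entries INFO_TEXT: print the current number of state entries
current_entries() {
    printf '%s\n' "$1" | awk '$1 == "current" && $2 == "entries" { print $3 }'
}

# memory_rate INFO_TEXT: print the 'memory' counter rate without the trailing /s
memory_rate() {
    printf '%s\n' "$1" | awk '$1 == "memory" { sub("/s", "", $3); print $3 }'
}

# state_pressure INFO_TEXT LIMITS_TEXT [THRESHOLD_PCT]:
# prints the percentage of the state limit in use; returns 0 (pressure) when
# usage is at or above the threshold or the memory counter rate is non-zero.
state_pressure() {
    info=$1 limits=$2 threshold=${3:-90}
    cur=$(current_entries "$info")
    lim=$(state_limit "$limits")
    mem=$(memory_rate "$info")
    pct=$(( cur * 100 / lim ))
    printf '%d\n' "$pct"
    [ "$pct" -ge "$threshold" ] && return 0
    # the rate is a float, so let awk do the comparison
    awk -v r="$mem" 'BEGIN { exit !(r > 0) }'
}

# suggest_pf_conf NEW_LIMIT: print pf.conf lines that raise the state limit and
# keep adaptive.start/adaptive.end at the default 60% / 120% of the limit
suggest_pf_conf() {
    lim=$1
    printf 'set limit states %d\n' "$lim"
    printf 'set timeout { adaptive.start %d, adaptive.end %d }\n' \
        $(( lim * 60 / 100 )) $(( lim * 120 / 100 ))
}

# Demo against the constructed samples (assumed new limit: 20000 states)
pct=$(state_pressure "$SAMPLE_INFO" "$SAMPLE_LIMITS" 90) && {
    echo "state table at ${pct}% of its limit, or memory counter non-zero"
    echo "suggested pf.conf changes:"
    suggest_pf_conf 20000
}
```

For the sample above this reports 96% of a 10000-state limit with a non-zero memory rate, which is exactly the situation in the post: the counter that climbs when inserts are refused is the one to watch, since those drops never reach pflog.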
