We're running an OpenBSD 3.1 pf firewall between our network and our
ISP. Lately we've had trouble with packet loss - it occurs at random
intervals, but almost always lasts around 18 seconds (+-1 sec). In
between, everything looks fine. The drops wreak havoc with ssh sessions
though.
We've got a d
On Fri, Mar 14, 2003 at 01:28:02PM -0500, ben fleis wrote:
> udp 127.0.0.1:30551 -> 127.0.0.1:53 MULTIPLE:SINGLE
> udp 127.0.0.1:53 -> 127.0.0.1:30551 SINGLE:NO TRAFFIC
>
> since udp itself is stateless, each half of the connection ought to simply
> be held on a timer, nothing else.
On Fri, Mar 14, 2003 at 10:56:56AM -0600, Mike Frantzen wrote:
> The state indication is client:server. Connection state is kept on each
> side of the connection semi-independently. For instance with TCP if
> someone sends a SYN and then a RESET, we'll start up in SYN_SET:CLOSED
> end up in TIME_
> i was just curious, from pftop i saw these states:
> udp Out 127.0.0.1:14770 127.0.0.1:53 2:1 32 0 2 186
> and w/ pfctl -s state | grep udp, u see the same kind of stuff:
> udp 127.0.0.1:30551 -> 127.0.0.1:53 MULTIPLE:SINGLE
> question is very simple: why? i assume t
On Fri, Mar 14, 2003 at 09:04:51AM -0500, ben fleis wrote:
> i hope this is the right forum for asking this question... i imagine it will
> have a simple answer :)
simple answer: no need to keep state on lo :)
simple facts:
- these packets are filtered on lo0 twice, one inbound and one outbound
- Original Message -
From: "Ed White" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 14, 2003 3:53 PM
Subject: Re: source limit
> On Friday 14 March 2003 11:48, Niki Denev wrote:
> > Something like counting not only the states created by given rule number,
> > but the ru
i hope this is the right forum for asking this question... i imagine it will
have a simple answer :)
i was just curious, from pftop i saw these states:
PR DIR SRC DEST STATE AGE EXP PKTS BYTES
udp Out 127.0.0.1:14770 127.0.0.1:53 2:1 32 0 2
On Friday 14 March 2003 11:48, Niki Denev wrote:
> Something like counting not only the states created by given rule number,
> but the rules created by given ip address and rule number.
Obviously this is 3.4
I've some ideas about it and also other interesting RFC ;-)
However I think now it's a ba
Currently with the option to limit the states that are created from some rule,
i can limit the total connections to some machine/service.
But it would be very nice if it is possible to limit the connections from a
single ip (i mean not specific ip, but from 'any'), much like the effect that can be