strange packet loss

2003-03-14 Thread Matt Provost
We're running an OpenBSD 3.1 pf firewall between our network and our ISP. Lately we've had trouble with packet loss - it occurs at random intervals, but almost always lasts around 18 seconds (+-1 sec). In between, everything looks fine. The drops wreak havoc with ssh sessions though. We've got a d

Re: pf state issue

2003-03-14 Thread Daniel Hartmeier
On Fri, Mar 14, 2003 at 01:28:02PM -0500, ben fleis wrote:
> udp 127.0.0.1:30551 -> 127.0.0.1:53 MULTIPLE:SINGLE
> udp 127.0.0.1:53 -> 127.0.0.1:30551 SINGLE:NO TRAFFIC
>
> since udp itself is stateless, each half of the connection ought to simply
> be held on a timer, nothing else.

Re: pf state issue

2003-03-14 Thread ben fleis
On Fri, Mar 14, 2003 at 10:56:56AM -0600, Mike Frantzen wrote:
> The state indication is client:server. Connection state is kept on each
> side of the connection semi independently. For instance with TCP if
> someone sends a SYN and then a RESET, we'll start up in SYN_SET:CLOSED
> end up in TIME_

Re: pf state issue

2003-03-14 Thread Mike Frantzen
> i was just curious, from pftop i saw these states:
> udp Out 127.0.0.1:14770 127.0.0.1:53 2:1 32 0 2 186
> and w/ pfctl -s state | grep udp, u see the same kind of stuff:
> udp 127.0.0.1:30551 -> 127.0.0.1:53 MULTIPLE:SINGLE
> question is very simple: why? i assume t

Re: pf state issue

2003-03-14 Thread Can Erkin Acar
On Fri, Mar 14, 2003 at 09:04:51AM -0500, ben fleis wrote:
> i hope this is the right forum for asking this question... i imagine it will
> have a simple answer :)

simple answer : no need to keep state on lo :)

simple facts:
- these packets are filtered on lo0 twice, one inbound and one outbound

Re: source limit

2003-03-14 Thread Nikolay Denev
- Original Message -
From: "Ed White" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 14, 2003 3:53 PM
Subject: Re: source limit

> On Friday 14 March 2003 11:48, Niki Denev wrote:
> > Something like counting not only the states created by given rule number,
> > but the ru

pf state issue

2003-03-14 Thread ben fleis
i hope this is the right forum for asking this question... i imagine it will have a simple answer :)

i was just curious, from pftop i saw these states:

PR  DIR SRC             DEST          STATE AGE EXP PKTS BYTES
udp Out 127.0.0.1:14770 127.0.0.1:53  2:1   32  0   2

Re: source limit

2003-03-14 Thread Ed White
On Friday 14 March 2003 11:48, Niki Denev wrote:
> Something like counting not only the states created by given rule number,
> but the rules created by given ip address and rule number.

Obviously this is 3.4 I've some ideas about it and also other interesting RFC ;-) However I think now it's a ba

source limit

2003-03-14 Thread Niki Denev
Currently with the option to limit the states that are created from some rule, i can limit the total connections to some machine/service. But it would be very nice if it is possible to limit the connections from a single ip (i mean not specific ip, but from 'any'), much like the effect that can be