First, as I mentioned before, the state timeout setting doesn't change
the punishing period at all. Also, if I log in to the pfsense router from
another host in this punishing period, I would see that there aren't
any 'from punished host to the router' states left. So it's reasonable
that the state timeout setting doesn't apply to my problem; there must be
some other invisible mechanism working.

I've tried restarting the host while it was being punished, then after about
10-15 minutes I connected to the router on that host, and it still failed.
About 90 minutes are still needed to be able to connect again.

By the way, the problem can be repeated on either Windows XP or
Windows 2003, neither of which has any software firewall
activated, including the Windows firewall. The software I was using to
test the problem is a stock exchange program; it has a utility to
test the connection speed to many stock information servers so that the
user can choose the fastest one.

Thanks for your suggestions anyway, Bryan.

On Sun, Apr 20, 2008 at 6:47 AM, Bryan Derman <[EMAIL PROTECTED]> wrote:
> I'd suspect that it's the punished application and/or host that's caching
> the information that prevents it from knowing that the router will again
> accept its connections and so what you're really seeing is the fact that
> the host isn't really trying to connect until its application's
> "blocking" has timed out.  I know that nearly all web browsers are *way*
> too aggressive at caching information and this sounds like it could be
> exactly that.
>
> The way you could test this would be to set pfSense's time to be low --
> say 5 minutes -- then restart the application (after getting it
> "punished") and try after 10 minutes have elapsed (i.e., be sure to wait
> beyond pfSense's time so the application doesn't just go into "punished"
> mode, again).  If you can connect, then that means it's the application's
> problem, not pfSense's.
>
> If that doesn't work, next test whether it's the host's OS: set pfSense's
> time to be low -- say 5 minutes -- then restart the host (after getting
> it "punished") and try after 10 minutes have elapsed (i.e., be sure to
> wait beyond pfSense's time so the host doesn't just go into "punished"
> mode, again).  If you can connect, then that means it's the host's
> problem, not pfSense's.
>
> If this is it, please post a summary to the list (I prefer *not* to have
> my email address appear on the list ... name is OK, just not email
> address).  Thanks.  #;-)
>
> ______________________________________________________________________
> Previous message from Yin Gang on 2008-04-19 at 11:14 PM +0800
> ----------------------------------------------------------------------
> |Ok.
> |
> |I just tested the situation a few times:
> |
> |1. set a limit on the pfsense router.
> |2. do something in the mentioned software to deliberately break the limit
> |on one host; then the host would be unable to reach the pfsense
> |router or the outside while it's all ok in the reverse direction.
> |3. exit that software.
> |4. keep pinging the router on the punished host to see if the
> |punishment would end automatically and how long the punishment
> |would last if it did.
> |
> |It seems that the punished host would regain access to the pfsense
> |router in about one and a half hours.
> |
> |I tried to set the 'state timeout in seconds' in advanced options to
> |1800 (half an hour) and found that the punishment period wouldn't change
> |at all.
> |
> |I can't find any other settings about this timeout in the webConfigurator
> |or /cf/conf/config.xml. Should I edit /etc/pf.conf directly? The file
> |seems like a template with all lines commented. Also, there isn't any
> |default value near 90 minutes.
> |
> |On Fri, Apr 18, 2008 at 11:08 PM, Ermal Luçi <[EMAIL PROTECTED]> wrote:
> |>
> |> On Fri, Apr 18, 2008 at 9:53 AM, Yin Gang <[EMAIL PROTECTED]> wrote:
> |> > Hi,
> |> >
> |> >  I've been using pfsense 1.2 as my company's internet sharing router
> |> >  for a few days.
> |> >
> |> >  Yesterday I set a threshold value for the "maximum new connections /
> |> >  per second" on the default LAN rule. I also set some other advanced
> |> >  options mainly to reduce the impact from some p2p download software.
> |> >  Today one guy came to me and said his computer can't reach the internet
> |> >  anymore. After some digging, I found that:
> |> >
> |> >  He has software on his computer which can emit many connections
> |> >  all of a sudden (which exceeds my setting quite a lot), and after
> |> >  that his computer fails to access the internet. At this time, the
> |> >  pfsense router can ping his computer quite well while the latter can't
> |> >  ping the router. Finally his computer can access the router or the
> |> >  internet again after changing its ip address or restarting the router.
> |> >  That's not a good solution for sure ;-)
> |> >
> |> >  Because the problem can be repeated exactly, I guess that maybe the
> |> >  router has banned the computer's ip address because of that software on
> |> >  it. I think there may be somewhere in the webConfigurator to handle
> |> >  these banning things. But I failed to find any related function
> |> >  page.
> |> >
> |> >  Then I cleared the 'maximum new connections per second' setting and
> |> >  the problem is just gone however the guy uses that software.
> |> >
> |> >  Of course, I could just increase the threshold value or even tell the guy
> |> >  not to use that software.
> |> >
> |> >  But I still wonder if there is any way for me to view all these banned ip
> |> >  addresses? Is there any way for me to de-ban them? How long would
> |> >  the banning period be?
> |> >
> |>
> |> There is no banning; it is just doing what you told it to do: limit the
> |> number of concurrent connections on a configured time basis.
> |> If you still want to keep that setting, read the pf manual here to
> |> configure just that machine's ip to be more tolerant and be more
> |> aggressive on the time its tcp connections can live on the rule.
> |>
> |> Ermal
> |>
> |> >  I'm not a bsd expert and just use unix/linux once in a while. Any help
> |> >  would be appreciated.
> |> >
> |> >  --
> |> >  Best Regards,
> |> >  Yin Gang
>
> --
> -----------------------------------------------------
> Bryan Derman          Derman Enterprises Incorporated
> [EMAIL PROTECTED]               http://www.derman.com/
> - - - - - - - - - - - - - - - - - - - - - - - - - - -
>



-- 
Best Regards,
Yin Gang
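The "invisible mechanism" the thread circles around is easier to see in a small model of what a pf pass rule with a per-source connection-rate limit and an overload table does: the source is added to a table that a separate expiry sweep empties, so the rule's state timeout never touches the table entry. This is an added example written for this page, not code from pfSense, pf, or anyone in the thread; the table lifetime (5400 s, matching the roughly 90 minutes observed above), the rate-window bookkeeping, and the sample address are assumptions or constructed values.

```python
class OverloadModel:
    """Simplified model of a pf pass rule carrying
    'max-src-conn-rate LIMIT/SECONDS, overload <table> flush global'
    plus a separate expiretable-style sweep of that table.
    Assumption (not stated in the thread): a table entry lives
    table_ttl seconds and the rule's state timeout has no say in that."""

    def __init__(self, limit, seconds, table_ttl, state_timeout):
        self.limit, self.seconds, self.table_ttl = limit, seconds, table_ttl
        self.state_timeout = state_timeout  # kept only to show it is irrelevant
        self.sources = {}   # ip -> [window_start, count]  (fixed rate window)
        self.table = {}     # overload table: ip -> time the entry was added

    def new_connection(self, ip, now):
        """True if a new connection from ip is passed, False if it is blocked."""
        if ip in self.table:
            return False        # blocked by the table, whatever the state timeout
        track = self.sources.setdefault(ip, [now, 0])
        if now - track[0] > self.seconds:
            track[0], track[1] = now, 0     # start a new rate window
        track[1] += 1
        if track[1] > self.limit:
            self.table[ip] = now            # overload; 'flush global' also kills states
            return False
        return True

    def expire_table(self, now):
        """expiretable-style sweep: drop entries older than table_ttl, return them."""
        expired = [ip for ip, t in self.table.items() if now - t >= self.table_ttl]
        for ip in expired:
            del self.table[ip]
        return expired


def recovery_time(state_timeout, table_ttl=5400, limit=10, seconds=5, probe_every=60):
    """Seconds until an overloaded host can connect again, probing once a minute.
    table_ttl=5400 mirrors the ~90 minutes observed in the thread (an assumption)."""
    fw = OverloadModel(limit, seconds, table_ttl, state_timeout)
    host = "192.168.1.50"              # constructed sample address
    for _ in range(limit + 5):         # burst well past the limit at t=0
        fw.new_connection(host, 0.0)
    now = 0.0
    while True:
        now += probe_every
        fw.expire_table(now)
        if fw.new_connection(host, now):
            return now
```

Changing state_timeout between runs leaves recovery_time unchanged, which is exactly the behaviour reported above; on a real box the equivalent check is to look at the overload table itself rather than the state table.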
