I've recently set up a new pair of OpenBSD 6.2 pf firewalls (with carp)
in my lab, and that's not performing very well.

tcp-based NFS v3 and v4 traffic (between Linux clients and a NetApp
server) through it is struggling, and some SSH or HTTPS transfers are
stalling, with their states disappearing from the state table.

I'm trying to figure out what's going on to fix the issue.

The main anomaly I see is the huge number (and it keeps growing) of
half-open tcp states, after 24h of uptime. See pfctl -vsi output

Any clues on how to diagnose this and hopefully fix my firewalls?

Below here are the limits and timeouts from my pf.conf, plus pfctl -vsi and
pfctl -st output

Thanks in advance,

set limit states 80000
set timeout { adaptive.start 0, adaptive.end 0 }
set timeout {tcp.closing 1800, tcp.finwait 90, tcp.closed 180 }

Status: Enabled for 0 days 00:18:58              Debug: err

Hostid:   0xbe01b86e
Checksum: 0x489fc22aa9e7d141eb93cb12375c7c55

Interface Stats for vlan4             IPv4             IPv6
  Bytes In                      5766746796       3274270260
  Bytes Out                     3158075114       4781634462
  Packets In
    Passed                        18928091         11038798
    Blocked                        2378976           124784
  Packets Out
    Passed                         2911529          3575695
    Blocked                            108               29

State Table                          Total             Rate
  current entries                    58485               
  half-open tcp                 4294375902               
  searches                       715176441       628450.3/s
  inserts                         42749792        37565.7/s
  removals                        42691307        37514.3/s
Source Tracking Table
  current entries                        0               
  searches                               0            0.0/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
  match                            6889153         6053.7/s
  bad-offset                             0            0.0/s
  fragment                            4338            3.8/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                          6297            5.5/s
  ip-option                         258621          227.3/s
  proto-cksum                            0            0.0/s
  state-mismatch                       190            0.2/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  translate                              0            0.0/s
  no-route                               0            0.0/s
Limit Counters
  max states per rule                    0            0.0/s
  max-src-states                         0            0.0/s
  max-src-nodes                          0            0.0/s
  max-src-conn                           0            0.0/s
  max-src-conn-rate                      0            0.0/s
  overload table insertion               0            0.0/s
  overload flush states                  0            0.0/s

tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                1800s
tcp.finwait                  90s
tcp.closed                  180s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         60s
interval                     10s
adaptive.start                0 states
adaptive.end                  0 states
src.track                     0s

Matthieu Herrb

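The following helper is an added example for readers of this thread, not code from the original post or from the OpenBSD project. It tallies the per-state pairs that `pfctl -ss` prints, so the "half-open tcp" counter from `pfctl -vsi` can be compared with how many TCP states are actually still in the handshake (src peer in SYN_SENT or SYN_RCVD, which is an approximation of the kernel's bookkeeping and is an assumption here). It also computes how far a 32-bit unsigned counter would have been decremented below zero to display a value such as 4294375902 (that is 2^32 minus 591394); whether that is what happened on these firewalls is an inference, not something the post confirms. The sample `pfctl -ss` lines embedded below are constructed, and the function and variable names are hypothetical.

```shell
#!/bin/sh
# Added diagnostic helper for pf state-table anomalies (example code, not
# from the original post or from OpenBSD). On a firewall run it as:
#   pfctl -ss | sh this_script.sh
# Here it runs on a constructed sample so it can be tried offline.

# Constructed sample of `pfctl -ss` output (not captured from the post).
# Each line: <if> <proto> <src> <dir> <dst> <src-state>:<dst-state>
SAMPLE_SS='all tcp 10.0.1.10:2049 <- 10.0.2.21:741 ESTABLISHED:ESTABLISHED
all tcp 10.0.1.10:22 <- 10.0.2.22:50112 ESTABLISHED:ESTABLISHED
all tcp 10.0.1.10:443 <- 10.0.2.23:50200 SYN_SENT:CLOSED
all tcp 10.0.1.10:443 <- 10.0.2.24:50201 SYN_SENT:CLOSED
all tcp 10.0.1.10:443 <- 10.0.2.28:50202 SYN_SENT:CLOSED
all tcp 10.0.1.10:2049 <- 10.0.2.25:742 SYN_SENT:SYN_RCVD
all tcp 10.0.1.10:443 -> 10.0.2.26:50300 FIN_WAIT_2:FIN_WAIT_2
all udp 10.0.1.10:53 <- 10.0.2.27:4000 MULTIPLE:SINGLE'

# Count TCP states whose originating (src) peer is still in the handshake.
# This approximates pf's "half-open tcp" counter (assumption: the kernel
# counts TCP states whose src side is neither ESTABLISHED nor CLOSED).
# Reads `pfctl -ss` text on stdin, prints one integer.
half_open_count() {
    awk '$2 == "tcp" {
             split($NF, st, ":")
             if (st[1] ~ /^SYN_(SENT|RCVD)$/) n++
         }
         END { print n + 0 }'
}

# Tally every src:dst TCP state pair, most frequent first, so the dominant
# kind stands out (e.g. a pile of SYN_SENT:CLOSED means SYNs pass through
# but the firewall never sees the SYN/ACK on the way back).
state_tally() {
    awk '$2 == "tcp" { c[$NF]++ } END { for (k in c) print c[k], k }' | sort -rn
}

# Shortfall of a 32-bit unsigned counter that has been decremented past
# zero: such a counter wraps to 2^32 minus the number of excess decrements.
# Prints that shortfall, or 0 when the value looks like a genuine count
# (treats anything above 2^31-1 as wrapped; that threshold is a heuristic).
counter_underflow() {
    v=$1
    if [ "$v" -gt 2147483647 ]; then
        echo $(( 4294967296 - v ))
    else
        echo 0
    fi
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_SS" | half_open_count   # prints 4
printf '%s\n' "$SAMPLE_SS" | state_tally
counter_underflow 4294375902                   # prints 591394
```

Running `pfctl -ss | sh this_script.sh` on the firewall and comparing the first number with the "half-open tcp" line of `pfctl -vsi` tells you whether that counter reflects real states or has wrapped; the tally then shows which state pairs dominate, which is the quickest way to tell a one-sided (asymmetric, e.g. carp failover) path from connections that really stall mid-handshake.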