
Re: state optimization too aggressive?



> Reviewing my logs for dropped packets, I see sometimes long series of 
> blocks where a host is sending tens of R or F packets; do these indicate 
> late responses and efforts to tear down connections for states that have 
> already been flushed from pf's tables? Example:
> 66.196.72.40.60099 > 10.0.0.2.80: F 1729454233:1729454233(0) ack 2593400436 win 32850 (DF)
Ya, Windows IIS can do some funny stuff with regard to honoring the FIN
in the name of "accelerating" web traffic.
> I thought that if this is the case adding 'set optimization conservative' 
> to my ruleset might alleviate it - is this a good idea? Or what should I 
> interpret this as?
The state timeout optimizations were chosen statistically off a certain
university's traffic (iirc they wished to remain nameless).  The
aggressive timeouts would misdiagnose 1 of 1K connections as terminated
when they were really idle; default was 1/10K and conservative was
something like 1/100K.  It wasn't quite that straightforward but you
get the point.  Your traffic pattern may include many of those corner
cases.
You could switch to conservative timeouts or just selectively increase
tcp.closing on your port 80 rules (an hour timeout would work).
.mike
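The two remedies mentioned above, written out as a pf.conf fragment. This is an added example, not part of the original thread or of the pf sources; the interface name, the web server address and the macro names are assumptions chosen for illustration, and only one of the two remedies needs to be applied.

```conf
# Added example (not from the original mail). $ext_if and $webserver are
# assumed names; substitute your own interface and host address.
ext_if = "fxp0"
webserver = "10.0.0.2"

# Remedy 1: switch the whole ruleset to the conservative timeout profile.
# This lengthens every state timeout, not just the TCP closing one, so
# expect more entries in the state table. Note the keyword is
# "optimization" (the misspelling "optimation" is rejected by pfctl).
set optimization conservative

# Remedy 2 (alternative): keep the default profile and only lengthen the
# closing timeout on the port 80 rule, as suggested in the reply. An hour
# is 3600 seconds; "keep state" is implicit in newer pf but harmless here.
pass in on $ext_if proto tcp from any to $webserver port 80 \
    keep state (tcp.closing 3600)
```

Before loading, check the syntax with `pfctl -nf /etc/pf.conf`, and compare the effective global timeouts before and after with `pfctl -s timeouts`; the per-rule option in remedy 2 does not change the global values that command prints, only the states created by that rule.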