
Re: pps or other unknown upper bound?



On Thu, Nov 17, 2005 at 09:54:02PM +0100, Daniel Hartmeier wrote:
> You can check if it's pf blocking them by running pfctl -si, see if the
> 'state-mismatch' counter (or any other, actually) is increasing with
> each SYN.
Ah, I see.  There are quite a few in there.  When I said "logging"
initially, I actually meant pflog but I'll keep a closer eye on this from
now on.  I am very familiar with pfctl's -s options but the brain fog
from a late night prevented me from putting two and two together.
> If so, you can enable debug logging with pfctl -xm, then check
> /var/log/messages for line from pf.
Bingo.  There are entries in the logs when this condition happens but it
is not entirely clear what the problem is, aside from the fact that it is
a "BAD STATE":
Nov 17 21:44:48 fw-1 /bsd: pf: BAD state: TCP 10.7.0.112:12345
   10.7.0.112:12345 10.8.0.112:59635 [lo=3722728956 high=3722735388
   win=6432 modulator=4006337120 wscale=0] [lo=3737716700
   high=3737723132 win=6432 modulator=3433376110 wscale=0] 9:9
   S seq=3723083242 ack=3737716700 len=0 ackskew=0 pkts=5:5 dir=in,fwd
Nov 17 21:44:48 fw-1 /bsd: pf: State failure on: 1       | 5  
-jon
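As an added illustration (not part of the thread), a small Python parser that reads the two "BAD state" / "State failure on:" lines above and re-derives the "1       | 5" flags from the window numbers in the line. It assumes the six checks and the MAXACKWINDOW=65535 slack mirror pf_test_state_tcp() in the pf.c of that era, and that for dir=*,fwd the packet is checked against the first bracket (the state's src peer).

```python
import re

# Constructed sample: the two kernel lines quoted in the message above, each
# rejoined onto one line the way syslog writes them.
SAMPLE_LOG = (
    "Nov 17 21:44:48 fw-1 /bsd: pf: BAD state: TCP 10.7.0.112:12345 10.7.0.112:12345 "
    "10.8.0.112:59635 [lo=3722728956 high=3722735388 win=6432 modulator=4006337120 wscale=0] "
    "[lo=3737716700 high=3737723132 win=6432 modulator=3433376110 wscale=0] 9:9 "
    "S seq=3723083242 ack=3737716700 len=0 ackskew=0 pkts=5:5 dir=in,fwd\n"
    "Nov 17 21:44:48 fw-1 /bsd: pf: State failure on: 1       | 5  \n"
)

MOD = 1 << 32
MAXACKWINDOW = 65535  # assumption: pf.c's slack constant used by checks 5 and 6

BAD_RE = re.compile(
    r"pf: BAD state: TCP \S+ \S+ \S+ "
    r"\[lo=(?P<slo>\d+) high=(?P<shi>\d+) win=(?P<swin>\d+) modulator=\d+ wscale=(?P<sws>\d+)\] "
    r"\[lo=(?P<dlo>\d+) high=(?P<dhi>\d+) win=(?P<dwin>\d+) modulator=\d+ wscale=(?P<dws>\d+)\] "
    r"\d+:\d+ (?P<flags>\S+) seq=(?P<seq>\d+) ack=\d+ len=(?P<len>\d+) "
    r"ackskew=(?P<ackskew>-?\d+) pkts=\S+ dir=(?P<dir>\S+)")
FAIL_RE = re.compile(r"pf: State failure on: (.*)$")

def seq_geq(a, b):
    """SEQ_GEQ with 32-bit sequence-number wraparound."""
    return (a - b) % MOD < (1 << 31)

def failure_flags(line):
    """Recompute pf's 'State failure on: 1 2 3 4 | 5 6' string for one BAD state line."""
    m = BAD_RE.search(line)
    if not m:
        return None
    f = {k: (v if k in ("flags", "dir") else int(v)) for k, v in m.groupdict().items()}
    if f["dir"].endswith("rev"):  # packet travels against the state: swap the two peers
        f["slo"], f["shi"], f["sws"], f["dwin"], f["dws"] = f["dlo"], f["dhi"], f["dws"], f["swin"], f["sws"]
    seq, skew = f["seq"], f["ackskew"]
    end = (seq + f["len"] + ("S" in f["flags"]) + ("F" in f["flags"])) % MOD  # SYN/FIN use one seq each
    checks = [
        seq_geq(f["shi"], end),                            # 1: segment ends past the window top
        seq_geq(seq, f["slo"] - (f["dwin"] << f["dws"])),  # 2: segment starts below the window bottom
        skew >= -MAXACKWINDOW,                             # 3: ack too far behind what was seen
        skew <= (MAXACKWINDOW << f["sws"]),                # 4: ack too far ahead
        seq_geq(f["shi"] + MAXACKWINDOW, end),             # 5: check 1 with MAXACKWINDOW of slack
        seq_geq(seq, f["slo"] - MAXACKWINDOW),             # 6: check 2 with MAXACKWINDOW of slack
    ]
    c = [" " if ok else str(i + 1) for i, ok in enumerate(checks)]
    return "%s %s %s %s | %s %s" % tuple(c)

def check_log(text):
    """Pair each BAD state line with the kernel's own failure line and compare the two."""
    lines, results = text.splitlines(), []
    for i, line in enumerate(lines[:-1]):
        flags, fm = failure_flags(line), FAIL_RE.search(lines[i + 1])
        if flags is not None and fm:
            results.append((flags.rstrip(), fm.group(1).rstrip(), flags.rstrip() == fm.group(1).rstrip()))
    return results
```

For the quoted line the SYN's seq (3723083242) lies 347854 past the src window top (3722735388), so both the strict check 1 and the slack check 5 fail: a fresh SYN on a 4-tuple whose old state (9:9) has not yet expired.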