
List:       freebsd-pf
Subject:    Firewall delay.
From:       "Gilberto Villani Brito" <linux () giboia ! org>
Date:       2007-06-11 21:08:04
Message-ID: 6e6841490706111408x51f53de9j9f94c6910d259035 () mail ! gmail ! com

Hi,
I have a firewall (FreeBSD + PF) for my network, whose speed is max 20 Mbps.
Sometimes my firewall begins losing packets with high delay.
My log:
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 1735 @ 4368-5824
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 1735 @ 5824-7280
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 1735 @ 7280-8259
Jun 11 16:33:05 teste2 pf_reassemble: 8259 < 8259?
Jun 11 16:33:05 teste2 pf_reassemble: complete: 0xc24c4200(8279)
Jun 11 16:33:05 teste2 pf: loose state match: TCP 10.137.2.2:2787
189.36.241.138:64323 69.210.247.107:26977 [lo70436136 hi
gh70436137 win384 modulator=0] [lo# high407 win=1
modulator=0] 10:10 RA seq=0 ack70436136 len# ackskew=0 pkts
=2:1
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 31593 @ 7360-8404
Jun 11 16:33:05 teste2 pf_reassemble: missing fragment at 1044, next
-1, max 8404
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 31593 @ 0-1472
Jun 11 16:33:05 teste2 pf_reassemble: missing fragment at 1472, next
7360, max 8404
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 31593 @ 1472-2944
Jun 11 16:33:05 teste2 pf_reassemble: missing fragment at 2944, next
7360, max 8404
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 31593 @ 2944-4416
Jun 11 16:33:05 teste2 pf_reassemble: missing fragment at 4416, next
7360, max 8404
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 31593 @ 4416-5888
Jun 11 16:33:05 teste2 pf_reassemble: missing fragment at 5888, next
7360, max 8404
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 31593 @ 5888-7360
Jun 11 16:33:05 teste2 pf_reassemble: 8404 < 8404?
Jun 11 16:33:05 teste2 pf_reassemble: complete: 0xc22ec800(8424)
Jun 11 16:33:05 teste2 pf: loose state match: TCP 10.143.4.2:1916
189.36.241.144:62874 68.50.45.106:37812 [lo94065 high 
53760 win‡60 modulator=0] [lo076635998 high076644605 wine535
modulator=0] 10:10 R seq076635998 ack94065 len=0 ac
kskew=0 pkts:6
Jun 11 16:33:05 teste2 pf: loose state match: TCP 10.143.4.2:1916
189.36.241.144:62874 68.50.45.106:37812 [lo94065 high 
53760 win‡60 modulator=0] [lo076635998 high076644605 wine535
modulator=0] 10:10 R seq076635998 ack94065 len=0 ac
kskew=0 pkts:7

I deleted the line "scrub in all" and now my log is:
Jun 11 17:59:20 teste2 pf: State failure on: 1       | 5
Jun 11 17:59:22 teste2 pf: loose state match: TCP 24.20.246.56:45086
24.20.246.56:45086 10.137.2.2:4849 [lot5162846 hight5162871
win367 modulator=0] [lo=0 high=1 win=1 modulator=0] 2:0 PA
seqt5162846 ack=0 lenH ackskew=0 pkts=1:0
Jun 11 17:59:22 teste2 pf: loose state match: TCP 10.137.2.2:4849
189.36.241.138:62521 24.20.246.56:45086 [lot5162846 hight5162871
win367 modulator=0] [lo=0 high=1 win=1 modulator=0] 2:0 PA
seqt5162846 ack=0 lenH ackskew=0 pkts=1:0
Jun 11 17:59:22 teste2 pf: BAD state: TCP 10.139.32.2:1136
189.36.241.140:52465 200.176.2.71:80 [lo73432 high81624 win92
modulator=0] [lo!03533023 high!03541215 win92 modulator=0] 4:2
SA seq!21929591 ack73432 len=0 ackskew=0 pkts=2:1 dir=in,rev
Jun 11 17:59:22 teste2 pf: State failure on: 1       | 5
Jun 11 17:59:25 teste2 pf: BAD state: TCP 10.32.3.2:4424
189.36.241.33:60839 200.77.10.59:35581 [lo&64673092 high&64673093
win384 modulator=0] [lo†0203439 high†0219823 win=1 modulator=0]
4:2 SA seq776746073 ack&64673092 len=0 ackskew=0 pkts=3:1
dir=in,rev
Jun 11 17:59:25 teste2 pf: State failure on:   2     |   6
Jun 11 17:59:26 teste2 pf: BAD state: TCP 10.37.6.5:3044
189.36.241.38:53176 72.14.209.85:80 [lo600173939 high600182129
wine535 modulator=0] [lo)02009590 high)02075125 win90
modulator=0] 4:2 SA seq133227478 ack600173939 len=0 ackskew=0
pkts=3:1 dir=in,rev

My pf.conf:
set debug misc
set timeout { interval 10, frag 30 ,src.track 0 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 100000, src-nodes 100000, frags 5000 }
set loginterface em0
set optimization conservative
set block-policy drop
set require-order yes
set state-policy floating

I have about 1500 IPs passing through this firewall and the server is
not at full processing load.
Does anybody have any tips?


--
Gilberto Villani Brito
System Administrator
Londrina - PR
Brazil
gilbertovb(a)gmail.com
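As an added example (not from the original post or from PF itself), a small Python triage script for the kind of "set debug misc" output shown above: it tallies the event types and flags IP ids whose fragments leave a gap in coverage, so that out-of-order arrival (a "missing fragment" message later followed by "complete", as for id 31593 above) can be told apart from fragments that never arrive. The sample lines are constructed in the same shape as the log above; the numbers are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape of pf's "set debug misc" output.
SAMPLE_LOG = """\
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 31593 @ 0-1472
Jun 11 16:33:05 teste2 pf_reassemble: missing fragment at 1472, next 7360, max 8404
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 31593 @ 7360-8404
Jun 11 16:33:05 teste2 pf_normalize_ip: reass frag 31593 @ 1472-7360
Jun 11 16:33:05 teste2 pf_reassemble: complete: 0xc22ec800(8424)
Jun 11 17:59:20 teste2 pf: State failure on: 1 | 5
Jun 11 17:59:22 teste2 pf: BAD state: TCP 10.139.32.2:1136 189.36.241.140:52465 200.176.2.71:80 [...] 4:2 SA seq=1 ack=2 len=0 ackskew=0 pkts=2:1 dir=in,rev
Jun 11 17:59:22 teste2 pf: loose state match: TCP 10.137.2.2:4849 189.36.241.138:62521 24.20.246.56:45086 [...] 2:0 PA seq=1 ack=0 len=48 ackskew=0 pkts=1:0
Jun 11 17:59:23 teste2 pf_normalize_ip: reass frag 777 @ 0-1472
Jun 11 17:59:23 teste2 pf_normalize_ip: reass frag 777 @ 2944-4416
"""

FRAG_RE = re.compile(r"pf_normalize_ip: reass frag (\d+) @ (\d+)-(\d+)")
MISSING_RE = re.compile(r"pf_reassemble: missing fragment at (\d+)")
COMPLETE_RE = re.compile(r"pf_reassemble: complete:")
STATE_RE = re.compile(r"pf: (BAD state|loose state match|State failure on)")


def summarize(log):
    """Return (event counts, {ip id: [(start, end), ...]}) for a pf debug log."""
    events = Counter()
    frags = defaultdict(list)
    for line in log.splitlines():
        m = FRAG_RE.search(line)
        if m:
            events["frag"] += 1
            frags[int(m.group(1))].append((int(m.group(2)), int(m.group(3))))
        elif MISSING_RE.search(line):
            events["missing"] += 1      # a hole existed when this fragment arrived
        elif COMPLETE_RE.search(line):
            events["complete"] += 1     # the hole was later filled (reordering, not loss)
        else:
            m = STATE_RE.search(line)
            if m:
                events[m.group(1)] += 1
    return events, frags


def fragment_gaps(frags):
    """Map each ip id whose seen fragments are not contiguous from 0 to the first gap offset."""
    gaps = {}
    for ipid, ranges in frags.items():
        covered = 0
        for start, end in sorted(ranges):
            if start > covered:
                gaps[ipid] = covered    # bytes [covered, start) never arrived
                break
            covered = max(covered, end)
    return gaps
```

Feed it `sysctl`/`syslog` output for the interval in question; ids that appear in `fragment_gaps` while "complete" never follows them are real loss (or the frag timeout expiring), whereas ids that complete after "missing fragment" lines were merely reordered.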
