Hello,
Mark Pagulayan wrote:
Hi Tom,
I have just zeroed the statistics and yes, the state-mismatch is still increasing.
If I do enable logging, how would I know that packet is mismatched?
If you use tcpdump, the standard flags will also show what rule it matched, so if it is a 'pass all' rule, it mismatched your other rule.
-- Jille
Cheers,
Mark
-----Original Message-----
From: Tom Uffner [mailto:[EMAIL PROTECTED]
Sent: Thursday, 15 May 2008 11:55 a.m.
To: Kian Mohageri
Cc: Mark Pagulayan; freebsd-pf@freebsd.org
Subject: Re: FreeBSD PF 4.1 Inserts Flags S/SA Automatically to rules
Kian Mohageri wrote:
On Wed, May 14, 2008 at 3:45 PM, Mark Pagulayan
The way I see this is that this rule would be applied to UDP traffic as well, which will be dropped/blocked because flags only work for TCP, and this might be the cause of the state-mismatches that I see in the table -
'flags S/SA keep state' will work OK for UDP too. Only the 'keep
state' part will be applied to UDP, since no flags are involved.
state-mismatch 11577272 48.7/s
Could be caused by reloading your ruleset to include 'keep state'
mid-connections, I think. PF won't be aware of where the state is
(especially true if you're using TCP window scaling), so it will fail
after a while and you'll see state mismatches.
Even if reloading the ruleset to include "keep state" and/or "flags S/SA" didn't sever pre-existing connections, it shouldn't cause that large a number of mismatches.
When was the last time you zeroed the statistics? Is the mismatch count still increasing w/ the 7.0 stateful rules? You may need to add "log (all)" to find out where the state mismatches are coming from.
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
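Tom and Jille both point at the pflog output as the place to see which rule a packet was logged under. The script below is an added example, not code from the thread, from PF or from FreeBSD: it tallies the text that tcpdump prints for pflog per rule number and separates bare TCP SYNs (what 'flags S/SA' is written to match) from other TCP packets, UDP and everything else. It assumes the "rule N/M(reason): action direction on ifname:" prefix that FreeBSD's tcpdump prints in front of each pflog record, and the sample lines, addresses and rule numbers are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n -e -ttt -i pflog0` output (invented for this
# example, not taken from the thread). pflog prefixes every decoded packet with
# "rule N/M(reason): action direction on ifname:"; N is the rule number in the
# loaded ruleset. Both the "Flags [S]" and the older bare "S 5:5(0)" TCP flag
# styles are accepted, since the two differ between tcpdump versions.
SAMPLE_PFLOG = """\
00:00:00.000000 rule 3/0(match): pass in on em0: 192.0.2.10.49152 > 198.51.100.5.80: Flags [S], seq 1, win 65535, length 0
00:00:00.000012 rule 3/0(match): pass in on em0: 192.0.2.10.49152 > 198.51.100.5.80: Flags [.], ack 1, win 65535, length 0
00:00:00.000030 rule 0/0(match): pass in on em0: 192.0.2.11.40000 > 198.51.100.5.443: Flags [P.], seq 1:100, ack 1, win 8192, length 99
00:00:00.000045 rule 0/0(match): pass in on em0: 192.0.2.11.40000 > 198.51.100.5.443: Flags [.], ack 1, win 8192, length 0
00:00:00.000060 rule 3/0(match): pass in on em0: 192.0.2.12.53000 > 198.51.100.5.53: UDP, length 40
00:00:00.000075 rule 5/0(match): block in on em0: 203.0.113.7.6000 > 198.51.100.5.22: S 5:5(0) win 1024
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+rule\s+(?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\):\s+"
    r"(?P<action>pass|block)\s+(?P<dir>in|out)\s+on\s+(?P<ifname>\S+):\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<rest>.*)$"
)
NEW_FLAGS_RE = re.compile(r"Flags\s+\[([^\]]*)\]")   # newer tcpdump: "Flags [S.]"
OLD_FLAGS_RE = re.compile(r"^([SFRPUEW.]+)\s")       # older tcpdump: "S. 1:1(0) ack 2"


def parse_line(line):
    """Split one pflog line into its fields, or return None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rest = rec["rest"]
    if rest.startswith("UDP"):
        rec["proto"], rec["flags"] = "udp", ""
    else:
        fm = NEW_FLAGS_RE.search(rest) or OLD_FLAGS_RE.match(rest)
        if fm:
            rec["proto"], rec["flags"] = "tcp", fm.group(1)
        else:
            rec["proto"], rec["flags"] = "other", ""
    return rec


def is_bare_syn(flags):
    """True for SYN without ACK ("S"); tcpdump prints ACK as "." in both styles."""
    return "S" in flags and "." not in flags


def summarize(text):
    """Per-rule tally of logged packets: bare TCP SYNs, other TCP, UDP, rest."""
    stats = defaultdict(lambda: {"action": None, "packets": 0, "tcp_syn": 0,
                                 "tcp_other": 0, "udp": 0, "other": 0})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["rule"]]
        s["action"] = rec["action"]
        s["packets"] += 1
        if rec["proto"] == "tcp":
            s["tcp_syn" if is_bare_syn(rec["flags"]) else "tcp_other"] += 1
        else:
            s[rec["proto"]] += 1   # "udp" or "other"
    return dict(stats)


def non_syn_tcp_flows(text):
    """(rule, src, dst) of every TCP packet logged under a rule that was not a bare SYN."""
    flows = set()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp" and not is_bare_syn(rec["flags"]):
            flows.add((rec["rule"], rec["src"], rec["dst"]))
    return flows


if __name__ == "__main__":
    for rule, s in sorted(summarize(SAMPLE_PFLOG).items()):
        print("rule %d (%s): %d packets, %d bare SYN, %d other TCP, %d UDP, %d other"
              % (rule, s["action"], s["packets"], s["tcp_syn"], s["tcp_other"],
                 s["udp"], s["other"]))
    for flow in sorted(non_syn_tcp_flows(SAMPLE_PFLOG)):
        print("non-SYN TCP under rule %d: %s > %s" % flow)
```

Feed it the text from `tcpdump -n -e -ttt -i pflog0` (or `tcpdump -n -e -ttt -r /var/log/pflog`); the `-e` is what makes tcpdump print the rule prefix. How to read the "other TCP" column depends on the rule it belongs to: under a `keep state` rule carrying `log (all)` every packet of the connection is logged, so non-SYN packets there are expected, whereas under a rule without `keep state`, such as the catch-all 'pass all' Jille describes, they are packets that no state entry accepted, and `non_syn_tcp_flows` names the connections involved. The state-mismatch counter itself is read with `pfctl -si` and zeroed with `pfctl -F info`.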