On 2024-09-23, kasak <ka...@kasakoff.net> wrote:
>
> On 23.09.2024 15:22, Brian Conway wrote:
>> On Mon, Sep 23, 2024, at 6:19 AM, kasak wrote:
>>> Hello, misc!
>>>
>>> Could you please share your wisdom about this problem.
>>>
>>> On my OpenBSD firewall, sometimes the network becomes slow and some daemons
>>> stop working.
>>>
>>> /var/log/messages has these messages when the slowdown is in place:
>>>
>>> Sep 23 13:49:34 gater ntpd[30891]: sendto: Permission denied
>>> Sep 23 13:56:22 gater isakmpd[64631]: sendmsg (14, 0x784ce63ce408, 0): Permission denied
>>>
>>> nginx also has these messages:
>>>
>>> connect() to 172.16.0.80:443 failed (13: Permission denied) while connecting to upstream
>>>
>>> I also cannot ping or nslookup anything, also because of "permission denied".
>>>
>>> I found a workaround by flushing pf states. After pfctl -F states
>>> everything starts to work again.
>>>
>>> But maybe I should tune something I did not know about?
>>>
>>> How can I diagnose these failures?
>>
>> You may have a full state table. Try:
>>
>> pfctl -si
>> pfctl -ss
>
> Do I understand correctly that "current entries" (pfctl -si) is the
> number of states?

Yes, but just show all of pfctl -si as that may give other clues too.
pfctl -sm and pfctl -st may also be useful.

>> Alternatively `pfctl -sa` includes all. If you have run out of available
>> state tracking, I would spot check what is using up all the state entries
>> and whether it is expected prior to increasing the limit.

(pfctl -sa will be pretty huge if you have a full state table and you
probably don't want to send that to the list)

-- 
Please keep replies on the mailing list.
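As an added illustration that is not part of the thread, the sh script below pulls "current entries" from pfctl -si and the states hard limit from pfctl -sm and reports how close the table is to the limit. The two here-documents are constructed samples that mimic the OpenBSD output layout; the function names and the 90% threshold are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread): estimate pf state-table usage from
# pfctl output. Both here-documents are CONSTRUCTED samples mimicking the
# layout of `pfctl -si` / `pfctl -sm` on OpenBSD; on a real firewall pipe the
# live commands (run as root) into the same functions instead.
sample_si() {
cat <<'EOF'
Status: Enabled for 12 days 03:41:10           Debug: err

State Table                          Total             Rate
  current entries                    98750
  half-open tcp                         12
EOF
}
sample_sm() {
cat <<'EOF'
states        hard limit   100000
src-nodes     hard limit    10000
EOF
}

# "current entries": states in the table right now (reads pfctl -si on stdin)
current_entries() {
    awk '$1 == "current" && $2 == "entries" { print $3; exit }'
}

# states hard limit (reads pfctl -sm on stdin; tuned with "set limit states N")
states_limit() {
    awk '$1 == "states" && $2 == "hard" { print $4; exit }'
}

# Integer percentage in use; plain sh arithmetic has no floating point
state_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# When the table is full pf cannot insert a state and drops the packet, which
# the sending socket reports as EACCES ("Permission denied") as in the thread.
check_states() {
    cur=$(sample_si | current_entries)
    lim=$(sample_sm | states_limit)
    pct=$(state_usage_pct "$cur" "$lim")
    echo "states: $cur / $lim ($pct% of hard limit)"
    if [ "$pct" -ge 90 ]; then
        echo "WARNING: state table nearly full; check 'pfctl -ss' before raising the limit"
    fi
}

check_states
```

Run it periodically (for example from cron) to catch exhaustion before daemons start failing, and look at pfctl -ss to see which peers or services hold the entries before changing the limit.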