The following reply was made to PR kern/121668; it has been noted by GNATS.

From: Max Laier <max@love2party.net>
To: bug-followup@freebsd.org, lfrigault@agneau.org
Cc:
Subject: Re: kern/121668: connect randomly fails with EPERM with some pf rules
Date: Thu, 13 Mar 2008 20:26:39 +0100
> sysctl net.inet.tcp.nolocaltimewait=1
> not needed, but helps to reproduce the problem with client and server
> on the same computer.
Okay, now this is just asking for trouble. pf does thorough checks on TCP
states, one of which is to enforce the 2MSL quiet time before port reuse.
If you set the above sysctl you specifically ask FreeBSD to break that rule and
thus cause pf to bark.
You can also hit the issue if you have a large number of (consecutive)
connections between two hosts (e.g. [poorly configured] squid ->
www-backends, mysql, ...). The solution is to:

1) Reduce the connection spree and use one permanent connection
2) Increase the ephemeral port range net.inet.ip.portrange.hi{first,last}
3) Decrease the pf state timeout tcp.{closing,closed} in order to relax
the check. You can do this globally and on a per-rule basis.
-- Max
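An added example, not part of the PR thread or of FreeBSD itself, that puts a number on the trade-off described in the reply: the size of the ephemeral port range divided by how long pf keeps a closed TCP state bounds how many fresh connections per second one client can open to a single server socket before it must reuse a port whose old state pf still holds. The default values used below (port range 49152-65535, tcp.closing 900s, tcp.closed 90s) are assumed from the pf.conf(5) and FreeBSD defaults; check your own with the helper at the end.

```shell
#!/bin/sh
# Estimate the sustainable rate of new connections between one client
# and one server before ephemeral ports collide with lingering pf states.
#
# sustainable_rate FIRST LAST CLOSING CLOSED
#   FIRST/LAST   ephemeral port range (net.inet.ip.portrange.hi{first,last})
#   CLOSING/CLOSED  pf timeouts tcp.closing and tcp.closed, in seconds
# Prints floor(ports / (closing + closed)) connections per second.
sustainable_rate() {
    first=$1; last=$2; closing=$3; closed=$4
    ports=$((last - first + 1))
    hold=$((closing + closed))          # seconds a finished state lingers
    if [ "$hold" -le 0 ] || [ "$ports" -le 0 ]; then
        echo "sustainable_rate: bad arguments" >&2
        return 1
    fi
    echo $((ports / hold))
}

# Read the live values from the running system when the tools exist
# (FreeBSD: sysctl(8) and pfctl(8)); otherwise fall back to the assumed
# defaults so the script still runs elsewhere.
current_rate() {
    first=49152; last=65535; closing=900; closed=90   # assumed defaults
    if command -v sysctl >/dev/null 2>&1; then
        first=$(sysctl -n net.inet.ip.portrange.hifirst 2>/dev/null || echo "$first")
        last=$(sysctl -n net.inet.ip.portrange.hilast 2>/dev/null || echo "$last")
    fi
    if command -v pfctl >/dev/null 2>&1; then
        # "pfctl -s timeouts" prints lines such as "tcp.closing 900s"
        closing=$(pfctl -s timeouts 2>/dev/null | awk '$1=="tcp.closing"{sub("s","",$2);print $2}')
        closed=$(pfctl -s timeouts 2>/dev/null | awk '$1=="tcp.closed"{sub("s","",$2);print $2}')
        [ -n "$closing" ] || closing=900
        [ -n "$closed" ] || closed=90
    fi
    sustainable_rate "$first" "$last" "$closing" "$closed"
}

# Defaults: 16384 ports / 990 s -> about 16 new connections/s per host pair.
# Widening the range to 1024-65535 or cutting tcp.closing/tcp.closed
# (globally with "set timeout", or per rule) raises that ceiling.
```

Running `current_rate` on the firewall prints the ceiling for its actual settings; anything that opens connections faster than that between the same two hosts will eventually trip the state check the reply describes.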