>Number:         137982
>Category:       kern
>Synopsis:       when pf can hit state limits, random IP failures and no debugging info is provided
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 20 00:20:03 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Daniel Baker
>Release:        FreeBSD 7.1-PRERELEASE amd64
>Organization:
>Environment:
System: FreeBSD hullo 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #3: Thu Oct 30 08:02:54 CDT 2008 root@cfood:/usr/obj/usr/src/sys/CFOOD amd64
>Description:
When you exceed the maximum number of connections as specified in pf,
random socket errors occur. For example, a DNS lookup may fail or any
number of socket/IP issues.
>How-To-Repeat:
Set state limits very low in pf.conf and generate enough connections to
exceed that limit, then try to open sockets or use the network.
>Fix:
For a user, watch everything (pfctl -s all) and if this is affecting you,
set higher pf limits in pf.conf such as:

    set limit { states 75000, src-nodes 75000, frags 25000 }

However, the ACTUAL bug fix to prevent this from confusing users is to
have pf syslog when limits are hit and suggest a fix.
>Release-Note:
>Audit-Trail:
>Unformatted:
_______________________________________________
freebsd-bugs@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscribe@freebsd.org"
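
Added example, not part of the original problem report and not pf's own code: a /bin/sh check that compares the state count from pfctl -s info with the states hard limit from pfctl -s memory and writes a syslog warning near the limit, which is the visibility the report asks for. The function names, the 80% default threshold, the pf-states syslog tag and the sample pfctl output are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: compare pf's current state count with its hard limit.
# Assumption: the usual `pfctl -s info` / `pfctl -s memory` text layout.

# Constructed sample output, not captured from a real host.
SAMPLE_INFO='Status: Enabled for 3 days 04:10:22           Debug: Urgent

State Table                          Total             Rate
  current entries                     9600
  searches                        48211934          175.8/s
  inserts                           911204            3.3/s
  removals                          901604            3.3/s'
SAMPLE_MEMORY='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000'

# Read `pfctl -s info` text on stdin, print the current state count.
pf_current_states() {
    awk '$1 == "current" && $2 == "entries" { print $3; exit }'
}

# Read `pfctl -s memory` text on stdin, print the states hard limit.
pf_state_limit() {
    awk '$1 == "states" && $2 == "hard" && $3 == "limit" { print $4; exit }'
}

# pf_state_check INFO_TEXT MEMORY_TEXT [THRESHOLD_PERCENT, default 80]
# Prints a one-line status; returns 0 (OK), 1 (WARN) or 2 (unparseable).
pf_state_check() {
    cur=$(printf '%s\n' "$1" | pf_current_states)
    lim=$(printf '%s\n' "$2" | pf_state_limit)
    thr=${3:-80}
    for v in "$cur" "$lim"; do
        case "$v" in
            ''|*[!0-9]*) echo "UNKNOWN could not parse pfctl output"; return 2 ;;
        esac
    done
    [ "$lim" -gt 0 ] || { echo "UNKNOWN states limit is 0"; return 2; }
    pct=$((cur * 100 / lim))
    if [ "$pct" -ge "$thr" ]; then
        echo "WARN pf states $cur/$lim ($pct%)"; return 1
    fi
    echo "OK pf states $cur/$lim ($pct%)"
}

# On a pf host (as root, e.g. from cron): send anything but OK to syslog.
if command -v pfctl >/dev/null 2>&1; then
    msg=$(pf_state_check "$(pfctl -s info 2>/dev/null)" "$(pfctl -s memory 2>/dev/null)") ||
        logger -p daemon.warning -t pf-states "$msg"
fi
```

A WARN line in syslog is the cue to review the "set limit" values in pf.conf before sockets start failing.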