Hi,

We recently deployed OBSD4.7 boxes to do load balancing in our
environment with relayd.

After a few hours we encountered a problem with the server going beyond
10,000 states.  After much research and man pages, we set up states to a
"ridiculous" number.
Yes, the number was 100,000.  We also changed the states to expire much
faster.  Redeployed the box and everything was normal for a few days till
again we started having issues with the box.
This time the states were 20,000 and again pf/relayd started having
issues.  The box has like 4 gig of RAM, multiple cores etc.  By issues I
mean can't ssh to the box sometimes, can't get relayctl to show hosts etc.

Can someone who is an expert at this look at it and tell me what may be
wrong here?
I have a couple of questions:

1.  Do I need pf for relayd when I am not doing redirects?
2.  How many states can I "really" have on a box that has 4 gig of RAM?
Is it governed by how much mem is allocated to the kernel? (I read it
somewhere while googling).  Can I change that?


Here is pf.conf.  Basically, since the box is BEHIND a corporate
firewall (Juniper), we didn't really need to block anything. So pf.conf
is very simple and so is the relayd.conf:

I would really appreciate any help.

ext_if="fxp0"
web_if="fxp1"

set loginterface $ext_if
set optimization aggressive
set skip on lo
set limit { states 100000  }


set timeout tcp.first           10
set timeout tcp.opening         10
set timeout tcp.established     60
set timeout tcp.closing         10
set timeout tcp.finwait         10
set timeout tcp.closed          10


pass quick on $ext_if
pass quick on $mgt_if


Here is the relayd.conf file:


# $OpenBSD: relayd.conf,v 1.13 2008/03/03 16:58:41 reyk Exp $
#
# Macros
#

images_vip="10.1.0.107"

#
# Global Options
#
interval 30
#timeout 180
#
# Each table will be mapped to a pf table.
#
table <webhosts> { web01 web02 web03 web04 web05 web06 }
table <fallback> { 127.0.0.1 }

#
# Services will be mapped to a rdr rule.
#

#
# Relay and protocol for HTTP layer 7 loadbalancing and SSL acceleration
#
relay web {
       listen on $webip port 80
       session timeout 180
       forward to <webhosts> port 8080 mode roundrobin \
               check tcp
}

thank you
