On 27 Jan 2015, at 07:25, Aristedes Maniatis <[email protected]> wrote:
>
> I have been unable to find much documentation about the counter called
> "state-mismatch". I notice it going up on my firewall (FreeBSD 10.1) but only
> at a slow rate (maybe at around 1 per minute).
>
> What is the significance of this value? Is it indicative of dropped states
> (and I should be increasing the state timeout)?
It's not really documented in our pfctl(8) manpage, but the OpenBSD version does mention it:

    state-mismatch
        packet was associated with a state entry, but sequence numbers did not match

So maybe something is dropping packets, making holes in the sequence numbers? Or maybe somebody is trying something sneaky? :)
-Dimitry
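For anyone chasing this counter, an added example that is not part of the thread or of pf itself: a small POSIX sh script that pulls the Total column of a counter out of two `pfctl -si` snapshots and reports increments per minute. The Rate column pfctl prints is the average since pf was enabled, so a counter that only recently started climbing still reads 0.0/s there; diffing two snapshots taken a few minutes apart shows the current rate. The two snapshots embedded below are constructed, in the layout `pfctl -si` uses on FreeBSD 10.x, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread or from the pf sources: measure how fast a
# pf counter (here "state-mismatch") grows by diffing two `pfctl -si` snapshots.
# The Rate column in `pfctl -si` is the average since pf was enabled, so a
# counter that only recently started climbing still shows 0.0/s there.
# Function names are this example's own; the snapshots below are constructed
# in the layout pfctl -si uses on FreeBSD 10.x.

# Print the Total column of one named counter from a pfctl -si snapshot on stdin.
pf_counter() {
    awk -v name="$1" '$1 == name { print $2; exit }'
}

# Increments per minute of a counter between two snapshots taken $3 seconds apart.
# Usage: pf_counter_rate <snapshot_a> <snapshot_b> <seconds> [counter]
pf_counter_rate() {
    counter="${4:-state-mismatch}"
    a=$(pf_counter "$counter" < "$1")
    b=$(pf_counter "$counter" < "$2")
    awk -v a="$a" -v b="$b" -v s="$3" 'BEGIN { printf "%.1f\n", (b - a) * 60 / s }'
}

# Two constructed snapshots five minutes apart (abbreviated pfctl -si output).
SNAP_A=$(mktemp) && SNAP_B=$(mktemp) || exit 1
trap 'rm -f "$SNAP_A" "$SNAP_B"' EXIT
cat > "$SNAP_A" <<'EOF'
Status: Enabled for 3 days 04:12:57           Debug: Urgent

State Table                          Total             Rate
  current entries                      812
  searches                        93557212          341.0/s
Counters
  match                             219481            0.8/s
  state-mismatch                      4177            0.0/s
  state-insert                           0            0.0/s
EOF
cat > "$SNAP_B" <<'EOF'
Status: Enabled for 3 days 04:17:57           Debug: Urgent

State Table                          Total             Rate
  current entries                      804
  searches                        93659512          341.0/s
Counters
  match                             219722            0.8/s
  state-mismatch                      4182            0.0/s
  state-insert                           0            0.0/s
EOF

# Five new mismatches in 300 s: 1.0 per minute, about what the poster saw,
# while the lifetime Rate column still reads 0.0/s.
pf_counter_rate "$SNAP_A" "$SNAP_B" 300
```

On the firewall itself the same functions run against live snapshots: `pfctl -si > /tmp/a; sleep 300; pfctl -si > /tmp/b; pf_counter_rate /tmp/a /tmp/b 300`. To find out which sequence-number check is failing, and for which state, raise pf's debug level with `pfctl -x misc`: pf then prints a "pf: BAD state:" line to the console (and so to dmesg) for each such drop, showing the state and a "State failure on:" mask of the failed checks; `pfctl -x urgent` restores the default level afterwards.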
