2007/7/13, Stuart Henderson <[EMAIL PROTECTED]>:
> pass log quick on $int_if proto tcp from $me to 10.10.10.10 port 80
       ^^^
Is it any better without logging?
>>> And `pfctl -si` have normal values.
It's better to include the output. Also sysctl net.inet.ip.ifq.
# pfctl -si
Status: Enabled for 14 days 23:22:42          Debug: Urgent
State Table                          Total             Rate
  current entries                       34
  searches                        29928507           23.1/s
  inserts                            96032            0.1/s
  removals                           95998            0.1/s
Counters
  match                             700491            0.5/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                          10254            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                           69            0.0/s
  state-mismatch                       200            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
# sysctl net.inet.ip.ifq
net.inet.ip.ifq.len=0
net.inet.ip.ifq.maxlen=50
net.inet.ip.ifq.drops=0
It may also be important: before the connection failed we can see the following state:
# pfctl -ss
all tcp 10.10.10.101:8427 -> 10.10.10.10:80 SYN_SENT:CLOSED
I don't see any difference with or without the 'log' option.