Hi list,
We are experiencing a steady flow of BAD state error messages that I
cannot explain.
According to Google, incorrect state keeping should be the prime suspect
for BAD state errors, so I have checked our current ruleset a couple of
times to make sure that we do keep state on every pass rule (flags
S/SA).
Moreover, as far as I know, OpenBSD 4.1 should default to 'flags
S/SA keep state' on all pass rules anyway.
Most BAD state errors seem to occur on ACKs in the middle of
established connections.
Our setup currently consists of 2 bridging OpenBSD 4.1-STABLE
firewalls using pfsync and RSTP for failover. They protect 60-70
machines, mostly webservers.
Sanitized copies of /var/log/messages and our current ruleset can be
found here:
http://blog.myunix.dk/pf/
pfctl output:
# pfctl -si
Status: Enabled for 1 days 09:20:59           Debug: Misc

State Table                          Total             Rate
  current entries                    13853
  searches                       727029054         6055.6/s
  inserts                         17777707          148.1/s
  removals                        17770562          148.0/s
Counters
  match                           19207675          160.0/s
  bad-offset                             0            0.0/s
  fragment                               6            0.0/s
  short                                  4            0.0/s
  normalize                             64            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                         4472            0.0/s
  state-mismatch                    117106            1.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
I hope that someone can shed some light on what's going on ...
--
Med venlig hilsen / Best Regards
Henrik Johansen
[EMAIL PROTECTED]
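An added example, not part of Henrik's post or of OpenBSD: a small Python script that parses pf "BAD state" log lines of the kind the message refers to, tallies them by TCP flags, tracker state pair and direction (so the "ACKs in the middle of established connections" impression can be checked against counts), and re-runs the sequence/ack window tests pf applies before it logs a mismatch. The log-line layout, the four window checks, their numbering and the MAXACKWINDOW constant follow my reading of pf_test_state_tcp() in pf.c of the 4.x era and are assumptions to verify against the kernel source in use; the sample lines are constructed, not taken from the sanitized logs at the URL above.

```python
"""Summarise pf 'BAD state' log lines and recompute pf's window checks.

Added example, not code from the original post. Line layout and checks
are my reading of pf.c (OpenBSD 4.x) and should be treated as assumptions.
"""
import re
from collections import Counter

# Assumed layout of one "pf: BAD state:" line (syslog prefix may precede it):
#   pf: BAD state: TCP <lan> <gwy> <ext> [lo= high= win= modulator= wscale=]
#   [lo= high= win= modulator= wscale=] <src.state>:<dst.state> <flags>
#   seq=<seq> (<orig_seq>) ack=<ack> len=<len> ackskew=<skew>
#   pkts=<n>:<m> dir=<in|out>,<fwd|rev>
_TRACKER = r"\[lo=(\d+) high=(\d+) win=(\d+) modulator=(\d+) wscale=(\d+)\]"
BAD_STATE_RE = re.compile(
    r"pf: BAD state: TCP (\S+) (\S+) (\S+) " + _TRACKER + " " + _TRACKER +
    r" (\d+):(\d+) (\S+) seq=(\d+) \((\d+)\) ack=(\d+) len=(\d+) "
    r"ackskew=(-?\d+) pkts=(\d+):(\d+) dir=(\w+),(\w+)")

TCP_STATES = {0: "CLOSED", 1: "LISTEN", 2: "SYN_SENT", 3: "SYN_RECEIVED",
              4: "ESTABLISHED", 5: "CLOSE_WAIT", 6: "FIN_WAIT_1",
              7: "CLOSING", 8: "LAST_ACK", 9: "FIN_WAIT_2", 10: "TIME_WAIT"}
MAXACKWINDOW = 0xffff + 1500      # pf's ack-skew bound (assumed value)
_FIELDS = ("lo", "high", "win", "modulator", "wscale")

# Constructed sample lines (not real traffic), one per failing check.
SAMPLE_LOG = [
    "Jun  1 12:00:01 fw1 /bsd: pf: BAD state: TCP 10.0.0.5:80 10.0.0.5:80 "
    "192.0.2.10:51234 [lo=1000 high=2000 win=65535 modulator=0 wscale=0] "
    "[lo=5000 high=6000 win=65535 modulator=0 wscale=0] 4:4 A seq=2500 "
    "(2500) ack=5500 len=0 ackskew=-500 pkts=10:12 dir=in,fwd",
    "Jun  1 12:00:02 fw1 /bsd: pf: BAD state: TCP 10.0.0.7:443 10.0.0.7:443 "
    "198.51.100.20:40000 [lo=100000 high=200000 win=1000 modulator=0 wscale=0] "
    "[lo=50000 high=60000 win=1000 modulator=0 wscale=0] 4:4 PA seq=1000 "
    "(1000) ack=55000 len=100 ackskew=-5000 pkts=40:38 dir=out,fwd",
    "Jun  1 12:00:03 fw1 /bsd: pf: BAD state: TCP 10.0.0.9:80 10.0.0.9:80 "
    "203.0.113.4:61000 [lo=1000 high=200000 win=65535 modulator=0 wscale=0] "
    "[lo=300000 high=301000 win=65535 modulator=0 wscale=0] 4:4 R seq=1500 "
    "(1500) ack=100000 len=0 ackskew=200000 pkts=5:5 dir=in,fwd",
    "Jun  1 12:00:03 fw1 /bsd: pf: State failure on: 1",   # not a BAD state line
]


def seq_geq(a, b):
    """32-bit wrap-safe a >= b, like pf's SEQ_GEQ macro."""
    return ((a - b) & 0xffffffff) < 0x80000000


def parse_bad_state(line):
    """Return a dict of the logged fields, or None if the line is not one."""
    m = BAD_STATE_RE.search(line)
    if not m:
        return None
    g = m.groups()
    return {"lan": g[0], "gwy": g[1], "ext": g[2],
            "src": dict(zip(_FIELDS, map(int, g[3:8]))),
            "dst": dict(zip(_FIELDS, map(int, g[8:13]))),
            "src_state": int(g[13]), "dst_state": int(g[14]), "flags": g[15],
            "seq": int(g[16]), "orig_seq": int(g[17]), "ack": int(g[18]),
            "len": int(g[19]), "ackskew": int(g[20]),
            "dir": g[23], "path": g[24]}


def failed_checks(ev):
    """Re-run the four window tests; numbers match pf's 'State failure on' line
    as I read it: 1 end past peer window, 2 retransmit too far back,
    3/4 ack skew beyond one window backward/forward (assumed semantics)."""
    src, dst = ev["src"], ev["dst"]
    sws, dws = src["wscale"] & 0x0f, dst["wscale"] & 0x0f
    end = ev["seq"] + ev["len"] + ("S" in ev["flags"]) + ("F" in ev["flags"])
    fails = []
    if not seq_geq(src["high"], end & 0xffffffff):
        fails.append(1)
    if not seq_geq(ev["seq"], (src["lo"] - (dst["win"] << dws)) & 0xffffffff):
        fails.append(2)
    if not ev["ackskew"] >= -MAXACKWINDOW:
        fails.append(3)
    if not ev["ackskew"] <= (MAXACKWINDOW << sws):
        fails.append(4)
    return fails


def is_mid_connection_ack(ev):
    """Pure ACK (no SYN/FIN/RST) while both trackers are ESTABLISHED."""
    return ("A" in ev["flags"] and not set(ev["flags"]) & set("SFR")
            and ev["src_state"] == 4 and ev["dst_state"] == 4)


def summarize(lines):
    """Return (events, tally keyed by (flags, state pair, direction))."""
    events = [e for e in map(parse_bad_state, lines) if e]
    tally = Counter((e["flags"],
                     f"{TCP_STATES.get(e['src_state'], e['src_state'])}:"
                     f"{TCP_STATES.get(e['dst_state'], e['dst_state'])}",
                     e["dir"]) for e in events)
    return events, tally


def mid_connection_ack_share(events):
    """Fraction of parsed BAD state events that are mid-connection ACKs."""
    return sum(map(is_mid_connection_ack, events)) / len(events) if events else 0.0


if __name__ == "__main__":
    import sys
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    evs, tally = summarize(src)
    for key, n in tally.most_common():
        print(f"{n:6d}  flags={key[0]:<4} states={key[1]:<24} dir={key[2]}")
    print(f"mid-connection ACK share: {mid_connection_ack_share(evs):.2f}")
    for e in evs:
        print(e["lan"], e["ext"], e["flags"], "failed checks:", failed_checks(e))
```

Feed it the real log with `grep 'BAD state' /var/log/messages | python3 badstate.py` (badstate.py is whatever you name the file); with no stdin it runs on the constructed samples. If the regex does not match your kernel's lines, adjust the layout comment and pattern to the pf.c you are running rather than trusting the assumed one.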