On Thu, Nov 17, 2005 at 04:03:25AM -0600, Kevin wrote:
> On 11/16/05, Jon Hart <[EMAIL PROTECTED]> wrote:
> > pass in on $CLIENT_IF inet proto tcp from $CLIENT_NET to $SERVER_NET \
> > port 12345 flags S/SA modulate state
>
> I know it's a stupid question, but have you tried the same ruleset,
> but not modulating state? How about the same rules, with pass in/out
> rules and no "keep state"?

I haven't tried with something other than modulate state, but I'll give it a shot. As far as not keeping state, I'm not sure that'll help because then the packets may be denied going in/out on the other interface.

> > Any input, whether it's pf, OpenBSD or
> > client related would be much appreciated.
>
> While running similar tests (httperf or http_load) with large numbers
> of TCP sessions where the client and the server are running OpenBSD,
> I've run into issues which appear to be related to filling up the
> local host (not pf) TCP state table with TIME_WAIT entries on the
> client, the server, or both.
>
> This can be diagnosed by running "netstat -np tcp" on the
> client/server, right when the problem starts.

That's the odd part. When the firewall is involved, netstat on the client tops out at around, oh, 400 or so in TIME_WAIT. Without the firewall, there are thousands in TIME_WAIT and this mysterious 45s timeout does not exist.

Thanks!

-jon
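The diagnosis Kevin suggests above ("netstat -np tcp" on the client or server while the problem is happening) produces hundreds or thousands of lines. As an added example that is not part of the original thread, the small shell helpers below tally the state column of that output and break TIME_WAIT entries down by peer host, so the "tops out at around 400" observation can be checked numerically; the sample input is constructed and the column layout assumed is the OpenBSD `netstat -n` one (address and port joined by a dot, state in the last column).

```shell
#!/bin/sh
# Added example, not from the original thread. Feed "netstat -np tcp" output
# on stdin, e.g.:  netstat -np tcp | state_summary

# Constructed sample resembling client-side "netstat -np tcp" output.
SAMPLE='Active Internet connections
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  10.0.0.5.51234         10.0.1.9.12345         TIME_WAIT
tcp          0      0  10.0.0.5.51235         10.0.1.9.12345         TIME_WAIT
tcp          0      0  10.0.0.5.51236         10.0.1.9.12345         ESTABLISHED
tcp          0      0  10.0.0.5.51237         10.0.1.9.12345         TIME_WAIT
tcp          0      0  10.0.0.5.51238         10.0.1.10.12345        TIME_WAIT
tcp          0      0  10.0.0.5.22            10.0.0.7.40001         ESTABLISHED'

# count_state STATE : number of tcp entries whose state column equals STATE.
count_state() {
    awk -v want="$1" '$1 == "tcp" && $NF == want { n++ } END { print n + 0 }'
}

# state_summary : "STATE count" per state, most common state first.
state_summary() {
    awk '$1 == "tcp" { c[$NF]++ } END { for (s in c) print s, c[s] }' | sort -k2,2nr
}

# timewait_peers : "host count" of TIME_WAIT entries grouped by foreign host,
# with the trailing ".port" stripped from the foreign address (column 5).
timewait_peers() {
    awk '$1 == "tcp" && $NF == "TIME_WAIT" { h = $5; sub(/\.[0-9]+$/, "", h); c[h]++ }
         END { for (h in c) print h, c[h] }' | sort -k2,2nr
}

# timewait_alert THRESHOLD : succeed (exit 0) when TIME_WAIT count >= THRESHOLD,
# which is the condition worth acting on in the scenario above.
timewait_alert() {
    [ "$(count_state TIME_WAIT)" -ge "$1" ]
}
```

Run the live check as `netstat -np tcp | timewait_alert 400 && echo "TIME_WAIT build-up"` on the client, and compare the peer breakdown with and without the firewall in the path.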