Re: Zero PF Counters

2005-10-10 Thread j knight
--- Quoting William Bloom on 2005/10/10 at 13:56 -0700:

> The PF man page gives meager detail about the congestion counter.  And the
> only FAQ items for this that I can find are related to queueing (and I don't
> have queues in my ruleset).  What is the meaning of a non-zero congestion
> counter, and what action is PF taking when the congestion counter is
> incremented?

If the output interface queue is congested (i.e., is full), pf will just
drop the packet and then increment the counter. This is independent of
altq.
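The counter described above lives in pf's global statistics, which `pfctl -si` prints under "Counters". The following is an added example, not code from this thread: a small POSIX shell tool that pulls a named counter out of `pfctl -si` output and reports its growth since a saved baseline, which is one way to "zero" a counter for monitoring purposes without touching the kernel's value (on current OpenBSD, `pfctl -F info` flushes these statistics outright; the baseline-and-diff approach works either way). The two `pfctl -si` samples are constructed to mirror the real layout and are not captured output; `counter_value` and `counter_delta` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original thread: read a named counter from
# `pfctl -si` output and report how much it has grown since a baseline.
# The sample texts below are constructed to mirror the "Counters" section
# that pfctl -si prints on OpenBSD; they are not real captures.

SAMPLE_BEFORE='Status: Enabled for 2 days 04:13:07           Debug: Urgent

Counters
  match                              48213            0.3/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                            17            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         2            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s'

SAMPLE_AFTER='Status: Enabled for 2 days 06:01:44           Debug: Urgent

Counters
  match                              51907            0.3/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                            42            0.1/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         5            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s'

# counter_value NAME TEXT
# Print the total column of counter NAME from pfctl -si style TEXT.
# Only the "Counters" section is searched, so names in the interface or
# state-table sections cannot collide. Prints "missing" if NAME is absent.
counter_value() {
    printf '%s\n' "$2" | awk -v n="$1" '
        /^Counters/ { in_counters = 1; next }
        in_counters && $1 == n { print $2; found = 1; exit }
        END { if (!found) print "missing" }'
}

# counter_delta NAME BASELINE CURRENT
# Print how much counter NAME grew between the BASELINE and CURRENT texts.
# Fails (exit 1) if the counter is missing from either snapshot, so a
# renamed or absent counter is not silently reported as zero.
counter_delta() {
    before=$(counter_value "$1" "$2")
    after=$(counter_value "$1" "$3")
    [ "$before" = missing ] && return 1
    [ "$after" = missing ] && return 1
    echo $((after - before))
}

# Stand-alone demonstration against the constructed samples. On a live
# firewall the baseline would come from `pfctl -si > /var/db/pf-baseline`
# and the current snapshot from `pfctl -si` at check time.
for c in congestion state-mismatch; do
    printf '%-15s +%s since baseline\n' "$c" \
        "$(counter_delta "$c" "$SAMPLE_BEFORE" "$SAMPLE_AFTER")"
done
```

Watching the delta over a few minutes is more useful than the absolute value: a congestion counter that stops growing after a fix confirms the output queue is no longer filling, while the rate column pfctl prints is averaged over the whole uptime and reacts slowly.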



Zero PF Counters

2005-10-10 Thread William Bloom
Perhaps I've misread the man page, but it's not obvious to me how to zero the
PF counters.  For example, 'pfctl -si' shows a non-zero congestion counter, and
I'd like to clear that counter after I think the congestion issue is remedied.
But I see no way to do that (apart from a reboot).  How to do this?

Change in subject...

One odd symptom I've experienced is that permitted users will login (SSH) to a 
host behind the firewall successfully, work with the system for a few minutes, 
then get disconnected suddenly.  When I TCP dump from the login host, I see 
his/her session established successfully and work begins.  Then, a few minutes 
after successful flow of traffic both directions, the user's desktop sends a 
long flurry of TCP resets as the connection is lost.  When I disable PF (pfctl 
-d) on the firewall, the symptom vanishes.  Now, if the ruleset had handled the 
TCP state wrongly, then I would have expected the TCP connection to not have 
survived long enough for the user to get several minutes of work done.  The 
firewall's pflog (block log) shows no packets dropped for these connections,
and there are no entries for packets dropped due to congestion.

What's an interpretation of this?  I am baffled for the moment.

Another change in subject...

The PF man page gives meager detail about the congestion counter.  And the only 
FAQ items for this that I can find are related to queueing (and I don't have 
queues in my ruleset).  What is the meaning of a non-zero congestion counter, 
and what action is PF taking when the congestion counter is incremented?


Bill
-- 
William Bloom | Snr Systems Engineer | M P H A S I S Architecting Value | Eldorado Computing
5353 North 16th Street, Suite 400 Phoenix, Az 85016 | Direct: +11-602-604-3100 | Fax: +11-602-604-3115 | http://www.eldocomp.com
