Martti Kuparinen wrote:
I have big problems with IPF 4.1.29 on NetBSD 5.0_RC2. I had two SSH sessions open and they were visible as

Source IP          Destination IP      ST   PR   #pkts  #bytes  ttl
10.0.18.3,36821    xxx.xxx.xxx.130,22  4/4  tcp  213    21388   3:58:26
10.0.18.3,45536    xxx.xxx.xxx.140,22  4/4  tcp  43     7668    3:59:55

Later (say 15 minutes or so, i.e. not even close to the TTL) I noticed both my SSH sessions were unresponsive so I logged into the firewall and saw no state entries for my SSH sessions.

Anyone else having similar problems with IPF on NetBSD 5.0?

This might in fact be ipnat related as I have no problems at work where the firewall is running NetBSD/amd64 5.0_RC2 but we are using public IP addresses and no NAT at all...
I found a "solution" for my problem, I added

*/10 * * * * /sbin/ipf -F s

to /var/cron/tabs/root and now things work much better again. Here's a graph from my firewall, I installed the cron job yesterday evening so you can clearly see the number of sessions go down with this flushing job.
http://kuparinen.org/martti/tmp/firewall-day.png

I don't know if flushing every 10 minutes ("*/10 *") is overkill, maybe once per hour ("* */1") or so would be enough. Anyway, so far everything has been stable without any connection breaks...
Martti
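The symptom reported above (established 4/4 state entries vanishing long before their TTL runs out) can be checked for automatically by comparing two state-table snapshots. The script below is an added example, not code from the thread; it assumes the "Source IP / Destination IP / ST / PR / #pkts / #bytes / ttl" layout quoted in the first post, and the two snapshots embedded in it are constructed (192.0.2.x addresses stand in for the masked xxx.xxx.xxx ones). On a real firewall the snapshots would come from ipfstat's state listing instead of the constants.

```shell
#!/bin/sh
# Added example: flag IPF state entries for established TCP sessions that
# disappeared between two snapshots although their TTL was far from expiry.
# Snapshot format assumed (as quoted in the thread):
#   src,sport dst,dport ST PR #pkts #bytes ttl(H:MM:SS)

# Constructed snapshot 1: both SSH sessions present, TTL close to four hours.
SNAP_BEFORE='10.0.18.3,36821 192.0.2.130,22 4/4 tcp 213 21388 3:58:26
10.0.18.3,45536 192.0.2.140,22 4/4 tcp 43 7668 3:59:55'

# Constructed snapshot 2, minutes later: the second session's entry is gone.
SNAP_AFTER='10.0.18.3,36821 192.0.2.130,22 4/4 tcp 250 25000 3:45:10'

# ttl_seconds H:MM:SS -> total seconds (leading zeros stripped so that
# "05" is not parsed as octal by the shell's arithmetic).
ttl_seconds() {
    IFS=: read -r h m s <<EOF
$1
EOF
    h=${h#0}; m=${m#0}; s=${s#0}
    echo $(( ${h:-0} * 3600 + ${m:-0} * 60 + ${s:-0} ))
}

# missing_states BEFORE AFTER MIN_TTL_SEC
# Prints "src dst" for every fully established (4/4) entry in BEFORE that
# still had more than MIN_TTL_SEC of TTL left but has no matching entry in
# AFTER. Entries close to expiry are ignored, since those are expected to go.
missing_states() {
    before=$1; after=$2; min_ttl=$3
    printf '%s\n' "$before" | while read -r src dst st pr pkts bytes ttl; do
        [ "$st" = "4/4" ] || continue
        [ "$(ttl_seconds "$ttl")" -gt "$min_ttl" ] || continue
        # Exact field match on source and destination (no regex on dotted IPs).
        if ! printf '%s\n' "$after" |
             awk -v s="$src" -v d="$dst" '$1==s && $2==d {f=1} END {exit !f}'
        then
            echo "$src $dst"
        fi
    done
}

# Stand-alone run: report sessions lost with more than 10 minutes of TTL left.
missing_states "$SNAP_BEFORE" "$SNAP_AFTER" 600
```

Run periodically from cron with real snapshots, a non-empty report is the signal that state is being lost independently of the TTL, which separates this failure from ordinary idle expiry.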