Patrick,

Thanks for responding. I will start watching this. I am using NAT with <100 hosts. Most of the traffic is https.

NetBSD 4.0 amd64, 2 cpu, 1G memory

    State Table                        Total             Rate
      current entries                   4410
      searches                       7162532          270.3/s
      inserts                         357457           13.5/s
      removals                        353047           13.3/s
    Counters
      match                           364479           13.8/s
      bad-offset                           0            0.0/s
      fragment                             0            0.0/s
      short                                0            0.0/s
      normalize                            0            0.0/s
      memory                               0            0.0/s
      bad-timestamp                        0            0.0/s
      congestion                           0            0.0/s
      ip-option                            0            0.0/s
      proto-cksum                          0            0.0/s
      state-mismatch                    6407            0.2/s
      state-insert                         0            0.0/s
      state-limit                          0            0.0/s
      src-limit                            0            0.0/s
      synproxy                             0            0.0/s

    TIMEOUTS:
    tcp.first                   120s
    tcp.opening                  30s
    tcp.established           86400s
    tcp.closing                 900s
    tcp.finwait                  45s
    tcp.closed                   90s
    tcp.tsdiff                   30s
    udp.first                    60s
    udp.single                   30s
    udp.multiple                 60s
    icmp.first                   20s
    icmp.error                   10s
    other.first                  60s
    other.single                 30s
    other.multiple               60s
    frag                         30s
    interval                     10s
    adaptive.start                0 states
    adaptive.end                  0 states
    src.track                     0s

    LIMITS:
    states        hard limit    10000
    src-nodes     hard limit    10000
    frags         hard limit     5000

Patrick Welche wrote:
> On Thu, Jul 16, 2009 at 09:32:55PM -0500, Steve Pribyl wrote:
>> I am using NetBSD 4.0 with Carp and pf. The problem is pf works great for a while then starts to not work, slow, refuses pings, forwarding, etc in a random way. So, I need some suggestions on how to debug this or even if someone has seen or heard of this before.
>
> Roughly how many hosts have you got on your network? Are you using network address translation?
>
> Just guessing: many many connections all holding state, state table becomes full so no more new connections allowed through. Some connection finishes, so now there is room for a new one, so "randomly" works again...
>
>     pfctl -s all
>
> Should show what is going on... My impression though is that defaults are fine for hundreds of hosts, so check through your rules?
>
> Cheers,
>
> Patrick
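As an added example (not part of the thread and not pf's own tooling), the check below parses the state-table section of `pfctl -s info` output, compares "current entries" with the "states" hard limit Patrick suspects is being hit, and flags a nearly full table or any "state-limit" hits. The sample text is constructed from the numbers quoted above; the regexes and the 80% warning threshold are assumptions.

```python
import re

# Constructed sample modelled on the pfctl -s info output quoted in the thread.
SAMPLE = """\
State Table                        Total             Rate
  current entries                   4410
  searches                       7162532          270.3/s
  inserts                         357457           13.5/s
  removals                        353047           13.3/s
Counters
  match                           364479           13.8/s
  state-mismatch                    6407            0.2/s
  state-limit                          0            0.0/s
  memory                               0            0.0/s
LIMITS:
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
"""

def parse_pf_info(text):
    """Return (counters, limits): counters maps a name to its Total column,
    limits maps a pool name (states, src-nodes, frags) to its hard limit."""
    counters, limits = {}, {}
    for line in text.splitlines():
        m = re.match(r"\s*(\S+)\s+hard limit\s+(\d+)", line)
        if m:
            limits[m.group(1)] = int(m.group(2))
            continue
        # Name may contain a space ("current entries"); Total is the first number.
        m = re.match(r"\s*(.+?)\s+(\d+)(?:\s|$)", line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters, limits

def state_table_report(text, warn_pct=80.0):
    """Report how full the state table is relative to its hard limit.
    state-limit counts new states pf refused because the table was full,
    which is the failure mode discussed in the thread."""
    counters, limits = parse_pf_info(text)
    used, limit = counters["current entries"], limits["states"]
    pct = 100.0 * used / limit
    refused = counters.get("state-limit", 0)
    return {"used": used, "limit": limit, "pct": round(pct, 1),
            "state_limit_hits": refused,
            "nearly_full": pct >= warn_pct or refused > 0}

if __name__ == "__main__":
    print(state_table_report(SAMPLE))
```

In the quoted output the table is at 44.1% of the 10000-state hard limit with no state-limit hits, so a full table is not the explanation at the moment the snapshot was taken.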