Monday, September 23, 2024

Re: strange network behavior (send permission denied)

On 2024-09-23, kasak <kasak@kasakoff.net> wrote:
>
> 23.09.2024 15:22, Brian Conway wrote:
>> On Mon, Sep 23, 2024, at 6:19 AM, kasak wrote:
>>> Hello, misc!
>>>
>>> Could you please share your wisdom about this problem.
>>>
>>> On my OpenBSD firewall, sometimes the network becomes slow and some daemons
>>> stop working.
>>>
>>> /var/log/messages has these messages when the slowdown is in place:
>>>
>>> Sep 23 13:49:34 gater ntpd[30891]: sendto: Permission denied
>>> Sep 23 13:56:22 gater isakmpd[64631]: sendmsg (14, 0x784ce63ce408, 0):
>>> Permission denied
>>>
>>> also nginx has these messages:
>>>
>>>  connect() to 172.16.0.80:443 failed (13: Permission denied) while
>>> connecting to upstream
>>>
>>> also I cannot ping or nslookup anything, also because of "permission denied"
>>>
>>> I found a workaround by flushing pf states. After pfctl -F states
>>> everything starts to work again.
>>>
>>> But maybe I should tune something I did not know about?
>>>
>>> How can I diagnose these failures?
>> You may have a full state table. Try:
>>
>> pfctl -si
>> pfctl -ss
> Do I understand correctly that "current entries" (pfctl -si) is the
> number of states?

Yes, but just show all of pfctl -si, as that may give other clues too.
pfctl -sm and pfctl -st may also be useful.

>> Alternatively `pfctl -sa` includes all. If you have run out of available state tracking, I would spot check what is using up all the state entries and whether it is expected prior to increasing the limit.

(pfctl -sa will be pretty huge if you have a full state table and you
probably don't want to send that to the list)

--
Please keep replies on the mailing list.
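As an added illustration of the check suggested in this thread (not code from the list or from OpenBSD): the script below parses the "current entries" line of `pfctl -si` and the "states" line of `pfctl -sm` and warns when the state table is close to its hard limit, which is the condition behind the "Permission denied" errors above. The SAMPLE_SI and SAMPLE_SM strings are constructed stand-ins for real pfctl output.

```shell
#!/bin/sh
# Added example, not from the thread: warn when pf's state table is nearly full.
# SAMPLE_SI / SAMPLE_SM are constructed; on a firewall feed in the real output of
# `pfctl -si` and `pfctl -sm` instead (e.g. from a cron job or monitoring agent).

# Constructed `pfctl -si` excerpt; only the "current entries" line is parsed.
SAMPLE_SI='Status: Enabled for 3 days 04:05:06           Debug: err

State Table                          Total             Rate
  current entries                    97412
  half-open tcp                         38
  searches                        98765432         3452.1/s
  inserts                          1234567            4.3/s
  removals                         1137155            3.9/s'

# Constructed `pfctl -sm` excerpt; only the "states" line is parsed.
SAMPLE_SM='states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     1024'

# "current entries" count from pfctl -si text on stdin.
state_count() { awk '/^ *current entries/ { print $3 }'; }

# "states" hard limit from pfctl -sm text on stdin.
state_limit() { awk '$1 == "states" { print $NF }'; }

# Integer percentage of the state table in use: state_pct COUNT LIMIT
state_pct() { echo $(( $1 * 100 / $2 )); }

# Print "count limit percent" for the given -si and -sm text; status 2 on parse failure.
state_usage() {
    count=$(printf '%s\n' "$1" | state_count)
    limit=$(printf '%s\n' "$2" | state_limit)
    [ -n "$count" ] && [ -n "$limit" ] && [ "$limit" -gt 0 ] || return 2
    echo "$count $limit $(state_pct "$count" "$limit")"
}

# True (status 0) when usage is at or above THRESHOLD percent:
#   state_table_nearly_full SI_TEXT SM_TEXT THRESHOLD
state_table_nearly_full() {
    set -- "$(state_usage "$1" "$2")" "$3"
    [ -n "$1" ] || return 2
    [ "${1##* }" -ge "$2" ]
}

# Stand-alone run over the constructed samples.
if state_table_nearly_full "$SAMPLE_SI" "$SAMPLE_SM" 90; then
    echo "WARNING: pf state table at $(state_usage "$SAMPLE_SI" "$SAMPLE_SM" | cut -d' ' -f3)% of its limit; inspect pfctl -ss before raising the limit"
else
    echo "pf state table usage is within bounds"
fi
```

With real output, `state_table_nearly_full "$(pfctl -si)" "$(pfctl -sm)" 90` gives a cron-friendly yes/no, and `pfctl -ss` then shows which sources or rules are holding the states.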
