Hi Tom, 

I have just zeroed in the statistics and yes the state-mismatch is still
increasing. 

If I do enable logging, how would I know that packet is mismatched? 

Cheers, 

Mark
-----Original Message-----
From: Tom Uffner [mailto:tom@uffner.com] 
Sent: Thursday, 15 May 2008 11:55 a.m.
To: Kian Mohageri
Cc: Mark Pagulayan; freebsd-pf@freebsd.org
Subject: Re: FreeBSD PF 4.1 Inserts Flags S/SA Automatically to rules

Kian Mohageri wrote:
quoted text
> On Wed, May 14, 2008 at 3:45 PM, Mark Pagulayan
>> The way I see this is that this rule would be applied to udp traffic
as
quoted text
>> well which will be dropped/blocked because flags only work for tcp
and
quoted text
>> this might be the cause of state-mismatches that I see in the table -
> 
> 'flags S/SA keep state' will work OK for UDP too.  Only the 'keep
> state' part will be applied to UDP, since no flags are involved.
> 
>> state-mismatch                  11577272           48.7/s
> 
> Could be caused by reloading your ruleset to include 'keep state'
> mid-connections, I think.  PF won't be aware of where the state is
> (especially true if you're using TCP window scaling), so it will fail
> after a while and you'll see state mismatches.

even if reloading the ruleset to include "keep state" and/or "flags
s/sa"
didn't sever pre-existing connections, it shouldn't cause that large a
number of mismatches.

when was the last time you zeroed the statistics? is the mismatch count
still increasing w/ the 7.0 stateful rules? you may need to add "log
(all)"
to find out where the state mismatches are coming from.
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"