Subject: Re: IPF 4.1.22
To: Hauke Fath <hauke@Espresso.Rhein-Neckar.DE>
From: Darren Reed <darrenr@NetBSD.org>
List: tech-net
Date: 05/18/2007 10:25:36
On Thu, May 17, 2007 at 07:44:41PM +0200, Hauke Fath wrote:
> From some point in time (reached within a few hours on a working day) all
> incoming packets were blocked. In the end, the router itself was flooding
> the local DNS servers with requests while at the same time blocking some of
> the outgoing packets:
> 
> 05:59:59.971309 wm0 @131:2 b 130.83.xx.yy,58501 ->
> ns1.hrz.tu-darmstadt.de[130.83.22.63],domain PR udp len 20 72 OUT
>
> where group 131 has
> 
> # ipfstat -on | grep 131
> @2 block out log quick on wm0 all head 131
> @1 pass out quick proto tcp from 130.83.xx.yy/32 to any flags S/FSRPAU keep
> state keep frags group 131
> @2 pass out quick proto udp from 130.83.xx.yy/32 to any keep state keep
> frags group 131
> @3 pass out quick proto icmp from 130.83.xx.yy/32 to any keep state keep
> frags group 131
> #
...

What you really need to look at is "ipfstat -s" and see what it has
for the "maximum" counter.  4.1.22 does improve the situation when
it is time to clean out the state table and make room for new connections.

Darren
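As an added example that is not part of Darren's reply or of the IPFilter sources: a small POSIX shell check that reads "ipfstat -s" output and reports whether the "maximum" or "no memory" counters are non-zero, i.e. whether the kernel has already refused to insert new state entries. The two ipfstat transcripts inside it are constructed for offline use, and the counter layout (a value followed by its label under "IP states added:") is assumed to match ipf 4.x output; compare with the local build before relying on the parser.

```shell
#!/bin/sh
# Added example (not from the thread or from IPFilter): parse the counters that
# "ipfstat -s" prints under "IP states added:" and say whether the state table
# has been hitting its limit. "maximum" counts attempts to insert a state while
# the table was already full, "no memory" counts allocation failures; either one
# being non-zero means new flows were dropped instead of tracked.
# Both samples below are constructed; the layout is assumed to mirror ipf 4.x.

FULL_SAMPLE='IP states added:
        127886 TCP
        39054 UDP
        87 ICMP
        0 other
        95 hits
        1434 misses
        4112 maximum
        0 no memory
        0 max bucket
        4096 active
        166948 expired
        0 closed
State logging enabled'

OK_SAMPLE='IP states added:
        1201 TCP
        88 UDP
        3 ICMP
        0 other
        7 hits
        19 misses
        0 maximum
        0 no memory
        0 max bucket
        211 active
        1081 expired
        0 closed
State logging enabled'

# counter NAME: print the value of the counter labelled NAME from ipfstat -s
# text on stdin; prints 0 when the label is absent so arithmetic stays safe.
counter() {
    awk -v name="$1" '
        $0 ~ "^[ \t]*[0-9]+[ \t]+" name "$" { print $1; found = 1; exit }
        END { if (!found) print 0 }'
}

# state_table_check: read ipfstat -s output on stdin, print one status line:
#   FULL - "maximum" or "no memory" is non-zero, inserts have been refused
#   OK   - the table has not been hitting its limit
# A "maximum" that keeps growing between two runs is the symptom to watch.
state_table_check() {
    text=$(cat)
    max=$(printf '%s\n' "$text" | counter maximum)
    nomem=$(printf '%s\n' "$text" | counter "no memory")
    active=$(printf '%s\n' "$text" | counter active)
    if [ "$max" -gt 0 ] || [ "$nomem" -gt 0 ]; then
        status=FULL
    else
        status=OK
    fi
    echo "$status active=$active maximum=$max nomem=$nomem"
}

case "${1:-}" in
    --live) ipfstat -s | state_table_check ;;                 # on the router
    *)      printf '%s\n' "$FULL_SAMPLE" | state_table_check ;;  # offline demo
esac
```

Run without arguments it evaluates the constructed "full" sample; `sh check.sh --live` on the router feeds real `ipfstat -s` output through the same function. Running it a few minutes apart and watching whether `maximum` keeps climbing is the check Darren points at; the number to compare `active` against is the configured state table limit (the fr_statemax tunable).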