On 2007/06/13 12:01, Geraerts Andy wrote:
> >> Jun 13 11:05:01 spock /bsd: pf: NAT proxy port allocation (50001-65535)
> >> failed
> >>
> >> Can this be the cause of my errors?
>
> >Yes, you have run out of available ports to NAT from.
>
> >The straightforward answer is to NAT from a larger pool of addresses
> >i.e. nat ... -> { 1.1.1.1, 2.2.2.2, 3.3.3.0/24}
> >
> >The 50001:65535 range is set in /usr/src/sbin/pfctl/pfctl_parser.c
> >(PF_NAT_PROXY_PORT_LOW and ..._HIGH) which might give some opportunity
> >to shoot yourself in the foot (especially if you don't bother to make
> >related changes to sysctl net.inet.ip.port* to keep some hiports free
> >for connections from the box itself).
>
> If I look at the state table, I see :
>
> State Table Total Rate
> current entries 3744
> searches 2144319853 2594.8/s
> inserts 6610702 8.0/s
> removals 6606958 8.0/s
>
> Can I have more NAT port consumption than states?
Hmm, no, I don't think so.
'Available ports' is taken from ports used by the machine itself
_and_ ports used by NAT; they're all from the same pool, so it's not
'NAT port consumption' as such. Could it be processes on the machine,
as Peter suggested? netstat -nfinet -ptcp should have a long list
if that's it.
> Is there a way to see which nat consumes the most ports so
> I can add ip aliases to this specific nat?
Should just be 'pfctl -sn -v' and look at states (or parse
pfctl -ss output).
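An added shell example for that last suggestion (not from this thread or from pfctl itself): it tallies `pfctl -ss` states per NAT source address, so the pool address nearest the 50001-65535 proxy-port ceiling stands out. It assumes the IPv4 `pfctl -ss` line format of that era, `<if> <proto> <src>:<port> -> <natsrc>:<natport> -> <dst>:<port> <state>`, and runs on constructed sample lines.

```shell
#!/bin/sh
# Added example: count pf NAT states per translated source address.
# Assumed line format (IPv4, pf of the 2007 era):
#   em0 tcp 192.168.1.10:54321 -> 1.1.1.1:50001 -> 203.0.113.5:80  ESTABLISHED:ESTABLISHED
# The middle address is the NAT source whose proxy ports (50001-65535) get used up.
# Non-NAT states have only one arrow (or "<-") and are ignored.

# Constructed sample of pfctl -ss output: three states via 1.1.1.1,
# one via 2.2.2.2, and one inbound non-NAT state that must not be counted.
SAMPLE='em0 tcp 192.168.1.10:54321 -> 1.1.1.1:50001 -> 203.0.113.5:80       ESTABLISHED:ESTABLISHED
em0 tcp 192.168.1.10:54322 -> 1.1.1.1:50002 -> 203.0.113.5:443      ESTABLISHED:ESTABLISHED
em0 udp 192.168.1.20:5353 -> 1.1.1.1:50003 -> 203.0.113.9:53        SINGLE:MULTIPLE
em0 tcp 192.168.2.7:40000 -> 2.2.2.2:50001 -> 198.51.100.3:22       ESTABLISHED:ESTABLISHED
em0 tcp 192.168.1.1:22 <- 192.168.1.10:44444       ESTABLISHED:ESTABLISHED'

# Read pfctl -ss lines on stdin; print "<states> <nat-address>", busiest first.
# Each NATed state holds one proxy port on that address, so a count approaching
# 15535 (65535 - 50001 + 1) means that address is about to fail allocation.
count_nat_states() {
    awk '$4 == "->" && $6 == "->" {
             split($5, a, ":")        # drop the proxy port, keep the NAT address
             n[a[1]]++
         }
         END { for (k in n) print n[k], k }' | sort -rn
}

# Proxy ports still free on one NAT address, given its current state count.
nat_ports_left() {
    awk -v used="$1" 'BEGIN { print 65535 - 50001 + 1 - used }'
}

# Demo on the constructed sample; on a real box use:  pfctl -ss | count_nat_states
printf '%s\n' "$SAMPLE" | count_nat_states
```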