From owner-freebsd-pf@freebsd.org Mon Dec 14 09:55:26 2015
From: Kolontai Andrej
To: freebsd-pf@freebsd.org
Subject: RE: Machine freezes when loading pf ruleset
Date: Mon, 14 Dec 2015 09:54:10 +0000
Message-ID: <894145A3DDBDEF4880E00D334DCD87264AA602D3@MXS2.zuv.uni-muenchen.de>
References: <894145A3DDBDEF4880E00D334DCD87263EC814A8@MXS2.zuv.uni-muenchen.de> <894145A3DDBDEF4880E00D334DCD87263EC83B6C@MXS2.zuv.uni-muenchen.de> <566B4370.6090309@airnet.opole.pl>
In-Reply-To: <566B4370.6090309@airnet.opole.pl>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hello Krzysiek,

we've actually managed to resolve our problem. I guess I should have reported that back to the list, sorry for that.

Yet, our problem was not related to the issues addressed by the patch. It turned out to be a small bug in pfctl (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202996).

In our configuration, pfctl effectively set the debug level to "loud" before loading the ruleset and back to the normal value after it finished. That caused a lot of messages to be sent to the console and syslog right out of the pf code. As a result, this reduced pf processing to the speed of the console/syslog, which apparently is not much on our machines. At least not enough for gbit traffic. That's why the machine appeared to be frozen.

You can only be affected by this bug if you have set the debug level inside the ruleset, i.e. "set debug urgent". If that is the case, just remove the statement and try again. The debug level can also be set via the command line if necessary.

So far, we never had any problems again.

Best regards
Andrej Kolontai

Ludwig-Maximilians-Universitaet Muenchen
Ref. VI.4 (IT-Sicherheit & Verzeichnisdienste)
Martiusstrasse 4 / 207
80802 Muenchen

phone +49 (0)89 2180-3815
email mailto:andrej.kolontai@verwaltung.uni-muenchen.de
web http://www.uni-muenchen.de/zuv/it/

>-----Original Message-----
>From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Krzysiek
>Sent: Friday, December 11, 2015 10:43 PM
>To: freebsd-pf@freebsd.org
>Subject: Re: Machine freezes when loading pf ruleset
>
>On 2015-08-27 at 15:32, Kolontai Andrej wrote:
>>> The patch provided at https://reviews.freebsd.org/D3503 should help your case.
>>> During a full ruleset reload, taking into account so many rules, you will impact normal packet processing.
>>> Hence you have the feeling of the box being frozen or not forwarding traffic.
>>> That patch reduces the overhead of reloading a ruleset.
>>> Though even more lock breakdown is necessary on pf(4), but that is another topic.
>> Sounds great. I'll try that.
>>
>> Andrej
>>
>> _______________________________________________
>> freebsd-pf@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>
>Hello,
>
>Dear Andrej
>Please let us know whether the provided patch worked for you.
>I'm experiencing similar problems with 10.2 (r287460M), but my ruleset is just 45 lines (`pfctl -sr | wc -l`).
>Btw., I'm not using CARP/pfsync, just pf and pflog.
>
>Thanks!
>Best regards
>Krzysiek Barcikowski

From owner-freebsd-pf@freebsd.org Mon Dec 14 10:25:08 2015
From: Krzysiek
To: freebsd-pf@freebsd.org
Subject: Re: Machine freezes when loading pf ruleset
Date: Mon, 14 Dec 2015 11:24:57 +0100
Message-ID: <566E98F9.8090000@airnet.opole.pl>
References: <894145A3DDBDEF4880E00D334DCD87263EC814A8@MXS2.zuv.uni-muenchen.de> <894145A3DDBDEF4880E00D334DCD87263EC83B6C@MXS2.zuv.uni-muenchen.de> <566B4370.6090309@airnet.opole.pl> <894145A3DDBDEF4880E00D334DCD87264AA602D3@MXS2.zuv.uni-muenchen.de>
In-Reply-To: <894145A3DDBDEF4880E00D334DCD87264AA602D3@MXS2.zuv.uni-muenchen.de>
Hello Andrej

This is exactly my issue. Thanks a lot!

Krzysiek Barcikowski

On 2015-12-14 at 10:54, Kolontai Andrej wrote:
> Hello Krzysiek,
>
> we've actually managed to resolve our problem. I guess I should have reported that back to the list, sorry for that.
>
> Yet, our problem was not related to the issues addressed by the patch. It turned out to be a small bug in pfctl (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202996).
>
> In our configuration, pfctl effectively set the debug level to "loud" before loading the ruleset and back to the normal value after it finished.
> That caused a lot of messages to be sent to the console and syslog right out of the pf code. As a result, this reduced pf processing to the speed of the console/syslog, which apparently is not much on our machines. At least not enough for gbit traffic. That's why the machine appeared to be frozen.
>
> You can only be affected by this bug if you have set the debug level inside the ruleset, i.e. "set debug urgent". If that is the case, just remove the statement and try again. The debug level can also be set via the command line if necessary.
>
> So far, we never had any problems again.
>
> Best regards
> Andrej Kolontai
> [...]

From owner-freebsd-pf@freebsd.org Mon Dec 14 11:28:20 2015
From: "Van Wijk, Willy"
To: freebsd-pf@freebsd.org
Subject: Drive A New Car from R499 P/M
Date: Mon, 14 Dec 2015 11:21:38 +0000
X-Content-Filtered-By: Mailman/MimeDel 2.1.20


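The pfctl bug Andrej describes above is only triggered when the debug level is set inside the ruleset, so the practical check is to look for a `set debug` line in pf.conf, take it out, and apply the level with `pfctl -x` after the load instead. The following is an added example written for this page, not code from the thread or from the FreeBSD project; the level names are those accepted by pf.conf(5) and pfctl(8), while the sample ruleset and all function names are constructed for the example.

```python
# Added example, not code from the thread: a small check for the situation
# Andrej describes. A `set debug <level>` statement inside the ruleset is the
# precondition for the pfctl bug (PR 202996), so the check finds such lines,
# removes them and suggests setting the level out of band with `pfctl -x`.
# The level names come from pf.conf(5); the sample ruleset and all function
# names are constructed for this example.
import re

# Debug levels accepted by pf.conf "set debug" and by "pfctl -x".
DEBUG_LEVELS = ("none", "urgent", "misc", "loud")

# "set debug <level>", optionally followed by a comment.
_SET_DEBUG = re.compile(r"^\s*set\s+debug\s+(?P<level>\S+)\s*(?:#.*)?$")


def find_set_debug(ruleset: str):
    """Return [(line_no, level), ...] for every `set debug` line in ruleset."""
    hits = []
    for n, line in enumerate(ruleset.splitlines(), start=1):
        m = _SET_DEBUG.match(line)
        if m:
            hits.append((n, m.group("level")))
    return hits


def strip_set_debug(ruleset: str):
    """Drop `set debug` lines and return (cleaned_ruleset, pfctl_command).

    pfctl_command is the `pfctl -x <level>` invocation that applies the same
    level after the ruleset has been loaded, or None if nothing was removed.
    If several lines are present the last level is kept (an assumption made
    here, not a statement about pfctl's own parsing).
    """
    kept, level = [], None
    for line in ruleset.splitlines():
        m = _SET_DEBUG.match(line)
        if m:
            level = m.group("level")
            continue
        kept.append(line)
    if level is not None and level not in DEBUG_LEVELS:
        raise ValueError(f"unknown debug level {level!r}, expected one of {DEBUG_LEVELS}")
    cleaned = "\n".join(kept)
    if ruleset.endswith("\n"):
        cleaned += "\n"
    return cleaned, (f"pfctl -x {level}" if level is not None else None)


# Constructed sample ruleset (not the one from the thread).
SAMPLE_RULESET = """\
# sample pf.conf for the check above
set debug urgent
set skip on lo0
scrub in all
block in log all
pass out all keep state
"""


def check(ruleset: str = SAMPLE_RULESET):
    """Run the check and return the cleaned ruleset plus the pfctl command."""
    for n, level in find_set_debug(ruleset):
        print(f"line {n}: 'set debug {level}' is set inside the ruleset; "
              "move it out (see PR 202996)")
    cleaned, cmd = strip_set_debug(ruleset)
    if cmd:
        print(f"after 'pfctl -f <file>' run: {cmd}")
    return cleaned, cmd


if __name__ == "__main__":
    print(check()[0], end="")
```

Feed it the text of your own pf.conf (for example `check(open("/etc/pf.conf").read())`); the cleaned ruleset is what you load with `pfctl -f`, and the printed `pfctl -x` line restores the debug level you wanted without going through the ruleset.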
From owner-freebsd-pf@freebsd.org Mon Dec 14 20:11:23 2015
From: murdoch.john@moumantai.de
To: freebsd-pf@freebsd.org
Subject: Unable to upload to S3 when pf is activated
Date: Mon, 14 Dec 2015 21:04:58 +0100

Hi there,

this might sound like a strange question, but when I activate the PF firewall using a minimal rule set (see below), uploading files to AWS S3 becomes impossible. The boto library throws a 'broken pipe' exception. But if I deactivate the firewall, everything works fine.

> uname -a
FreeBSD ip-10-193-173-48 10.2-RELEASE-p7 FreeBSD 10.2-RELEASE-p7

> cat /etc/pf.conf
scrub all
block return-icmp log (all) all
pass log (all) all modulate state

> aws --version
aws-cli/1.9.12 Python/2.7.10 FreeBSD/10.2-RELEASE-p7 botocore/1.3.12

There are no 'block' entries when watching pflog0.

https://gist.github.com/JoergFiedler/b284af0be47983ac867b

I am lost. Anyone any ideas?

Thanks a lot.
John

From owner-freebsd-pf@freebsd.org Mon Dec 14 20:19:25 2015
From: Kristof Provost
To: murdoch.john@moumantai.de
Cc: freebsd-pf@freebsd.org
Subject: Re: Unable to upload to S3 when pf is activated
Date: Mon, 14 Dec 2015 21:19:19 +0100
Message-Id: <8F94731D-E0B3-4B94-83B8-1928ECBC20B8@FreeBSD.org>
> On 14 Dec 2015, at 21:04, murdoch.john@moumantai.de wrote:
> this might sound like a strange question, but when I activate the PF
> firewall using a minimal rule set (see below), uploading files to
> AWS S3 becomes impossible.
> ...
> I am lost. Anyone any ideas?

Am I right in assuming that the FreeBSD machine is also running on Amazon?

There's a known problem with pf and TSO which manifests (among other places) in EC2 instances.
It's actually been fixed in stable/10, so the 10.3 release will have the fix.
In 10.2 you can work around the problem by disabling TSO (ifconfig foo0 -tso should do the trick).

See PR 154428, 193579, 198868 for more information.

Regards,
Kristof

From owner-freebsd-pf@freebsd.org Mon Dec 14 20:38:53 2015
From: murdoch.john@moumantai.de
To: Kristof Provost
Cc: freebsd-pf@freebsd.org
Subject: Re: Unable to upload to S3 when pf is activated
Date: Mon, 14 Dec 2015 21:38:51 +0100
Message-Id: <97FFE650-FFC8-4EB3-81EF-CF3B7A55B1F1@moumantai.de>
In-Reply-To: <8F94731D-E0B3-4B94-83B8-1928ECBC20B8@FreeBSD.org>

Hi Kristof,

yes, the machine runs on Amazon, and yes again, -tso fixed the problem.

Could I have seen this somehow watching the pf log? Maybe packet length?

Thank you so much. I spent hours tracking this down.

Best,
JOERG

> On 14 Dec 2015, at 21:19, Kristof Provost wrote:
>
> Am I right in assuming that the FreeBSD machine is also running on Amazon?
>
> There's a known problem with pf and TSO which manifests (among other places) in EC2 instances.
> It's actually been fixed in stable/10, so the 10.3 release will have the fix.
> In 10.2 you can work around the problem by disabling TSO (ifconfig foo0 -tso should do the trick).
>
> See PR 154428, 193579, 198868 for more information.
> [...]

From owner-freebsd-pf@freebsd.org Mon Dec 14 20:45:26 2015
From: Berend de Boer
To: murdoch.john@moumantai.de
Cc: Kristof Provost, freebsd-pf@freebsd.org
Subject: Re: Unable to upload to S3 when pf is activated
Date: Tue, 15 Dec 2015 09:44:30 +1300
Message-ID: <87mvtciwup.wl-berend@pobox.com>
In-Reply-To: <97FFE650-FFC8-4EB3-81EF-CF3B7A55B1F1@moumantai.de>

>>>>> "murdoch" == murdoch john writes:

murdoch> Thank you so much. I spent hours tracking this down.

Welcome to the club :-)

--
All the best,

Berend de Boer

From owner-freebsd-pf@freebsd.org Mon Dec 14 21:17:54 2015
From: Kristof Provost
To: murdoch.john@moumantai.de
Cc: freebsd-pf@freebsd.org
Subject: Re: Unable to upload to S3 when pf is activated
Date: Mon, 14 Dec 2015 22:17:50 +0100
Message-Id: <28626F70-AF5A-4417-BEF2-2DC759EC948E@FreeBSD.org>
In-Reply-To: <97FFE650-FFC8-4EB3-81EF-CF3B7A55B1F1@moumantai.de>

> On 14 Dec 2015, at 21:38, murdoch.john@moumantai.de wrote:
> yes, the machine runs on Amazon, and yes again, -tso fixed the problem.
>
> Could I have seen this somehow watching the pf log? Maybe packet length?

It'd be hard to spot. The problem was related to the checksums, so you'd have to explicitly look for checksum errors.
To make it worse, you'd not spot the problem looking at tcpdump captures on the machine itself (because you'd see the pre-segmentation packets).

In effect, the best, if not only, way to spot it would be to set up a TCP connection to another machine you control and then send large chunks of data (to trigger TSO) and look at those checksums.

Regards,
Kristof
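Kristof's two replies above come down to one check and one caveat: recompute the TCP checksum of the segments as they arrive on the other machine, and do not trust a capture taken on the TSO sender itself, because there tcpdump sees the large pre-segmentation packets before the NIC has finalised the checksum. The block below is an added example written for this page, not code from the thread, from Kristof or from the FreeBSD project; it implements the receiving-side check on raw IPv4/TCP packet bytes (the form a pcap hands you) and builds its own constructed packets to exercise it. The addresses, ports and the placeholder value left in the unfinalised checksum field are assumptions made for the example.

```python
# Added example, not code from the thread: a receiving-side TCP checksum
# check on raw IPv4 packets, i.e. what Kristof says you have to look for
# explicitly. A capture on the TSO sender itself shows pre-segmentation
# packets whose checksum the NIC has not finalised, so the check only
# means something on the machine at the other end of the connection.
# All packets below are constructed here; none is a real capture, and the
# "unfinalised" checksum value is a placeholder, not a claim about what a
# specific driver leaves in the field.
import struct
from typing import Optional, Tuple

IPPROTO_TCP = 6


def _ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum of data; an odd trailing byte is padded with zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(ipv4_packet: bytes) -> int:
    """Checksum the TCP segment in an IPv4 packet *should* carry."""
    ihl = (ipv4_packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ipv4_packet[2:4])[0]
    src, dst = ipv4_packet[12:16], ipv4_packet[16:20]
    segment = bytearray(ipv4_packet[ihl:total_len])
    segment[16:18] = b"\x00\x00"  # the checksum field counts as zero
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, len(segment))
    return _ones_complement_sum(pseudo + bytes(segment))


def tcp_checksum_ok(ipv4_packet: bytes) -> bool:
    """True if the stored TCP checksum matches the recomputed one."""
    if ipv4_packet[9] != IPPROTO_TCP:
        raise ValueError("not a TCP packet")
    ihl = (ipv4_packet[0] & 0x0F) * 4
    stored = struct.unpack("!H", ipv4_packet[ihl + 16:ihl + 18])[0]
    return stored == tcp_checksum(ipv4_packet)


def build_tcp_packet(src: bytes, dst: bytes, sport: int, dport: int,
                     payload: bytes, checksum: Optional[int] = None) -> bytes:
    """Minimal IPv4/TCP packet without options. checksum=None computes the
    right value; any other value is stored as-is (to mimic a bad one)."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                         64, IPPROTO_TCP, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", _ones_complement_sum(ip_hdr)) + ip_hdr[12:]
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18,
                          65535, 0, 0)
    if checksum is None:
        checksum = tcp_checksum(ip_hdr + tcp_hdr + payload)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", checksum) + tcp_hdr[18:]
    return ip_hdr + tcp_hdr + payload


# Constructed addresses for the demonstration (assumptions, not real hosts).
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])


def demo() -> Tuple[bool, bool]:
    """(receiver-side segment verifies, sender-side pre-segmentation packet verifies)."""
    on_wire = build_tcp_packet(SRC, DST, 54321, 443, b"PUT /bucket/key HTTP/1.1\r\n" * 4)
    # 4 KiB payload in one packet: what tcpdump on a TSO sender shows before
    # the NIC splits it; the checksum field is left at a placeholder value.
    pre_segmentation = build_tcp_packet(SRC, DST, 54321, 443, b"A" * 4096, checksum=0)
    return tcp_checksum_ok(on_wire), tcp_checksum_ok(pre_segmentation)


if __name__ == "__main__":
    ok_receiver, ok_sender = demo()
    print("receiver-side segment checksum ok:", ok_receiver)
    print("sender-side pre-segmentation packet checksum ok:", ok_sender)
```

To use it the way the reply suggests, open a TCP connection to a host you control, push a few megabytes through it so TSO kicks in, capture on the receiving host (for instance with `tcpdump -w`), and run `tcp_checksum_ok` over the IPv4 payloads of that capture; `tcpdump -vv` on the receiver does the same job and prints `(incorrect -> ...)` beside TCP checksums it can verify. On the sender the large pre-segmentation packets fail this check by construction, which is the false positive Kristof warns about. If you rely on the `-tso` workaround on 10.2, keep it across reboots by appending it to the interface line in /etc/rc.conf, e.g. `ifconfig_xn0="DHCP -tso"`, where the interface name is an assumption that you need to replace with your own.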