Message-ID: <4674A131.4050200@gmail.com>
Date: Sun, 17 Jun 2007 04:49:21 +0200
From: Sten Daniel Soersdal
To: Vlad GURDIGA
Cc: freebsd-questions@freebsd.org
Subject: Re: pf(4) + fetch(1) + http://ftp.gnu.org

Vlad GURDIGA wrote:
> Hello,
>
> There is one strange thing going on with this combination. I saw this
> many times by now: when fetch(1) is trying to download something from
> http://ftp.gnu.org, it is hanging after a very small amount of data;
> sometimes on 0%. After disabling pf(4), fetch(1) is not hanging any
> more, so I guess that the problem is somewhere in my pf.conf. Here is
> it:
>
> ---- pf.conf -- begin ---
> ext_if = "em0"
> icmp_types="echoreq"
>
> # don't filter on the loopback interface
> set skip on lo0
> set block-policy return
>
> scrub all no-df random-id reassemble tcp
>
> # setup a default deny policy
> block all
>
> # activate spoofing protection for the internal interface.
> antispoof quick for lo0 inet
>
> # pass tcp, udp, and icmp out on the external (Internet) interface.
> # keep state on udp and icmp and modulate state on tcp.
> pass in on $ext_if proto tcp from any to $ext_if port 65522 keep state
>
> pass in inet proto icmp all icmp-type $icmp_types keep state
> pass out on $ext_if proto tcp all modulate state flags S/SA
> pass out on $ext_if proto {udp, icmp} all keep state
> ---- pf.conf -- end ---
>

My guess is, your path-mtu is lower at some point between you and
ftp.gnu.org which (may or may not) result in an icmp packet indicating
that the packet was dropped as fragmentation was needed but DF flag was
set. It is usually possible to see via tcpdump or ethereal.
Try permitting all icmp packets both ways to see.

-- 
Sten Daniel Soersdal
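
Added example, not part of the original message: a small Python parser that recognises the ICMP message the reply describes (type 3, code 4, "fragmentation needed and DF set") in a raw IPv4 packet and reports the next-hop MTU and the datagram that was dropped, which is what one would look for in a capture. The packets, addresses and the names parse_frag_needed and ipv4_header are constructed for illustration; checksums are left at zero.

```python
import socket
import struct


def ipv4_header(src, dst, proto, total_len, df=False):
    """Build a 20-byte IPv4 header for the constructed samples (checksum 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0,
                       0x4000 if df else 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def parse_frag_needed(packet):
    """Return details if `packet` is ICMP type 3 code 4, otherwise None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                       # too short or not IPv4
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8:
        return None                       # protocol 1 is ICMP
    icmp_type, icmp_code, _cksum, _unused, mtu = struct.unpack(
        "!BBHHH", packet[ihl:ihl + 8])
    if (icmp_type, icmp_code) != (3, 4):
        return None                       # not "fragmentation needed"
    inner = packet[ihl + 8:]              # header of the dropped datagram
    if len(inner) < 20:
        return None
    total_len, _ident, flags_frag = struct.unpack("!HHH", inner[2:8])
    return {
        "reporting_router": socket.inet_ntoa(packet[12:16]),
        "next_hop_mtu": mtu,              # RFC 1191 field; 0 on old routers
        "orig_src": socket.inet_ntoa(inner[12:16]),
        "orig_dst": socket.inet_ntoa(inner[16:20]),
        "orig_total_len": total_len,
        "orig_df_set": bool(flags_frag & 0x4000),
    }


# Constructed sample: router 203.0.113.1 reports that a 1500-byte DF datagram
# from 192.0.2.10 to 198.51.100.20 did not fit a link with MTU 1400.
SAMPLE_FRAG_NEEDED = (
    ipv4_header("203.0.113.1", "192.0.2.10", 1, 56)
    + struct.pack("!BBHHH", 3, 4, 0, 0, 1400)
    + ipv4_header("192.0.2.10", "198.51.100.20", 6, 1500, df=True)
    + struct.pack("!HHI", 50000, 80, 1))  # first 8 bytes of the TCP header

# Constructed sample: an ordinary echo reply, which must not match.
SAMPLE_ECHO_REPLY = (ipv4_header("198.51.100.20", "192.0.2.10", 1, 28)
                     + struct.pack("!BBHHH", 0, 0, 0, 1, 1))

if __name__ == "__main__":
    print(parse_frag_needed(SAMPLE_FRAG_NEEDED))
    print(parse_frag_needed(SAMPLE_ECHO_REPLY))
```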