From: Daniel Hartmeier
To: Paul Dokas
Cc: frantzen@openbsd.org, freebsd-pf@freebsd.org
Date: Sat, 17 Dec 2005 09:00:48 +0100
Subject: Re: very odd PF + FreeBSD6.0 problems
Message-ID: <20051217080048.GE14269@insomnia.benzedrine.cx>
In-Reply-To: <20051216134759.795206f3.dokas@oitsec.umn.edu>

On Fri, Dec 16, 2005 at 01:47:59PM -0600, Paul Dokas wrote:

> Bingo (I think).  I found the following in the firewall's kernel config:
>
>   options HZ=2000
>
> I'm going to get that changed and see if the problem goes away.

I just discovered that this seems to be a known problem with setting HZ,
if only I had searched earlier ;)

  Subject: 6-STABLE: HZ>1000, RFC1323 non-compliance, and PF
  http://marc.theaimsgroup.com/?t=113476573600004&r=1&w=2

  Problem Report kern/61404 : RFC1323 timestamps with HZ > 1000
  http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/61404

It appears that this is related to the HZ setting on your SSH server
(i.e. one of the TCP endpoints), not any HZ setting on the kernel pf runs
on itself (so it requires a fix in the generic TCP code, not within pf).

Daniel
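An added example, not part of the original message or of pf/FreeBSD code: one way to tell which TCP endpoint has a timestamp clock faster than RFC 1323 allows (1 ms to 1 s per tick) is to estimate the rate at which its TSval advances in a packet capture. The function names and the sample (capture time, TSval) pairs are constructed for illustration, and the sketch assumes the endpoint's TSval advances once per kernel tick, so HZ=2000 shows up as roughly 2000 ticks per second.

```python
"""Estimate a TCP peer's RFC 1323 timestamp clock rate from a capture."""
from typing import Iterable, Tuple

TS_MOD = 1 << 32         # TSval is a 32-bit counter and wraps
RFC1323_MAX_HZ = 1000.0  # fastest clock RFC 1323 allows: 1 ms per tick
RFC1323_MIN_HZ = 1.0     # slowest clock RFC 1323 allows: 1 s per tick


def estimate_ts_hz(samples: Iterable[Tuple[float, int]]) -> float:
    """Return TSval ticks per second over (capture_time_s, tsval) samples."""
    ordered = sorted(samples)  # order by capture time
    if len(ordered) < 2:
        raise ValueError("need at least two samples")
    elapsed = ordered[-1][0] - ordered[0][0]
    if elapsed <= 0:
        raise ValueError("samples must span a positive time interval")
    ticks = 0
    for (_, v0), (_, v1) in zip(ordered, ordered[1:]):
        # Signed 32-bit difference: survives counter wrap, and a slightly
        # older TSval on a reordered segment cancels out in the sum.
        delta = (v1 - v0) % TS_MOD
        if delta >= TS_MOD // 2:
            delta -= TS_MOD
        ticks += delta
    return ticks / elapsed


def classify(hz: float, tolerance: float = 0.05) -> str:
    """Compare an estimated rate with the RFC 1323 range, allowing jitter."""
    if hz > RFC1323_MAX_HZ * (1 + tolerance):
        return "too fast"
    if hz < RFC1323_MIN_HZ * (1 - tolerance):
        return "too slow"
    return "ok"


# Constructed samples: a peer ticking at 2000 Hz whose TSval wraps mid-capture,
# and a peer ticking at 1000 Hz.
HZ2000_PEER = [(0.0, 4294966296), (0.5, 0), (1.0, 1000), (1.5, 2000)]
HZ1000_PEER = [(0.0, 500000), (0.25, 500250), (0.5, 500500)]

if __name__ == "__main__":
    for name, peer in (("hz2000", HZ2000_PEER), ("hz1000", HZ1000_PEER)):
        hz = estimate_ts_hz(peer)
        print(f"{name}: {hz:.0f} ticks/s -> {classify(hz)}")
```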