From: "Kian Mohageri" <kian.mohageri@gmail.com>
Date: Fri, 9 Jun 2006 01:47:50 -0700
Subject: Re: pf buggy on 6.1-STABLE?
Cc: freebsd-stable@freebsd.org, freebsd-pf@freebsd.org
List-Id: "Technical discussion and general questions about packet filter (pf)"
In-Reply-To: <4F9C9299A10AE74E89EA580D14AA10A605F5BA@royal64.emp.zapto.org>

I think it is also worth mentioning that the connections failed (at least for me) immediately.
There does not appear to be any timeouts. Initially, this is what led me to believe it was NOT pf, because my block policy was drop, not reject. When a packet is a state mismatch, doesn't it simply get discarded (assuming block policy is "drop")? If so, shouldn't the client simply assume the packet was lost and retransmit, or time out after a period of time? I am having trouble understanding why the connection would fail immediately if pf was dropping packets. That, however, should mean that disabling pf wouldn't help -- but it does. Does pf handle state mismatch differently? Maybe a pf expert could speak on that.

Kian

On 6/8/06, Kian Mohageri wrote:
>
> I'm aware. I meant that as "pass quick" (without any keep state) ;)
>
> Kian
>
>
> On 6/8/06, Daniel Eriksson <daniel_k_eriksson@telia.com> wrote:
> >
> > Kian Mohageri wrote:
> >
> > > 'pass quick' (non-stateful) fixed the problems but I wasn't
> > > satisfied with that for obvious reasons.
> >
> > The 'quick' keyword does not make the rule non-stateful, it only aborts
> > further evaluation of the specific packet.
> >
> > See http://www.openbsd.org/faq/pf/filter.html#quick for more
> > information.
> >
> > /Daniel Eriksson
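As an added illustration (not part of the thread, and not Kian's actual ruleset), the following pf.conf fragment for the OpenBSD 3.7-derived pf shipped in FreeBSD 6.x shows the three things being discussed: a silent `drop` block policy, a `quick` rule that is still stateful, and a rule that is genuinely stateless because it has no `keep state`. The interface name `em0` and the ports are assumed.

```pf
# Added example, not from the thread. Assumes the external interface is em0.
ext_if = "em0"

# Kian's setting: rejected packets are silently discarded, so nothing is sent
# back that would make the client abort at once (a "return" policy would send
# a TCP RST or ICMP unreachable instead).
set block-policy drop

# Default deny; matching packets are discarded per the block policy above.
block in log on $ext_if

# 'quick' only stops evaluation of further rules for this packet. Because the
# rule carries 'keep state', it is still stateful and subject to state
# tracking (sequence/window checks) on later packets of the connection.
pass in quick on $ext_if proto tcp to ($ext_if) port 22 flags S/SA keep state

# A truly stateless pass in this pf generation: no 'keep state', so no state
# entry is created and no state-mismatch check applies. The price is that
# return traffic is not implicitly allowed and must be passed explicitly,
# which is why a stateless workaround is not a satisfying fix.
pass in  quick on $ext_if proto tcp to   ($ext_if) port 80
pass out quick on $ext_if proto tcp from ($ext_if) port 80
```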