Date:      Fri, 15 Jun 2007 09:10:41 +0200
From:      Volker <volker@vwsoft.com>
To:        Vlad GURDIGA <gurdiga@gmail.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: pf(4) + fetch(1) + http://ftp.gnu.org
Message-ID:  <46723B71.1080404@vwsoft.com>
In-Reply-To: <da7069940706142324s42457676h58a4bd0956c78b54@mail.gmail.com>
References:  <da7069940706141336y25371e4cq5769beb2fa5208e3@mail.gmail.com> <da7069940706142324s42457676h58a4bd0956c78b54@mail.gmail.com>

On 06/15/07 08:24, Vlad GURDIGA wrote:
> Hello,
> 
> There is one strange thing going on with this combination. I saw this
> many times by now: when fetch(1) is trying to download something from
> http://ftp.gnu.org, it is hanging after a very small amount of data;
> sometimes on 0%. After disabling pf(4), fetch(1) is not hanging any
> more, so I guess that the problem is somewhere in my pf.conf. Here is
> it:
> 
> ---- pf.conf -- begin ---
> ext_if  = "em0"
> icmp_types="echoreq"
> 
> # don't filter on the loopback interface
> set skip on lo0
> set block-policy return
> 
> scrub all no-df random-id reassemble tcp
> 
> # setup a default deny policy
> block all
> 
> # activate spoofing protection for the internal interface.
> antispoof quick for lo0 inet
> 
> # pass tcp, udp, and icmp out on the external (Internet) interface.
> # keep state on udp and icmp and modulate state on tcp.
> pass in on $ext_if proto tcp from any to $ext_if port 65522 keep state
> 
> pass in inet proto icmp all icmp-type $icmp_types keep state
> pass out on $ext_if proto tcp all modulate state flags S/SA
> pass out on $ext_if proto {udp, icmp} all keep state
> ---- pf.conf -- end ---
> 
> Any idea what's wrong here?

Vlad,

if we're out of ideas, there would be something wrong... ;)

My first try is to replace your 'pass out on $ext_if ... modulate
state ...' by 'keep state'. modulate state is more of use for incoming
connections as you don't want half open connections to your services.

HTH

Volker
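
Volker's suggestion applied to Vlad's posted ruleset, as an added example that is not part of the original thread: the only change is that the outbound TCP rule uses 'keep state' in place of 'modulate state'. The 'flags S/SA' qualifier is kept as an assumption, since his "..." leaves it open whether it was meant to go too.

```conf
# Vlad's pf.conf from the thread with Volker's suggested change applied.
# Only the outbound TCP rule differs from the posted ruleset.
ext_if  = "em0"
icmp_types="echoreq"

# don't filter on the loopback interface
set skip on lo0
set block-policy return

scrub all no-df random-id reassemble tcp

# setup a default deny policy
block all

# activate spoofing protection for the internal interface.
antispoof quick for lo0 inet

# inbound: the single TCP service port plus ICMP echo requests
pass in on $ext_if proto tcp from any to $ext_if port 65522 keep state
pass in inet proto icmp all icmp-type $icmp_types keep state

# outbound TCP: 'keep state' instead of 'modulate state'
# (the original line was: pass out on $ext_if proto tcp all modulate state flags S/SA)
pass out on $ext_if proto tcp all keep state flags S/SA
pass out on $ext_if proto {udp, icmp} all keep state
```

Before loading the changed file, `pfctl -nf /etc/pf.conf` parses it without activating it; `pfctl -f /etc/pf.conf` then loads it. To see whether the change made a difference, rerun the fetch(1) against http://ftp.gnu.org and compare `pfctl -ss` (current state entries, where the connection to the mirror should appear as a single established TCP state) and `pfctl -vvsr` (per-rule packet and byte counters) between the two rulesets.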



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?46723B71.1080404>