Date:      Sat, 21 Jul 2007 07:29:53 -0500
From:      JD Bronson <jbronson@sixcompanies.com>
To:        Jordan Gordeev <jgordeev@dir.bg>
Cc:        max@love2party.net, freebsd-questions@freebsd.org
Subject:   Re: pf and keep/modulate state on 6.2
Message-ID:  <200707211229.l6LCTqiL001484@ns2.sixcompanies.com>
In-Reply-To: <46A1EA91.5000306@dir.bg>
References:  <200702252202.l1PM2r46003312@cheyenne.sixcompanies.com> <720051dc0702260052v8e4d2b2v9bbca164bfe87a4b@mail.gmail.com> <720051dc0702260052v8e4d2b2v9bbca164bfe87a4b@mail.gmail.com > <200702261159.l1QBx46X006755@cheyenne.sixcompanies.com> <46A1EA91.5000306@dir.bg>

thanks for the update on this. I had forgotten about it since I just 
stopped using modulate state (is it really needed anymore?).

Then, the beginning of this month I moved my firewall/router back 
over to OpenBSD 4.1 to stay more current with pf instead of running 
-CURRENT within FreeBSD.

This fix really should be incorporated into 6.2-STABLE or even 6.2-STANDARD
I think. I wonder how many people use this and don't even know it's messed up?

-JD


At 02:14 PM 7/21/2007 +0300, Jordan Gordeev wrote:
>J.D. Bronson wrote:
>>At 02:52 AM 02/26/2007, you wrote:
>>
>>>Wow, this fixed my FTP-over-DSL-to-6.2 problem too. With modulate
>>>state, I was getting ~30K/sec. With just keep state, I'm now getting
>>>more like what my connection is capable of. This is between two 6.2
>>>hosts on opposite sides of the Atlantic.
>>>
>>>Ted, I use pf because I like the format of the configuration file, I
>>>like the logging and pftop, and like how it's harder to lock yourself
>>>out of a remote machine by accident :)
>>>
>>>/JMS
>>
>>I use pf since it's newer (I think?) and I came from OpenBSD..pf 
>>just works and the config file is nice and sweet.
>>I had thought that modulate state would put a load on my proc, but 
>>sheesh, it's a p4-3.06 - that's more than robust for a router.
>>I wonder if we should file a bug on this?
>>I am glad my post helped here. I still use modulate state for any 
>>INCOMING connections though (www/smtp/etc).
>
>
>I'm replying to an old and long-forgotten thread to report my recent findings.
>There's a bug in PF with modulate/synproxy state. Modulate/synproxy 
>state modulates sequence numbers, but doesn't modulate sequence numbers 
>in TCP SACK options. Some firewalls block TCP segments with sequence 
>numbers in the SACK option pointing outside the window, which causes 
>connection stalls. The bug was fixed in OpenBSD with revision 1.509 
>of src/sys/net/pf.c about a year and a half ago. The bug is present 
>in FreeBSD-STABLE. A fix for the bug was imported in FreeBSD-CURRENT 
>with the big import of PF from OpenBSD 4.1.
>I'm CC-ing Max to notify him of the bug present in -STABLE and to 
>ask him to deal with the issue by either porting the fix from 
>OpenBSD, or by documenting that modulate/synproxy state is broken.
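The SACK problem Jordan describes, modelled as an added example (this is not pf code and not from the thread): the reply-direction rewrite pulls the peer's ACK back by the per-state delta, and the SACK edges, which live in the same sequence space, are either left alone (the pre-1.509 behaviour) or shifted by the same amount. The delta, window and sequence numbers are constructed values, and the "strict firewall" check is an assumption about what a downstream stateful filter may enforce, not a description of any particular product.

```python
import struct

MOD = 1 << 32

def parse_sack_blocks(options: bytes):
    """Return (left, right) edges from any SACK option (kind 5) in raw TCP options."""
    blocks, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:          # EOL
            break
        if kind == 1:          # NOP
            i += 1
            continue
        length = options[i + 1]
        if length < 2:         # malformed option; stop rather than loop forever
            break
        if kind == 5:
            for off in range(i + 2, i + length, 8):
                blocks.append(struct.unpack("!II", options[off:off + 8]))
        i += length
    return blocks

def rewrite_reply(ack, sack_blocks, seqdiff, modulate_sack):
    """Model of the reply-direction rewrite a modulating state performs: the
    peer's ACK is pulled back by the delta added to our ISN. SACK edges live in
    that same space and need the same shift; modulate_sack=False is the old bug."""
    new_ack = (ack - seqdiff) % MOD
    if modulate_sack:
        sack_blocks = [((l - seqdiff) % MOD, (r - seqdiff) % MOD)
                       for l, r in sack_blocks]
    return new_ack, list(sack_blocks)

def sack_within_window(ack, window, sack_blocks):
    """Strict check a downstream stateful firewall may apply (assumed): every
    SACK block must fall inside (ack, ack + window], compared modulo 2^32."""
    for left, right in sack_blocks:
        d_left, d_right = (left - ack) % MOD, (right - ack) % MOD
        if not (0 < d_left < d_right <= window):
            return False
    return True

def demo(modulate_sack):
    """Constructed scenario: our ISN was shifted by 500000; the outside
    peer acks 501100 and SACKs [501200, 501300)."""
    seqdiff, window = 500000, 8192
    options = bytes([1, 1, 5, 10]) + struct.pack("!II", 501200, 501300)
    ack, blocks = rewrite_reply(501100, parse_sack_blocks(options),
                                seqdiff, modulate_sack)
    return ack, blocks, sack_within_window(ack, window, blocks)
```

With the old behaviour the rewritten ACK is 1100 but the SACK block still says 501200-501300, half a million bytes past any plausible window, so a filter that sanity-checks SACK edges drops the segment and the connection stalls.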