From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 30 Jul 2007 11:08:28 GMT
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables

1 problem total.

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/82271   pf    [pf] cbq scheduler cause bad latency
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o kern/110698  pf    [pf] nat rule of pf without "on" clause causes invalid

3 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/93825   pf    [pf] pf reply-to doesn't work
o kern/103304  pf    [pf] pf accepts nonexistent queue in rules
o kern/106400  pf    [pf] fatal trap 12 at restart of PF with ALTQ if ng0 d
o kern/110174  pf    [pf] pf pass route-to does not assign correct IP for t
s conf/110838  pf    tagged parameter on nat not working on FreeBSD 5.2
o kern/114567  pf    [pf] LOR pf_ioctl.c + if.c

7 problems total.

From: James Seward
To: freebsd-pf@freebsd.org
Date: Tue, 31 Jul 2007 11:45:41 +0100
Subject: Transparent squid proxy with if_bridge

Hello all,

I'm trying to set up a machine using if_bridge to do transparent proxying via squid. I've been following a selection of walkthroughs online including http://www.benzedrine.cx/transquid.html

I have a machine with three network cards, two of which form the bridge and the third is for management. Using a rdr rule in pf.conf, I am rewriting packets from my workstation (currently the only client while I test) to localhost:8080. I have also tried redirecting to the IP of the management card. In both cases squid was configured to listen either on localhost:8080 or management_ip:8080. The "transparent" option appears on the http_port configuration line. Squid is currently set to allow anyone access.

If squid is listening on the management_ip, I can point my browser at that and squid services my request normally. If I bind squid to localhost, I can nc(1) to it and it services my request.

If I let the rdr rule redirect my packets to squid, nothing happens and the client times out. pfctl -sa shows that pf has done the redirection and displays something like:

  127.0.0.1:8080 <- external_ip:80 <- client_ip:34582 CLOSED:SYN_SENT

so it seems the SYN never arrives at squid. tcpdumping lo0 shows no traffic at all.

I have tried this with and without IPs for the bridged cards (without would suit me better) but I'm not sure if that's the problem at this stage.

--8<-- pf.conf ----
ext_if="fxp0"
int_if="xl0"

# send web-type stuff to the cache
rdr on $int_if inet proto tcp \
    from 192.168.200.112 to any port www \
    -> 127.0.0.1 port 8080

pass in all
pass out all
-----

--8<--- squid.conf
# egrep -v "^#" /usr/local/etc/squid/squid.conf | egrep -v '^$'
http_port 127.0.0.1:8080 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 32 MB
cache_dir ufs /usr/local/squid/cache 4096 16 256
access_log /usr/local/squid/logs/access.log squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
http_reply_access allow all
icp_access allow all
cache_mgr XXXXX
mail_program mail
visible_hostname XXXXX
logfile_rotate 10
append_domain .XXXXX
always_direct allow all
coredump_dir /usr/local/squid/cache
------

--%<--- ifconfig
fxp0: flags=8943 mtu 1500
        options=8
        inet 192.168.200.17 netmask 0xffffff00 broadcast 192.168.200.255
        ether 00:a0:c9:ea:92:91
        media: Ethernet autoselect (100baseTX )
        status: active
xl0: flags=8943 mtu 1500
        options=9
        inet 192.168.200.16 netmask 0xffffff00 broadcast 192.168.200.255
        ether 00:50:04:39:c2:f2
        media: Ethernet autoselect (100baseTX )
        status: active
rl0: flags=8843 mtu 1500
        options=8
        inet 192.168.200.113 netmask 0xffffff00 broadcast 192.168.200.255
        ether 00:40:f4:4d:84:31
        media: Ethernet autoselect (100baseTX )
        status: active
lo0: flags=8049 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
bridge0: flags=8843 mtu 1500
        ether 5a:6b:3a:b8:6a:c1
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto stp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 0 ifcost 0 port 0
        member: fxp0 flags=143
        member: xl0 flags=143
------

(xl0 and fxp0 currently have IPs, but it doesn't work when they don't either)

Sample state:

STATES:
self tcp 127.0.0.1:8080 <- 207.46.193.254:80 <- 192.168.200.112:50526 CLOSED:SYN_SENT

Every walkthrough makes it sound very simple and easy; I feel like I must be missing something obvious :)

Thanks in advance,
James

From: Patrick Proniewski
To: freebsd-pf@freebsd.org
Date: Wed, 1 Aug 2007 13:12:52 +0200
Subject: strange "throttling" issue with pf on xDSL connection

Hi

Two of us have found out a very strange issue with pf on FreeBSD 6.2 on a xDSL connection. In both cases:

- the FreeBSD system is plugged on a xDSL box provided by French ISP "free.fr" ("freebox")
- pf is used to firewall the connection and to share it on a LAN using NAT.
- pf.conf is relatively simple, and does not use ALTQ

We have discovered that requests to files on yield very poor download rates (approx. 140 KB/s), but we can launch 3 or more simultaneous downloads (approx. 120 KB/s each). So the total bandwidth looks ok. If we turn pf off (unload the kernel module or "set skip on $ext_if" in pf.conf), the download speed reaches 650-700 KB/s for the same file.

(note: http://test-debit.free.fr is an official bandwidth test page for the ISP free.fr)

Two things are strange:

- pf acts like it's throttling the connection, while no throttling instruction is given
- with other servers, it happens that the download speed is ok (not all servers), even if pf is active, but it's never ok with http://test-debit.free.fr unless pf is off.

I've come to the conclusion that pf alters in some way the TCP flow, and that this alteration is not compatible with some servers or network appliances, thus degrading the max transfer rates.

I have no particular sysctl options, ALTQ is not active (I've tested a kernel with and without ALTQ: same result). We've tested pf.conf without "scrub in all": same result.

Let me know if a tcpdumped transfer with and without pf could help. `dmesg`, `sysctl -a` and pf.conf upon request.

Any hint is welcome.
thanks,
patpro

From: Frank Behrens
To: freebsd-pf@freebsd.org
Date: Wed, 01 Aug 2007 14:33:02 +0200
Subject: pf eats syn packet?

I've been using pf for some weeks (after some years with ipfw) without problems, but see a weird effect now - pf(4) seems to eat a tcp syn packet. ;-)

This setup works without problems:
- FreeBSD 6.2-STABLE-200705211513 i386
- acts as router, some internal interfaces, one WAN interface (tun0, DSL with pppoe)
- NAT for WAN interface

The problem appears when
- additional WAN interface added (tun2, also DSL with pppoe)
- policy based routing added (to test for http port only)

# pfctl -s nat
nat-anchor "iface2" all
nat on tun0 inet from to any -> tun0-address
# pfctl -a iface2 -s nat
nat inet from !tun2-address to any port = http -> tun2-address

pass out quick on tun0 route-to (tun2 tun2-peer) inet from tun2-address to any keep state
pass out quick on tun2 route-to (tun0 tun0-peer) inet from tun0-address to any keep state

When I try to connect from an internal (NATed) host to an external address I see a delay, because the 1st SYN is resent (on internal interface):

13:55:30.256823 IP (tos 0x0, ttl 128, id 35958, offset 0, flags [DF], proto: TCP (6), length: 52) 192.168.50.02.2923 > 193.99.144.85.80: S, cksum 0x3f22 (correct), 1489020152:1489020152(0) win 65535
13:55:33.266554 IP (tos 0x0, ttl 128, id 35967, offset 0, flags [DF], proto: TCP (6), length: 52) 192.168.50.02.2923 > 193.99.144.85.80: S, cksum 0x3f22 (correct), 1489020152:1489020152(0) win 65535
13:55:33.325734 IP (tos 0x0, ttl 249, id 7928, offset 0, flags [DF], proto: TCP (6), length: 52) 193.99.144.85.80 > 192.168.50.02.2923: S, cksum 0xc2b3 (correct), 3368657865:3368657865(0) ack 1489020153 win 4320
13:55:33.325857 IP (tos 0x0, ttl 128, id 35968, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.50.02.2923 > 193.99.144.85.80: ., cksum 0x6b49 (correct), ack 1 win 43008
13:55:33.326854 IP (tos 0x0, ttl 128, id 35969, offset 0, flags [DF], proto: TCP (6), length: 137) 192.168.50.02.2923 > 193.99.144.85.80: P 1:98(97) ack 1 win 43008

then the traffic is normal, without any anomaly.

On outgoing interface tun2 I see:

13:55:33.266603 IP (tos 0x0, ttl 127, id 35967, offset 0, flags [DF], proto: TCP (6), length: 52) 84.182.234.162.58104 > 193.99.144.85.80: S, cksum 0xfd03 (correct), 1489020152:1489020152(0) win 65535
13:55:33.325695 IP (tos 0x0, ttl 250, id 7928, offset 0, flags [DF], proto: TCP (6), length: 52) 193.99.144.85.80 > 84.182.234.162.58104: S, cksum 0x8095 (correct), 3368657865:3368657865(0) ack 1489020153 win 4320
13:55:33.325880 IP (tos 0x0, ttl 127, id 35968, offset 0, flags [DF], proto: TCP (6), length: 40) 84.182.234.162.58104 > 193.99.144.85.80: ., cksum 0x292b (correct), ack 1 win 43008
13:55:33.326872 IP (tos 0x0, ttl 127, id 35969, offset 0, flags [DF], proto: TCP (6), length: 137) 84.182.234.162.58104 > 193.99.144.85.80: P 1:98(97) ack 1 win 43008

So the 1st SYN packet seems to disappear, which creates an additional delay on every connection.

Now my questions come:
1. Does anybody know the reason, is there an error in my setup?
2. Do you believe it is pf(4) related or is it a network stack problem?
3. What can I do to solve the problem? Some more debug output? I can test patches or include some debug code in my kernel.

Regards,
Frank
-- 
Frank Behrens, Osterwieck, Germany
PGP-key 0x5B7C47ED on public servers available.
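Comparing the two captures by eye is error-prone, so here is an added Python example (not Frank's code and not part of the thread) that automates the comparison he made: it parses tcpdump lines in the format above, keys each client SYN on the fields NAT leaves untouched (destination, initial sequence number and IP ID), lists SYNs seen on the inside interface that never reached tun2, and measures how long the client waited before its SYN was retransmitted. The two captures are Frank's, embedded inline.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One line of "tcpdump -nv" output, as pasted in the post:
# HH:MM:SS.usec IP (tos ..., id N, ...) src.port > dst.port: FLAGS, ... seq:seq(len) ack N win W
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \((?P<iphdr>.*?)\) "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<flags>[SPFR.]+),?(?P<rest>.*)$"
)
SEQ_RE = re.compile(r"(\d+):(\d+)\((\d+)\)")
ACK_RE = re.compile(r"\back (\d+)")
ID_RE = re.compile(r"\bid (\d+)")


@dataclass(frozen=True)
class Packet:
    ts: float            # seconds since midnight
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ip_id: int
    flags: str
    seq: Optional[int]   # first sequence number, if the line carries one
    ack: Optional[int]

    @property
    def is_syn(self) -> bool:
        # A client SYN has the S flag and no ACK; SYN/ACK replies are excluded.
        return "S" in self.flags and self.ack is None

    @property
    def key(self):
        # NAT rewrites the source address and port but leaves destination,
        # IP ID and initial sequence number alone, so this identifies one
        # transmission of a SYN on either side of the router.
        return (self.dst_ip, self.dst_port, self.seq, self.ip_id)


def _endpoint(text: str):
    ip, port = text.rsplit(".", 1)
    return ip, int(port)


def _seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line: str) -> Optional[Packet]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = _endpoint(m["src"])
    dst_ip, dst_port = _endpoint(m["dst"])
    seq = SEQ_RE.search(m["rest"])
    ack = ACK_RE.search(m["rest"])
    ip_id = ID_RE.search(m["iphdr"])
    return Packet(_seconds(m["ts"]), src_ip, src_port, dst_ip, dst_port,
                  int(ip_id.group(1)) if ip_id else -1, m["flags"],
                  int(seq.group(1)) if seq else None,
                  int(ack.group(1)) if ack else None)


def lost_syns(inside_lines, outside_lines):
    """SYN transmissions seen on the inside interface with no counterpart outside."""
    inside = [p for p in map(parse_line, inside_lines) if p and p.is_syn]
    outside = {p.key for p in map(parse_line, outside_lines) if p and p.is_syn}
    return [p for p in inside if p.key not in outside]


def syn_retransmit_delays(lines):
    """Per connection (dst ip, dst port, ISN): seconds from first to last SYN."""
    first, last = {}, {}
    for p in map(parse_line, lines):
        if p and p.is_syn:
            conn = (p.dst_ip, p.dst_port, p.seq)
            first.setdefault(conn, p.ts)
            last[conn] = p.ts
    return {c: round(last[c] - first[c], 6) for c in first}


# The two captures from the post: internal interface first, then tun2.
INSIDE = """\
13:55:30.256823 IP (tos 0x0, ttl 128, id 35958, offset 0, flags [DF], proto: TCP (6), length: 52) 192.168.50.02.2923 > 193.99.144.85.80: S, cksum 0x3f22 (correct), 1489020152:1489020152(0) win 65535
13:55:33.266554 IP (tos 0x0, ttl 128, id 35967, offset 0, flags [DF], proto: TCP (6), length: 52) 192.168.50.02.2923 > 193.99.144.85.80: S, cksum 0x3f22 (correct), 1489020152:1489020152(0) win 65535
13:55:33.325734 IP (tos 0x0, ttl 249, id 7928, offset 0, flags [DF], proto: TCP (6), length: 52) 193.99.144.85.80 > 192.168.50.02.2923: S, cksum 0xc2b3 (correct), 3368657865:3368657865(0) ack 1489020153 win 4320
13:55:33.325857 IP (tos 0x0, ttl 128, id 35968, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.50.02.2923 > 193.99.144.85.80: ., cksum 0x6b49 (correct), ack 1 win 43008
""".splitlines()
OUTSIDE = """\
13:55:33.266603 IP (tos 0x0, ttl 127, id 35967, offset 0, flags [DF], proto: TCP (6), length: 52) 84.182.234.162.58104 > 193.99.144.85.80: S, cksum 0xfd03 (correct), 1489020152:1489020152(0) win 65535
13:55:33.325695 IP (tos 0x0, ttl 250, id 7928, offset 0, flags [DF], proto: TCP (6), length: 52) 193.99.144.85.80 > 84.182.234.162.58104: S, cksum 0x8095 (correct), 3368657865:3368657865(0) ack 1489020153 win 4320
13:55:33.325880 IP (tos 0x0, ttl 127, id 35968, offset 0, flags [DF], proto: TCP (6), length: 40) 84.182.234.162.58104 > 193.99.144.85.80: ., cksum 0x292b (correct), ack 1 win 43008
""".splitlines()

if __name__ == "__main__":
    for p in lost_syns(INSIDE, OUTSIDE):
        print(f"SYN id={p.ip_id} to {p.dst_ip}:{p.dst_port} never left the router")
    for conn, delay in syn_retransmit_delays(INSIDE).items():
        print(f"{conn[0]}:{conn[1]} ISN {conn[2]}: client waited {delay:.3f}s")
```

On Frank's data the script reports the SYN with IP ID 35958 as lost and a 3.01 s retransmission delay, which is the per-connection stall he describes.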
From: Greg Hennessy
To: Patrick Proniewski, freebsd-pf@freebsd.org
Date: Wed, 1 Aug 2007 14:37:07 +0100
Subject: RE: strange "throttling" issue with pf on xDSL connection

> Hi
>
> Two of us have found out a very strange issue with pf on FreeBSD 6.2
> on a xDSL connection.
>

Posting a copy of your pf.conf and trawling the logs for drops around the same time as the transfers are underway would be useful.

You're possibly meeting an issue with tcp window scaling and keeping state on something other than Flags S/A.

Greg

From: Patrick Proniewski
To: Greg Hennessy
Cc: freebsd-pf@freebsd.org
Date: Wed, 1 Aug 2007 17:13:38 +0200
Subject: Re: strange "throttling" issue with pf on xDSL connection

On 01 août 2007, at 15:37, Greg Hennessy wrote:

> Posting a copy of your pf.conf

here we go :

# macros
int_if = "em0"
int_if_sec = "em1"
ext_if = "fxp0"
wif_if = "ath0"
tcp_services = "{ 22, 113, 80, 443, 25, 53, 554 }"
udp_services = "{ 53 }"
admin_tcp_services = "{ 311, 625, 5900, 5988 }"
admin_udp_services = "{ 3283 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8 }"
table persist { --few IPs-- }
table persist { --few IPs-- }
table persist file "/etc/pf.liste_ip_spamer"
table persist file "/etc/pf.liste_ip_ssh_scan"
table persist file "/etc/pf.liste_ip_webspam"
table persist { --few IPs-- }

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if from $int_if_sec:network to any -> ($ext_if)

# filter rules
block log all
block in log quick proto tcp from to any port smtp
block in log quick proto tcp from to any port ssh
block in log quick proto tcp from to any port http

pass quick on lo0 all

block drop in log quick on $ext_if from $priv_nets to any
block drop out log quick on $ext_if from any to $priv_nets

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_services keep state

##### admin
pass in log on $ext_if inet proto tcp from { , } to { ($ext_if), 192.168.0.2 } port $admin_tcp_services flags S/SA keep state
pass in log on $ext_if inet proto udp from { , } to { ($ext_if), 192.168.0.2 } port $admin_udp_services keep state

##### OpenArena
pass in on $ext_if inet proto tcp from to ($ext_if) port 56789 flags S/SA keep state
pass in on $ext_if inet proto udp from to ($ext_if) port 56789 keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass in on $int_if_sec from $int_if_sec:network to any keep state
pass out on $int_if_sec from any to $int_if_sec:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

> and trawling the logs for drops around the
> same time as the transfers are underway would be useful.

Absolutely nothing interesting out of `tcpdump -n -e -ttt -i pflog0`
Only a bunch of blocks for rule "0":

000000 rule 0/0(match): block in on fxp0: 82.235.245.158 > 82.235.12.223: [|tcp]
507955 rule 0/0(match): block in on fxp0: 82.235.245.158 > 82.235.12.223: [|tcp]
689510 rule 0/0(match): block in on fxp0: 82.235.245.158 > 82.235.12.223: [|tcp]
41. 432770 rule 0/0(match): block in on fxp0: 82.235.85.225 > 82.235.12.223: [|tcp]
584629 rule 0/0(match): block in on fxp0: 82.235.85.225 > 82.235.12.223: [|tcp]
2. 251236 rule 0/0(match): block in on fxp0: 82.235.228.221 > 82.235.12.223: [|tcp]
506420 rule 0/0(match): block in on fxp0: 82.235.225.106 > 82.235.12.223: [|tcp]
5. 288575 rule 0/0(match): block in on fxp0: 82.235.225.106 > 82.235.12.223: [|tcp]
12. 352415 rule 0/0(match): block in on fxp0: 82.235.245.158 > 82.235.12.223: [|tcp]

I've found this in /var/log/debug.log:

../..
Aug 1 14:00:01 boleskine pflogd[410]: [priv]: msg PRIV_OPEN_LOG received
Aug 1 16:00:02 boleskine pflogd[410]: [priv]: msg PRIV_OPEN_LOG received
../..

But I believe it's not related to my problem at all.
regards,
patpro

From: Patrick Proniewski
To: Greg Hennessy
Cc: freebsd-pf@freebsd.org
Date: Wed, 1 Aug 2007 17:42:19 +0200
Subject: Re: strange "throttling" issue with pf on xDSL connection

On 01 août 2007, at 15:37, Greg Hennessy wrote:

> You're possibly meeting an issue with tcp window scaling and keeping
> state on something other than Flags S/A.

While playing around with systat I've discovered that the transfer rate can be as low as 20 KB/s and as high as 850 KB/s on a single download from http://test-debit.free.fr, but the mean value will always be around 120-150 KB/s when pf is active. From one sample to another (every second), the transfer rate is very erratic.

If I disable pf on ext_if (set skip on $ext_if), the transfer rate quickly reaches 850 KB/s and is almost stable. It decreases to 400-450 KB/s for 1 or 2 seconds, 3 or 4 times per minute.

regards,
patpro

From: Greg Hennessy
To: Patrick Proniewski
Cc: freebsd-pf@freebsd.org
Date: Wed, 1 Aug 2007 17:21:33 +0100
Subject: RE: strange "throttling" issue with pf on xDSL connection

> # filter rules
> block log all
> block in log quick proto tcp from to any port smtp
> block in log quick proto tcp from to any port ssh
> block in log quick proto tcp from to any port http
>
> pass quick on lo0 all

Change this to

set skip on lo0

>
> block drop in log quick on $ext_if from $priv_nets to any
> block drop out log quick on $ext_if from any to $priv_nets

Superfluous, a default block policy should catch these.

> pass in on $ext_if inet proto tcp from any to ($ext_if) port
> $tcp_services flags S/SA keep state
> pass in on $ext_if inet proto udp from any to ($ext_if) port
> $udp_services keep state

I tend to avoid using 'any' as a source, use ! instead.

> > and trawling the logs for drops around the
> > same time as the transfers are underway would be useful.
>
> Absolutely nothing interesting out of `tcpdump -n -e -ttt -i pflog0`
> Only a bunch of blocks for rule "0":

You need to enable logging on the pass rules to identify which rule number the throughput test traffic is matching against. Then use pfctl -vsr to identify the precise one.

Looks like someone has compiled out inet6.

> 000000 rule 0/0(match): block in on fxp0: 82.235.245.158 >
> 82.235.12.223: [|tcp]

You need to increase the snap size. Change the tcpdump on pflog0 whilst testing to

tcpdump -s 160 -l -e -tttt -i pflog0

This will give you far more meaningful firewall logs to identify potential out of state drops.

Greg

>
>
> I've found this in /var/log/debug.log:
>
> ../..
> Aug 1 14:00:01 boleskine pflogd[410]: [priv]: msg PRIV_OPEN_LOG
> received
> Aug 1 16:00:02 boleskine pflogd[410]: [priv]: msg PRIV_OPEN_LOG
> received
> ../..
>
> But I believe it's not related to my problem at all.
>
>
> regards,
> patpro
>

From: Patrick Proniewski
To: Greg Hennessy
Cc: freebsd-pf@freebsd.org
Date: Wed, 1 Aug 2007 23:57:29 +0200
Subject: Re: strange "throttling" issue with pf on xDSL connection

On 01 août 2007, at 18:21, Greg Hennessy wrote:

>> pass quick on lo0 all
>
> Change this to
>
> set skip on lo0

thanks

>> block drop in log quick on $ext_if from $priv_nets to any
>> block drop out log quick on $ext_if from any to $priv_nets
>
> Superfluous, a default block policy should catch these.

ok

>> pass in on $ext_if inet proto tcp from any to ($ext_if) port
>> $tcp_services flags S/SA keep state
>> pass in on $ext_if inet proto udp from any to ($ext_if) port
>> $udp_services keep state
>
> I tend to avoid using 'any' as a source, use ! instead.

I'm going to try this

>> Absolutely nothing interesting out of `tcpdump -n -e -ttt -i pflog0`
>> Only a bunch of blocks for rule "0":
>
> You need to enable logging on the pass rules to identify which rule
> number the throughput test traffic is matching against.
> Then use pfctl -vsr to identify the precise one.
>
> Looks like someone has compiled out inet6.
>
>> 000000 rule 0/0(match): block in on fxp0: 82.235.245.158 >
>> 82.235.12.223: [|tcp]
>
> You need to increase the snap size. Change the tcpdump on pflog0
> whilst testing to
>
> tcpdump -s 160 -l -e -tttt -i pflog0
>
> This will give you far more meaningful firewall logs to identify
> potential out of state drops.

I'm afraid it's not better :

2007-08-01 23:46:28.845093 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.56404 > dns2.proxad.net.domain: 41734+ PTR? 23.219.98.87.in-addr.arpa. (43)
2007-08-01 23:46:31.677123 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.62879 > dns2.proxad.net.domain: 55363+ A? test-debit.free.fr. (36)
2007-08-01 23:46:31.728994 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.56732 > dns2.proxad.net.domain: 55364+ AAAA? test-debit.free.fr. (36)
2007-08-01 23:46:31.781738 rule 45/0(match): pass out on fxp0: boleskine.patpro.net.63557 > test-debit-f12.proxad.net.http: S 3953257962:3953257962(0) win 65535
2007-08-01 23:46:39.701327 rule 0/0(match): block in on fxp0: lon92-5-82-235-210-94.fbx.proxad.net.3536 > boleskine.patpro.net.loc-srv: S 3837388923:3837388923(0) win 16384
2007-08-01 23:46:39.925942 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.61629 > dns2.proxad.net.domain: 41735+ PTR? 94.210.235.82.in-addr.arpa. (44)
2007-08-01 23:46:40.237802 rule 0/0(match): block in on fxp0: lon92-5-82-235-210-94.fbx.proxad.net.3536 > boleskine.patpro.net.loc-srv: S 3837388923:3837388923(0) win 16384
2007-08-01 23:46:40.785610 rule 0/0(match): block in on fxp0: lon92-5-82-235-210-94.fbx.proxad.net.3536 > boleskine.patpro.net.loc-srv: S 3837388923:3837388923(0) win 16384
2007-08-01 23:46:42.790998 rule 0/0(match): block in on fxp0: bny93-4-82-235-241-206.fbx.proxad.net.2770 > boleskine.patpro.net.loc-srv: S 3621124191:3621124191(0) win 53760
2007-08-01 23:46:42.978867 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.61813 > dns2.proxad.net.domain: 41736+ PTR? 206.241.235.82.in-addr.arpa. (45)
2007-08-01 23:46:43.243787 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.54854 > dax.tuxfinder.com.ntp: NTPv4, Client, length 48
2007-08-01 23:46:43.243807 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.59333 > ns2.securitbox.com.ntp: NTPv4, Client, length 48
2007-08-01 23:46:43.341997 rule 0/0(match): block in on fxp0: bny93-4-82-235-241-206.fbx.proxad.net.2770 > boleskine.patpro.net.loc-srv: S 3621124191:3621124191(0) win 53760
2007-08-01 23:46:44.029868 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.61406 > dns2.proxad.net.domain: 41737+ PTR? 184.12.191.88.in-addr.arpa.
(44) 2007-08-01 23:46:44.095790 rule 46/0(match): pass out on fxp0: =20 boleskine.patpro.net.55154 > dns2.proxad.net.domain: 41738+ PTR? =20 71.183.1.194.in-addr.arpa. (43) 2007-08-01 23:47:28.858010 rule 46/0(match): pass out on fxp0: =20 boleskine.patpro.net.55632 > dns2.proxad.net.domain: 39554+ PTR? =20 223.12.235.82.in-addr.arpa. (44) 2007-08-01 23:47:31.338705 rule 41/0(match): pass in on em0: =20 192.168.0.2.50122 > 192.168.0.1.domain: 9746+ A? www.adobe.com. (31) 2007-08-01 23:47:31.338946 rule 46/0(match): pass out on fxp0: =20 boleskine.patpro.net.domain > dns3.proxad.net.domain: 29295+ [1au] =20 A? www.wip3.adobe.com. (47) 2007-08-01 23:47:32.170346 rule 46/0(match): pass out on fxp0: =20 boleskine.patpro.net.49612 > dns2.proxad.net.domain: 41739+ PTR? =20 252.53.27.212.in-addr.arpa. (44) 2007-08-01 23:47:44.398133 rule 46/0(match): pass out on fxp0: =20 boleskine.patpro.net.62936 > chihiro.bleu-pastel.org.ntp: NTPv4, =20 Client, length 48 2007-08-01 23:47:47.462629 rule 46/0(match): pass out on fxp0: =20 boleskine.patpro.net.59646 > a5.iliad.fr.ntp: NTPv4, Client, length 48 2007-08-01 23:48:01.521465 rule 46/0(match): pass out on fxp0: =20 boleskine.patpro.net.49673 > ns1.kamino.fr.ntp: NTPv4, Client, length 48 2007-08-01 23:48:02.448834 rule 0/0(match): block in on fxp0: =20 gqp76-2-82-235-245-158.fbx.proxad.net.2488 > boleskine.patpro.net.loc-=20= srv: S 3190942924:3190942924(0) win 64240 2007-08-01 23:48:02.957259 rule 0/0(match): block in on fxp0: =20 gqp76-2-82-235-245-158.fbx.proxad.net.2488 > boleskine.patpro.net.loc-=20= srv: S 3190942924:3190942924(0) win 64240 2007-08-01 23:48:03.655702 rule 0/0(match): block in on fxp0: =20 gqp76-2-82-235-245-158.fbx.proxad.net.2488 > boleskine.patpro.net.loc-=20= srv: S 3190942924:3190942924(0) win 64240 2007-08-01 23:48:09.581381 rule 46/0(match): pass out on fxp0: =20 boleskine.patpro.net.49631 > roxane.home-dn.net.ntp: NTPv4, Client, =20 length 48 2007-08-01 23:48:17.145432 rule 0/0(match): block in on 
fxp0: =20 she13-1-82-235-225-106.fbx.proxad.net.2730 > boleskine.patpro.net.loc-=20= srv: S 3888078071:3888078071(0) win 64240 2007-08-01 23:48:20.753804 rule 46/0(match): pass out on fxp0: =20 boleskine.patpro.net.53980 > cerber.obs.coe.int.ntp: NTPv4, Client, =20 length 48 2007-08-01 23:48:29.902616 rule 46/0(match): pass out on fxp0: =20 boleskine.patpro.net.57907 > dns2.proxad.net.domain: 18671+ PTR? =20 223.12.235.82.in-addr.arpa. (44) 2007-08-01 23:48:32.844683 rule 46/0(match): pass out on fxp0: =20 boleskine.patpro.net.58931 > mail1.vetienne.net.ntp: NTPv4, Client, =20 length 48 2007-08-01 23:48:50.138103 rule 46/0(match): pass out on fxp0: =20 boleskine.patpro.net.54854 > dax.tuxfinder.com.ntp: NTPv4, Client, =20 length 48 2007-08-01 23:48:56.174302 rule 0/0(match): block in on fxp0: =20 lju91-3-82-235-167-216.fbx.proxad.net.3230 > boleskine.patpro.net.loc-=20= srv: S 3929104:3929104(0) win 65535 2007-08-01 23:48:56.187805 rule 0/0(match): block in on fxp0: =20 lju91-3-82-235-167-216.fbx.proxad.net.3235 > =20 boleskine.patpro.net.microsoft-ds: S 4121314:4121314(0) win 65535 =20 2007-08-01 23:48:56.268230 rule 46/0(match): pass out on fxp0: =20 boleskine.patpro.net.54083 > dns2.proxad.net.domain: 41740+ PTR? =20 216.167.235.82.in-addr.arpa. 
(45) 2007-08-01 23:48:56.745779 rule 0/0(match): block in on fxp0: =20 lju91-3-82-235-167-216.fbx.proxad.net.3235 > =20 boleskine.patpro.net.microsoft-ds: S 4121314:4121314(0) win 65535 =20 2007-08-01 23:48:56.747746 rule 0/0(match): block in on fxp0: =20 lju91-3-82-235-167-216.fbx.proxad.net.3230 > boleskine.patpro.net.loc-=20= srv: S 3929104:3929104(0) win 65535 2007-08-01 23:48:57.253912 rule 0/0(match): block in on fxp0: =20 lju91-3-82-235-167-216.fbx.proxad.net.3235 > =20 boleskine.patpro.net.microsoft-ds: S 4121314:4121314(0) win 65535 =20 2007-08-01 23:48:57.253923 rule 0/0(match): block in on fxp0: =20 lju91-3-82-235-167-216.fbx.proxad.net.3230 > boleskine.patpro.net.loc-=20= srv: S 3929104:3929104(0) win 65535 2007-08-01 23:49:00.942064 rule 46/0(match): pass out on fxp0: =20 boleskine.patpro.net.54689 > dns2.proxad.net.domain: 54137+ PTR? =20 223.12.235.82.in-addr.arpa. (44) 2007-08-01 23:49:01.362800 rule 41/0(match): pass in on em0: =20 192.168.0.2.50123 > 192.168.0.1.domain: 18301+ A? www.adobe.com. (31) 2007-08-01 23:49:01.363043 rule 46/0(match): pass out on fxp0: =20 boleskine.patpro.net.domain > dns3.proxad.net.domain: 11699+ [1au] =20 A? www.wip3.adobe.com. 
(47) From owner-freebsd-pf@FreeBSD.ORG Thu Aug 2 05:34:42 2007 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 149CF16A418 for ; Thu, 2 Aug 2007 05:34:42 +0000 (UTC) (envelope-from patpro@patpro.net) Received: from smtp1-g19.free.fr (smtp1-g19.free.fr [212.27.42.27]) by mx1.freebsd.org (Postfix) with ESMTP id CAA5713C48E for ; Thu, 2 Aug 2007 05:34:41 +0000 (UTC) (envelope-from patpro@patpro.net) Received: from smtp1-g19.free.fr (localhost.localdomain [127.0.0.1]) by smtp1-g19.free.fr (Postfix) with ESMTP id B2C511AB2C9; Thu, 2 Aug 2007 07:34:40 +0200 (CEST) Received: from boleskine.patpro.net (boleskine.patpro.net [82.235.12.223]) by smtp1-g19.free.fr (Postfix) with ESMTP id 98F041AB2C7; Thu, 2 Aug 2007 07:34:40 +0200 (CEST) Received: from [192.168.0.2] (unknown [192.168.0.2]) by boleskine.patpro.net (Postfix) with ESMTP id 0295F1CC0E; Thu, 2 Aug 2007 07:34:40 +0200 (CEST) In-Reply-To: <000701c7d458$068f1780$13ad4680$@Hennessy@nviz.net> References: <001101c7d441$0f61aa10$2e24fe30$@Hennessy@nviz.net> <569F9080-B78F-400B-B3C5-FCA05F04BF80@patpro.net> <000701c7d458$068f1780$13ad4680$@Hennessy@nviz.net> Mime-Version: 1.0 (Apple Message framework v752.2) Content-Type: text/plain; charset=ISO-8859-1; format=flowed Message-Id: <84F1F457-8D05-4872-A24A-EC40482F90A8@patpro.net> Content-Transfer-Encoding: quoted-printable From: Patrick Proniewski Date: Thu, 2 Aug 2007 07:34:57 +0200 To: "Greg Hennessy" X-Mailer: Apple Mail (2.752.2) Cc: freebsd-pf@freebsd.org Subject: Re: strange "throttling" issue with pf on xDSL connection X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Aug 2007 05:34:42 -0000 On 01 ao=FBt 2007, at 18:21, Greg Hennessy wrote: > 
Looks like someone has compiled out inet6. my make.conf reads "NO_INET6=3D true" my kernel config file reads "#options INET6" so I should have no inet6 at all patpro From owner-freebsd-pf@FreeBSD.ORG Thu Aug 2 06:24:15 2007 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C06A016A41F for ; Thu, 2 Aug 2007 06:24:15 +0000 (UTC) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (insomnia.benzedrine.cx [IPv6:2001:6f8:1098::2]) by mx1.freebsd.org (Postfix) with ESMTP id 6C74A13C4A6 for ; Thu, 2 Aug 2007 06:24:14 +0000 (UTC) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (localhost.benzedrine.cx [127.0.0.1]) by insomnia.benzedrine.cx (8.14.1/8.13.4) with ESMTP id l726OEV3020294 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO); Thu, 2 Aug 2007 08:24:14 +0200 (MEST) Received: (from dhartmei@localhost) by insomnia.benzedrine.cx (8.14.1/8.12.10/Submit) id l726OD1L029003; Thu, 2 Aug 2007 08:24:14 +0200 (MEST) Date: Thu, 2 Aug 2007 08:24:13 +0200 From: Daniel Hartmeier To: Patrick Proniewski Message-ID: <20070802062413.GB32306@insomnia.benzedrine.cx> References: <611A93D3-A392-493B-80ED-4C5AC77AA77A@patpro.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <611A93D3-A392-493B-80ED-4C5AC77AA77A@patpro.net> User-Agent: Mutt/1.5.12-2006-07-14 Cc: Greg Hennessy , freebsd-pf@freebsd.org Subject: Re: strange "throttling" issue with pf on xDSL connection X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Aug 2007 06:24:15 -0000 On Wed, Aug 01, 2007 at 05:42:19PM +0200, Patrick Proniewski wrote: > While playing 
around with systat I've discovered that the transfer > rate can be as low as 20 KB/s and as high as 850 KB/s on a single > download from http://test-debit.free.fr, but the mean value will > always be around 120-150 KB/s when pf is active. From one sample to > another (every second), the transfer rate is very erratic. > If I disable pf on ext_if (set skip on $ext_if), the transfer rate > reaches quickly 850 KB/s and is almost stable. It decreases to > 400-450 KB/s for 1 or 2 seconds, 3 or 4 times per minute. Enable pf debug logging (pfctl -xm), note output of pfctl -si, reproduce the problem. Then run pfctl -si again. See /var/log/messages for lines from pf. Post all three outputs ;) Daniel From owner-freebsd-pf@FreeBSD.ORG Thu Aug 2 06:52:51 2007 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 861BA16A418 for ; Thu, 2 Aug 2007 06:52:51 +0000 (UTC) (envelope-from patpro@patpro.net) Received: from smtp1-g19.free.fr (smtp1-g19.free.fr [212.27.42.27]) by mx1.freebsd.org (Postfix) with ESMTP id 45E0113C48D for ; Thu, 2 Aug 2007 06:52:51 +0000 (UTC) (envelope-from patpro@patpro.net) Received: from smtp1-g19.free.fr (localhost.localdomain [127.0.0.1]) by smtp1-g19.free.fr (Postfix) with ESMTP id 78B5F1AB2CD for ; Thu, 2 Aug 2007 08:52:50 +0200 (CEST) Received: from boleskine.patpro.net (boleskine.patpro.net [82.235.12.223]) by smtp1-g19.free.fr (Postfix) with ESMTP id 5CB861AB2D3 for ; Thu, 2 Aug 2007 08:52:50 +0200 (CEST) Received: from [192.168.0.2] (unknown [192.168.0.2]) by boleskine.patpro.net (Postfix) with ESMTP id A60971CC0E for ; Thu, 2 Aug 2007 08:52:49 +0200 (CEST) Mime-Version: 1.0 (Apple Message framework v752.2) In-Reply-To: <000701c7d458$068f1780$13ad4680$@Hennessy@nviz.net> References: <001101c7d441$0f61aa10$2e24fe30$@Hennessy@nviz.net> <569F9080-B78F-400B-B3C5-FCA05F04BF80@patpro.net> <000701c7d458$068f1780$13ad4680$@Hennessy@nviz.net> 
Content-Type: text/plain; charset=ISO-8859-1; delsp=yes; format=flowed Message-Id: <09A5E345-D13D-4F70-B40D-BECB13AD03D2@patpro.net> Content-Transfer-Encoding: quoted-printable From: Patrick Proniewski Date: Thu, 2 Aug 2007 08:53:08 +0200 To: freebsd-pf@freebsd.org X-Mailer: Apple Mail (2.752.2) Subject: Re: strange "throttling" issue with pf on xDSL connection X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Aug 2007 06:52:51 -0000 On 01 ao=FBt 2007, at 18:21, Greg Hennessy wrote: >> block drop in log quick on $ext_if from $priv_nets to any >> block drop out log quick on $ext_if from any to $priv_nets > > Superfluous, a default block policy should catch these. Well, I've just tried a very light rule set: ext_if =3D "fxp0" int_if =3D "em0" scrub in all nat on $ext_if from 192.168.0.1/24 to any -> $ext_if pass quick log all keep state with this, my transfer rate reaches 700-750 KB/s, so I think there is =20= something wrong with my full rule set. 
patpro= From owner-freebsd-pf@FreeBSD.ORG Thu Aug 2 07:03:29 2007 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3C21F16A41F for ; Thu, 2 Aug 2007 07:03:29 +0000 (UTC) (envelope-from patpro@patpro.net) Received: from smtp1-g19.free.fr (smtp1-g19.free.fr [212.27.42.27]) by mx1.freebsd.org (Postfix) with ESMTP id CE99713C47E for ; Thu, 2 Aug 2007 07:03:28 +0000 (UTC) (envelope-from patpro@patpro.net) Received: from smtp1-g19.free.fr (localhost.localdomain [127.0.0.1]) by smtp1-g19.free.fr (Postfix) with ESMTP id 02CEC1AB2DF; Thu, 2 Aug 2007 09:03:28 +0200 (CEST) Received: from boleskine.patpro.net (boleskine.patpro.net [82.235.12.223]) by smtp1-g19.free.fr (Postfix) with ESMTP id C70831AB2DD; Thu, 2 Aug 2007 09:03:27 +0200 (CEST) Received: from [192.168.0.2] (unknown [192.168.0.2]) by boleskine.patpro.net (Postfix) with ESMTP id 545AE1CC0E; Thu, 2 Aug 2007 09:03:27 +0200 (CEST) In-Reply-To: <20070802062413.GB32306@insomnia.benzedrine.cx> References: <611A93D3-A392-493B-80ED-4C5AC77AA77A@patpro.net> <20070802062413.GB32306@insomnia.benzedrine.cx> Mime-Version: 1.0 (Apple Message framework v752.2) Content-Type: text/plain; charset=ISO-8859-1; delsp=yes; format=flowed Message-Id: Content-Transfer-Encoding: quoted-printable From: Patrick Proniewski Date: Thu, 2 Aug 2007 09:03:26 +0200 To: Daniel Hartmeier X-Mailer: Apple Mail (2.752.2) Cc: Greg Hennessy , freebsd-pf@freebsd.org Subject: Re: strange "throttling" issue with pf on xDSL connection X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Aug 2007 07:03:29 -0000 Hi, On 02 ao=FBt 2007, at 08:24, Daniel Hartmeier wrote: > Enable pf debug logging (pfctl -xm), note output of pfctl -si, =20 > 
reproduce > the problem. Then run pfctl -si again. See /var/log/messages for lines > from pf. Post all three outputs ;) before reproducing the problem: Interface Stats for fxp0 IPv4 IPv6 Bytes In 1317430142 0 Bytes Out 37184782 0 Packets In Passed 952956 0 Blocked 13070 0 Packets Out Passed 627949 0 Blocked 51 0 State Table Total Rate current entries 67 searches 6108082 50.7/s inserts 18628 0.2/s removals 18561 0.2/s Counters match 40003 0.3/s bad-offset 0 0.0/s fragment 0 0.0/s short 0 0.0/s normalize 0 0.0/s memory 0 0.0/s bad-timestamp 0 0.0/s congestion 0 0.0/s ip-option 0 0.0/s proto-cksum 0 0.0/s state-mismatch 35 0.0/s state-insert 0 0.0/s state-limit 0 0.0/s src-limit 0 0.0/s synproxy 0 0.0/s after reproducing the problem: Interface Stats for fxp0 IPv4 IPv6 Bytes In 1328709722 0 Bytes Out 37542784 0 Packets In Passed 960543 0 Blocked 13076 0 Packets Out Passed 634137 0 Blocked 51 0 State Table Total Rate current entries 52 searches 6124426 50.8/s inserts 18636 0.2/s removals 18584 0.2/s Counters match 40017 0.3/s bad-offset 0 0.0/s fragment 0 0.0/s short 0 0.0/s normalize 0 0.0/s memory 0 0.0/s bad-timestamp 0 0.0/s congestion 0 0.0/s ip-option 0 0.0/s proto-cksum 0 0.0/s state-mismatch 35 0.0/s state-insert 0 0.0/s state-limit 0 0.0/s src-limit 0 0.0/s synproxy 0 0.0/s nothing in /var/log/message nor in /var/log/debug.log regards, patpro From owner-freebsd-pf@FreeBSD.ORG Thu Aug 2 11:16:59 2007 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 71AE016A419 for ; Thu, 2 Aug 2007 11:16:59 +0000 (UTC) (envelope-from jon@seaholm.caamora.com.au) Received: from seaholm.caamora.com.au (seaholm.caamora.com.au [203.7.226.5]) by mx1.freebsd.org (Postfix) with ESMTP id 86A9413C45A for ; Thu, 2 Aug 2007 11:16:57 +0000 (UTC) (envelope-from jon@seaholm.caamora.com.au) Received: (from jon@localhost) by seaholm.caamora.com.au (8.11.1/8.11.1) id l72AhEB08838; 
Thu, 2 Aug 2007 20:43:14 +1000 (EST) Message-ID: <20070802204314.23724@caamora.com.au> Date: Thu, 2 Aug 2007 20:43:14 +1000 From: jonathan michaels To: patrick proniewski References: <001101c7d441$0f61aa10$2e24fe30$@Hennessy@nviz.net> <569F9080-B78F-400B-B3C5-FCA05F04BF80@patpro.net> <000701c7d458$068f1780$13ad4680$@Hennessy@nviz.net> <84F1F457-8D05-4872-A24A-EC40482F90A8@patpro.net> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Mailer: Mutt 0.84e In-Reply-To: <84F1F457-8D05-4872-A24A-EC40482F90A8@patpro.net>; from Patrick Proniewski on Thu, Aug 02, 2007 at 07:34:57AM +0200 Organisation: Caamora, PO Box 144, Rosebery NSW 1445 Australia Cc: volker werth , Greg Hennessy , freebsd-pf@freebsd.org Subject: Re: strange "throttling" issue with pf on xDSL connection X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Aug 2007 11:16:59 -0000 On Thu, Aug 02, 2007 at 07:34:57AM +0200, Patrick Proniewski wrote: > On 01 août 2007, at 18:21, Greg Hennessy wrote: > > > Looks like someone has compiled out inet6. > > my make.conf reads "NO_INET6= true" > my kernel config file reads "#options INET6" > > so I should have no inet6 at all greetings peoples on freebsd-pf i am just starting to use pf, today is my first time .. i use freebsd some 10 years now start with 2.0.5 stop on 2.2.5/7 till two months ago when i upgrade hardware (intel 386dx33/486dx33 machines for compaq proliant 5500 (4 cpu, 4 gb, dram scsi raid) x2 a compaq proliant 1850r and a couple of 233/800/1g4 intel boxen. i used to run fidonet/usenet gateway (mail/news file xfers and all the usual "internet stuff" by electronic mail) this has been running for 20 25 years now. 
i have just been asked to run a web hosting task fro a friend for which i will be tasking freebsd. also the script kiddes have become a real nuisance which is why i started on ipfw a year or two ago. that has let me down and i cannot seem to make it work so i asked a friend for some help (hi volker, i'm awake now .. grin). i'm just started up his authored "/etc/pc.conf" file and i saw the error messages that patrick reported a few days ago .. i/m still trying to sort out my ?machine-room" i had my last 486dx50 die on me and its modem (14kb v32 - some 20 years service) i now have v32.vbis (33k6/33k6) modem on a 16550 uart running on a pentium (p5-133 mhx) machine some 10 years old with 64 mb dram scsi hdd an old reliabe 6 gb ide with freebsd v6.2-release from a freebsdmall (thanks gusys for yor help over the years) cdrom set. i didnot notice much when i started pf at 1145 pm but this morning and now more nociceably the netwprk is getting more sluggish esp' whenever i do ssh based connection, or sudo "channeled" for root priv's software, admin tasks. i had a look in logs, and saw what patrick described (i cannot recal teh exact error message.. it is all pretty much as patric describes but i am not on xdsl, i runing userland ppp for a permanently connected dial (on demand, but permenant connected) ppp account to my isp. i do my own dns/mail/http and so on .. in essance i am my own isp directly connected (by dialup ppp) to the australian backbone, whod a though an invalid pensioner, grin) just an aside .. i am in invalid pensioner (disabled man) i was born with brain damage (caused during gestation some time) i live with learning disabilities and language skill, motor skill impearment. my typing is not he best and i find comprehending written text some (ok most of teh )time hard and at times very hard. 
due to many motot vehicle smashup (motorcycle, yamaha xs1100g and car several ford fairlanes, currently a 1978 zh beautifull teal blue inside and out) i take large quantities of serious analgesics to help with the pain and other hrt type stuff to cope witht her brain damage and its fall out. well thats me, if you guys want see teh pf config files i can make that happen .. post to list or off list just show where .. ok i am new to pf, i know virtuall nothing and because of my learning disabilities i am a bit slow as tehy say, about us "special" kind of people/childern. most kind regards and very much appreciations cheers jonathan -- ================================================================ powered by .. QNX, OS9 and freeBSD -- http://caamora com au/operating system ==== === appropriate solution in an inappropriate world === ==== From owner-freebsd-pf@FreeBSD.ORG Thu Aug 2 11:29:47 2007 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6133716A41F for ; Thu, 2 Aug 2007 11:29:47 +0000 (UTC) (envelope-from frank@pinky.sax.de) Received: from pinky.frank-behrens.de (unknown [IPv6:2a01:170:1023:0:211:2fff:fec9:c52d]) by mx1.freebsd.org (Postfix) with ESMTP id A4BF513C457 for ; Thu, 2 Aug 2007 11:29:46 +0000 (UTC) (envelope-from frank@pinky.sax.de) Received: from [192.168.20.32] (sun.behrens [192.168.20.32]) by pinky.frank-behrens.de (8.14.1/8.14.1) with ESMTP-MSA id l72BTcSQ007351 (version=TLSv1/SSLv3 cipher=DES-CBC3-SHA bits=168 verify=NO) for ; Thu, 2 Aug 2007 13:29:38 +0200 (CEST) (envelope-from frank@pinky.sax.de) Message-Id: <200708021129.l72BTcSQ007351@pinky.frank-behrens.de> From: "Frank Behrens" To: freebsd-pf@freebsd.org Date: Thu, 02 Aug 2007 13:29:36 +0200 MIME-Version: 1.0 Priority: normal In-reply-to: <200708011233.l71CX4Od082534@pinky.frank-behrens.de> X-mailer: Pegasus Mail for Windows (4.31, DE v4.31 R1) Content-type: text/plain; 
charset=US-ASCII Content-transfer-encoding: 7BIT Content-description: Mail message body X-Hashcash: 1:24:070802:freebsd-pf@freebsd.org::UQ0G7jz5XLwTUA68:00000000000xrWG Subject: Re: pf eates syn packet? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Aug 2007 11:29:47 -0000 With the help of an email in another thread I could get more information... Frank Behrens wrote on 1 Aug 2007 14:33: >.... > When I try to connect from internal (NATed) host to an external address I see a delay, > because the 1st SYN is resent (on internal interface): > 13:55:30.256823 IP (tos 0x0, ttl 128, id 35958, offset 0, flags [DF], proto: TCP (6), length: 52) 192.168.50.02.2923 > 193.99.144.85.80: S, cksum 0x3f22 (correct), 1489020152:1489020152(0) win 65535 > 13:55:33.266554 IP (tos 0x0, ttl 128, id 35967, offset 0, flags [DF], proto: TCP (6), length: 52) 192.168.50.02.2923 > 193.99.144.85.80: S, cksum 0x3f22 (correct), 1489020152:1489020152(0) win 65535 > 13:55:33.325734 IP (tos 0x0, ttl 249, id 7928, offset 0, flags [DF], proto: TCP (6), length: 52) 193.99.144.85.80 > 192.168.50.02.2923: S, cksum 0xc2b3 (correct), 3368657865:3368657865(0) ack 1489020153 win 4320 > 13:55:33.325857 IP (tos 0x0, ttl 128, id 35968, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.50.02.2923 > 193.99.144.85.80: ., cksum 0x6b49 (correct), ack 1 win 43008 > 13:55:33.326854 IP (tos 0x0, ttl 128, id 35969, offset 0, flags [DF], proto: TCP (6), length: 137) 192.168.50.02.2923 > 193.99.144.85.80: P 1:98(97) ack 1 win 43008 > > then the traffic is normal, without any anomaly. 
> > On outgoing interface tun2 I see: > 13:55:33.266603 IP (tos 0x0, ttl 127, id 35967, offset 0, flags [DF], proto: TCP (6), length: 52) 84.182.234.162.58104 > 193.99.144.85.80: S, cksum 0xfd03 (correct), 1489020152:148902015 2(0) win 65535 > 13:55:33.325695 IP (tos 0x0, ttl 250, id 7928, offset 0, flags [DF], proto: TCP (6), length: 52) 193.99.144.85.80 > 84.182.234.162.58104: S, cksum 0x8095 (correct), 3368657865:3368657865 (0) ack 1489020153 win 4320 > 13:55:33.325880 IP (tos 0x0, ttl 127, id 35968, offset 0, flags [DF], proto: TCP (6), length: 40) 84.182.234.162.58104 > 193.99.144.85.80: ., cksum 0x292b (correct), ack 1 win 43008 > 13:55:33.326872 IP (tos 0x0, ttl 127, id 35969, offset 0, flags [DF], proto: TCP (6), length: 137) 84.182.234.162.58104 > 193.99.144.85.80: P 1:98(97) ack 1 win 43008 > > > So the 1st SYN packet seems to disappear, that creates an additional delay on every > connection. Daniel Hartmeier wrote on 2 Aug 2007 8:24 in another thread: > Enable pf debug logging (pfctl -xm), note output of pfctl -si, reproduce > the problem. Then run pfctl -si again. See /var/log/messages for lines > from pf. Post all three outputs ;) Thanks for this hint! 
I got: Aug 2 13:17:26 moon kernel: pf: state insert failed: tree_ext_gwy lan: 84.182.237.27:50517 gwy: 84.182.237.27:50517 ext: 193.99.144.85:80 When the traffic on LAN interface was: 13:17:26.808052 IP (tos 0x0, ttl 128, id 50604, offset 0, flags [DF], proto: TCP (6), length: 52) 192.168.50.02.3130 > 193.99.144.85.80: S, cksum 0x30c1 (correct), 2327609486:2327609486(0) win 65535 13:17:29.732017 IP (tos 0x0, ttl 128, id 50616, offset 0, flags [DF], proto: TCP (6), length: 52) 192.168.50.02.3130 > 193.99.144.85.80: S, cksum 0x30c1 (correct), 2327609486:2327609486(0) win 65535 13:17:29.792689 IP (tos 0x0, ttl 249, id 4758, offset 0, flags [DF], proto: TCP (6), length: 52) 193.99.144.85.80 > 192.168.50.02.3130: S, cksum 0x815c (correct), 435389846:435389846(0) ack 2327609487 win 4320 So a possible reason is detected. Does anybody know, why the state insert failed? Otherwise I believe it's time to create a PR. Regards, Frank -- Frank Behrens, Osterwieck, Germany PGP-key 0x5B7C47ED on public servers available. 
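Daniel's three-step check (pfctl -si, reproduce, pfctl -si again, then read /var/log/messages) is easiest to act on when the two snapshots are diffed rather than eyeballed. The script below is an added example, not code from this thread or from pf: it parses the two snapshots patpro posted (embedded here as constructed, abridged sample input), reports which of pf's per-reason drop counters moved during the test, and decodes the `pf: state insert failed` line Frank got. A state insert failure is charged to the state-insert counter in the same output, which is why the two halves belong together.

```python
import re

# Sample input, constructed from the two `pfctl -si` snapshots posted in this
# thread (before / after reproducing the slow download) and abridged to the
# rows this example uses; the column layout mirrors real pfctl output.
PFCTL_SI_BEFORE = """\
Interface Stats for fxp0              IPv4             IPv6
  Bytes In                      1317430142                0
  Packets In
    Passed                          952956                0
    Blocked                          13070                0

State Table                          Total             Rate
  current entries                       67
  searches                         6108082           50.7/s
  inserts                            18628            0.2/s
  removals                           18561            0.2/s
Counters
  match                              40003            0.3/s
  state-mismatch                        35            0.0/s
  state-insert                           0            0.0/s
"""

PFCTL_SI_AFTER = """\
Interface Stats for fxp0              IPv4             IPv6
  Bytes In                      1328709722                0
  Packets In
    Passed                          960543                0
    Blocked                          13076                0

State Table                          Total             Rate
  current entries                       52
  searches                         6124426           50.8/s
  inserts                            18636            0.2/s
  removals                           18584            0.2/s
Counters
  match                              40017            0.3/s
  state-mismatch                        35            0.0/s
  state-insert                           0            0.0/s
"""

# The /var/log/messages line Frank posted after `pfctl -xm`.
KERNEL_LINE = ("Aug 2 13:17:26 moon kernel: pf: state insert failed: "
               "tree_ext_gwy lan: 84.182.237.27:50517 gwy: 84.182.237.27:50517 "
               "ext: 193.99.144.85:80")

# A counter row: name of letters, spaces and dashes, two or more spaces, then
# the first numeric column (IPv4 count or Total); IPv6 and rate are ignored.
ROW = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?)\s{2,}(\d+)\b")

# Counters rows that count packets pf dropped for that reason; a failed
# state insert is charged to state-insert.
DROP_COUNTERS = ("bad-offset", "fragment", "short", "normalize", "memory",
                 "bad-timestamp", "congestion", "ip-option", "proto-cksum",
                 "state-mismatch", "state-insert", "state-limit",
                 "src-limit", "synproxy")


def parse_pfctl_si(text):
    """Map each `pfctl -si` row to its first numeric column; Passed/Blocked
    rows get their group as prefix ('Packets In Passed') so In/Out differ."""
    stats, group = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in ("Packets In", "Packets Out"):
            group = stripped
            continue
        m = ROW.match(line)
        if not m:
            group = None  # blank line or a section heading
            continue
        name, value = m.group(1), int(m.group(2))
        stats[f"{group} {name}" if group else name] = value
    return stats


def diff_stats(before, after):
    """Per-counter change (after - before) for counters in both snapshots."""
    return {k: after[k] - before[k] for k in before if k in after}


def drops_during_test(delta):
    """Drop counters that moved while the problem was being reproduced."""
    return [k for k in DROP_COUNTERS if delta.get(k, 0) > 0]


STATE_INSERT = re.compile(r"pf: state insert failed: (?P<tree>\S+) "
                          r"lan: (?P<lan>\S+) gwy: (?P<gwy>\S+) ext: (?P<ext>\S+)")


def parse_state_insert_failure(line):
    """Decode a `pf: state insert failed` debug line, or return None.  lan is
    the endpoint before NAT and gwy the one after, so equal values mean the
    state carried no translation."""
    m = STATE_INSERT.search(line)
    if not m:
        return None
    info = m.groupdict()
    info["untranslated"] = info["lan"] == info["gwy"]
    return info
```

On patpro's snapshots no drop counter moves, which matches his empty /var/log/messages; on Frank's box the same diff would show state-insert ticking up alongside the kernel line.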
From owner-freebsd-pf@FreeBSD.ORG Thu Aug 2 11:34:14 2007 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AF31716A418 for ; Thu, 2 Aug 2007 11:34:14 +0000 (UTC) (envelope-from patpro@patpro.net) Received: from smtp1-g19.free.fr (smtp1-g19.free.fr [212.27.42.27]) by mx1.freebsd.org (Postfix) with ESMTP id 6FCAD13C46B for ; Thu, 2 Aug 2007 11:34:14 +0000 (UTC) (envelope-from patpro@patpro.net) Received: from smtp1-g19.free.fr (localhost.localdomain [127.0.0.1]) by smtp1-g19.free.fr (Postfix) with ESMTP id 7CDE71AB2E6; Thu, 2 Aug 2007 13:34:13 +0200 (CEST) Received: from boleskine.patpro.net (boleskine.patpro.net [82.235.12.223]) by smtp1-g19.free.fr (Postfix) with ESMTP id DDCC41AB2E0; Thu, 2 Aug 2007 13:34:11 +0200 (CEST) Received: from [192.168.0.2] (unknown [192.168.0.2]) by boleskine.patpro.net (Postfix) with ESMTP id EB2141CC0E; Thu, 2 Aug 2007 13:34:10 +0200 (CEST) In-Reply-To: <20070802204314.23724@caamora.com.au> References: <001101c7d441$0f61aa10$2e24fe30$@Hennessy@nviz.net> <569F9080-B78F-400B-B3C5-FCA05F04BF80@patpro.net> <000701c7d458$068f1780$13ad4680$@Hennessy@nviz.net> <84F1F457-8D05-4872-A24A-EC40482F90A8@patpro.net> <20070802204314.23724@caamora.com.au> Mime-Version: 1.0 (Apple Message framework v752.2) Content-Type: text/plain; charset=ISO-8859-1; delsp=yes; format=flowed Message-Id: <8BB113D7-FBCD-45A5-A7D9-F3A7F4E36771@patpro.net> Content-Transfer-Encoding: quoted-printable From: Patrick Proniewski Date: Thu, 2 Aug 2007 13:34:10 +0200 To: jonathan michaels X-Mailer: Apple Mail (2.752.2) Cc: volker werth , Greg Hennessy , freebsd-pf@freebsd.org Subject: Re: strange "throttling" issue with pf on xDSL connection X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: 
List-Subscribe: , X-List-Received-Date: Thu, 02 Aug 2007 11:34:14 -0000 On 02 ao=FBt 2007, at 12:43, jonathan michaels wrote: > i'm just started up his authored "/etc/pc.conf" file and i saw the > error messages that patrick reported a few days ago .. do you mean that kind of message: "pflogd[410]: [priv]: msg =20 PRIV_OPEN_LOG received" ? I don't think it's an error message. It's a debug message. Depending =20 on the traffic, it will show up every hours or every two/three/four =20 hours... > i didnot notice much when i started pf at 1145 pm but this morning and > now more nociceably the netwprk is getting more sluggish esp' whenever > i do ssh based connection, or sudo "channeled" for root priv's > software, admin tasks. > it is all pretty much as patric describes but i am not on xdsl it looks like it's not the same problem. Your connection become =20 sluggish with time, mine is throttled from the beginning and regain =20 full speed when I disable pf. May be your computer is swamped in swap ? may be your pf config makes =20= you log too many things and your HD is full ?, ... 
patpro From owner-freebsd-pf@FreeBSD.ORG Thu Aug 2 12:54:49 2007 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C9F3D16A420 for ; Thu, 2 Aug 2007 12:54:49 +0000 (UTC) (envelope-from jon@seaholm.caamora.com.au) Received: from seaholm.caamora.com.au (seaholm.caamora.com.au [203.7.226.5]) by mx1.freebsd.org (Postfix) with ESMTP id DDBD913C46A for ; Thu, 2 Aug 2007 12:54:47 +0000 (UTC) (envelope-from jon@seaholm.caamora.com.au) Received: (from jon@localhost) by seaholm.caamora.com.au (8.11.1/8.11.1) id l72Cspd09138; Thu, 2 Aug 2007 22:54:51 +1000 (EST) Message-ID: <20070802225451.48351@caamora.com.au> Date: Thu, 2 Aug 2007 22:54:51 +1000 From: jonathan michaels To: Patrick Proniewski References: <001101c7d441$0f61aa10$2e24fe30$@Hennessy@nviz.net> <569F9080-B78F-400B-B3C5-FCA05F04BF80@patpro.net> <000701c7d458$068f1780$13ad4680$@Hennessy@nviz.net> <84F1F457-8D05-4872-A24A-EC40482F90A8@patpro.net> <20070802204314.23724@caamora.com.au> <8BB113D7-FBCD-45A5-A7D9-F3A7F4E36771@patpro.net> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Mailer: Mutt 0.84e In-Reply-To: <8BB113D7-FBCD-45A5-A7D9-F3A7F4E36771@patpro.net>; from Patrick Proniewski on Thu, Aug 02, 2007 at 01:34:10PM +0200 Organisation: Caamora, PO Box 144, Rosebery NSW 1445 Australia Cc: volker werth , jonathan michaels , Greg Hennessy , freebsd-pf@freebsd.org Subject: Re: strange "throttling" issue with pf on xDSL connection X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Aug 2007 12:54:50 -0000 patrick, thank you for the prompt reply, hope it's not too late in your part of the world.. it's just gone 9:45 pm here in australia.
On Thu, Aug 02, 2007 at 01:34:10PM +0200, Patrick Proniewski wrote: > On 02 août 2007, at 12:43, jonathan michaels wrote: > > > i've just started up his authored "/etc/pc.conf" file and i saw the > > error messages that patrick reported a few days ago .. > > do you mean that kind of message: "pflogd[410]: [priv]: msg > PRIV_OPEN_LOG received"? yes, patrick, as best as i can tell it is the same, except for the [410] mine says [336]. i've gone back over the last few days of this thread and all that you have described is happening here. > I don't think it's an error message. It's a debug message. Depending > on the traffic, it will show up every hour or every two/three/four > hours... yes it does that, 'cept mine is every 2 hours, sometimes it is only an hour between log entries. > > i did not notice much when i started pf at 1145 pm but this morning and > > now more noticeably the network is getting more sluggish esp' whenever > > i do ssh based connections, or sudo "channeled" for root priv's > > software, admin tasks. > > > it is all pretty much as patrick describes but i am not on xdsl > > it looks like it's not the same problem. Your connection becomes > sluggish with time, mine is throttled from the beginning and regains > full speed when I disable pf. i just stopped pf and restarted it after an hour or so (you should have seen the sshd storm in like there is no tomorrow, not so grin) and on restarting pf the same sluggishness was instantly there.. it was there. last night, well, it was a long day after lots, lots of computer, system related trouble after three weeks and the medication it was hard to notice how things were going on. > Maybe your computer is swamped in swap? Maybe your pf config makes > you log too many things and your HD is full? ...
top reports load as "0 .1 .2" the hard drive is local 56 scsi RAID with a compaq 4200 RAID box attached with 64/80 wire cable it has 14 SCSI3 UW 10Krpm drives of 18 Gb (soon to be replaced with new fujitsu drives of 147 Gb or 300 Gb .. as soon as i can determine network load / requirements). the machine has several gb swap and 4 gb of dram now that pf seems to be doing a reasonable job of keeping the nasties on the right side of the firewall i can start to make plans. thanks patrick -- ================================================================ powered by .. QNX, OS9 and freeBSD -- http://caamora com au/operating system ==== === appropriate solution in an inappropriate world === ==== From owner-freebsd-pf@FreeBSD.ORG Thu Aug 2 15:02:34 2007 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D0C5B16A418 for ; Thu, 2 Aug 2007 15:02:34 +0000 (UTC) (envelope-from frank@pinky.sax.de) Received: from pinky.frank-behrens.de (unknown [IPv6:2a01:170:1023:0:211:2fff:fec9:c52d]) by mx1.freebsd.org (Postfix) with ESMTP id 4051B13C49D for ; Thu, 2 Aug 2007 15:02:34 +0000 (UTC) (envelope-from frank@pinky.sax.de) Received: from [192.168.20.32] (sun.behrens [192.168.20.32]) by pinky.frank-behrens.de (8.14.1/8.14.1) with ESMTP-MSA id l72F2PCu004207 (version=TLSv1/SSLv3 cipher=DES-CBC3-SHA bits=168 verify=NO) for ; Thu, 2 Aug 2007 17:02:25 +0200 (CEST) (envelope-from frank@pinky.sax.de) Message-Id: <200708021502.l72F2PCu004207@pinky.frank-behrens.de> From: "Frank Behrens" To: freebsd-pf@freebsd.org Date: Thu, 02 Aug 2007 17:02:25 +0200 MIME-Version: 1.0 Priority: normal In-reply-to: <200708021129.l72BTcSQ007351@pinky.frank-behrens.de> References: <200708011233.l71CX4Od082534@pinky.frank-behrens.de> X-mailer: Pegasus Mail for Windows (4.31, DE v4.31 R1) Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Content-description: Mail message body
X-Hashcash: 1:24:070802:freebsd-pf@freebsd.org::rQLKSjgcYTKzImqY:0000000000002I8V Subject: Re: pf eates syn packet? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Aug 2007 15:02:34 -0000 Frank Behrens wrote on 2 Aug 2007 13:29: >.... > Aug 2 13:17:26 moon kernel: pf: state insert failed: tree_ext_gwy lan: 84.182.237.27:50517 gwy: 84.182.237.27:50517 ext: 193.99.144.85:80 The new pf(4) from http://people.freebsd.org/~mlaier/PF41/ on FreeBSD 6.2-STABLE-200708021147 i386 shows the same problem. :-( Is this a problem for pf(4) on FreeBSD or should the report be sent to OpenBSD? Regards, Frank -- Frank Behrens, Osterwieck, Germany PGP-key 0x5B7C47ED on public servers available. From owner-freebsd-pf@FreeBSD.ORG Thu Aug 2 15:14:25 2007 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 963BF16A417 for ; Thu, 2 Aug 2007 15:14:25 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.171]) by mx1.freebsd.org (Postfix) with ESMTP id 2EB2613C46A for ; Thu, 2 Aug 2007 15:14:25 +0000 (UTC) (envelope-from max@love2party.net) Received: from [88.66.63.66] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu1) with ESMTP (Nemesis), id 0MKwpI-1IGcNE0B29-00059Z; Thu, 02 Aug 2007 17:14:00 +0200 From: Max Laier Organization: FreeBSD To: freebsd-pf@freebsd.org Date: Thu, 2 Aug 2007 17:15:17 +0200 User-Agent: KMail/1.9.7 References: <200708011233.l71CX4Od082534@pinky.frank-behrens.de> <200708021502.l72F2PCu004207@pinky.frank-behrens.de> In-Reply-To: <200708021502.l72F2PCu004207@pinky.frank-behrens.de> X-Face: ,,8R(x[kmU]tKN@>gtH1yQE4aslGdu+2]; 
R]*pL,U>^H?)gW@49@wdJ`H<=?utf-8?q?=25=7D*=5FBD=0A=09U=5For=3D=5CmOZf764=26nYj=3DJYbR1PW0ud?=>|!~,,CPC.1-D$FG@0h3#'5"k{V]a~.<=?utf-8?q?mZ=7D44=23Se=7Em=0A=09Fe=7E=5C=5DX5B=5D=5Fxj?=(ykz9QKMw_l0C2AQ]}Ym8)fU MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart1408523.uZKQp927Sn"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200708021715.25167.max@love2party.net> X-Provags-ID: V01U2FsdGVkX1/aAqqxoBc22HqTuI7B5TN7XbBuXgiZVC91b3E Krdgd4vb7HiW3SRImw3laxTsueus5w/jNhvyWymnA0bGeMwanm 0uEwgr3Cq5UuuDZFL1/0O3wRT3S9Xk9kNWPPTiFeic= Cc: Subject: Re: pf eates syn packet? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Aug 2007 15:14:25 -0000 --nextPart1408523.uZKQp927Sn Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Thursday 02 August 2007, Frank Behrens wrote: > Frank Behrens wrote on 2 Aug 2007 13:29: > >.... > > Aug 2 13:17:26 moon kernel: pf: state insert failed: > > tree_ext_gwy lan: 84.182.237.27:50517 gwy: 84.182.237.27:50517 ext: > > 193.99.144.85:80 > > The new pf(4) from > http://people.freebsd.org/~mlaier/PF41/ > on FreeBSD 6.2-STABLE-200708021147 i386 shows the same problem. :-( > > Is this a problem for pf(4) on FreeBSD or should the report be sent to > OpenBSD? Can you follow up with the complete pf.conf you are using? The "state insert failed" error suggests a logic problem in your config (or a missed PF_TAG_GENERATED somewhere). It seems that the same packet is run through the firewall twice, generating state on the first run, but not matching it on the second ... somehow strange.
-- /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --nextPart1408523.uZKQp927Sn Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4 (FreeBSD) iD8DBQBGsfUNXyyEoT62BG0RAjGSAJ9DGuZcbqbY8e/c7cFDsl74vIUqDwCfQytz mTeiUFGyCcHKQftcQ7hBKRU= =yFYD -----END PGP SIGNATURE----- --nextPart1408523.uZKQp927Sn-- From owner-freebsd-pf@FreeBSD.ORG Thu Aug 2 15:37:25 2007 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 104B916A419 for ; Thu, 2 Aug 2007 15:37:25 +0000 (UTC) (envelope-from frank@pinky.sax.de) Received: from pinky.frank-behrens.de (unknown [IPv6:2a01:170:1023:0:211:2fff:fec9:c52d]) by mx1.freebsd.org (Postfix) with ESMTP id 5F75B13C4A7 for ; Thu, 2 Aug 2007 15:37:24 +0000 (UTC) (envelope-from frank@pinky.sax.de) Received: from [192.168.20.32] (sun.behrens [192.168.20.32]) by pinky.frank-behrens.de (8.14.1/8.14.1) with ESMTP-MSA id l72Fb69k004919 (version=TLSv1/SSLv3 cipher=DES-CBC3-SHA bits=168 verify=NO); Thu, 2 Aug 2007 17:37:06 +0200 (CEST) (envelope-from frank@pinky.sax.de) Message-Id: <200708021537.l72Fb69k004919@pinky.frank-behrens.de> From: "Frank Behrens" To: Max Laier Date: Thu, 02 Aug 2007 17:37:06 +0200 MIME-Version: 1.0 Priority: normal In-reply-to: <200708021715.25167.max@love2party.net> References: <200708021502.l72F2PCu004207@pinky.frank-behrens.de> X-mailer: Pegasus Mail for Windows (4.31, DE v4.31 R1) Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Content-description: Mail message body X-Hashcash: 1:24:070802:freebsd-pf@freebsd.org::9R+10+qvsEDzTBlN:0000000000019YUw X-Hashcash: 1:24:070802:max@love2party.net::Bhl9MYKYuKiPZ6qc:M8Rt Cc: freebsd-pf@freebsd.org
Subject: Re: pf eates syn packet? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Aug 2007 15:37:25 -0000 Max Laier wrote on 2 Aug 2007 17:15: > Can you follow up with the complete pf.conf you are using? The "state I'll send you the complete file in a personal mail. > insert failed" error suggests a logic problem in your config (or a missed > PF_TAG_GENERATED somewhere). It seems that the same packet is run > through the firewall twice, generating state on the first run, but not > matching it on the second ... somehow strange. As I wrote in my 1st message the following statements may produce the problem:
nat inet from !tun2-address to any port = http -> tun2-address
nat on tun0 inet from to any -> tun0-address
....
pass out quick on tun0 route-to (tun2 tun2-peer) inet from tun2-address to any keep state
pass out quick on tun2 route-to (tun0 tun0-peer) inet from tun0-address to any keep state
The reason for this setup is that I want to use policy based routing. The http port is an easy to test example. I have 2 DSL/pppoe connections with NAT and tun0 has the default route assigned. I want - route some traffic from LAN (NATed) to tun2 - route some traffic from gateway to tun2 Maybe there is a better solution? Regards, Frank -- Frank Behrens, Osterwieck, Germany PGP-key 0x5B7C47ED on public servers available.
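The configuration quoted above puts the route-to decision on `pass out` rules for the two uplinks, and the port-80 nat rule carries no `on` clause. For comparison, this is the layout the pf FAQ of that era documents for the same goal (policy routing of LAN traffic over a second uplink): choose the uplink on the rule that passes the packet in on the LAN interface, before the default route is consulted, and NAT per uplink. It is an added example, not Frank's configuration and not anything shipped by FreeBSD or OpenBSD; tun0 and tun2 are the uplink names from the thread, while `fxp0`, `192.168.20.0/24` and the two `*_gw` peer addresses are placeholders that must be replaced with the real values.

```pf
# Added example (not from the thread): policy-based routing over two
# PPPoE uplinks, laid out the way the pf FAQ describes it for pf 3.x/4.x.
# tun0 carries the default route, tun2 is the second uplink.
lan_if  = "fxp0"            # assumption: LAN-facing interface
lan_net = "192.168.20.0/24" # assumption: LAN network
tun0_gw = "10.0.0.1"        # assumption: pppoe peer address on tun0
tun2_gw = "10.0.0.2"        # assumption: pppoe peer address on tun2

set skip on lo0
block log all

# NAT per uplink, each rule naming its interface with "on"; the
# parenthesised form tracks the dynamic pppoe address.
nat on tun0 from $lan_net to any -> (tun0)
nat on tun2 from $lan_net to any -> (tun2)

# Policy routing for LAN clients: the uplink is chosen on the rule that
# passes the packet IN on the LAN side. route-to hands the packet to
# tun2's peer before the routing table would have sent it to tun0, so
# the packet crosses the filter once on the way in and its (floating)
# state then matches it on the way out on tun2.
pass in quick on $lan_if route-to (tun2 $tun2_gw) inet proto tcp \
    from $lan_net to any port http keep state
pass in quick on $lan_if inet from $lan_net to any keep state

# Traffic originating on the gateway itself: a packet that carries
# tun2's address but which routing is about to send out tun0 is
# redirected to tun2, and vice versa (same pattern as in the FAQ).
pass out quick on tun0 route-to (tun2 $tun2_gw) from (tun2) to any keep state
pass out quick on tun2 route-to (tun0 $tun0_gw) from (tun0) to any keep state

# Everything else leaves on whichever uplink routing picked.
pass out quick on { tun0 tun2 } keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then watch `pfctl -ss` for the state the `pass in` rule creates: with the default floating state policy that single state also matches the packet when it leaves on tun2, which is what prevents it from being treated as a new connection a second time. In this pf generation translation is applied before the filter rules on the outbound path, so `pass out` rules already see the NATed source address; steering on the inbound LAN side keeps the route decision independent of that ordering. If a "state insert failed" message still appears, add `log` to the rules involved and read `tcpdump -n -e -ttt -i pflog0` to see which rule and direction each copy of the packet hits.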
From owner-freebsd-pf@FreeBSD.ORG Fri Aug 3 07:52:20 2007 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0DA0C16A41A for ; Fri, 3 Aug 2007 07:52:20 +0000 (UTC) (envelope-from aftaha@cirp.usp.br) Received: from quartzo.cirp.usp.br (quartzo.cirp.usp.br [143.107.200.45]) by mx1.freebsd.org (Postfix) with ESMTP id 73C2B13C459 for ; Fri, 3 Aug 2007 07:52:19 +0000 (UTC) (envelope-from aftaha@cirp.usp.br) Received: from quartzo.cirp.usp.br (localhost.cirp.usp.br [127.0.0.1]) by quartzo.cirp.usp.br (8.12.11/8.12.11) with ESMTP id l737aGCG040006 for ; Fri, 3 Aug 2007 04:36:16 -0300 (BRT) (envelope-from aftaha@quartzo.cirp.usp.br) Received: (from aftaha@localhost) by quartzo.cirp.usp.br (8.12.11/8.12.11/Submit) id l737aAqL040005 for freebsd-pf@freebsd.org; Fri, 3 Aug 2007 04:36:10 -0300 (BRT) (envelope-from aftaha) Date: Fri, 3 Aug 2007 04:36:10 -0300 From: Ali Faiez Taha To: freebsd-pf@freebsd.org Message-ID: <20070803073610.GA39968@quartzo.cirp.usp.br> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.4.2.1i X-Virus-Scanned: by amavisd-new Subject: Block WWW.ORKUT.COM X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Aug 2007 07:52:20 -0000 Dear Sirs. What do I need to do to block access to www.orkut.com, via webproxy, anonymizer sites and direct access? I am using FreeBSD with PF, without Proxy server, 2 NICs (one for Internet and one for Intranet). Actually I use a table with a lot of IP addresses blocked.
Thanks From owner-freebsd-pf@FreeBSD.ORG Fri Aug 3 08:06:19 2007 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0666416A419 for ; Fri, 3 Aug 2007 08:06:19 +0000 (UTC) (envelope-from patpro@patpro.net) Received: from smtp1-g19.free.fr (smtp1-g19.free.fr [212.27.42.27]) by mx1.freebsd.org (Postfix) with ESMTP id ACFD513C4CA for ; Fri, 3 Aug 2007 08:06:18 +0000 (UTC) (envelope-from patpro@patpro.net) Received: from smtp1-g19.free.fr (localhost.localdomain [127.0.0.1]) by smtp1-g19.free.fr (Postfix) with ESMTP id 756B91AB2F0; Fri, 3 Aug 2007 10:06:17 +0200 (CEST) Received: from boleskine.patpro.net (boleskine.patpro.net [82.235.12.223]) by smtp1-g19.free.fr (Postfix) with ESMTP id 59F211AB2E8; Fri, 3 Aug 2007 10:06:16 +0200 (CEST) Received: from [192.168.0.2] (unknown [192.168.0.2]) by boleskine.patpro.net (Postfix) with ESMTP id 48ECB1CC40; Fri, 3 Aug 2007 10:06:16 +0200 (CEST) In-Reply-To: <20070803073610.GA39968@quartzo.cirp.usp.br> References: <20070803073610.GA39968@quartzo.cirp.usp.br> Mime-Version: 1.0 (Apple Message framework v752.2) Content-Type: text/plain; charset=ISO-8859-1; delsp=yes; format=flowed Message-Id: Content-Transfer-Encoding: quoted-printable From: Patrick Proniewski Date: Fri, 3 Aug 2007 10:06:15 +0200 To: Ali Faiez Taha X-Mailer: Apple Mail (2.752.2) Cc: freebsd-pf@freebsd.org Subject: Re: Block WWW.ORKUT.COM X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Aug 2007 08:06:19 -0000 Hi, On 03 août 2007, at 09:36, Ali Faiez Taha wrote: > What do I need to do to block access to www.orkut.com, via > webproxy, anonymizer sites and direct access?
> I am using FreeBSD with PF, without Proxy server, 2 NICs (one for > Internet and one for Intranet). > Actually I use a table with a lot of IP addresses blocked. This is just impossible, unless maybe you have as much money and power as the Chinese government. What you want to do is layer 7 firewalling: ie. looking into the HTTP transmitted, determine if it comes from orkut (directly or via a proxy), and block accordingly. You might want to know: even this won't work if the client uses HTTPS to connect to the proxy/anonymizer (in that case, HTTP transfer is encrypted, and you can't eavesdrop the http content.) patpro From owner-freebsd-pf@FreeBSD.ORG Fri Aug 3 08:23:40 2007 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 11AE816A417 for ; Fri, 3 Aug 2007 08:23:40 +0000 (UTC) (envelope-from fai@g2019.net) Received: from py-out-1112.google.com (py-out-1112.google.com [64.233.166.183]) by mx1.freebsd.org (Postfix) with ESMTP id C88D013C45A for ; Fri, 3 Aug 2007 08:23:39 +0000 (UTC) (envelope-from fai@g2019.net) Received: by py-out-1112.google.com with SMTP id a73so1418224pye for ; Fri, 03 Aug 2007 01:23:38 -0700 (PDT) Received: by 10.64.179.12 with SMTP id b12mr4590684qbf.1186127970732; Fri, 03 Aug 2007 00:59:30 -0700 (PDT) Received: by 10.65.230.10 with HTTP; Fri, 3 Aug 2007 00:59:30 -0700 (PDT) Message-ID: <4a33a74a0708030059t7ed335ebxf739e2958d1549f6@mail.gmail.com> Date: Fri, 3 Aug 2007 15:59:30 +0800 From: "Fai Cheng" To: freebsd-pf@freebsd.org In-Reply-To: <20070803073610.GA39968@quartzo.cirp.usp.br> MIME-Version: 1.0 References: <20070803073610.GA39968@quartzo.cirp.usp.br> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: Re: Block WWW.ORKUT.COM X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5
Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Aug 2007 08:23:40 -0000 Hi Ali, There are many ways to block a site. If you don't want to set up a web proxy, you can set up a DNS server and add a www.orkut.com record, so the client cannot resolve that host. But please make sure all of your clients are pointing to your DNS server. For better web access control, implementing a proxy is the better choice. Using squid + squidguard should be good enough for your environment if you are looking for freeware. Regards, Fai On 8/3/07, Ali Faiez Taha wrote: > > Dear Sirs. > > What do I need to do to block access to www.orkut.com, via webproxy, > anonymizer sites and direct access? > I am using FreeBSD with PF, without Proxy server, 2 NICs (one for Internet > and one for Intranet). > Actually I use a table with a lot of IP addresses blocked. > > Thanks > > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > From owner-freebsd-pf@FreeBSD.ORG Fri Aug 3 08:31:38 2007 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id EFE8716A41B for ; Fri, 3 Aug 2007 08:31:37 +0000 (UTC) (envelope-from fai@g2019.net) Received: from py-out-1112.google.com (py-out-1112.google.com [64.233.166.181]) by mx1.freebsd.org (Postfix) with ESMTP id B01E713C46E for ; Fri, 3 Aug 2007 08:31:37 +0000 (UTC) (envelope-from fai@g2019.net) Received: by py-out-1112.google.com with SMTP id a73so1421237pye for ; Fri, 03 Aug 2007 01:31:36 -0700 (PDT) Received: by 10.64.181.12 with SMTP id d12mr4689098qbf.1186129896660; Fri, 03 Aug 2007 01:31:36 -0700 (PDT) Received: by 10.65.230.10 with HTTP; Fri, 3 Aug
2007 01:31:36 -0700 (PDT) Message-ID: <4a33a74a0708030131p7024453ekcd73f4d55972a0bd@mail.gmail.com> Date: Fri, 3 Aug 2007 16:31:36 +0800 From: "Fai Cheng" To: freebsd-pf@freebsd.org In-Reply-To: MIME-Version: 1.0 References: <20070803073610.GA39968@quartzo.cirp.usp.br> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: Re: Block WWW.ORKUT.COM X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Aug 2007 08:31:38 -0000 I don't think this is impossible. It depends on how you configure the firewall, if you can block all traffic but allow only what you need (e.g. to your partner site only, deny all outgoing traffic). Modifying the DNS / hosts files is a trick, but it works. But you have to know what is behind the host, e.g. they can use orkut.l.google.com instead of www.orkut.com. So the white list approach is easier to handle (if you can). Of course a different proxy (e.g. a proxy running on port 80 or 443) is hard to block; in this case you need to monitor the traffic and see any people going to a specific host with a large amount of traffic. So you may notice the problems. Fai On 8/3/07, Patrick Proniewski wrote: > > Hi, > > On 03 août 2007, at 09:36, Ali Faiez Taha wrote: > > > What do I need to do to block access to www.orkut.com, via > > webproxy, anonymizer sites and direct access? > > I am using FreeBSD with PF, without Proxy server, 2 NICs (one for > > Internet and one for Intranet). > > Actually I use a table with a lot of IP addresses blocked. > > This is just impossible, unless maybe you have as much money and > power as the Chinese government. > What you want to do is layer 7 firewalling: ie.
looking into the HTTP > transmitted, determine if it comes from orkut (directly or via a > proxy), and block accordingly. You might want to know: even this > won't work if the client uses HTTPS to connect to the proxy/ > anonymizer (in that case, HTTP transfer is encrypted, and you can't > eavesdrop the http content.) > > patpro From owner-freebsd-pf@FreeBSD.ORG Fri Aug 3 08:54:23 2007 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 87A0E16A41B for ; Fri, 3 Aug 2007 08:54:23 +0000 (UTC) (envelope-from patpro@patpro.net) Received: from smtp1-g19.free.fr (smtp1-g19.free.fr [212.27.42.27]) by mx1.freebsd.org (Postfix) with ESMTP id 46BEE13C46E for ; Fri, 3 Aug 2007 08:54:23 +0000 (UTC) (envelope-from patpro@patpro.net) Received: from smtp1-g19.free.fr (localhost.localdomain [127.0.0.1]) by smtp1-g19.free.fr (Postfix) with ESMTP id 4EECB1AB2DB; Fri, 3 Aug 2007 10:54:22 +0200 (CEST) Received: from boleskine.patpro.net (boleskine.patpro.net [82.235.12.223]) by smtp1-g19.free.fr (Postfix) with ESMTP id 0A5FA1AB2EA; Fri, 3 Aug 2007 10:54:21 +0200 (CEST) Received: from [192.168.0.2] (unknown [192.168.0.2]) by boleskine.patpro.net (Postfix) with ESMTP id 7E0371CC40; Fri, 3 Aug 2007 10:54:21 +0200 (CEST) In-Reply-To: <4a33a74a0708030131p7024453ekcd73f4d55972a0bd@mail.gmail.com> References: <20070803073610.GA39968@quartzo.cirp.usp.br> <4a33a74a0708030131p7024453ekcd73f4d55972a0bd@mail.gmail.com> Mime-Version: 1.0 (Apple Message framework v752.2) Content-Type: text/plain; charset=ISO-8859-1; delsp=yes; format=flowed Message-Id: <69794025-47B6-4DC5-891D-E0A8454CD69C@patpro.net> Content-Transfer-Encoding: quoted-printable From: Patrick Proniewski Date:
Fri, 3 Aug 2007 10:54:20 +0200 To: "Fai Cheng" X-Mailer: Apple Mail (2.752.2) Cc: freebsd-pf@freebsd.org Subject: Re: Block WWW.ORKUT.COM X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Aug 2007 08:54:23 -0000 On 03 août 2007, at 10:31, Fai Cheng wrote: > I don't think this is impossible. It depends on how you > configure the > firewall, if you can block all traffic but allow only what you > need (e.g. > to your partner site only, deny all outgoing traffic). this is a good solution (technically speaking), but unless you're working in a very tight security environment, you might prefer education over extensive blocking. > Modifying the DNS / hosts files is a trick, but it works. as long as the user won't put his own hosts file on his system. > But you have to > know what is behind the host, e.g. they can use orkut.l.google.com > instead > of www.orkut.com. So the white list approach is easier to handle > (if you > can). sure. > Of course a different proxy (e.g. a proxy running on port 80 or 443) is > hard to > block; in this case you need to monitor the traffic and see any people going to > a specific host with a large amount of traffic. So you may notice the > problems. not hard, just impossible (in a blacklist context), because there is no way you can know every proxy/anonymizer. It's exactly the same as fighting spam. You block something, the spammer will find his way in again, you block it again, etc.
patpro From owner-freebsd-pf@FreeBSD.ORG Fri Aug 3 09:52:50 2007 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E07AF16A41A for ; Fri, 3 Aug 2007 09:52:50 +0000 (UTC) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (insomnia.benzedrine.cx [IPv6:2001:6f8:1098::2]) by mx1.freebsd.org (Postfix) with ESMTP id 4251613C4A3 for ; Fri, 3 Aug 2007 09:52:49 +0000 (UTC) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (localhost.benzedrine.cx [127.0.0.1]) by insomnia.benzedrine.cx (8.14.1/8.13.4) with ESMTP id l739ql5e004175 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO); Fri, 3 Aug 2007 11:52:47 +0200 (MEST) Received: (from dhartmei@localhost) by insomnia.benzedrine.cx (8.14.1/8.12.10/Submit) id l739qlcd007858; Fri, 3 Aug 2007 11:52:47 +0200 (MEST) Date: Fri, 3 Aug 2007 11:52:46 +0200 From: Daniel Hartmeier To: Frank Behrens Message-ID: <20070803095246.GC32306@insomnia.benzedrine.cx> References: <200708021502.l72F2PCu004207@pinky.frank-behrens.de> <200708021537.l72Fb69k004919@pinky.frank-behrens.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200708021537.l72Fb69k004919@pinky.frank-behrens.de> User-Agent: Mutt/1.5.12-2006-07-14 Cc: freebsd-pf@freebsd.org Subject: Re: pf eates syn packet? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Aug 2007 09:52:51 -0000 On Thu, Aug 02, 2007 at 05:37:06PM +0200, Frank Behrens wrote: > May be there is a better solution? 
Try adding set state-policy if-bound Daniel From owner-freebsd-pf@FreeBSD.ORG Fri Aug 3 10:14:00 2007 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DA7DA16A417 for ; Fri, 3 Aug 2007 10:14:00 +0000 (UTC) (envelope-from frank@pinky.sax.de) Received: from pinky.frank-behrens.de (unknown [IPv6:2a01:170:1023:0:211:2fff:fec9:c52d]) by mx1.freebsd.org (Postfix) with ESMTP id 353A513C46B for ; Fri, 3 Aug 2007 10:13:59 +0000 (UTC) (envelope-from frank@pinky.sax.de) Received: from [192.168.20.32] (sun.behrens [192.168.20.32]) by pinky.frank-behrens.de (8.14.1/8.14.1) with ESMTP-MSA id l73ADlHF027701 (version=TLSv1/SSLv3 cipher=DES-CBC3-SHA bits=168 verify=NO); Fri, 3 Aug 2007 12:13:47 +0200 (CEST) (envelope-from frank@pinky.sax.de) Message-Id: <200708031013.l73ADlHF027701@pinky.frank-behrens.de> From: "Frank Behrens" To: Daniel Hartmeier Date: Fri, 03 Aug 2007 12:13:47 +0200 MIME-Version: 1.0 Priority: normal In-reply-to: <20070803095246.GC32306@insomnia.benzedrine.cx> References: <200708021537.l72Fb69k004919@pinky.frank-behrens.de> X-mailer: Pegasus Mail for Windows (4.31, DE v4.31 R1) Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Content-description: Mail message body X-Hashcash: 1:24:070803:freebsd-pf@freebsd.org::ck6vzXLDUXT8wNZW:0000000000007aTY X-Hashcash: 1:24:070803:daniel@benzedrine.cx::CRvEUCvADrSN+RpM:0YKa Cc: freebsd-pf@freebsd.org Subject: Re: pf eates syn packet? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Aug 2007 10:14:01 -0000 Daniel, thanks for your response and your hint. Daniel Hartmeier wrote on 3 Aug 2007 11:52: > Try adding > > set state-policy if-bound Unfortunately it does not help. 
I still get pf: state insert failed: tree_ext_gwy lan: 84.182.247.135:55130 gwy: 84.182.247.135:55130 ext: 193.99.144.85:80 On the other hand this change blocks other traffic from/to jails. Regards, Frank -- Frank Behrens, Osterwieck, Germany PGP-key 0x5B7C47ED on public servers available. From owner-freebsd-pf@FreeBSD.ORG Sat Aug 4 05:40:51 2007 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 355F316A417 for ; Sat, 4 Aug 2007 05:40:51 +0000 (UTC) (envelope-from nicolas.cornu@ch-st-julien.fr) Received: from smtp2f.orange.fr (smtp2f.orange.fr [80.12.242.152]) by mx1.freebsd.org (Postfix) with ESMTP id C6A5913C468 for ; Sat, 4 Aug 2007 05:40:50 +0000 (UTC) (envelope-from nicolas.cornu@ch-st-julien.fr) Received: from smtp2f.orange.fr (mwinf2f23 [10.232.18.123]) by mwinf2f20.orange.fr (SMTP Server) with ESMTP id 84B661D71B42 for ; Fri, 3 Aug 2007 09:38:37 +0200 (CEST) Received: from me-wanadoo.net (localhost [127.0.0.1]) by mwinf2f23.orange.fr (SMTP Server) with ESMTP id 2E5467000089 for ; Fri, 3 Aug 2007 09:38:36 +0200 (CEST) Received: from relais.ch-st-julien.fr (LNeuilly-152-21-111-175.w193-253.abo.wanadoo.fr [193.253.48.175]) by mwinf2f23.orange.fr (SMTP Server) with ESMTP id E9C887000086 for ; Fri, 3 Aug 2007 09:38:35 +0200 (CEST) X-ME-UUID: 20070803073835957.E9C887000086@mwinf2f23.orange.fr Received: from relais.ch-st-julien.fr (localhost [127.0.0.1]) by relais-back.ch-st-julien.fr (Postfix::smtpd) with ESMTP id 06DFC126F68 for ; Fri, 3 Aug 2007 10:38:32 +0200 (CEST) Received: from [172.16.0.41] (unknown [172.16.0.41]) by relais.ch-st-julien.fr (Postfix::smtpd) with ESMTP id D75B0126F67 for ; Fri, 3 Aug 2007 10:38:31 +0200 (CEST) Message-ID: <46B2DB78.7090001@ch-st-julien.fr> Date: Fri, 03 Aug 2007 09:38:32 +0200 From: "nicolas.cornu" User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.4) Gecko/20070608 SeaMonkey/1.1.2 MIME-Version: 1.0 
To: freebsd-pf@freebsd.org
Subject: PF and proxytunnel

Hi,

I'm quite new to the PF experience. I'm trying to set a rule which permits me to log on to my home machine from work by using ssh and proxytunnel (http://proxytunnel.sourceforge.net/). I can't make it work. Each time the firewall is up, my ssh connection is broken. I think it's a flag problem but I can't make it work.

So, this is my rule (and I'm blocking everything by default):

    pass in quick log on $ext_if proto tcp from to $ext_if port 443 flags S/SA keep state

The thing is, in a forum a guy asked me to try with the flag S/SA but it doesn't work. I tried some other flags without any success.

I also got a log of the packets which are blocked:

    16:10:12.437424 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 0:112(112) ack 1 win 32844
    16:10:12.437433 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 1:112(111) ack 1 win 32844
    16:10:12.497175 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: . ack 4294967056 win 32767
    16:10:12.506673 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: . ack 4294967104 win 32767
    16:10:12.516765 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: . ack 4294967200 win 32767
    16:10:12.524137 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: . ack 0 win 32767
    16:10:12.698154 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844
    16:10:12.879724 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win 32767
    16:10:13.086087 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844
    16:10:13.174156 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win 32767
    16:10:13.661987 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844
    16:10:13.761762 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win 32767
    16:10:14.613849 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844
    16:10:14.937784 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win 32767
    16:10:16.317606 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844
    16:10:17.289307 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win 32767
    16:10:17.381429 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844
    16:10:19.309147 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844
    16:10:21.992459 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win 32767
    16:10:22.964584 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844
    16:10:29.280630 rule 0/0(match): block in on tun0: [work_ip_address].58926 > [home_ip_address].443: S 3840383586:3840383586(0) win 5840
    16:10:30.075509 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844
    16:10:31.399531 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win 32767
    16:10:32.279624 rule 0/0(match): block in on tun0: [work_ip_address].58926 > [home_ip_address].443: S 3840383586:3840383586(0) win 5840
    16:10:38.278752 rule 0/0(match): block in on tun0: [work_ip_address].58926 > [home_ip_address].443: S 3840383586:3840383586(0) win 5840
    16:10:44.097373 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844
    16:10:50.211598 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win 32767
    16:10:50.277124 rule 0/0(match): block in on tun0: [work_ip_address].58926 > [home_ip_address].443: S 3840383586:3840383586(0) win 5840
    16:10:51.796096 rule 0/0(match): block in on tun0: [work_ip_address].58951 > [home_ip_address].443: S 3848980265:3848980265(0) win 5840
    16:10:54.795329 rule 0/0(match): block in on tun0: [work_ip_address].58951 > [home_ip_address].443: S 3848980265:3848980265(0) win 5840
    16:10:58.119242 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844
    16:14:05.064569 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58951: P 939245923:939246035(112) ack 3848991638 win 32844

I hope someone can help me.

Regards,
Nicolas
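An added example, not from the post or from pf itself: a small Python parser for pflog lines of the kind shown above that groups the blocked packets by connection and separates blocked bare SYNs (no pass rule matched the new connection) from blocked mid-stream packets (pf had no state entry for an already established connection). The sample lines are constructed from the post with its address placeholders replaced by documentation addresses.

```python
import re
from collections import defaultdict

# Matches the pflog/tcpdump line format shown in the post; the rest of the line is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) rule (?P<rule>\S+): (?P<action>block|pass) "
    r"(?P<dir>in|out) on (?P<ifname>\S+): (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPRU.]+)"
)

# Constructed sample: lines from the post with its [home_ip_address]/[work_ip_address]
# placeholders replaced by documentation addresses (192.0.2.10 = home, 198.51.100.20 = work).
SAMPLE_LOG = [
    "16:10:12.437424 rule 0/0(match): block out on tun0: 192.0.2.10.443 > 198.51.100.20.58797: FP 0:112(112) ack 1 win 32844",
    "16:10:12.497175 rule 0/0(match): block in on tun0: 198.51.100.20.58797 > 192.0.2.10.443: . ack 4294967056 win 32767",
    "16:10:12.879724 rule 0/0(match): block in on tun0: 198.51.100.20.58797 > 192.0.2.10.443: P 1:49(48) ack 0 win 32767",
    "16:10:29.280630 rule 0/0(match): block in on tun0: 198.51.100.20.58926 > 192.0.2.10.443: S 3840383586:3840383586(0) win 5840",
    "16:10:32.279624 rule 0/0(match): block in on tun0: 198.51.100.20.58926 > 192.0.2.10.443: S 3840383586:3840383586(0) win 5840",
]

def parse_line(line):
    """Parse one pflog line into a dict, or return None for a line in another format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    p = m.groupdict()
    src = tuple(p["src"].rsplit(".", 1))   # ("host", "port")
    dst = tuple(p["dst"].rsplit(".", 1))
    p["flow"] = tuple(sorted([src, dst]))  # one key for both directions of a connection
    return p

def summarize(lines):
    """Per flow: how many blocked bare SYNs, how many blocked non-SYN packets, which directions."""
    flows = defaultdict(lambda: {"syn": 0, "midstream": 0, "directions": set()})
    for p in filter(None, map(parse_line, lines)):
        if p["action"] != "block":
            continue
        f = flows[p["flow"]]
        f["directions"].add(p["dir"])
        f["syn" if p["flags"] == "S" else "midstream"] += 1
    return dict(flows)

def label(f):
    """A blocked bare SYN means no pass rule matched the new connection; blocked packets with
    no SYN mean a connection pf holds no state for (e.g. already open when the ruleset was loaded)."""
    if f["syn"] and not f["midstream"]:
        return "new connection: no pass rule matched"
    if f["midstream"] and not f["syn"]:
        return "established connection: no state entry"
    return "mixed: check both the pass rule and state handling"
```

Running `label(summarize(SAMPLE_LOG)[flow])` over each flow separates the two failure modes in the post's log: port 58797 was an existing connection with no state, port 58926 was a fresh connection the pass rule did not match.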