From owner-freebsd-pf@FreeBSD.ORG  Mon Sep 12 04:03:06 2011
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 9BF791065670
	for <freebsd-pf@freebsd.org>; Mon, 12 Sep 2011 04:03:06 +0000 (UTC)
	(envelope-from pingmai@yahoo.com)
Received: from nm28-vm2.bullet.mail.ne1.yahoo.com
	(nm28-vm2.bullet.mail.ne1.yahoo.com [98.138.91.128])
	by mx1.freebsd.org (Postfix) with SMTP id 41C2D8FC1B
	for <freebsd-pf@freebsd.org>; Mon, 12 Sep 2011 04:03:05 +0000 (UTC)
Received: from [98.138.90.56] by nm28.bullet.mail.ne1.yahoo.com with NNFMP;
	12 Sep 2011 04:03:05 -0000
Received: from [98.138.89.254] by tm9.bullet.mail.ne1.yahoo.com with NNFMP;
	12 Sep 2011 04:03:05 -0000
Received: from [127.0.0.1] by omp1046.mail.ne1.yahoo.com with NNFMP;
	12 Sep 2011 04:03:05 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 38815.68586.bm@omp1046.mail.ne1.yahoo.com
Received: (qmail 46664 invoked by uid 60001); 12 Sep 2011 04:03:04 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024;
	t=1315800184; bh=K98TMVvO+aw52AqchAZlpXAmTZZs76MloEJW16vrkU4=;
	h=X-YMail-OSG:Received:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type;
	b=T7GexM5GGykkFGbQ3ZfabQygYmQ4x1732fQHj3T0MtUCqKOMK8Zt0D1g0vjAET3OqVP5epg0NIZFDyyw30t1MGuHAV7gJmFJldefBYhHGNIYGgDkvn+dxLrxGBIUn7kbjIhKKCJZgSm1jhEtjc9Tm27FMYaYPZ5/WXp7ui4PoSU=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com;
	h=X-YMail-OSG:Received:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type;
	b=n9HOcV2sOL81SoCjgzfKo00H4Mmoqlvg1d+mRXqySTGoKV0X+s9nXMo9dktT/iMZqTKLS3xfmnMobtgXMnQ1pRqeFMPMSUAppQPKhJ7guXkTpT/Z/wylocj9BJ8pLYS05Vs657g15NN0ERY77H5mN+ejJlXnDIU3/8I/LVUTLs8=;
X-YMail-OSG: 0PL.ReMVM1n_3lxEPQgel4a57PigZudVYLfaWsiOWtxigpz
	fUZsiGYSq3o7BoWjPmCeCfZ4ELamItMvzFsfkwZZqKYl7ippkFylBUzdBrg4
	ZcmzoR658baajXapCfDzUsasPPVYkNpqCD9XIOx8adec27Cw.anvtWbXf.AY
	6Fu4kdRFG3lPikRCQAVayAcwFaVz4QtASnf.9FZy8_0aDkCEN342LuTt_tAQ
	F6qNDZB6cSROf53sIqRh8Y0VRU_hzBIHWb2rTPBGVhVLncZuD40rqRLjFiEw
	dEZ3tDly6dz.ybtz5cwndgqwUKOwO.WA7H80aCUEzpPffplglwWZmf6NlLuQ
	iCnKaYBv3nGPR7Xhi9Oxlp2q3g15JXk2VGJ.spHGu15Sn.qdzHSUkUvD9nwm
	m7iTA.PfCGRw5LFavb5ti_WMkTGjliJeTaw83l4Ao6AJ6.ZWDWkWeocChrPs
	B572s_JxTP2nLIVCima5RgtbPb_BOEK_gp9l1HJ8iLQwm_.2AJeAH2dbjNR6
	zndPK8AElfCWhH8QgdUF1990fNbiIpkT.kJJg25PG6ezvVSxj7yL2.eNQWBI
	2vjFQWwkgTOcpzpgFQaL10GfCgsdT4ZbAzUX5I2Drnxn74pDfAuDNBJpiSA- -
Received: from [67.180.178.51] by web121718.mail.ne1.yahoo.com via HTTP;
	Sun, 11 Sep 2011 21:03:04 PDT
X-Mailer: YahooMailWebService/0.8.113.315625
References: <1315780040.76570.YahooMailNeo@web121719.mail.ne1.yahoo.com>
	<1315794923.94330.YahooMailNeo@web121718.mail.ne1.yahoo.com>
Message-ID: <1315800184.36016.YahooMailNeo@web121718.mail.ne1.yahoo.com>
Date: Sun, 11 Sep 2011 21:03:04 -0700 (PDT)
From: Ping Mai <pingmai@yahoo.com>
To: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
In-Reply-To: <1315794923.94330.YahooMailNeo@web121718.mail.ne1.yahoo.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Subject: Re: pf slow connect on smtp
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Ping Mai <pingmai@yahoo.com>
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Sep 2011 04:03:06 -0000

the problem was SYN was coming in at one ext IF and ACK going out another.=
=A0 thanks to my friend tcpdump.=0A=0Athis is not as restrictive as i would=
 like but at least access to internal services is working on both ext IF.=
=A0 =0A=0Anow i want to configure load balancing on outbound traffic.=A0 he=
lp anyone?=0A=0A=0A#----------- pf.conf ----------------=0A=0Aset require-o=
rder yes=0Ascrub in all=0Anat on $dsl_if from <internal> -> $dsl_if=0Anat o=
n $com_if from <internal> -> $com_if=0Ardr on $dsl_if proto tcp from any to=
 $dsl_if port $tcp_services -> $iserver=0Ardr pass on $com_if proto tcp fro=
m any to $com_if port $tcp_services -> $iserver=0Ablock out log all=0Ablock=
 in log all=0Apass quick on lo0=0Aantispoof quick for { lo0 $dsl_if $com_if=
 $dmz_if $int_if}=0Apass out log on $dsl_if keep state=0Apass out log on $c=
om_if keep state=0Apass log on $int_if keep state=0Apass log on $dmz_if fro=
m any to ! $int_if:network keep state=0Apass in log on $dsl_if proto tcp to=
 $dsl_if port { smtp, smtps }=0Apass in log on $com_if proto tcp to $com_if=
 port { smtp, smtps }=0Apass in on $dsl_if proto { tcp, udp } to $dsl_if po=
rt {domain}=0Apass in on $com_if proto { tcp, udp } to $com_if port {domain=
}=0Apass in on $com_if proto { tcp, udp } to port {bootpc}=0Apass in inet p=
roto icmp all icmp-type $icmp_types=0Apass out log on $dsl_if route-to ($co=
m_if $com_gw) from $com_if=0Apass out log on $com_if route-to ($dsl_if $dsl=
_gw) from $dsl_if keep state=0Apass in quick on $dsl_if reply-to ($dsl_if $=
dsl_gw ) flags S/SA keep state=0A=0A=0A=0A________________________________=
=0AFrom: Ping Mai <pingmai@yahoo.com>=0ATo: "freebsd-pf@freebsd.org" <freeb=
sd-pf@freebsd.org>=0ASent: Sunday, September 11, 2011 7:35 PM=0ASubject: pf=
 slow connect on smtp=0A=0A=0Aadded this line at the end and incoming smtp =
is working on both external interfaces:=0A=0Apass in quick on $dsl_if reply=
-to ($dsl_if $dsl_gw ) flags S/SA keep state=0A=0A=0A______________________=
__________=0AFrom: Ping Mai <pingmai@yahoo.com>=0ATo: "freebsd-pf@freebsd.o=
rg" <freebsd-pf@freebsd.org>=0ASent: Sunday, September 11, 2011 3:27 PM=0AS=
ubject: slow=0A=0A=0AHi, =0A=0AI'm new to pf.=A0 hoping for some help with =
pf.conf.=0A=0AFreeBSD 5.5 router.=A0 2 external interfaces, $com_if and $ds=
l_if.=A0 The default route is set to $com_if.=0A=0Aincoming smtp to $com_if=
 seems to work fine.=0A=0A=0Aincoming smtp to $dsl_if is the problem.=A0 co=
nnect to tcp/25 is fast.=A0 but after I issue a 'ehlo ...'=A0 there's a del=
ay of ~1 minute before the reply comes back.=A0 from that point on the exch=
ange works just fine.=0AThe problem is most MTA don't wait that long.=A0 th=
ey simply drop the connection.=0A=0Atcpdump of pflog0 sees the incoming tcp=
/25, outgoing from tcp/25 gets routed to $dsl_if (dc3).=A0 after that, look=
s like it does an 'ident' and a DNS lookup. then it just sits there for min=
utes.=0A=0Awhat's wrong with my pf.conf?=0A=0A#----------------- tcpdump --=
----------------=0A=0A000000 rule 16/0(match): pass in on dc3: IP 100.100.1=
00.153.63225 > 12.34.56.40.25: S 743439640:743439640(0) win 65535 <mss 1460=
,nop,wscale 3,[|tcp]>=0A000083 rule 28/0(match): pass out on dc0: IP 12.34.=
56.40.25 > 100.100.100.153.63225: S 2206509942:2206509942(0) ack 743439641 =
win 65535 <mss 1460,nop,wscale 1,[|tcp]>=0A000023 rule 12/0(match): pass ou=
t on dc3: IP 12.34.56.40.25 > 100.100.100.153.63225: S 2206509942:220650994=
2(0) ack 743439641 win 65535 <mss 1460,nop,wscale 1,[|tcp]>=0A080881 rule 2=
8/0(match): pass out on dc0: IP 12.34.56.40.64647 > 100.100.100.153.113: S =
1468481550:1468481550(0) win 65535 <mss 1460,nop,nop,sackOK,[|tcp]>=0A00002=
7 rule 12/0(match): pass out on dc3: IP 12.34.56.40.64647 > 100.100.100.153=
.113: S 1468481550:1468481550(0) win 65535 <mss=0A 1460,nop,nop,sackOK,[|tc=
p]>=0A082959 rule 13/0(match): pass out on dc0: IP 23.45.67.51.62568 > 23.4=
5.57.182.53:=A0 50336+ [1au][|domain]=A0 =0A=0A#------------------ pf.conf =
------------------------------------------------------=0Aint_if =3D "dc1"=
=0A=0Adsl_if =3D "dc3"=0Acom_if =3D "dc0"=0Admz_if =3D "dc2"=0Aint_net =3D =
"10.1.100.0/24"=0Admz_net =3D "10.1.101.0/24"=0Adsl_gw=3D"12.34.56.1"=0A=0A=
com_gw=3D"23.45.67.1"=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=
=A0=A0 # default route=0A=0Aiserver=3D"10.1.100.99"=0A=0Atcp_services=3D"{ =
http https }"=0A=0Aicmp_types=3D"echoreq"=0A=0Atable <internal> { $int_net,=
 $dmz_net }=0A=0Aset loginterface $dsl_if=0Aset loginterface $com_if=0Aset =
optimization normal=0Aset block-policy return=0Aset require-order yes=0A=0A=
=0Ascrub in all=0Anat on $dsl_if from <internal> -> $dsl_if=0Anat on $com_i=
f from <internal> -> $com_if=0A=0Ardr pass on $dsl_if proto tcp from any to=
 $dsl_if port $tcp_services -> $iserver=0Ardr pass on $com_if proto=0A tcp =
from any to $com_if=0A port $tcp_services -> $iserver=0A=0Ablock out log al=
l=0Ablock in log all=0Apass quick on lo0=0A=0Aantispoof quick for { lo0 $ds=
l_if $com_if $dmz_if $int_if}=0A=0Apass out log on $dsl_if=0Apass out log o=
n $com_if=0A=0Apass log on $int_if keep state=0Apass log on $dmz_if from an=
y to ! $int_if:network keep state=0A=0Apass in log on $dsl_if proto tcp to =
$dsl_if port { smtp, smtps }=0Apass in log on $com_if proto tcp to $com_if =
port { smtp, smtps }=0Apass in on $dsl_if proto { tcp, udp } to $dsl_if por=
t {domain}=0Apass in on $com_if proto { tcp, udp } to $com_if port {domain}=
=0Apass in on $com_if proto { tcp, udp } to port {bootpc}=0A=0Apass in inet=
 proto icmp all icmp-type $icmp_types=0A=0Apass out log on $dsl_if route-to=
 ($com_if $com_gw) from $com_if=0Apass out log on $com_if route-to ($dsl_if=
 $dsl_gw) from=0A $dsl_if=0A#----------------------------------------------=
--------------------------