From: Ruben van Staveren
To: Tim Bishop
Cc: bz@FreeBSD.org, freebsd-stable@FreeBSD.org, freebsd-pf@FreeBSD.org
Date: Mon, 2 Sep 2013 12:22:11 +0200
Subject: Re: Stiil a regression with jails/IPv6/pf?
Message-Id: <8A6CE540-7AF3-4472-B0CC-A222036557C0@verweg.com>
In-Reply-To: <20130831194951.GC44979@carrick-users.bishnet.net>

Hi,

On 31 Aug 2013, at 21:49, Tim Bishop wrote:

> Hi all,
>
> This is regarding kern/170070 and these two threads from last year:
>
> http://lists.freebsd.org/pipermail/freebsd-stable/2012-July/068987.html
> http://lists.freebsd.org/pipermail/freebsd-stable/2012-August/069043.html
>
> I'm running stable/9 r255017 and I'm seeing the same issue, even with
> the fix Bjoern committed in r238876.

This is still with "modulate state" in some rules that also hit ipv6
traffic?

It almost looks like doing this kind of traffic alteration is considered
harmful for IPv6
http://forums.freebsd.org/showthread.php?t=36595

If that is the case, then this should be applicable only to ipv4
traffic, without requiring specific knowledge from the user

>
> My setup is a dual stack one (IPv6 is done through an IPv4 tunnel) and
> the problem is only with IPv6. I have jails with both IPv4 and IPv6
> addresses, and I use pf to rdr certain ports to certain jails.
> With IPv6 I'm seeing failed checksums on the packets coming back out of
> my system, both with UDP and TCP.
>
> If I connect over IPv6 to the jail host it works fine. If I connect over
> IPv6 to a jail directly (they have routable addresses, but I prefer them
> to all be masked behind the single jail host normally), it works fine.
> So the only failure case is when it goes through a rdr rule in pf.
>
> This system replaces a previous one running stable/8 which worked fine
> with the same pf config file.
>
> Has anyone got any suggestions on what I can do to fix this or to debug
> it further?
>
> Thanks,
>
> Tim.
>
> --
> Tim Bishop
> http://www.bishnet.net/tim/
> PGP Key: 0x6C226B37FDF38D55


From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 2 Sep 2013 11:06:49 GMT
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Message-Id: <201309021106.r82B6nkm016118@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/179392  pf         [pf] [ip6] Incorrect TCP checksums in rdr return packe
o kern/177810  pf         [pf] traffic dropped by accepting rules is not counted
o kern/177808  pf         [pf] [patch] route-to rule forwarding traffic inspite
o kern/176763  pf         [pf] [patch] Removing pf Source entries locks kernel.
o kern/176268  pf         [pf] [patch] synproxy not working with route-to
o kern/173659  pf         [pf] PF fatal trap on 9.1 (taskq fatal trap on pf_test
o bin/172888   pf         [patch] authpf(8) feature enhancement
o kern/172648  pf         [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet
o kern/171733  pf         [pf] PF problem with modulate state in [regression]
o kern/169630  pf         [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf         [pf] direction scrub rules don't work
o kern/168190  pf         [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336  pf         [pf] kern.securelevel 3 +pf reload
o kern/165315  pf         [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf         [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf         [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf         [pf] PF state key linking mismatch
o kern/160370  pf         [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o kern/87074   pf         [pf] pf does not log dropped packets when max-* statef
a kern/86752   pf         [pf] pf does not use default timeouts when reloading c
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

55 problems total.

From: Tim Bishop
To: Ruben van Staveren
Cc: bz@FreeBSD.org, freebsd-stable@FreeBSD.org, freebsd-pf@FreeBSD.org
Date: Mon, 2 Sep 2013 20:33:52 +0100
Subject: Re: Stiil a regression with jails/IPv6/pf?
Message-ID: <20130902193352.GA18004@carrick-users.bishnet.net>
In-Reply-To: <8A6CE540-7AF3-4472-B0CC-A222036557C0@verweg.com>

Hi,

On Mon, Sep 02, 2013 at 12:22:11PM +0200, Ruben van Staveren wrote:
> On 31 Aug 2013, at 21:49, Tim Bishop wrote:
> > This is regarding kern/170070 and these two threads from last year:
> >
> > http://lists.freebsd.org/pipermail/freebsd-stable/2012-July/068987.html
> > http://lists.freebsd.org/pipermail/freebsd-stable/2012-August/069043.html
> >
> > I'm running stable/9 r255017 and I'm seeing the same issue, even with
> > the fix Bjoern committed in r238876.
>
> This is still with "modulate state" in some rules that also hit ipv6
> traffic?

No, I'm not using "modulate state". Only "keep state".

> It almost looks like doing this kind of traffic alteration is
> considered harmful for IPv6
> http://forums.freebsd.org/showthread.php?t=36595

So it doesn't look like that's the same problem. It's certainly similar
(IPv6 and pf), but doesn't involve the rdr rule or jails.
IPv6 is otherwise working fine through pf.

Tim.

> If that is the case, then this should be applicable only to ipv4
> traffic, without requiring specific knowledge from the user
>
> >
> > My setup is a dual stack one (IPv6 is done through an IPv4 tunnel) and
> > the problem is only with IPv6. I have jails with both IPv4 and IPv6
> > addresses, and I use pf to rdr certain ports to certain jails. With IPv6
> > I'm seeing failed checksums on the packets coming back out of my system,
> > both with UDP and TCP.
> >
> > If I connect over IPv6 to the jail host it works fine. If I connect over
> > IPv6 to a jail directly (they have routable addresses, but I prefer them
> > to all be masked behind the single jail host normally), it works fine.
> > So the only failure case is when it goes through a rdr rule in pf.
> >
> > This system replaces a previous one running stable/8 which worked fine
> > with the same pf config file.
> >
> > Has anyone got any suggestions on what I can do to fix this or to debug
> > it further?
> >
> > Thanks,
> >
> > Tim.

--
Tim Bishop
http://www.bishnet.net/tim/
PGP Key: 0x6C226B37FDF38D55


From: Lisa Muir <34.24.34@gmail.com>
To: freebsd-pf@freebsd.org
Date: Fri, 6 Sep 2013 00:49:50 +0100
Subject: pf -v- cached imap connections in Thunderbird on windows

Guys,

Got a problem that I have reproduced on multiple sites, each time with
Windows clients, xp, win7 and win8, each time with Thunderbird accessing
an IMAP server, which I have reproduced on my own site with win 7, but
can't reproduce with my Debian icedove mail against the same server.

Symptom - everything works fine initially, but after a period, when a
user clicks on a new message, the mail client sits there for a very long
time before loading the message. Restarting the mail client in safe mode,
or just restarting it resolves the issue.

Reducing the number of cached imap connections in the account from the
default 5 to 1 improves the situation but does not cure it.

Cannot reproduce the problem on sites using the same mailserver which are
not behind a PF gateway.

I believe that PF has killed the cached connection, and when TB tries to
talk through it, it patiently waits for an answer.

I've looked at the
set timeout option value
directive for pf, but cannot determine if it is what I want. Will changing
the "interval" or "src.track" likely help my situation if I am correct in
thinking that it is PF that is killing the cached connection before TB
has finished with it?

Lisa.


From: Patrick Lamaiziere
To: Lisa Muir <34.24.34@gmail.com>
Cc: freebsd-pf@freebsd.org
Date: Fri, 6 Sep 2013 10:21:03 +0200
Subject: Re: pf -v- cached imap connections in Thunderbird on windows
Message-ID: <20130906102103.6327c323@mr129166>

On Fri, 6 Sep 2013 00:49:50 +0100, Lisa Muir <34.24.34@gmail.com> wrote:

Hello,

> I believe that PF has killed the cached connection, and when TB tries
> to talk through it, it patiently waits for an answer.
>
> I've looked at the
> set timeout option value
> directive for pf, but cannot determine if it is what I want.

Do not change this if you don't know. Instead check the number of states,
and increase it. By default the time-out is auto-adaptive and is
decreased when the number of free states is low.

# pfctl -sinfo
Interface Stats for all               IPv4             IPv6
  Bytes In                  23874479976647        412340231
...
State Table                          Total             Rate
  current entries                   191268 <=====

# pfctl -smem
states        hard limit  1000000
src-nodes     hard limit    10000
frags         hard limit     1536
tables        hard limit     1000
table-entries hard limit   200000

(the states limit is 1,000,000 here)
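
Added example, not part of Patrick's message and not code from the pf project: a small sh script that reads the two pfctl outputs shown above and works out how far the adaptive scaling he mentions has shortened the state timeouts. It assumes the pf.conf(5) defaults (adaptive.start at 60% and adaptive.end at 120% of the state limit, tcp.established 86400 seconds); the function names are made up for this example and the sample text is constructed from the figures quoted above.

```shell
#!/bin/sh
# Added example: estimate how pf's adaptive timeouts scale state lifetimes.
# Assumption: pf.conf(5) defaults, i.e. adaptive.start = 60% and
# adaptive.end = 120% of the state limit, tcp.established = 86400 s.

# Constructed sample input, using the figures quoted in the message above
# and laid out like trimmed `pfctl -sinfo` / `pfctl -smem` output.
SAMPLE_INFO='State Table                          Total             Rate
  current entries                   191268'
SAMPLE_MEM='states        hard limit  1000000
src-nodes     hard limit    10000'

# Read `pfctl -sinfo` text on stdin, print the current number of states.
current_states() {
    awk '$1 == "current" && $2 == "entries" { print $3; exit }'
}

# Read `pfctl -smem` text on stdin, print the states hard limit.
state_limit() {
    awk '$1 == "states" && $2 == "hard" && $3 == "limit" { print $4; exit }'
}

# adaptive_percent <states> <limit>: timeout scale factor in percent.
# Up to adaptive.start timeouts are unscaled (100); between start and end
# they shrink linearly by (end - states) / (end - start); at end they are 0.
adaptive_percent() {
    states=$1 limit=$2
    start=$(( limit * 60 / 100 ))
    end=$(( limit * 120 / 100 ))
    if [ "$states" -le "$start" ]; then
        echo 100
    elif [ "$states" -ge "$end" ]; then
        echo 0
    else
        echo $(( (end - states) * 100 / (end - start) ))
    fi
}

# effective_timeout <base-seconds> <states> <limit>: scaled timeout.
effective_timeout() {
    echo $(( $1 * $(adaptive_percent "$2" "$3") / 100 ))
}

# report <sinfo-text> <smem-text>: one summary line for a gateway.
report() {
    cur=$(printf '%s\n' "$1" | current_states)
    lim=$(printf '%s\n' "$2" | state_limit)
    pct=$(adaptive_percent "$cur" "$lim")
    est=$(effective_timeout 86400 "$cur" "$lim")
    echo "states=$cur limit=$lim scale=${pct}% tcp.established=${est}s"
}

report "$SAMPLE_INFO" "$SAMPLE_MEM"
# On a live gateway (as root): report "$(pfctl -sinfo)" "$(pfctl -smem)"
```

With the figures quoted above the table is below adaptive.start, so the timeouts are unscaled; a gateway at 9000 states against a 10000-state limit would already have them halved.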