Date: Sun, 7 Dec 2014 10:39:41 +0100 From: Michele Mazzucchi <m.mazzucchi@keencons.com> To: freebsd-pf@freebsd.org Subject: TCP retransmission on rdr pass or nat pass Message-ID: <632B9CC6-AF5D-45A2-A26F-C50220F36A56@keencons.com>
Hello folks,

A few weeks ago I noticed random resets in ssh connections. Commands generating short response sequences were unaffected, while those producing much output (e.g. scp or cat) would reset the ssh connection. Log messages going "pf: BAD state: TCP in wire" helped track the issue down to PF.

I broke down a "rdr" rule from

    rdr pass proto tcp from any to $jail2_pubip port $jail2_tcpports -> $jail2_privip

to

    rdr proto tcp from any to $jail2_pubip port $jail2_tcpports -> $jail2_privip
    [… ; block in log ; pass out quick]
    pass in quick proto tcp from any to $jail2_privip port $jail2_tcpports

This surprisingly solved the issue.

I'm not clear here: "pass" rules now default to "keep state", but this seems to only apply when they belong to the "Filtering" region. What's their behavior when they decorate RDR rules? Also, why does the lack of a state produce such unpredictable resets?

cheers
-m
