Date: Sun, 7 Dec 2014 10:39:41 +0100 From: Michele Mazzucchi <m.mazzucchi@keencons.com> To: freebsd-pf@freebsd.org Subject: TCP retransmission on rdr pass or nat pass Message-ID: <632B9CC6-AF5D-45A2-A26F-C50220F36A56@keencons.com>
Hello folks,

A few weeks ago I noticed random resets in ssh connections. Commands generating short response sequences were unaffected, while those producing much output (e.g. scp or cat) would reset the ssh connection.

Log messages going "pf: BAD state: TCP in wire" helped track the issue down to PF.

I broke down an "rdr" rule from

    rdr pass proto tcp from any to $jail2_pubip port $jail2_tcpports -> $jail2_privip

to

    rdr proto tcp from any to $jail2_pubip port $jail2_tcpports -> $jail2_privip
    [... ; block in log ; pass out quick]
    pass in quick proto tcp from any to $jail2_privip port $jail2_tcpports

This surprisingly solved the issue. I'm not clear here: "pass" rules now default to "keep state", but this seems to only apply when they belong to the "Filtering" region. What's their behavior when they decorate RDR rules?

Also, why does the lack of a state produce such unpredictable resets?

cheers
-m
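The split form the post arrived at, written out as an added pf.conf example that is not the poster's own ruleset; the interface name and the macro values are placeholders I assumed, and state keeping is spelled out rather than left to the default.

```pf
# Added example, not from the original message. Interface and
# addresses are placeholders; replace with the real values.
ext_if         = "em0"
jail2_pubip    = "192.0.2.10"        # public address of the jail
jail2_privip   = "10.0.0.10"         # private address inside the jail
jail2_tcpports = "{ 22, 80, 443 }"

# Translation only: with no "pass" on the rdr rule the rewritten
# packet continues into the filter section below, where the
# destination it is matched against is already $jail2_privip.
rdr on $ext_if proto tcp from any to $jail2_pubip port $jail2_tcpports -> $jail2_privip

# Default deny, logged to pflog0 so stray packets can be inspected.
block in log on $ext_if

# Filter rule for the translated traffic. "keep state" is the default
# for pass rules but is written out so the intent is explicit;
# "flags S/SA" creates the state only from the initial SYN, so later
# segments of the connection are matched by the state table rather
# than by re-evaluating the ruleset.
pass in quick on $ext_if proto tcp from any to $jail2_privip port $jail2_tcpports flags S/SA keep state

# Replies from the jail back out.
pass out quick on $ext_if proto tcp keep state
```

Check the ruleset with `pfctl -vnf /etc/pf.conf` before loading it, then confirm a state entry exists for a live session with `pfctl -ss | grep 10.0.0.10`; blocked or "BAD state" packets can be watched with `tcpdump -n -e -ttt -i pflog0`.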