From: Jason Mattax
Date: Tue, 24 Jul 2012 23:05:38 -0600
To: Daniel Hartmeier
Cc: freebsd-pf@freebsd.org
Subject: Re: PF suddenly malfunctioned

On 07/24/2012 11:12 AM, Daniel Hartmeier wrote:
> On Tue, Jul 24, 2012 at 08:41:54AM -0600, Jason Mattax wrote:
> If the upstream router does HTTP inspection, it might be buggy (since
> the thunderstorm? :) and react to different HTTP headers. Or it might
> run (broken) antivirus patterns on the HTTP result? Can you disable
> any layer 7 inspection?
> I'd tcpdump with -s 1600 -X to capture a working links connection. Then
> extract the exact HTTP GET request from the hex dump. Then try to send
> that with printf | nc. That should work equally well. If so, remove
> headers until you hit the bug again.
>
> Or just replace the upstream device (router, ISP modem?) and see if it
> goes away.
>

I was going to go through these in order, but decided I could do some of the faster items first. As it turns out I had a "spare" DSL modem around because Qwest told me that it would work with the new faster internet I was purchasing from them, plugged that in and it seems to work fine.

The thing about my network that I forgot was that the DSL modem is not protected from lightning by a UPS on the phone line, and unfortunately it can't be (protecting it causes it to lose all DSL signal because of the crappy phone lines in my house). The phone line comes from the wall straight to the DSL modem, then the Ethernet comes from the DSL modem to my UPS to protect the rest of the network.

Sorry for the long and complicated thread when there wasn't actually an issue with the PF filter. Also, thank you all for donating your time to help resolve this issue.

--
Jason Mattax
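
The header-elimination test suggested in the quoted reply (replay a captured GET with printf | nc, then remove headers), sketched as an added example that is not part of the original thread. It drops one header per variant rather than removing them cumulatively; the request, host name and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: stand-in for a GET request extracted from a
# tcpdump -s 1600 -X hex dump of a working connection (not from the thread).
REQUEST_LINE='GET / HTTP/1.1'
HEADERS='Host: www.example.org
User-Agent: Links (2.7; FreeBSD 9.0 amd64)
Accept: */*
Accept-Language: en
Connection: close'

# header_count: number of captured header lines.
header_count() {
    printf '%s\n' "$HEADERS" | wc -l | tr -d ' '
}

# build_request SKIP: print the request with CRLF line endings, leaving out
# header number SKIP (1-based; 0 keeps all). Host is never dropped, because
# an HTTP/1.1 request without it is rejected by the server itself.
build_request() {
    skip=$1
    printf '%s\r\n' "$REQUEST_LINE"
    n=0
    printf '%s\n' "$HEADERS" | while IFS= read -r h; do
        n=$((n + 1))
        case $h in Host:*) keep=1 ;; *) keep=0 ;; esac
        if [ "$n" -ne "$skip" ] || [ "$keep" -eq 1 ]; then
            printf '%s\r\n' "$h"
        fi
    done
    printf '\r\n'
}

# replay_all HOST PORT: send every variant and show the first response line,
# so a variant that stalls or resets stands out from the ones that answer.
replay_all() {
    i=0
    while [ "$i" -le "$(header_count)" ]; do
        printf 'variant %s: ' "$i"
        build_request "$i" | nc -w 5 "$1" "$2" | head -n 1
        i=$((i + 1))
    done
}

# Runs only when called as: sh replay.sh replay HOST PORT
if [ "${1:-}" = "replay" ]; then
    replay_all "$2" "$3"
fi
```

A variant that answers while variant 0 (all headers) does not points at the header it omits as the one the upstream device reacts to.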