From owner-freebsd-questions@FreeBSD.ORG Sat Jul 21 12:30:08 2007
Message-Id: <200707211229.l6LCTqiL001484@ns2.sixcompanies.com>
Date: Sat, 21 Jul 2007 07:29:53 -0500
To: Jordan Gordeev
From: JD Bronson
In-Reply-To: <46A1EA91.5000306@dir.bg>
References: <200702252202.l1PM2r46003312@cheyenne.sixcompanies.com> <720051dc0702260052v8e4d2b2v9bbca164bfe87a4b@mail.gmail.com> <200702261159.l1QBx46X006755@cheyenne.sixcompanies.com> <46A1EA91.5000306@dir.bg>
Cc: max@love2party.net, freebsd-questions@freebsd.org
Subject: Re: pf and keep/modulate state on 6.2

thanks for the update on this.
I had forgotten about it since I just stopped using modulate state (is it really needed anymore?). Then, at the beginning of this month I moved my firewall/router back over to OpenBSD 4.1 to stay more current with pf instead of running -CURRENT within FreeBSD. This fix really should be incorporated into 6.2-STABLE or even 6.2-STANDARD I think. I wonder how many people use this and don't even know it's messed up?

-JD

At 02:14 PM 7/21/2007 +0300, Jordan Gordeev wrote:
>J.D. Bronson wrote:
>>At 02:52 AM 02/26/2007, you wrote:
>>
>>>Wow, this fixed my FTP-over-DSL-to-6.2 problem too. With modulate
>>>state, I was getting ~30K/sec. With just keep state, I'm now getting
>>>more like what my connection is capable of. This is between two 6.2
>>>hosts on opposite sides of the Atlantic.
>>>
>>>Ted, I use pf because I like the format of the configuration file, I
>>>like the logging and pftop, and like how it's harder to lock yourself
>>>out of a remote machine by accident :)
>>>
>>>/JMS
>>
>>I use pf since it's newer (I think?) and I came from OpenBSD... pf
>>just works and the config file is nice and sweet.
>>I had thought that modulate state would put a load on my proc, but
>>sheesh, it's a P4-3.06 - that's more than robust for a router.
>>I wonder if we should file a bug on this?
>>I am glad my post helped here. I still use modulate state for any
>>INCOMING connections though (www/smtp/etc).
>
>
>I'm replying to an old and long-forgotten thread to report my recent findings.
>There's a bug in PF with modulate/synproxy state. Modulate/synproxy
>state modulate sequence numbers, but don't modulate sequence numbers
>in TCP SACK options. Some firewalls block TCP segments with sequence
>numbers in the SACK option pointing outside the window, which causes
>connection stalls. The bug was fixed in OpenBSD with revision 1.509
>of src/sys/net/pf.c about a year and a half ago. The bug is present
>in FreeBSD-STABLE. A fix for the bug was imported in FreeBSD-CURRENT
>with the big import of PF from OpenBSD 4.1.
>I'm CC-ing Max to notify him of the bug present in -STABLE and to
>ask him to deal with the issue by either porting the fix from
>OpenBSD, or by documenting that modulate/synproxy state is broken.
>_______________________________________________
>freebsd-questions@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
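The mis-translation Jordan describes, as an added example that is not part of this thread or of pf's own code: a constructed peer reply in modulated (on-the-wire) sequence space is translated back toward the host, once leaving the SACK edges untouched (the -STABLE behaviour) and once shifting them by the same delta as the ACK number (what the OpenBSD pf.c fix does); `sack_in_window` models the strict firewall check that drops the unfixed segment. All function names, the byte offsets and the delta value are assumptions made up for this example.

```python
import struct
M = 0xFFFFFFFF  # 32-bit TCP sequence-number mask

def build_sack_option(blocks):
    """Encode SACK blocks as TCP options: NOP, NOP, kind 5, length, edge pairs."""
    body = b"".join(struct.pack("!II", left, right) for left, right in blocks)
    return b"\x01\x01" + bytes([5, 2 + len(body)]) + body

def parse_sack_blocks(opts):
    """Return the (left, right) SACK blocks found in a TCP options string."""
    i, blocks = 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # end-of-options
            break
        if kind == 1:            # NOP padding
            i += 1
            continue
        length = opts[i + 1]
        if kind == 5:            # SACK: a run of 8-byte (left, right) pairs
            data = opts[i + 2:i + length]
            for j in range(0, len(data), 8):
                blocks.append(struct.unpack("!II", data[j:j + 8]))
        i += length
    return blocks

def translate_reply(ack, blocks, delta, rewrite_sack):
    """Shift a reply's ACK back by delta; only the fixed behaviour shifts SACK edges too."""
    new_ack = (ack - delta) & M
    if rewrite_sack:
        blocks = [((l - delta) & M, (r - delta) & M) for l, r in blocks]
    return new_ack, blocks

def sack_in_window(ack, window, blocks):
    """True if every SACK block lies in (ack, ack + window] mod 2**32 (strict firewall check)."""
    for left, right in blocks:
        off_l, off_r = (left - ack) & M, (right - ack) & M
        if not (off_l < off_r <= window):
            return False
    return True

def demo(rewrite_sack, delta=0x2A6F1E00):
    """Constructed peer reply in wire space: ACK at host byte 5000, SACK for 6000-7000 (delta made up).
    Returns (translated ack, translated blocks, passes window check)."""
    wire_ack = (5000 + delta) & M
    opts = build_sack_option([((6000 + delta) & M, (7000 + delta) & M)])
    ack, blocks = translate_reply(wire_ack, parse_sack_blocks(opts), delta, rewrite_sack)
    return ack, blocks, sack_in_window(ack, 65535, blocks)
```

With `rewrite_sack=False` the ACK is translated but the SACK block stays roughly 712 MB above it, so the window check fails and the segment would be dropped, which is the stall the thread reports.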