From owner-freebsd-pf@FreeBSD.ORG Fri Feb 9 18:13:52 2007 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 1DCFE16A400 for ; Fri, 9 Feb 2007 18:13:52 +0000 (UTC) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (insomnia.benzedrine.cx [62.65.145.30]) by mx1.freebsd.org (Postfix) with ESMTP id 7311B13C48D for ; Fri, 9 Feb 2007 18:13:50 +0000 (UTC) (envelope-from dhartmei@insomnia.benzedrine.cx) Received: from insomnia.benzedrine.cx (localhost.benzedrine.cx [127.0.0.1]) by insomnia.benzedrine.cx (8.13.8/8.13.4) with ESMTP id l19IDqk9020700 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO); Fri, 9 Feb 2007 19:13:52 +0100 (MET) Received: (from dhartmei@localhost) by insomnia.benzedrine.cx (8.13.8/8.12.10/Submit) id l19IDpG1025554; Fri, 9 Feb 2007 19:13:51 +0100 (MET) Date: Fri, 9 Feb 2007 19:13:51 +0100 From: Daniel Hartmeier To: "Kevin K." Message-ID: <20070209181351.GC30276@insomnia.benzedrine.cx> References: <859855731.20070206155625@mail.ru> <002501c749f3$bb1a1dc0$314e5940$@ca> <45C9C94E.8080806@vwsoft.com> <00cc01c74acc$20d9d8c0$628d8a40$@ca> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <00cc01c74acc$20d9d8c0$628d8a40$@ca> User-Agent: Mutt/1.5.12-2006-07-14 Cc: freebsd-pf@freebsd.org Subject: Re: PF & Windows Vista X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Feb 2007 18:13:52 -0000 On Wed, Feb 07, 2007 at 10:24:57AM -0500, Kevin K. wrote: > I was hoping that the issue was simple and common, due to Vista's emphasis > on ipv6 among other networking issues. Either way, below is my entire pf > configuration. I hope it helps. I'm afraid you'll have to do the usual debug routine: 1) enable debug logging (pfctl -xm, output in /var/log/messages) 2) run pfctl -si and store the output 3) pick one external host that reliably reproduces the problem 4) on the external interface, run tcpdump -s 1600 -nvvvSpi $ext_if host $ip and tcp 5) reproduce the problem once, from initial SYN to the point where the connection fails 6) run pfctl -vvss, and note any state entries related to the failed connection 7) re-run pfctl -si and store the output (of interest are any counters increasing besides the obvious ones) 8) check /var/log/messages for any output from pf (related to the failed connection, or at least the host $ip) If you provide the output of those steps, that could narrow it down. In case the results are too large, put them on a web page somehwere and post the URL instead. Daniel