From: "Thomas T. Veldhouse"
Date: Fri, 17 Sep 2004 09:13:47 -0500
To: Max Laier
Cc: freebsd-pf@freebsd.org
Subject: Re: PF Issue with BETA4
Message-ID: <414AF11B.1070806@veldy.net>
In-Reply-To: <200409171114.05717.max@love2party.net>

Max Laier wrote:

>On Friday 17 September 2004 05:00, Thomas T. Veldhouse wrote:
>
>>It seems that, at least with the PF devices built into the kernel, that
>>an issue arises during shutdown. As I was rebooting the server, I
>>noticed that the disks were syncing and yet there was a huge amount of
>>traffic on my router to the Internet. Upon inspection, packets were
>>still passing through the kernel and a large download was still going on
>>through a kernel that should have long ago quit passing traffic! In
>>other words, it appears that the NAT function of PF does not shut down as
>>it should while the OS is shutting down. Traffic ceases almost
>>immediately with IPFW and IPFILTER.
>
>Hmmm? So you are saying that staying up as long as possible is an error? I
>don't quite see the point in shutting down early. If you still want to, you
>can script it somewhere.
>"echo block all | pfctl -Fa -f-"

Well ... what is the state of the firewall at this time? Is it just stateful connections that are open? IPFW and IPFILTER both close these connections immediately. I am reasonably sure that this should probably behave similarly to the other packet filters.

Tom Veldhouse