From owner-freebsd-pf@FreeBSD.ORG Wed Aug 1 16:21:36 2007
From: "Greg Hennessy" <Greg.Hennessy@nviz.net>
To: "'Patrick Proniewski'"
Cc: freebsd-pf@freebsd.org
Date: Wed, 1 Aug 2007 17:21:33 +0100
Subject: RE: strange "throttling" issue with pf on xDSL connection
In-Reply-To: <569F9080-B78F-400B-B3C5-FCA05F04BF80@patpro.net>
Message-ID: <000701c7d458$068f1780$13ad4680$@Hennessy@nviz.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

> # filter rules
> block log all
> block in log quick proto tcp from to any port smtp
> block in log quick proto tcp from to any port ssh
> block in log quick proto tcp from to any port http
>
> pass quick on lo0 all

Change this to set skip on lo0

> block drop in log quick on $ext_if from $priv_nets to any
> block drop out log quick on $ext_if from any to $priv_nets

Superfluous, a default block policy should catch these.

> pass in on $ext_if inet proto tcp from any to ($ext_if) port
> $tcp_services flags S/SA keep state
> pass in on $ext_if inet proto udp from any to ($ext_if) port
> $udp_services keep state

I tend to avoid using 'any' as a source, use ! instead.

> > and trawling the logs for drops around the
> > same time as the transfers are underway would be useful.
>
> Absolutely nothing interesting out of `tcpdump -n -e -ttt -i pflog0`
> Only a bunch of blocks for rule "0":

You need to enable logging on the pass rules to identify which rule number
the throughput test traffic is matching against. Then use pfctl -vsr to
identify the precise one.

Looks like someone has compiled out inet6.

> 000000 rule 0/0(match): block in on fxp0: 82.235.245.158 >
> 82.235.12.223: [|tcp]

You need to increase the snap size. Change the tcpdump on pflog0 whilst
testing to

tcpdump -s 160 -l -e -tttt -i pflog0

This will give you far more meaningful firewall logs to identify potential
out of state drops.

Greg

> I've found this in /var/log/debug.log:
> ../..
> Aug 1 14:00:01 boleskine pflogd[410]: [priv]: msg PRIV_OPEN_LOG received
> Aug 1 16:00:02 boleskine pflogd[410]: [priv]: msg PRIV_OPEN_LOG received
> ../..
>
> But I believe it's not related to my problem at all.
>
> regards,
> patpro
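Greg's two pieces of advice (log the pass rules so the rule number behind the throttled traffic can be read off, and raise the tcpdump snaplen so pflog0 records are not truncated to "[|tcp]") amount to a small log-triage exercise. The script below is an added example written for this page, not code from either mail author; it assumes the classic single-line text format tcpdump prints for the pflog interface ("rule N/M(match): ACTION DIR on IFACE: SRC > DST: ...") and runs over constructed sample lines, since real output varies between tcpdump versions. It counts records per (action, direction, rule number) so the numbers can be matched against pfctl -vsr, reports how many records were truncated by a too-small snaplen, and singles out blocked mid-stream TCP segments (ACK set, no SYN), which is the pattern one looks for when suspecting out-of-state drops.

```python
"""Triage pflog0 tcpdump output: per-rule counts, truncation, out-of-state suspects.

Added example for the thread above; the log lines are constructed and the
line format is an assumption about tcpdump's pflog text output.
"""
import re
from collections import Counter

# Constructed sample of `tcpdump -l -e -tttt -i pflog0` output. The first two
# lines mimic a too-small snaplen (payload summarised as "[|tcp]"); the rest
# mimic what a larger snaplen shows, including ports and TCP flags.
SAMPLE_PFLOG = """\
2007-08-01 14:12:01.000001 rule 0/0(match): block in on fxp0: 82.235.245.158 > 82.235.12.223: [|tcp]
2007-08-01 14:12:01.000230 rule 0/0(match): block in on fxp0: 82.235.245.158 > 82.235.12.223: [|tcp]
2007-08-01 14:12:02.104411 rule 0/0(match): block in on fxp0: 82.235.245.158.51234 > 82.235.12.223.80: . ack 1 win 65535
2007-08-01 14:12:02.104512 rule 7/0(match): pass in on fxp0: 82.235.245.158.51235 > 82.235.12.223.80: S 10:10(0) win 65535
2007-08-01 14:12:03.000004 rule 0/0(match): block in on fxp0: 82.235.245.158.51234 > 82.235.12.223.80: . ack 2 win 65535
"""

# Assumed pflog text layout; anything that does not match is skipped.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)


def parse_pflog(text):
    """Return one dict per parseable pflog line (timestamp prefix is ignored)."""
    records = []
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["rule"] = int(rec["rule"])
            records.append(rec)
    return records


def is_truncated(rec):
    """True when tcpdump could not decode the header (snaplen too small)."""
    return rec["rest"].startswith("[|")


def is_midstream_block(rec):
    """Blocked TCP segment with ACK and without SYN: a candidate out-of-state drop."""
    if rec["action"] != "block" or is_truncated(rec):
        return False
    flags = rec["rest"].split()[0]  # e.g. "S", ".", "P", "F"
    return "S" not in flags and " ack " in f" {rec['rest']} "


def summarise(text):
    """Aggregate a pflog capture into the figures worth checking against pfctl -vsr."""
    records = parse_pflog(text)
    by_rule = Counter((r["action"], r["dir"], r["rule"]) for r in records)
    return {
        "by_rule": dict(by_rule),
        "truncated": sum(1 for r in records if is_truncated(r)),
        "suspect_out_of_state": [r for r in records if is_midstream_block(r)],
    }


if __name__ == "__main__":
    s = summarise(SAMPLE_PFLOG)
    for (action, direction, rule), n in sorted(s["by_rule"].items()):
        print(f"{action} {direction} rule {rule}: {n} record(s)")
    print(f"{s['truncated']} truncated record(s); raise tcpdump -s if non-zero")
    for r in s["suspect_out_of_state"]:
        print(f"possible out-of-state drop: {r['src']} > {r['dst']} ({r['rest']})")
```

Run it on a real capture by replacing SAMPLE_PFLOG with the saved tcpdump output; the rule numbers in the per-rule counts are the ones to look up with pfctl -vsr, and a non-zero truncated count means the capture still needs the larger snaplen before the mid-stream check can say anything.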