Date: Mon, 23 Jul 2012 12:05:21 +0200
From: Daniel Hartmeier
To: jmattax@clanspum.net
Cc: freebsd-pf@freebsd.org
Subject: Re: PF suddenly malfunctioned
Message-ID: <20120723100521.GC32530@insomnia.benzedrine.cx>

If you can reliably reproduce the problem with en.wikipedia.org, I
suggest the following:

On the firewall

1) enable verbose logging with pfctl -xm
2) save the output of pfctl -si and netstat -s
3) run the following three tcpdumps in parallel, and save the output:

     tcpdump -s 1600 -nvvvpSi xl0 'host 91.198.174.225'
     tcpdump -s 1600 -nvvvpSi re0 'host 91.198.174.225'
     tcpdump -s 1600 -nvvveeepi pflog0

On a client

4) printf "GET /wiki/Main_Page HTTP/1.1\r\nHost: en.wikipedia.org\r\n\r\n" | nc -v 91.198.174.225 80 | wc -c
5) this should hang until some timeout occurs, you need only wait 10s.

Back on the firewall

6) re-run pfctl -si and netstat -s (again saving the output)
7) stop the tcpdumps
8) check /var/log/messages for anything from pf

Then post the outputs :)

Daniel
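
Steps 2 and 6 above save pfctl -si before and after the test so that the totals can be compared. The following is an added example of that comparison, not part of the original message; the function names and file names are assumptions, and the sample pfctl -si output is constructed.

```shell
#!/bin/sh
# Usage: pf_si_delta si-before.txt si-after.txt
# Prints "name<TAB>before<TAB>after<TAB>delta" for every `pfctl -si` total
# that changed. Handles the "State Table" and "Counters" sections; lines with
# a different layout (e.g. Interface Stats) are ignored.
pf_si_delta() {
    awk '
    # Counter lines are indented: "  name   total   [rate/s]".
    function parse(line,    n, f, i, last) {
        n = split(line, f, " ")
        last = (f[n] ~ /\/s$/) ? n - 1 : n   # skip the trailing rate column
        if (last < 2 || f[last] !~ /^[0-9]+$/) return 0
        name = f[1]
        for (i = 2; i < last; i++) name = name " " f[i]
        value = f[last]
        return 1
    }
    /^[ \t]+[a-z]/ {
        if (!parse($0)) next
        if (FNR == NR) { before[name] = value; next }   # first file: remember
        if ((name in before) && value != before[name])
            printf "%s\t%d\t%d\t%+d\n", name, before[name], value, value - before[name]
    }' "$1" "$2"
}

# Constructed sample data (not taken from the thread).
pf_si_delta_demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/before" <<'EOF'
State Table                          Total             Rate
  current entries                       12
  searches                           23456           38.3/s
Counters
  match                               1234            2.0/s
  state-mismatch                         3            0.0/s
  short                                  0            0.0/s
EOF
    cat > "$dir/after" <<'EOF'
State Table                          Total             Rate
  current entries                       12
  searches                           23501           38.1/s
Counters
  match                               1236            2.0/s
  state-mismatch                        19            0.0/s
  short                                  0            0.0/s
EOF
    pf_si_delta "$dir/before" "$dir/after"
    rm -rf "$dir"
}
```

A counter that rises only during the 10s window of step 5 narrows down which pf check the hanging connection is hitting, and can be matched against the pflog0 capture from step 3.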