Date: Wed, 1 Aug 2007 23:57:29 +0200
From: Patrick Proniewski <patpro@patpro.net>
To: "Greg Hennessy" <Greg.Hennessy@nviz.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: strange "throttling" issue with pf on xDSL connection
Message-ID: <8CA48FBF-A30E-41C8-BABD-28050BCA5038@patpro.net>
In-Reply-To: <000701c7d458$068f1780$13ad4680$@Hennessy@nviz.net>
References: <DE71F511-8553-401A-A16C-DF4CAA5DA6E3@patpro.net> <001101c7d441$0f61aa10$2e24fe30$@Hennessy@nviz.net> <569F9080-B78F-400B-B3C5-FCA05F04BF80@patpro.net> <000701c7d458$068f1780$13ad4680$@Hennessy@nviz.net>
On 01 August 2007, at 18:21, Greg Hennessy wrote:

>> pass quick on lo0 all
>
> Change this to
>
> set skip on lo0

thanks

>> block drop in log quick on $ext_if from $priv_nets to any
>> block drop out log quick on $ext_if from any to $priv_nets
>
> Superfluous, a default block policy should catch these.

ok

>> pass in on $ext_if inet proto tcp from any to ($ext_if) port
>> $tcp_services flags S/SA keep state
>> pass in on $ext_if inet proto udp from any to ($ext_if) port
>> $udp_services keep state
>
> I tend to avoid using 'any' as a source, use !<LAN-Subnets> instead.

I'm going to try this

>> Absolutely nothing interesting out of `tcpdump -n -e -ttt -i pflog0`
>> Only a bunch of blocks for rule "0":
>
> You need to enable logging on the pass rules to identify which rule
> number the throughput test traffic is matching against.
> Then use pfctl -vsr to identify the precise one.
>
> Looks like someone has compiled out inet6.
>
>> 000000 rule 0/0(match): block in on fxp0: 82.235.245.158 >
>> 82.235.12.223: [|tcp]
>
> You need to increase the snap size. Change the tcpdump on pflog0 whilst
> testing to
>
> tcpdump -s 160 -l -e -tttt -i pflog0
>
> This will give you far more meaningful firewall logs to identify potential
> out of state drops.

I'm afraid it's not better:

2007-08-01 23:46:28.845093 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.56404 > dns2.proxad.net.domain: 41734+ PTR? 23.219.98.87.in-addr.arpa. (43)
2007-08-01 23:46:31.677123 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.62879 > dns2.proxad.net.domain: 55363+ A? test-debit.free.fr. (36)
2007-08-01 23:46:31.728994 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.56732 > dns2.proxad.net.domain: 55364+ AAAA? test-debit.free.fr. (36)
2007-08-01 23:46:31.781738 rule 45/0(match): pass out on fxp0: boleskine.patpro.net.63557 > test-debit-f12.proxad.net.http: S 3953257962:3953257962(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 87477621 0,sackOK,eol>
2007-08-01 23:46:39.701327 rule 0/0(match): block in on fxp0: lon92-5-82-235-210-94.fbx.proxad.net.3536 > boleskine.patpro.net.loc-srv: S 3837388923:3837388923(0) win 16384 <mss 1460,nop,nop,sackOK>
2007-08-01 23:46:39.925942 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.61629 > dns2.proxad.net.domain: 41735+ PTR? 94.210.235.82.in-addr.arpa. (44)
2007-08-01 23:46:40.237802 rule 0/0(match): block in on fxp0: lon92-5-82-235-210-94.fbx.proxad.net.3536 > boleskine.patpro.net.loc-srv: S 3837388923:3837388923(0) win 16384 <mss 1460,nop,nop,sackOK>
2007-08-01 23:46:40.785610 rule 0/0(match): block in on fxp0: lon92-5-82-235-210-94.fbx.proxad.net.3536 > boleskine.patpro.net.loc-srv: S 3837388923:3837388923(0) win 16384 <mss 1460,nop,nop,sackOK>
2007-08-01 23:46:42.790998 rule 0/0(match): block in on fxp0: bny93-4-82-235-241-206.fbx.proxad.net.2770 > boleskine.patpro.net.loc-srv: S 3621124191:3621124191(0) win 53760 <mss 1460,nop,wscale 3,nop,nop,timestamp 0 0,nop,nop,sackOK>
2007-08-01 23:46:42.978867 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.61813 > dns2.proxad.net.domain: 41736+ PTR? 206.241.235.82.in-addr.arpa. (45)
2007-08-01 23:46:43.243787 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.54854 > dax.tuxfinder.com.ntp: NTPv4, Client, length 48
2007-08-01 23:46:43.243807 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.59333 > ns2.securitbox.com.ntp: NTPv4, Client, length 48
2007-08-01 23:46:43.341997 rule 0/0(match): block in on fxp0: bny93-4-82-235-241-206.fbx.proxad.net.2770 > boleskine.patpro.net.loc-srv: S 3621124191:3621124191(0) win 53760 <mss 1460,nop,wscale 3,nop,nop,timestamp 0 0,nop,nop,sackOK>
2007-08-01 23:46:44.029868 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.61406 > dns2.proxad.net.domain: 41737+ PTR? 184.12.191.88.in-addr.arpa. (44)
2007-08-01 23:46:44.095790 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.55154 > dns2.proxad.net.domain: 41738+ PTR? 71.183.1.194.in-addr.arpa. (43)
2007-08-01 23:47:28.858010 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.55632 > dns2.proxad.net.domain: 39554+ PTR? 223.12.235.82.in-addr.arpa. (44)
2007-08-01 23:47:31.338705 rule 41/0(match): pass in on em0: 192.168.0.2.50122 > 192.168.0.1.domain: 9746+ A? www.adobe.com. (31)
2007-08-01 23:47:31.338946 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.domain > dns3.proxad.net.domain: 29295+ [1au] A? www.wip3.adobe.com. (47)
2007-08-01 23:47:32.170346 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.49612 > dns2.proxad.net.domain: 41739+ PTR? 252.53.27.212.in-addr.arpa. (44)
2007-08-01 23:47:44.398133 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.62936 > chihiro.bleu-pastel.org.ntp: NTPv4, Client, length 48
2007-08-01 23:47:47.462629 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.59646 > a5.iliad.fr.ntp: NTPv4, Client, length 48
2007-08-01 23:48:01.521465 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.49673 > ns1.kamino.fr.ntp: NTPv4, Client, length 48
2007-08-01 23:48:02.448834 rule 0/0(match): block in on fxp0: gqp76-2-82-235-245-158.fbx.proxad.net.2488 > boleskine.patpro.net.loc-srv: S 3190942924:3190942924(0) win 64240 <mss 1460,nop,nop,sackOK>
2007-08-01 23:48:02.957259 rule 0/0(match): block in on fxp0: gqp76-2-82-235-245-158.fbx.proxad.net.2488 > boleskine.patpro.net.loc-srv: S 3190942924:3190942924(0) win 64240 <mss 1460,nop,nop,sackOK>
2007-08-01 23:48:03.655702 rule 0/0(match): block in on fxp0: gqp76-2-82-235-245-158.fbx.proxad.net.2488 > boleskine.patpro.net.loc-srv: S 3190942924:3190942924(0) win 64240 <mss 1460,nop,nop,sackOK>
2007-08-01 23:48:09.581381 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.49631 > roxane.home-dn.net.ntp: NTPv4, Client, length 48
2007-08-01 23:48:17.145432 rule 0/0(match): block in on fxp0: she13-1-82-235-225-106.fbx.proxad.net.2730 > boleskine.patpro.net.loc-srv: S 3888078071:3888078071(0) win 64240 <mss 1460,nop,nop,sackOK>
2007-08-01 23:48:20.753804 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.53980 > cerber.obs.coe.int.ntp: NTPv4, Client, length 48
2007-08-01 23:48:29.902616 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.57907 > dns2.proxad.net.domain: 18671+ PTR? 223.12.235.82.in-addr.arpa. (44)
2007-08-01 23:48:32.844683 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.58931 > mail1.vetienne.net.ntp: NTPv4, Client, length 48
2007-08-01 23:48:50.138103 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.54854 > dax.tuxfinder.com.ntp: NTPv4, Client, length 48
2007-08-01 23:48:56.174302 rule 0/0(match): block in on fxp0: lju91-3-82-235-167-216.fbx.proxad.net.3230 > boleskine.patpro.net.loc-srv: S 3929104:3929104(0) win 65535 <mss 1460,nop,nop,sackOK>
2007-08-01 23:48:56.187805 rule 0/0(match): block in on fxp0: lju91-3-82-235-167-216.fbx.proxad.net.3235 > boleskine.patpro.net.microsoft-ds: S 4121314:4121314(0) win 65535 <mss 1460,nop,nop,sackOK>
2007-08-01 23:48:56.268230 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.54083 > dns2.proxad.net.domain: 41740+ PTR? 216.167.235.82.in-addr.arpa. (45)
2007-08-01 23:48:56.745779 rule 0/0(match): block in on fxp0: lju91-3-82-235-167-216.fbx.proxad.net.3235 > boleskine.patpro.net.microsoft-ds: S 4121314:4121314(0) win 65535 <mss 1460,nop,nop,sackOK>
2007-08-01 23:48:56.747746 rule 0/0(match): block in on fxp0: lju91-3-82-235-167-216.fbx.proxad.net.3230 > boleskine.patpro.net.loc-srv: S 3929104:3929104(0) win 65535 <mss 1460,nop,nop,sackOK>
2007-08-01 23:48:57.253912 rule 0/0(match): block in on fxp0: lju91-3-82-235-167-216.fbx.proxad.net.3235 > boleskine.patpro.net.microsoft-ds: S 4121314:4121314(0) win 65535 <mss 1460,nop,nop,sackOK>
2007-08-01 23:48:57.253923 rule 0/0(match): block in on fxp0: lju91-3-82-235-167-216.fbx.proxad.net.3230 > boleskine.patpro.net.loc-srv: S 3929104:3929104(0) win 65535 <mss 1460,nop,nop,sackOK>
2007-08-01 23:49:00.942064 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.54689 > dns2.proxad.net.domain: 54137+ PTR? 223.12.235.82.in-addr.arpa. (44)
2007-08-01 23:49:01.362800 rule 41/0(match): pass in on em0: 192.168.0.2.50123 > 192.168.0.1.domain: 18301+ A? www.adobe.com. (31)
2007-08-01 23:49:01.363043 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.domain > dns3.proxad.net.domain: 11699+ [1au] A? www.wip3.adobe.com. (47)
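One way to read a pflog dump like the one above, as an added example that is not part of the original thread: a small Python parser for the `tcpdump -e -tttt -i pflog0` line format quoted in the mail, which counts packets per rule/action/direction (the "which rule is the traffic hitting" question Greg raises) and flags inbound SYNs that were blocked and then retransmitted unchanged. A repeated SYN with the same sequence number means the peer never got a SYN/ACK, so those lines are unsolicited connection attempts, not out-of-state drops of an existing flow. The sample lines are copied from the output quoted above; the regex and function names are this example's own.

```python
import re
from collections import Counter

# One pflog line as printed by `tcpdump -e -tttt -i pflog0` (the format quoted in the mail).
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)
# Sample input: lines copied from the pflog output quoted in the mail above.
SAMPLE_LOG = """\
2007-08-01 23:46:31.677123 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.62879 > dns2.proxad.net.domain: 55363+ A? test-debit.free.fr. (36)
2007-08-01 23:46:39.701327 rule 0/0(match): block in on fxp0: lon92-5-82-235-210-94.fbx.proxad.net.3536 > boleskine.patpro.net.loc-srv: S 3837388923:3837388923(0) win 16384 <mss 1460,nop,nop,sackOK>
2007-08-01 23:46:39.925942 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.61629 > dns2.proxad.net.domain: 41735+ PTR? 94.210.235.82.in-addr.arpa. (44)
2007-08-01 23:46:40.237802 rule 0/0(match): block in on fxp0: lon92-5-82-235-210-94.fbx.proxad.net.3536 > boleskine.patpro.net.loc-srv: S 3837388923:3837388923(0) win 16384 <mss 1460,nop,nop,sackOK>
2007-08-01 23:48:56.187805 rule 0/0(match): block in on fxp0: lju91-3-82-235-167-216.fbx.proxad.net.3235 > boleskine.patpro.net.microsoft-ds: S 4121314:4121314(0) win 65535 <mss 1460,nop,nop,sackOK>
"""

def parse_pflog(lines):
    """Return one dict per line that matches PFLOG_RE; anything else is skipped."""
    entries = []
    for line in lines:
        m = PFLOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["dport"] = e["dst"].rsplit(".", 1)[-1]  # tcpdump prints host.port
            entries.append(e)
    return entries

def summarize(entries):
    """Packets per (rule number, action, direction, interface)."""
    return Counter((e["rule"], e["action"], e["dir"], e["iface"]) for e in entries)

def blocked_inbound_ports(entries):
    """Destination ports of inbound packets dropped by the default block rule."""
    return Counter(e["dport"] for e in entries if e["action"] == "block" and e["dir"] == "in")

def repeated_syns(entries):
    """Blocked inbound SYNs repeated with identical src, dst and sequence number:
    the peer is retransmitting because no SYN/ACK ever came back."""
    seen = Counter()
    for e in entries:
        if e["action"] == "block" and e["dir"] == "in" and e["rest"].startswith("S "):
            seen[(e["src"], e["dst"], e["rest"].split()[1])] += 1
    return {k: n for k, n in seen.items() if n > 1}

if __name__ == "__main__":
    parsed = parse_pflog(SAMPLE_LOG.splitlines())
    print(summarize(parsed), blocked_inbound_ports(parsed), repeated_syns(parsed))
```

Feed it the real capture with `tcpdump -l -e -tttt -i pflog0 | python3 pflog_summary.py` style piping (reading `sys.stdin` instead of `SAMPLE_LOG`) to see which rule numbers the throughput test actually matches once the pass rules log.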