From: Patrick Proniewski <patpro@patpro.net>
Date: Wed, 1 Aug 2007 23:57:29 +0200
To: "Greg Hennessy"
Cc: freebsd-pf@freebsd.org
Subject: Re: strange "throttling" issue with pf on xDSL connection

On 01 August 2007, at 18:21, Greg Hennessy wrote:

>> pass quick on lo0 all
>
> Change this to
>
> set skip on lo0

thanks

>> block drop in log quick on $ext_if from $priv_nets to any
>> block drop out log quick on $ext_if from any to $priv_nets
>
> Superfluous, a default block policy should catch these.

ok

>> pass in on $ext_if inet proto tcp from any to ($ext_if) port
>> $tcp_services flags S/SA keep state
>> pass in on $ext_if inet proto udp from any to ($ext_if) port
>> $udp_services keep state
>
> I tend to avoid using 'any' as a source, use ! instead.

I'm going to try this

>> Absolutely nothing interesting out of `tcpdump -n -e -ttt -i pflog0`
>> Only a bunch of blocks for rule "0":
>
> You need to enable logging on the pass rules to identify which rule number
> the throughput test traffic is matching against.
> Then use pfctl -vsr to identify the precise one.
>
> Looks like someone has compiled out inet6.
>
>> 000000 rule 0/0(match): block in on fxp0: 82.235.245.158 >
>> 82.235.12.223: [|tcp]
>
> You need to increase the snap size. Change the tcpdump on pflog0 whilst
> testing to
>
> tcpdump -s 160 -l -e -tttt -i pflog0
>
> This will give you far more meaningful firewall logs to identify potential
> out of state drops.

I'm afraid it's not better:

2007-08-01 23:46:28.845093 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.56404 > dns2.proxad.net.domain: 41734+ PTR? 23.219.98.87.in-addr.arpa. (43)
2007-08-01 23:46:31.677123 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.62879 > dns2.proxad.net.domain: 55363+ A? test-debit.free.fr. (36)
2007-08-01 23:46:31.728994 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.56732 > dns2.proxad.net.domain: 55364+ AAAA? test-debit.free.fr. (36)
2007-08-01 23:46:31.781738 rule 45/0(match): pass out on fxp0: boleskine.patpro.net.63557 > test-debit-f12.proxad.net.http: S 3953257962:3953257962(0) win 65535
2007-08-01 23:46:39.701327 rule 0/0(match): block in on fxp0: lon92-5-82-235-210-94.fbx.proxad.net.3536 > boleskine.patpro.net.loc-srv: S 3837388923:3837388923(0) win 16384
2007-08-01 23:46:39.925942 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.61629 > dns2.proxad.net.domain: 41735+ PTR? 94.210.235.82.in-addr.arpa. (44)
2007-08-01 23:46:40.237802 rule 0/0(match): block in on fxp0: lon92-5-82-235-210-94.fbx.proxad.net.3536 > boleskine.patpro.net.loc-srv: S 3837388923:3837388923(0) win 16384
2007-08-01 23:46:40.785610 rule 0/0(match): block in on fxp0: lon92-5-82-235-210-94.fbx.proxad.net.3536 > boleskine.patpro.net.loc-srv: S 3837388923:3837388923(0) win 16384
2007-08-01 23:46:42.790998 rule 0/0(match): block in on fxp0: bny93-4-82-235-241-206.fbx.proxad.net.2770 > boleskine.patpro.net.loc-srv: S 3621124191:3621124191(0) win 53760
2007-08-01 23:46:42.978867 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.61813 > dns2.proxad.net.domain: 41736+ PTR? 206.241.235.82.in-addr.arpa. (45)
2007-08-01 23:46:43.243787 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.54854 > dax.tuxfinder.com.ntp: NTPv4, Client, length 48
2007-08-01 23:46:43.243807 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.59333 > ns2.securitbox.com.ntp: NTPv4, Client, length 48
2007-08-01 23:46:43.341997 rule 0/0(match): block in on fxp0: bny93-4-82-235-241-206.fbx.proxad.net.2770 > boleskine.patpro.net.loc-srv: S 3621124191:3621124191(0) win 53760
2007-08-01 23:46:44.029868 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.61406 > dns2.proxad.net.domain: 41737+ PTR? 184.12.191.88.in-addr.arpa. (44)
2007-08-01 23:46:44.095790 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.55154 > dns2.proxad.net.domain: 41738+ PTR? 71.183.1.194.in-addr.arpa. (43)
2007-08-01 23:47:28.858010 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.55632 > dns2.proxad.net.domain: 39554+ PTR? 223.12.235.82.in-addr.arpa. (44)
2007-08-01 23:47:31.338705 rule 41/0(match): pass in on em0: 192.168.0.2.50122 > 192.168.0.1.domain: 9746+ A? www.adobe.com. (31)
2007-08-01 23:47:31.338946 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.domain > dns3.proxad.net.domain: 29295+ [1au] A? www.wip3.adobe.com. (47)
2007-08-01 23:47:32.170346 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.49612 > dns2.proxad.net.domain: 41739+ PTR? 252.53.27.212.in-addr.arpa. (44)
2007-08-01 23:47:44.398133 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.62936 > chihiro.bleu-pastel.org.ntp: NTPv4, Client, length 48
2007-08-01 23:47:47.462629 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.59646 > a5.iliad.fr.ntp: NTPv4, Client, length 48
2007-08-01 23:48:01.521465 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.49673 > ns1.kamino.fr.ntp: NTPv4, Client, length 48
2007-08-01 23:48:02.448834 rule 0/0(match): block in on fxp0: gqp76-2-82-235-245-158.fbx.proxad.net.2488 > boleskine.patpro.net.loc-srv: S 3190942924:3190942924(0) win 64240
2007-08-01 23:48:02.957259 rule 0/0(match): block in on fxp0: gqp76-2-82-235-245-158.fbx.proxad.net.2488 > boleskine.patpro.net.loc-srv: S 3190942924:3190942924(0) win 64240
2007-08-01 23:48:03.655702 rule 0/0(match): block in on fxp0: gqp76-2-82-235-245-158.fbx.proxad.net.2488 > boleskine.patpro.net.loc-srv: S 3190942924:3190942924(0) win 64240
2007-08-01 23:48:09.581381 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.49631 > roxane.home-dn.net.ntp: NTPv4, Client, length 48
2007-08-01 23:48:17.145432 rule 0/0(match): block in on fxp0: she13-1-82-235-225-106.fbx.proxad.net.2730 > boleskine.patpro.net.loc-srv: S 3888078071:3888078071(0) win 64240
2007-08-01 23:48:20.753804 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.53980 > cerber.obs.coe.int.ntp: NTPv4, Client, length 48
2007-08-01 23:48:29.902616 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.57907 > dns2.proxad.net.domain: 18671+ PTR? 223.12.235.82.in-addr.arpa. (44)
2007-08-01 23:48:32.844683 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.58931 > mail1.vetienne.net.ntp: NTPv4, Client, length 48
2007-08-01 23:48:50.138103 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.54854 > dax.tuxfinder.com.ntp: NTPv4, Client, length 48
2007-08-01 23:48:56.174302 rule 0/0(match): block in on fxp0: lju91-3-82-235-167-216.fbx.proxad.net.3230 > boleskine.patpro.net.loc-srv: S 3929104:3929104(0) win 65535
2007-08-01 23:48:56.187805 rule 0/0(match): block in on fxp0: lju91-3-82-235-167-216.fbx.proxad.net.3235 > boleskine.patpro.net.microsoft-ds: S 4121314:4121314(0) win 65535
2007-08-01 23:48:56.268230 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.54083 > dns2.proxad.net.domain: 41740+ PTR? 216.167.235.82.in-addr.arpa. (45)
2007-08-01 23:48:56.745779 rule 0/0(match): block in on fxp0: lju91-3-82-235-167-216.fbx.proxad.net.3235 > boleskine.patpro.net.microsoft-ds: S 4121314:4121314(0) win 65535
2007-08-01 23:48:56.747746 rule 0/0(match): block in on fxp0: lju91-3-82-235-167-216.fbx.proxad.net.3230 > boleskine.patpro.net.loc-srv: S 3929104:3929104(0) win 65535
2007-08-01 23:48:57.253912 rule 0/0(match): block in on fxp0: lju91-3-82-235-167-216.fbx.proxad.net.3235 > boleskine.patpro.net.microsoft-ds: S 4121314:4121314(0) win 65535
2007-08-01 23:48:57.253923 rule 0/0(match): block in on fxp0: lju91-3-82-235-167-216.fbx.proxad.net.3230 > boleskine.patpro.net.loc-srv: S 3929104:3929104(0) win 65535
2007-08-01 23:49:00.942064 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.54689 > dns2.proxad.net.domain: 54137+ PTR? 223.12.235.82.in-addr.arpa. (44)
2007-08-01 23:49:01.362800 rule 41/0(match): pass in on em0: 192.168.0.2.50123 > 192.168.0.1.domain: 18301+ A? www.adobe.com. (31)
2007-08-01 23:49:01.363043 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.domain > dns3.proxad.net.domain: 11699+ [1au] A? www.wip3.adobe.com. (47)
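The advice in the quoted reply is to capture pflog0 with a larger snaplen and then look for out-of-state drops rather than at the rule-0 noise. As an added example that is not part of this thread and not anyone's posted code, the following Python script parses lines in the format `tcpdump -s 160 -l -e -tttt -i pflog0` prints (as reproduced above) and separates blocked bare SYNs (new connections that no pass rule matches, which is what the inbound loc-srv and microsoft-ds entries are) from blocked mid-stream TCP packets (ACK/PSH/FIN on an existing connection), which are the out-of-state drops that would actually explain a stalling throughput test. The sample input embeds four lines from the message above plus two constructed lines showing a blocked reply from the test-debit server; those two lines are invented for illustration and do not appear anywhere in the thread. The flag parsing accepts both the old bare-letter flag syntax shown in the thread and the newer `Flags [..]` form.

```python
"""Sort blocked packets in pflog(4) output into scan noise vs out-of-state drops.

Input is what `tcpdump -s 160 -l -e -tttt -i pflog0` prints: timestamp,
pf rule number, action, direction, interface, endpoints, decoded payload.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) "
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[\w-]+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)
# Older tcpdump prints bare TCP flag letters ("S", ".", "P."); newer releases
# print "Flags [S.]". Accept either at the start of the payload text.
FLAGS_RE = re.compile(
    r"^(?:Flags \[(?P<new>[^\]]*)\]|(?P<old>[SFRPUEW.]+))(?=[,\s]|$)"
)


def split_endpoint(endpoint):
    """'host.example.net.3536' -> ('host.example.net', '3536'); the port may be a service name."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def tcp_flags(rest):
    """TCP flag string for a TCP line, or None for DNS/NTP/other payloads."""
    m = FLAGS_RE.match(rest)
    if not m:
        return None
    return m.group("new") if m.group("new") is not None else m.group("old")


def parse_line(line):
    """Parse one pflog line into a dict, or return None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["src_host"], rec["src_port"] = split_endpoint(rec["src"])
    rec["dst_host"], rec["dst_port"] = split_endpoint(rec["dst"])
    rec["flags"] = tcp_flags(rec["rest"])
    return rec


def classify(rec):
    """pass / block-other / block-new-conn / block-out-of-state."""
    if rec["action"] == "pass":
        return "pass"
    flags = rec["flags"]
    if flags is None:
        return "block-other"            # non-TCP, or payload not decoded
    if flags == "S":
        return "block-new-conn"         # bare SYN: nothing passes it, scan noise
    return "block-out-of-state"         # ACK/PSH/FIN/SYN-ACK blocked: state is missing


def summarize(lines):
    """Count classes per (class, rule, dir, ifname, dst port); return the
    out-of-state records separately so they can be inspected by hand."""
    counts = Counter()
    suspects = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        counts[(kind, rec["rule"], rec["dir"], rec["ifname"], rec["dst_port"])] += 1
        if kind == "block-out-of-state":
            suspects.append(rec)
    return counts, suspects


# Constructed sample: first four lines copied from the thread, the last two
# invented to show what an out-of-state drop of the test server's reply would
# look like (one in old tcpdump syntax, one in the newer "Flags [..]" syntax).
SAMPLE_LOG = """\
2007-08-01 23:46:28.845093 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.56404 > dns2.proxad.net.domain: 41734+ PTR? 23.219.98.87.in-addr.arpa. (43)
2007-08-01 23:46:31.781738 rule 45/0(match): pass out on fxp0: boleskine.patpro.net.63557 > test-debit-f12.proxad.net.http: S 3953257962:3953257962(0) win 65535
2007-08-01 23:46:39.701327 rule 0/0(match): block in on fxp0: lon92-5-82-235-210-94.fbx.proxad.net.3536 > boleskine.patpro.net.loc-srv: S 3837388923:3837388923(0) win 16384
2007-08-01 23:48:56.187805 rule 0/0(match): block in on fxp0: lju91-3-82-235-167-216.fbx.proxad.net.3235 > boleskine.patpro.net.microsoft-ds: S 4121314:4121314(0) win 65535
2007-08-01 23:49:10.000000 rule 0/0(match): block in on fxp0: test-debit-f12.proxad.net.http > boleskine.patpro.net.63557: . ack 1 win 65535
2007-08-01 23:49:10.500000 rule 0/0(match): block in on fxp0: test-debit-f12.proxad.net.http > boleskine.patpro.net.63557: Flags [P.], seq 1:1449, ack 1, win 65535
"""

if __name__ == "__main__":
    import sys
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    counts, suspects = summarize(source)
    for key, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print("%5d  %s rule %d %s on %s -> port %s" % ((n,) + key))
    for rec in suspects:
        print("OUT-OF-STATE", rec["ts"], rec["src"], ">", rec["dst"], "flags", rec["flags"])
```

Pipe a live capture into it (`tcpdump -s 160 -l -e -tttt -i pflog0 | python3 pflog_classify.py`) once logging is enabled on the pass rules; with no stdin it runs over the embedded sample. Blocked bare SYNs to ports nothing passes are expected on a public xDSL address and say nothing about throughput; blocked packets belonging to a connection that rule 45 passed outbound would point at a lost or mismatched state entry.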