Date: Wed, 26 Mar 2008 09:09:30 +0000
From: Greg Hennessy <Greg.Hennessy@nviz.net>
To: Jeremy Chadwick <koitsu@freebsd.org>
Cc: freebsd-pf@freebsd.org
Subject: Re: Bacula File/Storage Connection Woes using PF
Message-ID: <47EA12CA.90305@nviz.net>
In-Reply-To: <20080326025316.GA68607@eos.sc1.parodius.com>
References: <9DE6EC5B5CF8C84281AE3D7454376A0D6D0290@cetus.dawnsign.com> <20080326025316.GA68607@eos.sc1.parodius.com>
Jeremy Chadwick wrote:
> This isn't a reply to you (Doug), but -- do not blindly use "keep state"
> everywhere!
>

Hard cases make for bad laws. I have got to point out the error in the above statement.

> There's been too many cases I've experienced where using "keep state"
> blindly results in state-mismatch increasing at a very fast rate. When
> I implemented this mentality on our production servers, our users
> started pointing out that scp's between machines would randomly get
> severed mid-stream, same with ssh sessions where large TCP windows were
> used (such as doing 'dmesg' over and over):
>
> http://lists.freebsd.org/pipermail/freebsd-pf/2008-January/004050.html
>

Which (taking a rough guess) looking at your rule set in the above has very little to do with 'keep state' and a lot to do with 'modulate state'. IIRC there is a filed bug which displays all of the aforementioned symptoms when modulate state meets selective acknowledgement (SACK). I'm sure Max has the gory detail, it may even be fixed.

> The "use keep state on everything!" attitude seems to stem from people
> reading the OpenBSD pf.conf documentation, which states that as of
> OpenBSD 4.1, "keep state" is implicit on every rule (meaning it's done
> whether you say "keep state" or not). FreeBSD's pf isn't like this.
>

You miss out the most important bit of the new PF 4.1 state keeping defaults, 'flags S/SA'. Our cousins over the road in the OpenBSD neighbourhood have done this precisely because of the issues caused in prior versions of PF by using stateless rules and/or establishing TCP state on anything other than the 3-way handshake.

> It gets more confusing when you consider the fact that even though UDP
> and ICMP are stateless protocols, pf can keep track of their state too,
> though I don't know if FreeBSD pf supports that (OpenBSD pf does).
>

This is not a flame, but if you really do not know that, you really should not be publicly advocating a position on the basis of incomplete information.

Regards

Greg
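The 'flags S/SA' point Greg makes, shown as a pf.conf fragment added here for illustration (not part of the original thread or either poster's ruleset); the macro names $ext_if and $srv are assumptions:

```pf
# Constructed example. $ext_if and $srv are assumed macros, not from the thread.
ext_if = "em0"
srv    = "192.0.2.10"

# Weak form: a state entry is created by ANY matching TCP packet, including a
# mid-stream ACK or data segment. pf then has to guess window/sequence bounds
# from a packet that was not part of a handshake, and the state-mismatch
# counter climbs as later segments (large windows, SACK blocks) fall outside
# what it inferred. The scp/ssh symptoms in the quoted message look like this.
pass in on $ext_if proto tcp from any to $srv port ssh keep state

# Preferred form, equivalent to the OpenBSD 4.1 default: 'flags S/SA' means
# "of the SYN and ACK bits, only SYN may be set", so state is created only by
# the first packet of a 3-way handshake and tracked from there. Packets for
# connections pf has no state for are simply not matched by this rule.
pass in on $ext_if proto tcp from any to $srv port ssh flags S/SA keep state

# 'modulate state' additionally rewrites initial sequence numbers. Greg's
# reply attributes the reported breakage to modulate state meeting SACK, so
# prefer plain 'keep state' with 'flags S/SA' unless ISN modulation is needed.

# To check whether a ruleset is producing the symptom Jeremy describes:
#   pfctl -si | grep state-mismatch      (counter should stay flat)
#   pfctl -ss                            (inspect the live state table)
```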