From owner-freebsd-pf@FreeBSD.ORG Wed Mar 26 09:09:48 2008
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 13622106566B for ; Wed, 26 Mar 2008 09:09:48 +0000 (UTC) (envelope-from Greg.Hennessy@nviz.net)
Received: from v-smtp-auth-relay-1.gradwell.net (v-smtp-auth-relay-1.gradwell.net [79.135.125.40]) by mx1.freebsd.org (Postfix) with ESMTP id 57F8E8FC2E for ; Wed, 26 Mar 2008 09:09:47 +0000 (UTC) (envelope-from Greg.Hennessy@nviz.net)
Received: from 87-194-161-157.bethere.co.uk ([87.194.161.157] helo=[192.168.0.227] country=GB ident=gregh*pop3&nviz$net) by v-smtp-auth-relay-1.gradwell.net with esmtpa (Gradwell gwh-smtpd 1.287) id 47ea12eb.1106.16ed; Wed, 26 Mar 2008 09:10:03 +0000 (envelope-sender )
Message-ID: <47EA12CA.90305@nviz.net>
Date: Wed, 26 Mar 2008 09:09:30 +0000
From: Greg Hennessy
User-Agent: Thunderbird 2.0.0.12 (Windows/20080213)
MIME-Version: 1.0
To: Jeremy Chadwick
References: <9DE6EC5B5CF8C84281AE3D7454376A0D6D0290@cetus.dawnsign.com> <20080326025316.GA68607@eos.sc1.parodius.com>
In-Reply-To: <20080326025316.GA68607@eos.sc1.parodius.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-pf@freebsd.org
Subject: Re: Bacula File/Storage Connection Woes using PF
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 26 Mar 2008 09:09:48 -0000

Jeremy Chadwick wrote:
> This isn't a reply to you (Doug), but -- do not blindly use "keep state"
> everywhere!

Hard cases make for bad laws. I have got to point out the error in the above statement.

> There's been too many cases I've experienced where using "keep state"
> blindly results in state-mismatch increasing at a very fast rate. When
> I implemented this mentality on our production servers, our users
> started pointing out that scp's between machines would randomly get
> severed mid-stream, same with ssh sessions where large TCP windows were
> used (such as doing 'dmesg' over and over):
>
> http://lists.freebsd.org/pipermail/freebsd-pf/2008-January/004050.html

Which (taking a rough guess) looking at your rule set in the above has very little to do with 'keep state' and a lot to do with 'modulate state'. IIRC there is a filed bug which displays all of the aforementioned symptoms when modulate state meets selective acknowledgement (SACK). I'm sure Max has the gory detail, it may even be fixed.

> The "use keep state on everything!" attitude seems to stem from people
> reading the OpenBSD pf.conf documentation, which states that as of
> OpenBSD 4.1, "keep state" is implicit on every rule (meaning it's done
> whether you say "keep state" or not). FreeBSD's pf isn't like this.

You miss out the most important bit of the new PF 4.1 state keeping defaults, 'flags S/SA'. Our cousins over the road in the OpenBSD neighbourhood have done this precisely because of the issues caused in prior versions of PF by using stateless rules and/or establishing TCP state on anything other than the 3 way handshake.

> It gets more confusing when you consider the fact that even though UDP
> and ICMP are stateless protocols, pf can keep track of their state too,
> though I don't know if FreeBSD pf supports that (OpenBSD pf does).

This is not a flame, but if you really do not know that, you really should not be publicly advocating a position on the basis of incomplete information.

Regards
Greg
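As an added illustration of the distinction Greg draws between bare 'keep state' and the OpenBSD 4.1 'flags S/SA keep state' default (this fragment is not part of the thread and is not taken from either poster's rule set), here is a pf.conf excerpt that puts the loose rule, the handshake-only rule and the 'modulate state' variant side by side. The interface name, the macro names and the port list are assumptions chosen for the example; the Bacula ports are the daemons' usual defaults and are used here only because the thread is about Bacula.

```pf
# Added example, not from the mailing-list thread.
# $ext_if, $tcp_services and the port numbers are assumed placeholders.
ext_if       = "em0"
tcp_services = "{ 22, 9101, 9102, 9103 }"   # ssh plus Bacula dir/fd/sd

set skip on lo0
block in log on $ext_if

# Loose form (commented out). Without 'flags', pf will create a state
# entry from whatever TCP packet first matches the rule, including a
# mid-connection ACK, so a flow can end up tracked from the middle rather
# than from its SYN. This is the "state on anything other than the
# 3 way handshake" case Greg refers to.
# pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services keep state

# Handshake-only form, equivalent to the OpenBSD 4.1 default: a state is
# created only by a packet with SYN set and ACK clear (S/SA), i.e. the
# first leg of the three-way handshake, and every later packet must match
# that existing state.
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services \
    flags S/SA keep state

# 'modulate state' additionally rewrites the connection's initial sequence
# numbers. Greg's point in the thread is that the mid-stream scp/ssh drops
# in the linked report track this option (in combination with SACK), not
# plain 'keep state', so it is kept separate here and applied only to ssh.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 \
    flags S/SA modulate state

# Outbound: the same SYN-only discipline, so return traffic rides on
# state rather than on a separate stateless 'pass out' rule.
pass out on $ext_if proto tcp from ($ext_if) to any flags S/SA keep state
```

`pfctl -nf /path/to/pf.conf` parses the file without loading it. The `state-mismatch` counter that Jeremy mentions is visible under `Counters` in `pfctl -si`, so it can be sampled before and after tightening the rules to confirm that the change, rather than something else, stopped the counter climbing.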