From: Tom Uffner <tom@uffner.com>
To: freebsd-pf@freebsd.org
Subject: nfs send errors
Date: Tue, 29 Apr 2008 18:13:54 -0400
Message-ID: <48179DA2.10303@uffner.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

My kernel is logging errors like these:

Apr 26 04:15:13 xiombarg kernel: nfs send error 1 for server 10.69.69.21:/data0/music
Apr 27 23:20:21 xiombarg kernel: nfs send error 1 for server 10.69.69.21:/data0/music
Apr 29 15:35:07 xiombarg kernel: nfs send error 1 for server 10.69.69.21:/data0/music

NFS does not seem to be affected. It appears to retry the send w/ a new
connection. All of my nfs mounts are affected, not just the one shown above.

It looks as if the firewall is blocking packets due to state timeouts, but
states should persist for up to 86400 seconds depending upon state table size,
and although I am nowhere near the max table size, a state appears to have
gone away in less than 2469 seconds:

14:53:58.835812 rule 45/0(match): pass out on rl0: xiombarg.uffner.com.713 > 10.69.69.21.nfsd: S 1077685507:1077685507(0) win 65535
15:35:07.667381 rule 0/0(match): block out on rl0: xiombarg.uffner.com.713 > 10.69.69.21.nfsd: P 1077857136:1077857240(104) ack 1091504052 win 16588
15:35:07.667571 rule 45/0(match): pass out on rl0: xiombarg.uffner.com.1023 > 10.69.69.21.nfsd: S 772434453:772434453(0) win 65535

This is the pf config for the firewall between my desktop (xiombarg) and a
mostly trusted DMZ where the nfs server lives (10.69.69.0/24). (It also
contains rules controlling traffic to & from the internet which duplicate the
ones on my exterior firewall.)

# macros
ext_if = "rl0"
local_ip = "{ 127.0.0.1 10.69.69.60 71.162.143.94 207.245.121.212 }"
local_tcp_services = "{ 111 143 587 993 4949 5432 }"  # sunrpc, imap, submission, imaps, munin, postgres
global_tcp_services = "{ 22 25 53 80 143 443 993 }"   # ssh, smtp, domain, http, imap, https, imaps
local_udp_services = "{ 111 514 }"                    # sunrpc, syslog
global_udp_services = "{ 53 123 }"                    # domain, ntp
icmp_types = "echoreq"

# tables
# NOTE: the table name between angle brackets was lost when this message was
# archived (pf syntax is: table <name> persist file "..."); the same name is
# referenced as "from <name>" in the ssh block rule below.
table persist file "/var/db/ssh-bruteforce"

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in on $ext_if all fragment reassemble

# filter rules
block log all
pass quick on lo0 all
block drop in log quick proto tcp from to any port ssh
pass in log on $ext_if inet proto tcp from any to ($ext_if) \
    port $global_tcp_services
pass in log on $ext_if inet proto tcp from $local_ip to ($ext_if) \
    port $local_tcp_services
pass in log on $ext_if inet proto tcp from 10.69.69.21 port 2049 to ($ext_if)
pass in log on $ext_if inet proto udp from any to ($ext_if) \
    port $global_udp_services
pass in log on $ext_if inet proto udp from $local_ip to ($ext_if) \
    port $local_udp_services
pass out log on $ext_if all

Any suggestions on how to resolve or at least further debug this?
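One way to take the debugging a step further, as an added example that is not part of the original post or of pf itself: the poster's reading is that pf dropped a locally generated packet (errno 1 is EPERM, which is what an outbound packet rejected by the pf hook yields on FreeBSD), and the open question is why the state created by rule 45 at 14:53:58 was gone by 15:35:07. The 86400-second figure is pf's tcp.established timeout; it only applies once pf has seen the full three-way handshake. A state stuck in an earlier phase (SYN_SENT:CLOSED, SYN_SENT:SYN_SENT, and so on) expires after tcp.first (120 s by default) or tcp.opening (30 s), which is far shorter than the 41 minutes observed. The script below parses `pfctl -vvs state` output for states to the NFS server and flags any that are not ESTABLISHED:ESTABLISHED; the sample state dump is constructed to resemble pfctl's format and is not a capture from the poster's machine, and the server address and nfsd port come from the post.

```shell
#!/bin/sh
# Added example (not from the original post): inspect pf states for NFS-over-TCP
# connections to a given server and report their TCP phase, age and expiry.
# Assumptions: pf on FreeBSD; server 10.69.69.21 serving nfsd on tcp/2049
# (both taken from the post). Run against a live box with:
#   pfctl -vvs state | nfs_states 10.69.69.21
# and compare the "expires in" column against `pfctl -s timeouts`
# (defaults: tcp.first 120s, tcp.opening 30s, tcp.established 86400s) and
# the state count from `pfctl -s info` (adaptive.start defaults to 6000).

# Print "src phase age expires rule" for every TCP state whose destination
# is the server given as $1. Reads `pfctl -vvs state` text on stdin.
nfs_states() {
    awk -v srv="$1" '
        # state header: <if> tcp <src> -> <dst> <phase>
        $2 == "tcp" && $4 == "->" && index($5, srv ":") == 1 {
            src = $3; phase = $6; want = 1; next
        }
        $2 == "tcp" { want = 0 }
        # detail line: age HH:MM:SS, expires in HH:MM:SS, ... rule N
        want && $1 == "age" {
            age = $2;     sub(/,$/, "", age)
            expires = $5; sub(/,$/, "", expires)
            rule = $NF
            print src, phase, age, expires, rule
            want = 0
        }'
}

# Only states that never reached ESTABLISHED:ESTABLISHED. These fall under
# tcp.first/tcp.opening, not tcp.established, so they vanish within minutes
# and any later data packet on that connection hits the default block rule.
suspect_states() {
    nfs_states "$1" | awk '$2 != "ESTABLISHED:ESTABLISHED"'
}

# Constructed sample in the shape of `pfctl -vvs state` output (not real data).
# The first state mirrors the post's port 713 connection: pf saw the SYN but
# never matched a SYN-ACK to it, so it will expire after tcp.first.
SAMPLE='all tcp 10.69.69.60:713 -> 10.69.69.21:2049       SYN_SENT:CLOSED
   [1077685507 + 65535] wscale 3  [0 + 0]
   age 00:00:42, expires in 00:01:18, 1:0 pkts, 60:0 bytes, rule 45
all tcp 10.69.69.60:1023 -> 10.69.69.21:2049       ESTABLISHED:ESTABLISHED
   [772434453 + 16588] wscale 3  [1091504052 + 65535] wscale 1
   age 00:02:10, expires in 23:57:50, 40:38 pkts, 5120:7936 bytes, rule 45
all tcp 10.69.69.60:22 -> 71.162.143.1:54321       ESTABLISHED:ESTABLISHED
   age 01:00:00, expires in 23:00:00, 100:100 pkts, 8000:8000 bytes, rule 12'

echo "states to the NFS server:"
printf '%s\n' "$SAMPLE" | nfs_states 10.69.69.21
echo "states that will expire under tcp.first/tcp.opening, not tcp.established:"
printf '%s\n' "$SAMPLE" | suspect_states 10.69.69.21
```

If a live dump shows the NFS state in ESTABLISHED:ESTABLISHED with "expires in" close to 24 hours, state expiry is not the cause and the next thing to check is whether something else removed the state (for example a `pfctl -F states` from a ruleset reload) between the SYN and the blocked data packet; `pfctl -vvs rules` maps the "rule 45" in the tcpdump log to the rule text.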