From: Tom Uffner
Date: Wed, 30 Apr 2008 04:19:00 -0400
To: freebsd-pf@freebsd.org
Subject: Re: nfs send errors
Message-ID: <48182B74.3050700@uffner.com>
In-Reply-To: <4817E233.5020200@uffner.com>

Tom Uffner wrote:
> changed my scrub rule to "scrub all no-df fragment reassemble"
>
> no effect.
>
> if it makes a difference, the nfs server runs debian stable w/ linux 2.6.18
> kernel, and my client is FreeBSD 8.0-CURRENT #160: Tue Apr 8 07:49:18
> EDT 2008

adding random-id as discussed in pf.conf under no-df does not help either.

it appears that somebody is seeing a FIN followed by a timeout waiting for
an ACK, because if i watch the state table i see this before the state goes
away completely:

all tcp 10.69.69.60:841 -> 10.69.69.21:2049 ESTABLISHED:FIN_WAIT_2

does this mean the server closed the connection? it can't mean my client did,
otherwise it wouldn't be trying to send, right?

is there an explanation somewhere of what all the fields in a pfctl -ss
(and pfctl -vvv -ss) mean?