From: "Jason Mattax" <jmattax@storytotell.org>
To: "Damien Fleuriot"
Cc: Jason Mattax, freebsd-pf@freebsd.org
Date: Mon, 23 Jul 2012 09:01:18 -0500
Subject: Re: PF suddenly malfunctioned
Message-ID: <04e3e73987e308c73f65a95e16022573.squirrel@mail.clanspum.net>
In-Reply-To: <500D1595.4010405@my.gd>
References: <2B5A7CC5-0950-47E9-928F-D5909238052C@my.gd> <500CE1B2.5040303@storytotell.org> <500D1595.4010405@my.gd>
List-Id: "Technical discussion and general questions about packet filter (pf)" (freebsd-pf@freebsd.org)

On Mon, July 23, 2012 04:12, Damien Fleuriot wrote:
>
>
> On 7/23/12 7:31 AM, Jason Mattax wrote:
>>
>> based on that I could easily upgrade to 8.3, or possibly 9.0 tomorrow if
>> I have the inclination.
>>
>
> I can recommend 8.3, we're using it widely in production.
>

Thanks.

>
>>> 2/ When the problem appears.
>>> Have you tried disabling PF (pfctl -d)?
>>> Does it help?
>>>
>> Since I can consistently reproduce the problem with en.wikipedia.org I
>> have a good way to test. When I run pfctl -d on the firewall it looks
>> like no traffic is being forwarded, including DNS, so I eventually get a
>> notice that the web page timed out because I typed the address wrong.
>> That is as opposed to the web browser saying waiting for
>> en.wikipedia.org (and if I recall correctly occasionally getting the
>> redirect to en.wikipedia.org/wiki/Main_Page). I just tested and got
>> stuck at the waiting for en.wikipedia.org for a couple of minutes before
>> I called it good enough to report here.
>>
>
> Keep in mind that after disabling PF you don't get NAT anymore from your
> workstations through the firewall.
>
> So any test you run while PF is disabled has to be run from the PF box
> itself.
>

That's what I thought, but the firewall itself can see the outside network
just fine whether pf is running or not (I just rechecked that).
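The test Damien describes (disable pf, probe from the firewall itself because the LAN loses NAT the moment pf is off, then re-enable) is easy to get wrong by hand, mostly by forgetting the re-enable. The script below is an added example, not code from the thread or from the pf project: it runs on the PF box, records whether pf and a NAT rule on the outside interface are loaded, probes the target once with pf enabled and once with pf disabled, and re-enables pf on every exit path. The target host, port, outside interface name, and the presence of `host -W` and `nc -z` on the firewall are assumptions; adjust them to the box.

```shell
#!/bin/sh
# pf-probe.sh: compare reachability from the PF box with pf enabled vs. disabled.
# Added example for the freebsd-pf thread; not part of pf or the original mail.
# Run as root ON THE FIREWALL:  sh pf-probe.sh run
# Disabling pf removes NAT, so LAN workstations are useless as probes while it is off.

PFCTL=${PFCTL:-pfctl}
TARGET=${TARGET:-en.wikipedia.org}   # assumption: host the thread reproduces the hang with
PORT=${PORT:-80}                     # assumption: plain HTTP
EXT_IF=${EXT_IF:-em0}                # assumption: outside interface carrying the nat rule

# Turn the text of `pfctl -s info` into "enabled", "disabled" or "unknown".
pf_status_from_info() {
    case "$1" in
        *"Status: Enabled"*)  echo enabled ;;
        *"Status: Disabled"*) echo disabled ;;
        *)                    echo unknown ;;
    esac
}

# Succeeds if the text of `pfctl -s nat` ($1) has a nat rule on interface $2.
# Matches both "nat on em0 ..." and "nat pass on em0 ...".
has_nat_on_if() {
    printf '%s\n' "$1" | grep -Eq "^nat (pass )?on $2 "
}

# One probe from this host: resolve the name, then open a TCP connection,
# each with a short timeout so a hang shows up as FAIL instead of blocking.
probe() {
    if host -W 3 "$TARGET" >/dev/null 2>&1; then dns=ok; else dns=FAIL; fi
    if nc -z -w 3 "$TARGET" "$PORT" >/dev/null 2>&1; then tcp=ok; else tcp=FAIL; fi
    echo "dns=$dns tcp=$tcp"
}

main() {
    before=$(pf_status_from_info "$($PFCTL -s info)")
    echo "pf is $before"
    if has_nat_on_if "$($PFCTL -s nat)" "$EXT_IF"; then
        echo "nat rule on $EXT_IF loaded: LAN hosts lose translation while pf is disabled"
    else
        echo "no nat rule on $EXT_IF found"
    fi

    echo "with pf $before: $(probe)"
    [ "$before" = enabled ] || { echo "pf not enabled; nothing to toggle"; return 0; }

    # Re-enable pf no matter how we leave (error, ^C, kill), otherwise the box
    # stays unfiltered and the LAN stays without NAT.
    trap '$PFCTL -e >/dev/null 2>&1; echo "pf re-enabled"' EXIT INT TERM
    $PFCTL -d
    echo "with pf disabled: $(probe)"
}

# Only toggle pf when explicitly asked; sourcing the file just defines the functions.
if [ "${1:-}" = run ]; then
    main
fi
```

Reading the two `probe` lines side by side is the point: "dns=ok tcp=ok" with pf disabled but "dns=ok tcp=FAIL" with it enabled points at the ruleset or state table; identical failures both ways mean pf is not the problem, which is what the firewall-side check in the mail above is trying to establish.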