From owner-freebsd-pf@FreeBSD.ORG Fri Jun 15 06:52:47 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 52BE516A400 for ; Fri, 15 Jun 2007 06:52:47 +0000 (UTC) (envelope-from gurdiga@gmail.com)
Received: from ik-out-1112.google.com (ik-out-1112.google.com [66.249.90.183]) by mx1.freebsd.org (Postfix) with ESMTP id E0E9013C43E for ; Fri, 15 Jun 2007 06:52:46 +0000 (UTC) (envelope-from gurdiga@gmail.com)
Received: by ik-out-1112.google.com with SMTP id c21so824533ika for ; Thu, 14 Jun 2007 23:52:45 -0700 (PDT)
DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=pNRGC5R/9he+qkTK9tJqG59Em/qeKhQ8chhdvqVd/zBcVQm+o7hVU3lnHnR9PQcIjTIJ6PRpLyKX+/GXbXHK5IV2H1MnMQuaK4gIyDtO5xcPwh6c+1b3OKdPjmQKmWtZdEfXLIqR5KKvO5mvItYzMGk+9d14M97jio9WUhJJmG4=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=ZbZotN139ECAhBcWXS1X33N70Y6aQR/TS+j87Rf9o1EVyR4IPDgnU3eoPuFdTy6hB7lCFQ1/8RnD6Zq7buC1Od6UszhviDTMW2cCKXBCF2roQSA+m3OMQf5h+2ceDtV+ScINmZUBY9mGNbCEW+YvY7OeiTwBEwAux7+FfGfRTM4=
Received: by 10.78.183.8 with SMTP id g8mr1081899huf.1181888691950; Thu, 14 Jun 2007 23:24:51 -0700 (PDT)
Received: by 10.78.194.12 with HTTP; Thu, 14 Jun 2007 23:24:51 -0700 (PDT)
Message-ID:
Date: Fri, 15 Jun 2007 09:24:51 +0300
From: "Vlad GURDIGA"
To: freebsd-pf@freebsd.org
In-Reply-To:
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References:
Subject: pf(4) + fetch(1) + http://ftp.gnu.org
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 15 Jun 2007 06:52:47 -0000

Hello,

There is one strange thing going on with this combination. I have seen this many times by now: when fetch(1) is trying to download something from http://ftp.gnu.org, it is hanging after a very small amount of data, sometimes at 0%. After disabling pf(4), fetch(1) is not hanging any more, so I guess that the problem is somewhere in my pf.conf. Here it is:

---- pf.conf -- begin ---
ext_if = "em0"
icmp_types="echoreq"

# don't filter on the loopback interface
set skip on lo0
set block-policy return
scrub all no-df random-id reassemble tcp

# setup a default deny policy
block all

# activate spoofing protection for the internal interface.
antispoof quick for lo0 inet

# pass tcp, udp, and icmp out on the external (Internet) interface.
# keep state on udp and icmp and modulate state on tcp.
pass in on $ext_if proto tcp from any to $ext_if port 65522 keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto {udp, icmp} all keep state
---- pf.conf -- end ---

Any idea what's wrong here?
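When reading a pf.conf like the one in this post, the first thing to establish is which of its rules actually decides each kind of traffic, because pf evaluates filter rules top to bottom and the last matching rule wins unless a matching rule is marked `quick`. The script below is an added example, not part of the post or of pf itself: it is a deliberately small evaluator that parses the post's rule set (macros, `on` interface, `proto` lists in braces, `port`, `quick`) and reports which rule would decide a given packet direction, interface, protocol and destination port. Addresses, state tracking, `scrub` and `set block-policy` are not modelled, so it answers only "which rule matches", which is the starting point for a stall like the one described. The rule set embedded below is a copy of the post's pf.conf with the macros resolved by the script.

```python
import re
from dataclasses import dataclass, field

# Sample input: the pf.conf from the post, copied here so the script runs stand-alone.
PF_CONF = r'''
ext_if = "em0"
icmp_types="echoreq"
set skip on lo0
set block-policy return
scrub all no-df random-id reassemble tcp
block all
antispoof quick for lo0 inet
pass in on $ext_if proto tcp from any to $ext_if port 65522 keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto {udp, icmp} all keep state
'''


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    text: str                         # rule as written, macros expanded
    quick: bool = False
    direction: str = None             # "in", "out" or None (matches both)
    iface: str = None                 # interface from "on <if>", None = any
    protos: set = field(default_factory=set)  # empty set = any protocol
    dst_port: int = None              # from "port <n>", None = any port


def expand_macros(line, macros):
    """Replace $name references with the macro values seen so far."""
    return re.sub(r'\$(\w+)', lambda m: macros[m.group(1)], line)


def parse(conf):
    """Parse filter rules only; set/scrub/antispoof lines are skipped (see note)."""
    macros, rules = {}, []
    for raw in conf.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^(\w+)\s*=\s*"?([^"]*)"?$', line)
        if m:                                   # macro definition
            macros[m.group(1)] = m.group(2)
            continue
        line = expand_macros(line, macros)
        toks = line.split()
        if toks[0] not in ("pass", "block"):
            continue
        r = Rule(action=toks[0], text=line, quick="quick" in toks)
        if toks[1] in ("in", "out"):
            r.direction = toks[1]
        m = re.search(r'\bon\s+(\w+)\b', line)
        if m:
            r.iface = m.group(1)
        m = re.search(r'\bproto\s+(\{[^}]*\}|\w+)', line)
        if m:                                   # "proto tcp" or "proto {udp, icmp}"
            r.protos = {p.strip() for p in m.group(1).strip('{}').split(',')}
        m = re.search(r'\bport\s+(\d+)\b', line)
        if m:
            r.dst_port = int(m.group(1))
        rules.append(r)
    return rules


def decide(rules, direction, iface, proto, dst_port=None):
    """pf semantics: last matching rule wins, unless a matching rule is 'quick'.
    Returns (action, deciding rule text); pf's implicit default when nothing
    matches is pass."""
    winner = None
    for r in rules:
        if r.direction and r.direction != direction:
            continue
        if r.iface and r.iface != iface:
            continue
        if r.protos and proto not in r.protos:
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        winner = r
        if r.quick:
            break
    return (winner.action, winner.text) if winner else ("pass", "<implicit default>")


if __name__ == "__main__":
    rs = parse(PF_CONF)
    for case in [("out", "em0", "tcp", 80), ("in", "em0", "tcp", 65522),
                 ("in", "em0", "tcp", 22), ("in", "em0", "udp", 53),
                 ("in", "em0", "icmp", None)]:
        action, rule = decide(rs, *case)
        print(f"{case}: {action:5s} by: {rule}")
```

Run against the post's rule set, the evaluator confirms that the outbound HTTP connection fetch(1) opens is passed by the `pass out ... proto tcp all modulate state` rule and that inbound TCP to anything but port 65522 falls through to `block all`. Since the rule matching itself is permissive for this download, the stall is not explained at this layer, which narrows the investigation to what this script does not model: the `scrub` options, the `modulate state` and `flags S/SA` state tracking, and the `return` block policy.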