Date: Fri, 8 Apr 2005 19:15:39 +0200 From: Max Laier <max@love2party.net> To: freebsd-stable@freebsd.org, Dick Davies <rasputnik@hellooperator.net> Subject: Re: pf and http (ebay)? Message-ID: <200504081915.46824.max@love2party.net> In-Reply-To: <20050408164149.GG61775@eris.tenfour> References: <20050408164149.GG61775@eris.tenfour>
next in thread | previous in thread | raw e-mail | index | archive | help
--nextPart16873411.j1zpQdlTtU
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
On Friday 08 April 2005 18:41, Dick Davies wrote:
> I have pf running on my laptop with a config including:
>
> pass out on $ext_if proto { tcp, udp } all keep state
>
> (there's a 'block in log all' and a couple of services allowed in too
> further up, but that's the gist of it.)
>
> which works well for some sites but not all. In particular,
> going to 'my ebay' hangs firefox with a
>
> 'waiting for include.ebaystatic.com'
>
> message on the status bar.
>
> pflog looks like:
>
> root$ tcpdump -r /var/log/pflog|grep ebay
> reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
> 17:29:56.885697 IP my.intl.ebay.com.http > laptop.ip.60674: R
> 2025419634:2025419634(0) ack 1452466570 win 64240
> 17:30:07.917906 IP search.ebay.co.uk.http > laptop.ip.52293: R=20
> 1766217212:1766217212(0) ack 1086438034 win 64240
>
>
> My guess is that pf is not letting the responses back from that
> server because firefox didn't request from that server?
> But ipf on the gateway (which has a similar outbound keep state rule)
> never had this problem - any idea what's going on, or how I can debug thi=
s?
The blocked packets in your log are RSTs so it's most likely a window=20
violation - possibly caused by ipf on the gateway?!? Please add an "-e" to=
=20
your tcpdump to see the reason for the block. You might also want to enabl=
e=20
debugging (pfctl -x misc) and watch the console for "bad state" messages.
=2D-=20
/"\ Best regards, | mlaier@freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
--nextPart16873411.j1zpQdlTtU
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
iD8DBQBCVrxCXyyEoT62BG0RAsVdAJ9yb8GSlEU0c3GDhYCGd1Wlt66DHACeLLSp
MF3t8DgllHc4iZSN0nKYs8c=
=4rYQ
-----END PGP SIGNATURE-----
--nextPart16873411.j1zpQdlTtU--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200504081915.46824.max>