From: Max Laier
To: freebsd-stable@freebsd.org, Dick Davies
Date: Fri, 8 Apr 2005 19:15:39 +0200
Subject: Re: pf and http (ebay)?
Message-Id: <200504081915.46824.max@love2party.net>
In-Reply-To: <20050408164149.GG61775@eris.tenfour>

On Friday 08 April 2005 18:41, Dick Davies wrote:
> I have pf running on my laptop with a config including:
>
> pass out on $ext_if proto { tcp, udp } all keep state
>
> (there's a 'block in log all' and a couple of services allowed in too
> further up, but that's the gist of it.)
>
> which works well for some sites but not all. In particular,
> going to 'my ebay' hangs firefox with a
>
> 'waiting for include.ebaystatic.com'
>
> message on the status bar.
>
> pflog looks like:
>
> root$ tcpdump -r /var/log/pflog|grep ebay
> reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
> 17:29:56.885697 IP my.intl.ebay.com.http > laptop.ip.60674: R 2025419634:2025419634(0) ack 1452466570 win 64240
> 17:30:07.917906 IP search.ebay.co.uk.http > laptop.ip.52293: R 1766217212:1766217212(0) ack 1086438034 win 64240
>
> My guess is that pf is not letting the responses back from that
> server because firefox didn't request from that server?
> But ipf on the gateway (which has a similar outbound keep state rule)
> never had this problem - any idea what's going on, or how I can debug this?

The blocked packets in your log are RSTs so it's most likely a window
violation - possibly caused by ipf on the gateway?!? Please add an "-e" to
your tcpdump to see the reason for the block. You might also want to enable
debugging (pfctl -x misc) and watch the console for "bad state" messages.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
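As an added example (not code from either poster), the following Python script does the triage Max describes: it reads the one-line-per-packet output that `tcpdump -n -e -r /var/log/pflog` prints for the PFLOG link type (rule number, pf reason in parentheses, action, direction, interface, then the TCP summary), separates blocked RSTs from other blocked packets, and tallies the pf reason for each. The format of the lines, the IP addresses, and the reason strings in the sample are constructed for this example; the mapping of pf's state-tracking failures to the `state-mismatch` reason is an assumption to check against your own pf version.

```python
"""Triage pf log output: which blocked packets are RSTs, and why pf blocked them.

Added example, not from the mailing-list thread. It assumes the one-line-per-packet
format that `tcpdump -n -e -r /var/log/pflog` prints for the PFLOG link type:
  <time> rule <n>/<m>(<reason>): <pass|block> <in|out> on <iface>: <src> > <dst>: <flags> ...
"""
import re
from collections import Counter

# Constructed sample lines. 198.51.100.5 stands in for the laptop; the other
# addresses are documentation ranges, not the hosts in the original log.
SAMPLE_PFLOG = """\
17:29:56.885697 rule 0/0(state-mismatch): block in on fxp0: 192.0.2.10.80 > 198.51.100.5.60674: R 2025419634:2025419634(0) ack 1452466570 win 64240
17:30:07.917906 rule 0/0(state-mismatch): block in on fxp0: 192.0.2.11.80 > 198.51.100.5.52293: R 1766217212:1766217212(0) ack 1086438034 win 64240
17:30:09.001000 rule 0/0(match): block in on fxp0: 203.0.113.9.443 > 198.51.100.5.40001: S 12345:12345(0) win 65535
17:30:11.220000 rule 3/0(match): pass out on fxp0: 198.51.100.5.51000 > 192.0.2.10.80: S 99:99(0) win 65535
"""

# Old-style tcpdump TCP flag summary (S, R, P, F, ., as in the thread's log).
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"rule\s+(?P<rule>\d+)/\d+\((?P<reason>[^)]+)\):\s+"
    r"(?P<action>pass|block)\s+(?P<direction>in|out)\s+on\s+(?P<iface>\S+):\s+"
    r"(?:IP\s+)?(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<flags>[SFRPUW.]+)(?=\s)"
)


def split_endpoint(endpoint):
    """Split tcpdump's 'host.port' form; keep the port as text if it is a service name."""
    host, port = endpoint.rsplit(".", 1)
    return host, (int(port) if port.isdigit() else port)


def parse_pflog(text):
    """Parse pflog lines into dicts; lines that do not match (non-TCP, other formats) are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["src_host"], rec["src_port"] = split_endpoint(rec["src"])
        rec["dst_host"], rec["dst_port"] = split_endpoint(rec["dst"])
        records.append(rec)
    return records


def blocked_rsts(records):
    """Blocked packets carrying the RST flag: the pattern Max points at in the thread."""
    return [r for r in records if r["action"] == "block" and "R" in r["flags"]]


def summarize_blocks(records):
    """Tally blocked packets by (pf reason, TCP flags) and by source host."""
    blocked = [r for r in records if r["action"] == "block"]
    by_reason_flags = Counter((r["reason"], r["flags"]) for r in blocked)
    by_src_host = Counter(r["src_host"] for r in blocked)
    return by_reason_flags, by_src_host


def report(text):
    """Human-readable summary; returns the text so callers can log or assert on it."""
    records = parse_pflog(text)
    by_reason_flags, by_src_host = summarize_blocks(records)
    lines = [f"{len(records)} TCP records, {len(blocked_rsts(records))} blocked RSTs"]
    for (reason, flags), n in sorted(by_reason_flags.items()):
        lines.append(f"  reason={reason:<16} flags={flags:<4} count={n}")
    for host, n in sorted(by_src_host.items()):
        lines.append(f"  blocked from {host}: {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_PFLOG))
```

A pf reason other than `match` on the RST lines is the signal to look for: it means the packet was dropped by state tracking rather than by the `block in log all` rule, which is what the console "bad state" messages from `pfctl -x misc` would also show.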