From owner-freebsd-questions@FreeBSD.ORG  Mon May 30 18:11:27 2005
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E700916A41C
	for <freebsd-questions@freebsd.org>;
	Mon, 30 May 2005 18:11:27 +0000 (GMT)
	(envelope-from scott@maxify.com)
Received: from vertigo.maxify.com (ns.maxify.com [216.218.213.18])
	by mx1.FreeBSD.org (Postfix) with SMTP id AA4B543D48
	for <freebsd-questions@freebsd.org>;
	Mon, 30 May 2005 18:11:25 +0000 (GMT)
	(envelope-from scott@maxify.com)
Received: (qmail 37938 invoked from network); 30 May 2005 16:33:37 -0000
Received: from unknown (HELO ?66.92.188.147?) (66.92.188.147)
	by ns.maxify.com with SMTP; 30 May 2005 16:33:37 -0000
Mime-Version: 1.0 (Apple Message framework v728)
Content-Transfer-Encoding: 7bit
Message-Id: <199B60BD-1D20-492E-A278-21BD0CCF3475@maxify.com>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
To: freebsd-questions@freebsd.org
From: Scott Stevenson <scott@maxify.com>
Date: Mon, 30 May 2005 09:23:12 -0700
X-Mailer: Apple Mail (2.728)
Subject: Clients receive only first 4k (issue with pf.conf) -- ignore others
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 30 May 2005 18:11:28 -0000

(First, I apologize if there are duplicates sent to the list, but  
that's related to the question.)


I originally asked about this back in February:

     <http://monkey.org/freebsd/archive/freebsd-questions/200502/ 
msg03071.html>

Then just posted again recently with more details:

     <http://monkey.org/freebsd/archive/freebsd-questions/200505/ 
msg00846.html>


Essentially, certain web client only receive the first 4096 bytes of  
the file they request, then a garbage byte, then nothing. I *finally*  
figured out that pf was responsible. Specifically, this line in pf.conf:

     pass  out on $ext_if proto { tcp, udp } all keep state

Everything's fine with Apache if I change it to this:

     pass  out on $ext_if proto { tcp, udp } all


The problem is that if I use the version without "keep state," the  
machine can't send outbound mail, and I see messages like this in  
maillog:

     May 30 09:14:33 vertigo qmail: 1117469673.126013 delivery  
639634: deferral
     Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/

In fact, I tried to send this message to the list twice yesterday,  
but realized that mail packets were being filtered out. I looked at  
pflog0 while mail was being sent, but I wasn't able to find the  
bounced packets. Here's the relevant smtp line:

     pass  in  quick on $ext_if proto { tcp, udp } from any to any  
port 25


I'm much more familiar with the firewalls bundled with various linux  
distributions, so I'm really stumped. I've read through various  
sections of the PF faq, but I haven't found an answer to this.


Thanks,

    - Scott