Date: Sun, 11 Sep 2011 15:27:20 -0700 (PDT)
From: Ping Mai <pingmai@yahoo.com>
To: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: slow
Message-ID: <1315780040.76570.YahooMailNeo@web121719.mail.ne1.yahoo.com>
Hi,

I'm new to pf. Hoping for some help with pf.conf.

FreeBSD 5.5 router. 2 external interfaces, $com_if and $dsl_if. The default route is set to $com_if.

Incoming smtp to $com_if seems to work fine.

Incoming smtp to $dsl_if is the problem. Connect to tcp/25 is fast. But after I issue an 'ehlo ...' there's a delay of ~1 minute before the reply comes back. From that point on the exchange works just fine.
The problem is most MTAs don't wait that long. They simply drop the connection.

tcpdump of pflog0 sees the incoming tcp/25, outgoing from tcp/25 gets routed to $dsl_if (dc3). After that, looks like it does an 'ident' and a DNS lookup. Then it just sits there for minutes.

What's wrong with my pf.conf?

#----------------- tcpdump ------------------

000000 rule 16/0(match): pass in on dc3: IP 100.100.100.153.63225 > 12.34.56.40.25: S 743439640:743439640(0) win 65535 <mss 1460,nop,wscale 3,[|tcp]>
000083 rule 28/0(match): pass out on dc0: IP 12.34.56.40.25 > 100.100.100.153.63225: S 2206509942:2206509942(0) ack 743439641 win 65535 <mss 1460,nop,wscale 1,[|tcp]>
000023 rule 12/0(match): pass out on dc3: IP 12.34.56.40.25 > 100.100.100.153.63225: S 2206509942:2206509942(0) ack 743439641 win 65535 <mss 1460,nop,wscale 1,[|tcp]>
080881 rule 28/0(match): pass out on dc0: IP 12.34.56.40.64647 > 100.100.100.153.113: S 1468481550:1468481550(0) win 65535 <mss 1460,nop,nop,sackOK,[|tcp]>
000027 rule 12/0(match): pass out on dc3: IP 12.34.56.40.64647 > 100.100.100.153.113: S 1468481550:1468481550(0) win 65535 <mss 1460,nop,nop,sackOK,[|tcp]>
082959 rule 13/0(match): pass out on dc0: IP 23.45.67.51.62568 > 23.45.57.182.53:  50336+ [1au][|domain]

#------------------ pf.conf ------------------------------------------------------
int_if = "dc1"

dsl_if = "dc3"
com_if = "dc0"
dmz_if = "dc2"
int_net = "10.1.100.0/24"
dmz_net = "10.1.101.0/24"
dsl_gw="12.34.56.1"

com_gw="23.45.67.1"                     # default route

iserver="10.1.100.99"

tcp_services="{ http https }"

icmp_types="echoreq"

table <internal> { $int_net, $dmz_net }

set loginterface $dsl_if
set loginterface $com_if
set optimization normal
set block-policy return
set require-order yes


scrub in all
nat on $dsl_if from <internal> -> $dsl_if
nat on $com_if from <internal> -> $com_if

rdr pass on $dsl_if proto tcp from any to $dsl_if port $tcp_services -> $iserver
rdr pass on $com_if proto tcp from any to $com_if port $tcp_services -> $iserver

block out log all
block in log all
pass quick on lo0

antispoof quick for { lo0 $dsl_if $com_if $dmz_if $int_if}

pass out log on $dsl_if
pass out log on $com_if

pass log on $int_if keep state
pass log on $dmz_if from any to ! $int_if:network keep state

pass in log on $dsl_if proto tcp to $dsl_if port { smtp, smtps }
pass in log on $com_if proto tcp to $com_if port { smtp, smtps }
pass in on $dsl_if proto { tcp, udp } to $dsl_if port {domain}
pass in on $com_if proto { tcp, udp } to $com_if port {domain}
pass in on $com_if proto { tcp, udp } to port {bootpc}

pass in inet proto icmp all icmp-type $icmp_types

pass out log on $dsl_if route-to ($com_if $com_gw) from $com_if
pass out log on $com_if route-to ($dsl_if $dsl_gw) from $dsl_if
#------------------------------------------------------------------------
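The pflog excerpt in the post is easier to reason about once the lines are turned into a timeline and the same packet is matched up across interfaces. The parser below is an added example, not code from the original post or from the pf project. It assumes the log came from a `tcpdump -n -e -ttt -i pflog0` of that era, where the first field is the delta to the previous packet printed as six digits of microseconds, prefixed by `SECONDS. ` only when the seconds part is non-zero (so `080881` would be 80881 microseconds); that reading of the timestamp format is an assumption. The six sample lines are copied from the post; the `PflogEntry`, `parse_pflog`, `rerouted` and `egress_by_source` names are the example's own.

```python
"""Parse tcpdump-style pflog lines and reconstruct the packet timeline.

Added example (not part of the original post). Assumes the old tcpdump -ttt
delta format: 'UUUUUU' or 'SS. UUUUUU' (seconds only printed when non-zero).
"""
import re
from dataclasses import dataclass

# The six pflog lines quoted in the post, copied here so the example runs offline.
SAMPLE_PFLOG = """\
000000 rule 16/0(match): pass in on dc3: IP 100.100.100.153.63225 > 12.34.56.40.25: S 743439640:743439640(0) win 65535 <mss 1460,nop,wscale 3,[|tcp]>
000083 rule 28/0(match): pass out on dc0: IP 12.34.56.40.25 > 100.100.100.153.63225: S 2206509942:2206509942(0) ack 743439641 win 65535 <mss 1460,nop,wscale 1,[|tcp]>
000023 rule 12/0(match): pass out on dc3: IP 12.34.56.40.25 > 100.100.100.153.63225: S 2206509942:2206509942(0) ack 743439641 win 65535 <mss 1460,nop,wscale 1,[|tcp]>
080881 rule 28/0(match): pass out on dc0: IP 12.34.56.40.64647 > 100.100.100.153.113: S 1468481550:1468481550(0) win 65535 <mss 1460,nop,nop,sackOK,[|tcp]>
000027 rule 12/0(match): pass out on dc3: IP 12.34.56.40.64647 > 100.100.100.153.113: S 1468481550:1468481550(0) win 65535 <mss 1460,nop,nop,sackOK,[|tcp]>
082959 rule 13/0(match): pass out on dc0: IP 23.45.67.51.62568 > 23.45.57.182.53:  50336+ [1au][|domain]
"""

# delta, rule number, action, direction, interface, then the IPv4 4-tuple.
LINE_RE = re.compile(
    r"^(?:(?P<sec>\d+)\. )?(?P<usec>\d{6}) "
    r"rule (?P<rule>\d+)/\d+\((?P<reason>[^)]*)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


@dataclass
class PflogEntry:
    delta_us: int      # microseconds since the previous logged packet
    elapsed_us: int    # microseconds since the first logged packet
    rule: int          # pf rule number that matched
    action: str        # pass / block
    direction: str     # in / out
    ifname: str        # interface the packet was logged on
    src: str
    sport: int
    dst: str
    dport: int

    def flow(self):
        """Key used to recognise the same packet logged on two interfaces."""
        return (self.src, self.sport, self.dst, self.dport)


def parse_delta(field: str) -> int:
    """Convert 'SS. UUUUUU' or 'UUUUUU' (assumed tcpdump -ttt format) to microseconds."""
    m = re.fullmatch(r"(?:(\d+)\. )?(\d{6})", field)
    if m is None:
        raise ValueError(f"bad delta field: {field!r}")
    return int(m.group(1) or 0) * 1_000_000 + int(m.group(2))


def parse_pflog(text: str) -> list:
    """Parse pflog lines and accumulate elapsed time from the first packet."""
    entries, elapsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed pflog line: {line!r}")
        delta = parse_delta(line[: m.end("usec")])
        elapsed += delta
        entries.append(PflogEntry(
            delta_us=delta, elapsed_us=elapsed, rule=int(m["rule"]),
            action=m["action"], direction=m["dir"], ifname=m["ifname"],
            src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
        ))
    return entries


def rerouted(entries):
    """Consecutive outbound entries carrying the same packet on two different
    interfaces: the packet was logged on one interface and then again on the
    interface it actually left from (the pattern a route-to rule leaves in pflog)."""
    return [(a, b) for a, b in zip(entries, entries[1:])
            if a.direction == b.direction == "out"
            and a.flow() == b.flow() and a.ifname != b.ifname]


def egress_by_source(entries):
    """Map each outbound source address to the interfaces it finally left on,
    counting only the second half of a rerouted pair."""
    first_halves = {id(a) for a, _ in rerouted(entries)}
    out = {}
    for e in entries:
        if e.direction == "out" and id(e) not in first_halves:
            out.setdefault(e.src, set()).add(e.ifname)
    return out


if __name__ == "__main__":
    for e in parse_pflog(SAMPLE_PFLOG):
        print(f"+{e.elapsed_us / 1e6:9.6f}s rule {e.rule:2d} {e.action} {e.direction:3s} "
              f"{e.ifname} {e.src}:{e.sport} > {e.dst}:{e.dport}")
    print("rerouted:", [(a.ifname, a.rule, b.ifname, b.rule) for a, b in rerouted(parse_pflog(SAMPLE_PFLOG))])
    print("egress by source:", egress_by_source(parse_pflog(SAMPLE_PFLOG)))
```

Run against the post's six lines, the parser pairs each rule 28 entry on dc0 with the rule 12 entry on dc3 that follows it within tens of microseconds, which is the two `route-to` rules doing their job for replies sourced from the $dsl_if address, while the DNS query from the $com_if address leaves plainly on dc0. Under the assumed timestamp format the whole excerpt covers about 0.16 s, so the minute-long stall the poster describes falls after the last logged packet, not between these lines; when diagnosing this kind of delay it is worth capturing on the physical interfaces as well, since pflog only records the first packet of each state.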