strange "throttling" issue with pf on xDSL connection

Patrick Proniewski patpro at patpro.net
Wed Aug 1 21:57:25 UTC 2007


On 01 Aug 2007, at 18:21, Greg Hennessy wrote:

>> pass quick on lo0 all
>
> Change this to
>
> 	set skip on lo0

thanks


>> block drop in  log quick on $ext_if from $priv_nets to any
>> block drop out log quick on $ext_if from any to $priv_nets
>
> Superfluous, a default block policy should catch these.

ok


>> pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
>> pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_services keep state
>
> I tend to avoid using 'any' as a source, use !<LAN-Subnets> instead.

I'm going to try this


>> Absolutely nothing interesting out of `tcpdump -n -e -ttt -i pflog0`
>> Only a bunch of blocks for rule "0":
>
> You need to enable logging on the pass rules to identify which rule number
> the throughput test traffic is matching against.
> Then use pfctl -vsr to identify the precise one.
>
> Looks like someone has compiled out inet6.
>
>> 000000 rule 0/0(match): block in on fxp0: 82.235.245.158 > 82.235.12.223: [|tcp]
>
> You need to increase the snap size. Change the tcpdump on pflog0 whilst
> testing to
>
> 	tcpdump -s 160 -l -e -tttt -i pflog0
>
> This will give you far more meaningful firewall logs to identify potential
> out of state drops.

I'm afraid it's not better:

2007-08-01 23:46:28.845093 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.56404 > dns2.proxad.net.domain:  41734+ PTR? 23.219.98.87.in-addr.arpa. (43)
2007-08-01 23:46:31.677123 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.62879 > dns2.proxad.net.domain:  55363+ A? test-debit.free.fr. (36)
2007-08-01 23:46:31.728994 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.56732 > dns2.proxad.net.domain:  55364+ AAAA? test-debit.free.fr. (36)
2007-08-01 23:46:31.781738 rule 45/0(match): pass out on fxp0: boleskine.patpro.net.63557 > test-debit-f12.proxad.net.http: S 3953257962:3953257962(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 87477621 0,sackOK,eol>
2007-08-01 23:46:39.701327 rule 0/0(match): block in on fxp0: lon92-5-82-235-210-94.fbx.proxad.net.3536 > boleskine.patpro.net.loc-srv: S 3837388923:3837388923(0) win 16384 <mss 1460,nop,nop,sackOK>
2007-08-01 23:46:39.925942 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.61629 > dns2.proxad.net.domain:  41735+ PTR? 94.210.235.82.in-addr.arpa. (44)
2007-08-01 23:46:40.237802 rule 0/0(match): block in on fxp0: lon92-5-82-235-210-94.fbx.proxad.net.3536 > boleskine.patpro.net.loc-srv: S 3837388923:3837388923(0) win 16384 <mss 1460,nop,nop,sackOK>
2007-08-01 23:46:40.785610 rule 0/0(match): block in on fxp0: lon92-5-82-235-210-94.fbx.proxad.net.3536 > boleskine.patpro.net.loc-srv: S 3837388923:3837388923(0) win 16384 <mss 1460,nop,nop,sackOK>
2007-08-01 23:46:42.790998 rule 0/0(match): block in on fxp0: bny93-4-82-235-241-206.fbx.proxad.net.2770 > boleskine.patpro.net.loc-srv: S 3621124191:3621124191(0) win 53760 <mss 1460,nop,wscale 3,nop,nop,timestamp 0 0,nop,nop,sackOK>
2007-08-01 23:46:42.978867 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.61813 > dns2.proxad.net.domain:  41736+ PTR? 206.241.235.82.in-addr.arpa. (45)
2007-08-01 23:46:43.243787 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.54854 > dax.tuxfinder.com.ntp: NTPv4, Client, length 48
2007-08-01 23:46:43.243807 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.59333 > ns2.securitbox.com.ntp: NTPv4, Client, length 48
2007-08-01 23:46:43.341997 rule 0/0(match): block in on fxp0: bny93-4-82-235-241-206.fbx.proxad.net.2770 > boleskine.patpro.net.loc-srv: S 3621124191:3621124191(0) win 53760 <mss 1460,nop,wscale 3,nop,nop,timestamp 0 0,nop,nop,sackOK>
2007-08-01 23:46:44.029868 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.61406 > dns2.proxad.net.domain:  41737+ PTR? 184.12.191.88.in-addr.arpa. (44)
2007-08-01 23:46:44.095790 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.55154 > dns2.proxad.net.domain:  41738+ PTR? 71.183.1.194.in-addr.arpa. (43)
2007-08-01 23:47:28.858010 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.55632 > dns2.proxad.net.domain:  39554+ PTR? 223.12.235.82.in-addr.arpa. (44)
2007-08-01 23:47:31.338705 rule 41/0(match): pass in on em0: 192.168.0.2.50122 > 192.168.0.1.domain:  9746+ A? www.adobe.com. (31)
2007-08-01 23:47:31.338946 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.domain > dns3.proxad.net.domain:  29295+ [1au] A? www.wip3.adobe.com. (47)
2007-08-01 23:47:32.170346 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.49612 > dns2.proxad.net.domain:  41739+ PTR? 252.53.27.212.in-addr.arpa. (44)
2007-08-01 23:47:44.398133 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.62936 > chihiro.bleu-pastel.org.ntp: NTPv4, Client, length 48
2007-08-01 23:47:47.462629 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.59646 > a5.iliad.fr.ntp: NTPv4, Client, length 48
2007-08-01 23:48:01.521465 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.49673 > ns1.kamino.fr.ntp: NTPv4, Client, length 48
2007-08-01 23:48:02.448834 rule 0/0(match): block in on fxp0: gqp76-2-82-235-245-158.fbx.proxad.net.2488 > boleskine.patpro.net.loc-srv: S 3190942924:3190942924(0) win 64240 <mss 1460,nop,nop,sackOK>
2007-08-01 23:48:02.957259 rule 0/0(match): block in on fxp0: gqp76-2-82-235-245-158.fbx.proxad.net.2488 > boleskine.patpro.net.loc-srv: S 3190942924:3190942924(0) win 64240 <mss 1460,nop,nop,sackOK>
2007-08-01 23:48:03.655702 rule 0/0(match): block in on fxp0: gqp76-2-82-235-245-158.fbx.proxad.net.2488 > boleskine.patpro.net.loc-srv: S 3190942924:3190942924(0) win 64240 <mss 1460,nop,nop,sackOK>
2007-08-01 23:48:09.581381 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.49631 > roxane.home-dn.net.ntp: NTPv4, Client, length 48
2007-08-01 23:48:17.145432 rule 0/0(match): block in on fxp0: she13-1-82-235-225-106.fbx.proxad.net.2730 > boleskine.patpro.net.loc-srv: S 3888078071:3888078071(0) win 64240 <mss 1460,nop,nop,sackOK>
2007-08-01 23:48:20.753804 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.53980 > cerber.obs.coe.int.ntp: NTPv4, Client, length 48
2007-08-01 23:48:29.902616 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.57907 > dns2.proxad.net.domain:  18671+ PTR? 223.12.235.82.in-addr.arpa. (44)
2007-08-01 23:48:32.844683 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.58931 > mail1.vetienne.net.ntp: NTPv4, Client, length 48
2007-08-01 23:48:50.138103 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.54854 > dax.tuxfinder.com.ntp: NTPv4, Client, length 48
2007-08-01 23:48:56.174302 rule 0/0(match): block in on fxp0: lju91-3-82-235-167-216.fbx.proxad.net.3230 > boleskine.patpro.net.loc-srv: S 3929104:3929104(0) win 65535 <mss 1460,nop,nop,sackOK>
2007-08-01 23:48:56.187805 rule 0/0(match): block in on fxp0: lju91-3-82-235-167-216.fbx.proxad.net.3235 > boleskine.patpro.net.microsoft-ds: S 4121314:4121314(0) win 65535 <mss 1460,nop,nop,sackOK>
2007-08-01 23:48:56.268230 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.54083 > dns2.proxad.net.domain:  41740+ PTR? 216.167.235.82.in-addr.arpa. (45)
2007-08-01 23:48:56.745779 rule 0/0(match): block in on fxp0: lju91-3-82-235-167-216.fbx.proxad.net.3235 > boleskine.patpro.net.microsoft-ds: S 4121314:4121314(0) win 65535 <mss 1460,nop,nop,sackOK>
2007-08-01 23:48:56.747746 rule 0/0(match): block in on fxp0: lju91-3-82-235-167-216.fbx.proxad.net.3230 > boleskine.patpro.net.loc-srv: S 3929104:3929104(0) win 65535 <mss 1460,nop,nop,sackOK>
2007-08-01 23:48:57.253912 rule 0/0(match): block in on fxp0: lju91-3-82-235-167-216.fbx.proxad.net.3235 > boleskine.patpro.net.microsoft-ds: S 4121314:4121314(0) win 65535 <mss 1460,nop,nop,sackOK>
2007-08-01 23:48:57.253923 rule 0/0(match): block in on fxp0: lju91-3-82-235-167-216.fbx.proxad.net.3230 > boleskine.patpro.net.loc-srv: S 3929104:3929104(0) win 65535 <mss 1460,nop,nop,sackOK>
2007-08-01 23:49:00.942064 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.54689 > dns2.proxad.net.domain:  54137+ PTR? 223.12.235.82.in-addr.arpa. (44)
2007-08-01 23:49:01.362800 rule 41/0(match): pass in on em0: 192.168.0.2.50123 > 192.168.0.1.domain:  18301+ A? www.adobe.com. (31)
2007-08-01 23:49:01.363043 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.domain > dns3.proxad.net.domain:  11699+ [1au] A? www.wip3.adobe.com. (47)
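The advice in this thread is to log the pass rules and then read off, per rule number, what the pflog output actually matched (the number is then looked up with `pfctl -vsr`). Doing that by eye over a long pflog dump is error-prone, so here is an added example, written for this page and not part of the thread or of the pf project, of a small parser for the `tcpdump -tttt -i pflog0` line format shown above. It counts hits per (rule, action, direction, interface), groups `block in` entries by destination port and source host, and flags lines whose payload was cut off by a too-small snaplen (`[|tcp]`), which is exactly the case Greg's `-s 160` suggestion addresses. The sample input is constructed from a handful of lines in the message; the function and variable names (`parse_pflog`, `rule_summary`, `blocked_inbound_by_port`, `SAMPLE_PFLOG`) are my own.

```python
import re
from collections import Counter, defaultdict

# Matches one pflog line as printed by tcpdump on pflog0 (with or without a
# timestamp prefix), e.g.
#   2007-08-01 23:46:39.701327 rule 0/0(match): block in on fxp0: src.3536 > dst.loc-srv: S ...
PFLOG_RE = re.compile(
    r"^(?P<ts>.*?) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[^)]+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>[\w.]+): "
    r"(?P<src>\S+) > (?P<dst>[^\s:]+):\s*(?P<rest>.*)$"
)

IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed sample: a few lines taken from the pflog dump in this message,
# rejoined onto single lines, plus one snaplen-truncated line from earlier in
# the thread (no timestamp, no ports, payload shown as "[|tcp]").
SAMPLE_PFLOG = """\
2007-08-01 23:46:31.677123 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.62879 > dns2.proxad.net.domain:  55363+ A? test-debit.free.fr. (36)
2007-08-01 23:46:31.781738 rule 45/0(match): pass out on fxp0: boleskine.patpro.net.63557 > test-debit-f12.proxad.net.http: S 3953257962:3953257962(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 87477621 0,sackOK,eol>
2007-08-01 23:46:39.701327 rule 0/0(match): block in on fxp0: lon92-5-82-235-210-94.fbx.proxad.net.3536 > boleskine.patpro.net.loc-srv: S 3837388923:3837388923(0) win 16384 <mss 1460,nop,nop,sackOK>
2007-08-01 23:46:40.237802 rule 0/0(match): block in on fxp0: lon92-5-82-235-210-94.fbx.proxad.net.3536 > boleskine.patpro.net.loc-srv: S 3837388923:3837388923(0) win 16384 <mss 1460,nop,nop,sackOK>
2007-08-01 23:46:42.790998 rule 0/0(match): block in on fxp0: bny93-4-82-235-241-206.fbx.proxad.net.2770 > boleskine.patpro.net.loc-srv: S 3621124191:3621124191(0) win 53760 <mss 1460,nop,wscale 3,nop,nop,timestamp 0 0,nop,nop,sackOK>
2007-08-01 23:47:31.338705 rule 41/0(match): pass in on em0: 192.168.0.2.50122 > 192.168.0.1.domain:  9746+ A? www.adobe.com. (31)
2007-08-01 23:48:56.187805 rule 0/0(match): block in on fxp0: lju91-3-82-235-167-216.fbx.proxad.net.3235 > boleskine.patpro.net.microsoft-ds: S 4121314:4121314(0) win 65535 <mss 1460,nop,nop,sackOK>
000000 rule 0/0(match): block in on fxp0: 82.235.245.158 > 82.235.12.223: [|tcp]
"""


def split_host_port(endpoint):
    """tcpdump prints 'host.port'; a bare dotted-quad means the port was not decoded."""
    if IPV4_RE.fullmatch(endpoint):
        return endpoint, None
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_pflog(text):
    """Parse pflog/tcpdump lines into dicts; lines in another format are skipped."""
    entries = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["rule"] = int(e["rule"])
        e["src_host"], e["src_port"] = split_host_port(e["src"])
        e["dst_host"], e["dst_port"] = split_host_port(e["dst"])
        # "[|tcp]" means tcpdump's snaplen cut the header off: raise -s to fix.
        e["truncated"] = e["rest"].startswith("[|")
        entries.append(e)
    return entries


def rule_summary(entries):
    """Hits per (rule number, action, direction, interface): the input to pfctl -vsr."""
    return Counter((e["rule"], e["action"], e["dir"], e["ifname"]) for e in entries)


def blocked_inbound_by_port(entries):
    """For 'block in' lines, destination port -> sorted list of source hosts."""
    by_port = defaultdict(set)
    for e in entries:
        if e["action"] == "block" and e["dir"] == "in":
            by_port[e["dst_port"] or "(truncated)"].add(e["src_host"])
    return {port: sorted(hosts) for port, hosts in by_port.items()}


def truncated_count(entries):
    """How many lines lost their TCP/UDP header to a small snaplen."""
    return sum(1 for e in entries if e["truncated"])


def flows_to(entries, host_substring):
    """Entries whose destination host contains the substring, e.g. the speed-test server."""
    return [e for e in entries if host_substring in e["dst_host"]]


if __name__ == "__main__":
    parsed = parse_pflog(SAMPLE_PFLOG)
    for key, n in sorted(rule_summary(parsed).items()):
        print("rule %d %s %s on %s: %d" % (key + (n,)))
    print("blocked inbound:", blocked_inbound_by_port(parsed))
    print("truncated lines:", truncated_count(parsed))
    for e in flows_to(parsed, "test-debit"):
        print("speed-test flow matched rule", e["rule"], e["action"], e["dir"])
```

Run against the full dump, the summary shows the test-debit HTTP connection leaving through rule 45 while every rule 0 block is an inbound SYN to loc-srv or microsoft-ds from other fbx.proxad.net hosts, so the blocks and the throughput test are separate conversations; the truncated-line counter tells you whether the capture is still being cut short before you draw conclusions from it.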