Bacula File/Storage Connection Woes using PF

Greg Hennessy Greg.Hennessy at nviz.net
Wed Mar 26 09:09:48 UTC 2008


Jeremy Chadwick wrote:
> This isn't a reply to you (Doug), but -- do not blindly use "keep state"
> everywhere!
>   
Hard cases make for bad laws. I have got to point out the error in the 
above statement.
> There's been too many cases I've experienced where using "keep state"
> blindly results in state-mismatch increasing at a very fast rate.  When
> I implemented this mentality on our production servers, our users
> started pointing out that scp's between machines would randomly get
> severed mis-stream, same with ssh sessions where large TCP windows were
> used (such as doing 'dmesg' over and over):
>
> http://lists.freebsd.org/pipermail/freebsd-pf/2008-January/004050.html
>   

Which (taking a rough guess) looking at your rule set in the above has 
very little to do with 'keep state' and a lot to do with 'modulate 
state'. IIRC there is a filed bug which displays all of the 
aforementioned symptoms when modulate state meets selective 
acknowledgement (SACK). I'm sure Max has the gory detail, it may even be 
fixed.


> The "use keep state on everything!" attitude seems to stem from people
> reading the OpenBSD pf.conf documentation, which states that as of
> OpenBSD 4.1, "keep state" is implicit on every rule (meaning it's done
> whether you say "keep state" or not).  FreeBSD's pf isn't like this.
>   
You miss out the most important bit of the new PF 4.1 state keeping 
defaults, 'flags S/SA'.
Our cousins over the road in the OpenBSD neighbourhood have done this 
precisely because of the issues caused in prior versions of PF by using 
stateless rules and/or establishing TCP state on anything other than the 
3 way handshake.

>
> It gets more confusing when you consider the fact that even though UDP
> and ICMP are stateless protocols, pf can keep track of their state too,
> though I don't know if FreeBSD pf supports that (OpenBSD pf does).
>   
This is not a flame, but if you really do not know that, you really 
should not be publicly advocating a position on the basis of incomplete 
information.


Regards

Greg




More information about the freebsd-pf mailing list