Clients receive only first 4k (issue with pf.conf) -- ignore others

Scott Stevenson scott at maxify.com
Mon May 30 11:11:28 PDT 2005


(First, I apologize if there are duplicates sent to the list, but  
that's related to the question.)


I originally asked about this back in February:

     <http://monkey.org/freebsd/archive/freebsd-questions/200502/msg03071.html>

Then just posted again recently with more details:

     <http://monkey.org/freebsd/archive/freebsd-questions/200505/msg00846.html>


Essentially, certain web clients only receive the first 4096 bytes of  
the file they request, then a garbage byte, then nothing. I *finally*  
figured out that pf was responsible. Specifically, this line in pf.conf:

     pass  out on $ext_if proto { tcp, udp } all keep state

Everything's fine with Apache if I change it to this:

     pass  out on $ext_if proto { tcp, udp } all


The problem is that if I use the version without "keep state," the  
machine can't send outbound mail, and I see messages like this in  
maillog:

     May 30 09:14:33 vertigo qmail: 1117469673.126013 delivery 639634: deferral
     Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/

In fact, I tried to send this message to the list twice yesterday,  
but realized that mail packets were being filtered out. I looked at  
pflog0 while mail was being sent, but I wasn't able to find the  
bounced packets. Here's the relevant smtp line:

     pass  in  quick on $ext_if proto { tcp, udp } from any to any port 25


I'm much more familiar with the firewalls bundled with various Linux  
distributions, so I'm really stumped. I've read through various  
sections of the PF FAQ, but I haven't found an answer to this.


Thanks,

    - Scott





