Clients receive only first 4k (issue with pf.conf) -- ignore others
Scott Stevenson
scott at maxify.com
Mon May 30 11:33:04 PDT 2005
On May 30, 2005, at 9:23 AM, Scott Stevenson wrote:
> The problem is that if I use the version without "keep state," the
> machine can't send outbound mail, and I see messages like this in
> maillog:
>
> May 30 09:14:33 vertigo qmail: 1117469673.126013 delivery
> 639634: deferral
> Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/
>
> In fact, I tried to send this message to the list twice yesterday,
> but realized that mail packets were being filtered out. I looked at
> pflog0 while mail was being sent, but I wasn't able to find the
> bounced packets. Here's the relevant smtp line:
>
> pass in quick on $ext_if proto { tcp, udp } from any to any
> port 25
>
>
> I'm much more familiar with the firewalls bundled with various
> linux distributions, so I'm really stumped. I've read through
> various sections of the PF faq, but I haven't found an answer to this.

Sorry to post *yet again* on this, but I think I finally figured out
what was wrong. I want to post a follow-up for the archives. The
solution to the "partial page" Apache problem was to balance the "keep
state" directives.

Originally, the httpd line looked like this:

    pass in quick on $ext_if proto { tcp, udp } from any to any port 80

And the "out" line looked like this:

    pass out on $ext_if proto { tcp, udp } all keep state

The solution was to change the httpd line to this:

    pass in quick on $ext_if proto { tcp, udp } from any to any port 80 keep state

Does it make sense that I'd need "keep state" for both in and out, or
is this a PF bug? Should I add it to these as well?

    pass in quick on $ext_if proto { tcp, udp } from any to any port 25
    pass in quick on $ext_if proto { tcp, udp } from any to any port 53

Thanks, and sorry again for the duplicate messages.

- Scott
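
A check for the imbalance described in the message, as an added example that is not part of the original post: it lists pass rules that carry no state keyword while a rule in the opposite direction does. It assumes a pf version where a rule tracks state only when it says so, as in the post; the function names and the interface name fxp0 are made up, and the sample rules are the post's lines joined onto single lines.

```python
import re

# pf's state-tracking keywords: keep state, modulate state, synproxy state.
STATEFUL = re.compile(r"\b(keep|modulate|synproxy)\s+state\b")
PORT = re.compile(r"\bport\s+(\{[^}]*\}|\S+)")

# Constructed sample: the rules quoted in the post; the interface name is made up.
SAMPLE_PF_CONF = """\
ext_if = "fxp0"
pass in quick on $ext_if proto { tcp, udp } from any to any port 80
pass in quick on $ext_if proto { tcp, udp } from any to any port 25
pass in quick on $ext_if proto { tcp, udp } from any to any port 53
pass out on $ext_if proto { tcp, udp } all keep state
"""

def logical_lines(text):
    """Yield (first_line_no, rule) with comments removed and '\\' continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if start is None:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, " ".join(buf.split())
        buf, start = "", None

def parse_pass_rules(text):
    """Parse 'pass in' / 'pass out' rules; rules without a direction are skipped."""
    rules = []
    for no, rule in logical_lines(text):
        words = rule.split()
        if len(words) < 2 or words[0] != "pass" or words[1] not in ("in", "out"):
            continue
        port = PORT.search(rule)
        rules.append({"line": no, "dir": words[1], "rule": rule,
                      "port": port.group(1) if port else None,
                      "stateful": bool(STATEFUL.search(rule))})
    return rules

def unbalanced(text):
    """Return stateless pass rules whose opposite direction has a stateful rule."""
    rules = parse_pass_rules(text)
    stateful_dirs = {r["dir"] for r in rules if r["stateful"]}
    opposite = {"in": "out", "out": "in"}
    return [r for r in rules
            if not r["stateful"] and opposite[r["dir"]] in stateful_dirs]
```
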
More information about the freebsd-questions
mailing list