pf and http (ebay)?

Max Laier max at love2party.net
Fri Apr 8 10:15:51 PDT 2005


On Friday 08 April 2005 18:41, Dick Davies wrote:
> I have pf running on my laptop with a config including:
>
>   pass out on $ext_if proto { tcp, udp } all keep state
>
> (there's a 'block in log all' and a couple of services allowed in too
> further up, but that's the gist of it.)
>
> which works well for some sites but not all. In particular,
> going to 'my ebay' hangs firefox with a
>
> 'waiting for include.ebaystatic.com'
>
> message on the status bar.
>
> pflog looks like:
>
>   root$ tcpdump -r /var/log/pflog|grep ebay
>   reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
>   17:29:56.885697 IP my.intl.ebay.com.http > laptop.ip.60674: R
>     2025419634:2025419634(0) ack 1452466570 win 64240
>   17:30:07.917906 IP search.ebay.co.uk.http > laptop.ip.52293: R 
>     1766217212:1766217212(0) ack 1086438034 win 64240
>
>
> My guess is that pf is not letting the responses back from that
> server because firefox didn't request from that server?
> But ipf on the gateway (which has a similar outbound keep state rule)
> never had this problem - any idea what's going on, or how I can debug this?

The blocked packets in your log are RSTs so it's most likely a window 
violation - possibly caused by ipf on the gateway?!?  Please add an "-e" to 
your tcpdump to see the reason for the block.  You might also want to enable 
debugging (pfctl -x misc) and watch the console for "bad state" messages.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
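
As an added example (not part of the original mail): a small filter that tallies the block reason `tcpdump -e` prints for each pflog entry and marks which entries are RSTs. The `rule N/REASON: ACTION DIR on IF:` line shape, the interface name and the sample lines are assumptions constructed for illustration; adjust the pattern if your tcpdump prints the pflog header differently.

```sh
#!/bin/sh
# Summarise the pflog header fields that `tcpdump -e` adds to each line.
# Assumed header shape (not taken from the thread):
#   <time> rule <nr>/<reason>: <action> <dir> on <ifname>: <packet...>
# The colon after <reason> is optional so older "rule 0/(match) block ..."
# output is accepted as well.

pflog_summary() {
    # Pull out rule, reason, action, direction, interface and the packet text.
    sed -n 's|^.*rule \([^/ ]*\)/\([^ :]*\):\{0,1\} \([a-z-]*\) \([a-z]*\) on \([^ :]*\): \(.*\)$|\1 \2 \3 \4 \5 \6|p' |
    awk '{
        # RST shows as " R " in old tcpdump output and "Flags [R" in newer.
        rst = ($0 ~ / R / || $0 ~ /Flags \[R/) ? "rst" : "other"
        key = "rule=" $1 " reason=" $2 " " $3 " " $4 " on " $5 " tcp=" rst
        n[key]++
    }
    END { for (k in n) print n[k], k }' |
    sort -k1,1nr -k2
}

# Constructed sample input (documentation addresses, hypothetical em0).
sample_lines() {
    cat <<'EOF'
17:29:56.885697 rule 0/10(state-mismatch): block in on em0: 192.0.2.80.80 > 198.51.100.7.60674: Flags [R.], seq 1, ack 1, win 64240, length 0
17:30:07.917906 rule 0/10(state-mismatch): block in on em0: 192.0.2.81.80 > 198.51.100.7.52293: Flags [R.], seq 1, ack 1, win 64240, length 0
17:31:00.000001 rule 0/0(match): block in on em0: 203.0.113.5.4444 > 198.51.100.7.22: Flags [S], seq 1, win 65535, length 0
EOF
}

# Live use: tcpdump -n -e -r /var/log/pflog | pflog_summary
sample_lines | pflog_summary
```

A reason other than a plain rule match on the RST lines separates a state-tracking drop from an ordinary hit on the `block in log all` rule.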