pf and mxge
Jeremy Chadwick
koitsu at FreeBSD.org
Fri Aug 29 11:04:01 UTC 2008
On Fri, Aug 29, 2008 at 06:54:23AM -0400, ben wilber wrote:
> I'm trying to use PF on a machine with an mxge(4) interface and am
> having some difficulty. With my ruleset loaded, any TCP session that
> gets a state grinds to a halt.
>
> For example, I can log in via SSH and issue commands that return a
> couple lines, but the output from a command like dmesg(8) comes very
> slowly and sometimes won't finish before SSH times out. MTU on the
> interface is 1500 bytes. This doesn't happen unless states are created
> (e.g., not with "pass no state").
>
> The machine is running -CURRENT for amd64 as of Jul 18th compiled with
> ALTQ, crypto and IPSEC, HZ=1000 and DEVICE_POLLING (though not enabled).
> IP and IPv6 forwarding are enabled, as well as fastforwarding. Only
> filtering; no bridges, ALTQ, NAT or scrubbing.
>
> Any insight?
I've seen this problem on RELENG_6, although the SSH connections
would not "time out" -- after a page or so of 'dmesg' output, they
would immediately get disconnected/severed. I believe the problem was
caused by my use of "modulate state" instead of "keep state" (since on
RELENG_6 "keep state" is not implicit).
Are you using "reassemble tcp", "synproxy state", or "modulate
state" directives?
Does disabling RFC1323 (see sysctl) make a difference at all?
Are you blindly filtering all ICMP traffic and destroying PMTU
negotiation?
Can you provide your pf.conf?
--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. PGP: 4BD6C0CB |
More information about the freebsd-pf
mailing list