> For example, I can log in via SSH and issue commands that return a
> couple lines, but the output from a command like dmesg(8) comes very
> slowly and sometimes won't finish before SSH times out.  MTU on the
> interface is 1500 bytes.  This doesn't happen unless states are
> created (e.g., not with "pass no state").

This can happen when TCP Window Scaling (RFC1323) is in effect, but PF
is not aware of it.  PF can only capture the window scales in effect if
it sees the "SYN" and "SYN+ACK" packets that begin a connection, as they
are not advertised at any other time.  If the state is built from the
"middle" of a connection, PF enforces a much smaller version of the
expected TCP window, and things slow down tremendously.

This is why PF in FreeBSD 7.0 adds the "flags S/SA" and "keep state"
options by default.  Since this is the default, it is surprising to me
that you would see this type of behavior, but it gives you something to
look into.
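The effect described in the reply above, as an added example that is not part of the original message and is not PF's own code: a simplified model of an observer that learns the window scale only from the options in a SYN. The option bytes, the raw window value and the function names are constructed for illustration.

```python
import struct

WSCALE_KIND = 3   # TCP option kind for Window Scale (RFC 1323)
MAX_SHIFT = 14    # RFC 1323 caps the shift count at 14


def parse_wscale(options: bytes):
    """Return the window-scale shift found in a TCP options blob, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:              # End of Option List
            break
        if kind == 1:              # NOP is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(options):  # truncated option header
            break
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            break                  # malformed length, stop parsing
        if kind == WSCALE_KIND and length == 3:
            return min(options[i + 2], MAX_SHIFT)
        i += length
    return None


def tracked_window(raw_window: int, shift):
    """Window the observer allows: the 16-bit field shifted by the scale
    it learned, or unshifted if it never saw the option."""
    return raw_window << (shift or 0)


# Constructed sample: SYN options = MSS 1460, NOP, WSCALE 7, SACK-permitted.
SYN_OPTIONS = bytes([2, 4, 0x05, 0xB4, 1, 3, 3, 7, 4, 2])
# Constructed sample: mid-connection segment carries only NOP, NOP, timestamps.
DATA_OPTIONS = bytes([1, 1, 8, 10]) + struct.pack("!II", 1000, 2000)
# Constructed raw window field from a later (non-SYN) segment of the same flow.
RAW_WINDOW = 512


def compare():
    """(window if the SYN was seen, window if state began mid-connection)."""
    seen = tracked_window(RAW_WINDOW, parse_wscale(SYN_OPTIONS))
    missed = tracked_window(RAW_WINDOW, parse_wscale(DATA_OPTIONS))
    return seen, missed


if __name__ == "__main__":
    print(compare())
```

With a shift of 7 the endpoints agree on a 65536-byte window, while an observer that missed the SYN works from 512 bytes, which is why short replies get through and bulk output such as dmesg(8) stalls.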

