pf and mxge

David DeSimone fox at
Fri Aug 29 15:56:38 UTC 2008


ben wilber <ben at> wrote:
> For example, I can log in via SSH and issue commands that return a
> couple lines, but the output from a command like dmesg(8) comes very
> slowly and sometimes won't finish before SSH times out.  MTU on the
> interface is 1500 bytes.  This doesn't happen unless states are
> created (e.g., not with "pass no state").

This can happen when TCP Window Scaling (RFC1323) is in effect, but PF
is not aware of it.  PF can only capture the window scales in effect if
it sees the "SYN" and "SYN+ACK" packets that begin a connection, as they
are not advertised at any other time.  If the state is built from the
"middle" of a connection, PF enforces a much smaller version of the
expected TCP window, and things slow down tremendously.

This is why PF in FreeBSD 7.0 adds the "flags S/SA" and "keep state"
options by default.  Since this is the default, it is surprising to me
that you would see this type of behavior, but it gives you something to
look into.

-- 
David DeSimone == Network Admin == fox at
  "I don't like spinach, and I'm glad I don't, because if I
   liked it I'd eat it, and I just hate it." -- Clarence Darrow
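The two rule shapes the mail contrasts, as an added pf.conf example (not from the original thread or from the FreeBSD project); the interface name, address macro and SSH port are assumptions:

```pf
# Added example, not part of the original mail. Interface name is assumed.
ext_if = "mxge0"

# Problematic: "flags any" lets PF create a state from any TCP segment,
# including one from the middle of an already established connection.
# A state built that way never saw the SYN / SYN+ACK, so the window scale
# factors are unknown and PF enforces the unscaled (much smaller) window,
# which is exactly the slow-dmesg-over-SSH symptom described above.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh flags any keep state

# Corrected: only the initial SYN (S set, A clear) may create a state, so
# the window scale from the handshake is recorded with the state.
# In FreeBSD 7.0 "flags S/SA keep state" is already the default for TCP
# rules; it is spelled out here so the intent is visible.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh flags S/SA keep state

# Stateless alternative, matching the "pass no state" observation in the
# report: no state, so no window tracking at all (and no return-path rule
# is implied, so outbound replies need their own rule).
pass in on $ext_if proto tcp from any to ($ext_if) port ssh no state
```

After loading the ruleset with `pfctl -f /etc/pf.conf`, `pfctl -vvss` prints each state's sequence window and wscale values, which is where a state created mid-connection shows up with a scale of 0 for one or both directions.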


