PF suddenly malfunctioned
Jason Mattax
jmattax at storytotell.org
Mon Jul 23 14:01:20 UTC 2012
<SNIP>
On Mon, July 23, 2012 04:12, Damien Fleuriot wrote:
>
>
> On 7/23/12 7:31 AM, Jason Mattax wrote:
>>
>> based on that I could easily upgrade to 8.3, or possibly 9.0 tomorrow if
>> I have the inclination.
>>
>
> I can recommend 8.3, we're using it widely in production.
>
Thanks.
>
>>> 2/ When the problem appears. Have you tried disabling PF ? (pfctl -d)
>>> Does it help ?
>>>
>> Since I can consistently reproduce the problem with en.wikipedia.org, I
>> have a good way to test. When I run pfctl -d on the firewall, it looks
>> like no traffic is being forwarded, including DNS, so I eventually get a
>> notice that the web page timed out because I typed the address wrong.
>> That is as opposed to the web browser saying waiting for
>> en.wikipedia.org (and, if I recall correctly, occasionally getting the
>> redirect to en.wikipedia.org/wiki/Main_Page). I just tested and got
>> stuck at the waiting for en.wikipedia.org for a couple of minutes before
>> I called it good enough to report here.
>>
>
> Keep in mind that after disabling PF you don't get NAT anymore from your
> workstations through the firewall.
>
> So any test you run while PF is disabled has to be run from the PF box
> itself.
>
That's what I thought, but the firewall itself can see the outside network
just fine whether pf is running or not (I just rechecked that.)