pf and http (ebay)?

Max Laier max at
Fri Apr 8 10:15:51 PDT 2005

On Friday 08 April 2005 18:41, Dick Davies wrote:
> I have pf running on my laptop with a config including:
>   pass out on $ext_if proto { tcp, udp } all keep state
> (there's a 'block in log all' and  a couple of services allowed in too
> further up, but that's the gist of it.)
> which works well for some sites but not all. In particular,
> going to 'my ebay' hangs firefox with a
> 'waiting for'
> message on the status bar.
> pflog looks like:
>   root$ tcpdump -r /var/log/pflog|grep ebay
>   reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
>   17:29:56.885697 IP > laptop.ip.60674: R
>     2025419634:2025419634(0) ack 1452466570 win 64240
>   17:30:07.917906 IP > laptop.ip.52293: R 
>     1766217212:1766217212(0) ack 1086438034 win 64240
> My guess is that pf is not letting the responses back from that
> server because firefox didn't request from that server?
> But ipf on the gateway (which has a similar outbound keep state rule)
> never had this problem - any idea what's going on, or how I can debug this?

The blocked packets in your log are RSTs so it's most likely a window 
violation - possibly caused by ipf on the gateway?!?  Please add an "-e" to 
your tcpdump to see the reason for the block.  You might also want to enable 
debugging (pfctl -x misc) and watch the console for "bad state" messages.

/"\  Best regards,                      | mlaier at
\ /  Max Laier                          | ICQ #67774661
 X  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
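A small parser for the `tcpdump -e` output the reply asks for, added here as an example that is not part of the original thread. It is not code from the poster or from FreeBSD; it assumes the line shape printed by tcpdump's pflog printer ("rule N/M(reason): action dir on ifname: src > dst: flags ..."), accepts both the old single-letter TCP flag style shown in the thread and the newer "Flags [R.]" style, and runs over constructed sample lines (interface `wi0`, addresses and ports are made up, not captured from the poster's laptop). The point it shows is the one Max makes: with `-e`, a blocked RST carries its block reason, and a `state-mismatch` reason is the window/sequence check failing against an existing state, which is what `pfctl -x misc` would also report as "bad state".

```python
"""Classify pf block entries from `tcpdump -e -n -r /var/log/pflog` output.

Added example, not part of the mailing-list thread. The line format is
assumed from tcpdump's pflog printer; the sample lines below are constructed.
"""
import re
from collections import Counter

# One tcpdump -e pflog line.  The trailing group accepts the old TCP flag
# style ("R", "S", ".") and the newer "Flags [R.]" style.
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+rule\s+(?P<rule>\d+)/(?P<subrule>\d+)\((?P<reason>[\w-]+)\):\s+"
    r"(?P<action>\w+)\s+(?P<dir>in|out)\s+on\s+(?P<ifname>\S+):\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?:Flags\s+\[(?P<flags_new>[^\]]*)\]|(?P<flags_old>[SFRPU.EW]+))"
)

# Constructed sample: two RSTs rejected by the state window check (the
# symptom in the thread), plus two SYNs blocked by the rule itself.
SAMPLE_LOG = """\
17:29:56.885697 rule 0/0(state-mismatch): block in on wi0: 10.0.0.2.80 > 192.168.1.5.60674: R 2025419634:2025419634(0) ack 1452466570 win 64240
17:30:07.917906 rule 0/0(state-mismatch): block in on wi0: 10.0.0.2.80 > 192.168.1.5.52293: R 1766217212:1766217212(0) ack 1086438034 win 64240
17:30:09.100000 rule 0/0(match): block in on wi0: 10.0.0.9.4444 > 192.168.1.5.22: S 1:1(0) win 5840
17:30:10.200000 rule 0/0(match): block in on wi0: 10.0.0.9.4444 > 192.168.1.5.22: Flags [S], seq 1, win 5840
"""


def parse_pflog_line(line):
    """Return a dict of fields for one pflog line, or None if it does not match."""
    m = PFLOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    flags = d.pop("flags_new")
    old = d.pop("flags_old")
    d["flags"] = (flags if flags is not None else old).replace(" ", "")
    d["rule"] = int(d["rule"])
    d["subrule"] = int(d["subrule"])
    return d


def diagnose(entry):
    """Map a parsed block entry to the diagnosis a pf admin would draw from it."""
    if entry["reason"] == "state-mismatch" and "R" in entry["flags"]:
        # RST did not fit the sequence/window of the existing state entry;
        # `pfctl -x misc` would log this as a "bad state" message.
        return "rst-window-violation"
    if entry["reason"] == "match":
        # No state and no pass rule matched: blocked by the rule itself.
        return "blocked-by-rule"
    return "other:" + entry["reason"]


def summarize_blocks(text):
    """Count blocked packets by (reason, flags) across all parsable lines."""
    entries = (parse_pflog_line(line) for line in text.splitlines())
    return Counter(
        (e["reason"], e["flags"]) for e in entries if e and e["action"] == "block"
    )


def diagnoses(text):
    """Count diagnoses across all blocked packets in the log text."""
    entries = (parse_pflog_line(line) for line in text.splitlines())
    return Counter(diagnose(e) for e in entries if e and e["action"] == "block")


if __name__ == "__main__":
    for key, n in sorted(summarize_blocks(SAMPLE_LOG).items()):
        print(f"{n:4d}  reason={key[0]:<15} flags={key[1]}")
    print(dict(diagnoses(SAMPLE_LOG)))
```

Run it against real output with `tcpdump -e -n -r /var/log/pflog | python3 thisfile.py` after replacing `SAMPLE_LOG` with `sys.stdin.read()`; a pile of `state-mismatch` RSTs from the remote web server, with nothing else blocked, points at a middlebox (the ipf gateway in the thread) rewriting or replaying segments so that the RST no longer fits pf's state window, rather than at a missing pass rule.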