Thread: Re: pf and keep/modulate state on 6.2

Re: pf and keep/modulate state on 6.2
Germany
2007-07-25 13:55:40

On Saturday 21 July 2007, Jordan Gordeev wrote:
> J.D. Bronson wrote:
> > At 02:52 AM 02/26/2007, you wrote:
> >> Wow, this fixed my FTP-over-DSL-to-6.2 problem too. With modulate
> >> state, I was getting ~30K/sec. With just keep state, I'm now getting
> >> more like what my connection is capable of. This is between two 6.2
> >> hosts on opposite sides of the Atlantic.
> >>
> >> Ted, I use pf because I like the format of the configuration file, I
> >> like the logging and pftop, and like how it's harder to lock
> >> yourself out of a remote machine by accident
> >>
> >> /JMS
> >
> > I use pf since its newer (I think?) and I came from openbsd..pf just
> > works and the config file is nice and sweet.
> >
> > I had thought that modulate state would put a load on my proc, but
> > sheesh, its a p4-3.06 - thats more than robust for a router.
> >
> > I wonder if we should file a bug on this?
> >
> > I am glad my post helped here. I still use modulate state for any
> > INCOMING connections though (www/smtp/etc).
>
> I'm replying to an old and long-forgotten thread to report my recent
> findings.
> There's a bug in PF with modulate/synproxy state. Modulate/synproxy
> state modulate sequence numbers, but don't modulate sequence numbers in
> TCP SACK options. Some firewalls block TCP segments with sequence
> numbers in the SACK option pointing outside the window, which causes
> connection stalls. The bug was fixed in OpenBSD with revision 1.509 of
> src/sys/net/pf.c about a year and a half ago. The bug is present in
> FreeBSD-STABLE. A fix for the bug was imported in FreeBSD-CURRENT with
> the big import of PF from OpenBSD 4.1.
> I'm CC-ing Max to notify him of the bug present in -STABLE and to ask
> him to deal with the issue by either porting the fix from OpenBSD, or
> by documenting that modulate/synproxy state is broken.
Good catch - sorry for the delay. Here is the diff (almost verbatim from
OPENBSD_3_8). Please test and report back. I plan to commit this to
RELENG_6 in a bit.
--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
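To make the failure mode in this thread concrete, here is an added example in C. It is not pf's code and not from any message above; it models the two halves of the problem: modulate_sack() adds a sequence-number delta to every SACK block edge (the adjustment that modulate/synproxy state was missing, since SACK edges live in the same sequence space as the segment's ACK number and must move with it), and sack_in_window() is a simplified model of the strict peer-side check described above, which drops a segment whose SACK edges fall outside [ACK, ACK + window]. The function names, the sample option bytes, the window size and the delta are all constructed for illustration; only the option layout (RFC 793 EOL/NOP, RFC 2018 SACK) comes from the specifications.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* TCP option kinds: RFC 793 (EOL, NOP) and RFC 2018 (SACK). */
#define TCPOPT_EOL  0
#define TCPOPT_NOP  1
#define TCPOPT_SACK 5

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/*
 * Describe the option at offset i of the option area. Returns 1 with *kind
 * and *len set, 0 at EOL or end of area, -1 if the option's length field
 * runs past optlen (malformed options must not be walked blindly).
 */
static int next_option(const uint8_t *opts, size_t optlen, size_t i,
                       uint8_t *kind, uint8_t *len)
{
    if (i >= optlen) return 0;
    *kind = opts[i];
    if (*kind == TCPOPT_EOL) return 0;
    if (*kind == TCPOPT_NOP) { *len = 1; return 1; }
    if (i + 1 >= optlen) return -1;
    *len = opts[i + 1];
    if (*len < 2 || i + *len > optlen) return -1;
    return 1;
}

/*
 * Add delta (mod 2^32) to every SACK edge. A firewall that shifts this
 * segment's ACK number by delta must shift the SACK edges by the same
 * delta. Returns the number of edges rewritten, -1 on malformed options.
 */
int modulate_sack(uint8_t *opts, size_t optlen, uint32_t delta)
{
    size_t i = 0;
    uint8_t kind, len;
    int r, edges = 0;

    while ((r = next_option(opts, optlen, i, &kind, &len)) == 1) {
        if (kind == TCPOPT_SACK) {
            if ((len - 2) % 8 != 0) return -1;  /* body is (left,right) pairs */
            for (size_t off = i + 2; off + 4 <= i + len; off += 4) {
                put_be32(opts + off, get_be32(opts + off) + delta);
                edges++;
            }
        }
        i += len;
    }
    return r < 0 ? -1 : edges;
}

/*
 * Simplified model of the strict peer check: every SACK edge must lie in
 * [ack, ack + win] using wrap-around arithmetic. Returns 1 if all edges
 * are in window, 0 if any is outside, -1 on malformed options.
 */
int sack_in_window(const uint8_t *opts, size_t optlen, uint32_t ack, uint32_t win)
{
    size_t i = 0;
    uint8_t kind, len;
    int r;

    while ((r = next_option(opts, optlen, i, &kind, &len)) == 1) {
        if (kind == TCPOPT_SACK) {
            if ((len - 2) % 8 != 0) return -1;
            for (size_t off = i + 2; off + 4 <= i + len; off += 4)
                if (get_be32(opts + off) - ack > win) return 0;  /* uint32 wraps */
        }
        i += len;
    }
    return r < 0 ? -1 : 1;
}

/* Constructed sample option area: NOP NOP SACK(len 10), one block [2000,3000). */
size_t build_sample_opts(uint8_t *buf)
{
    buf[0] = TCPOPT_NOP; buf[1] = TCPOPT_NOP;
    buf[2] = TCPOPT_SACK; buf[3] = 10;
    put_be32(buf + 4, 2000);
    put_be32(buf + 8, 3000);
    return 12;
}

/* Peer verdict after: 0 = no modulation, 1 = ACK shifted but SACK left alone
 * (the bug reported above), 2 = ACK and SACK both shifted (the fix). */
int scenario(int stage)
{
    uint8_t opts[12];
    size_t n = build_sample_opts(opts);
    uint32_t ack = 1000, win = 65535, delta = 0x7F000000u;  /* assumed values */

    if (stage == 0) return sack_in_window(opts, n, ack, win);
    if (stage == 2) modulate_sack(opts, n, delta);
    return sack_in_window(opts, n, ack + delta, win);
}

int main(void)
{
    printf("unmodulated:      in_window=%d\n", scenario(0));
    printf("ACK only:         in_window=%d\n", scenario(1));
    printf("ACK and SACK:     in_window=%d\n", scenario(2));
    return 0;
}
```

Stage 1 is the stall: the peer sees a plausible ACK but SACK edges roughly 2 GiB away from it, and a firewall that validates SACK against the window discards the segment, so the sender never learns which holes to fill. The option walker also refuses an option whose length field overruns the option area, which any code that rewrites packet headers in place should check before touching the bytes.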
Re: pf and keep/modulate state on 6.2
Bulgaria
2007-07-26 15:21:58
Max Laier wrote:
>On Saturday 21 July 2007, Jordan Gordeev wrote:
>
>>I'm replying to an old and long-forgotten thread to report my recent
>>findings.
>>There's a bug in PF with modulate/synproxy state. Modulate/synproxy
>>state modulate sequence numbers, but don't modulate sequence numbers in
>>TCP SACK options. Some firewalls block TCP segments with sequence
>>numbers in the SACK option pointing outside the window, which causes
>>connection stalls. The bug was fixed in OpenBSD with revision 1.509 of
>>src/sys/net/pf.c about a year and a half ago. The bug is present in
>>FreeBSD-STABLE. A fix for the bug was imported in FreeBSD-CURRENT with
>>the big import of PF from OpenBSD 4.1.
>>I'm CC-ing Max to notify him of the bug present in -STABLE and to ask
>>him to deal with the issue by either porting the fix from OpenBSD, or
>>by documenting that modulate/synproxy state is broken.
>
>Good catch - sorry for the delay. Here is the diff (almost verbatim from
>OPENBSD_3_8). Please test and report back. I plan to commit this to
>RELENG_6 in a bit.

The patch fixed the problem I was having with modulate state and SACK on
my lightly loaded personal NAT box.
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"