On 4/3/2007 2:42 PM Michael Proto wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Drew Tomlinson wrote:
>
>> I run Bacula v1.38 on my home network. Both the director and the client
>> with which I am having trouble are running FreeBSD 6.1. Things worked
>> flawlessly until I changed my firewall from ipfw2 to pf, backups fail
>> intermittently on my router due to "broken network pipes" usually after
>> somewhere around 10 MB - 12 MB has been transferred. Thus small
>> incremental backups are successful but larger full backups are not. I
>> do not have this problem when I disable pf on the router, nor do I have
>> problems when completing backups with other machines on my internal
>> network. My setup looks like this:
>>
>> bacula director --------- router (client)
>> 192.168.1.4 (fxp0)        192.168.1.2 (dc0)
>>
>> Communication takes place on ports 9102 and 9103. I captured this
>> output from pflog0 after starting a backup:
>>
>> blacksheep# tcpdump -netttti pflog0 "( host blacksheep or blacklamb )
>> and ( port 9102 or port 9103 )"
>> tcpdump: WARNING: pflog0: no IPv4 address assigned
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size
>> 96 bytes
>> 2007-04-02 13:57:21.021122 rule 7/0(match): pass in on dc0:
>> 192.168.1.4.52295 > 192.168.1.2.9102: S 2822997678:2822997678(0) win
>> 65535 <mss 1460,nop,wscale 1,[|tcp]>
>> 2007-04-02 13:57:23.532037 rule 13/0(match): pass out on dc0:
>> 192.168.1.2.64955 > 192.168.1.4.9103: S 2265048451:2265048451(0) win
>> 65535 <mss 1460,nop,wscale 1,[|tcp]>
>> 2007-04-02 13:57:23.532323 rule 7/0(match): pass in on dc0:
>> 192.168.1.4.9103 > 192.168.1.2.64955: S 3452777266:3452777266(0) ack
>> 2265048452 win 65535 <mss 1460,nop,wscale 1,[|tcp]>
>>
>> And the rules are:
>>
>> @7 pass in log on dc0 inet proto tcp from 192.168.1.0/24 to any modulate
>> state queue(std_out, ack_out)
>> @13 pass out log on dc0 inet all
>>
>
> Well, here's my thought. You are keeping state on inbound connections
> but not on outbound, so your outbound connection from the router to your
> director (which carries the bulk of the data) may be hitting the time
> limit for tcp connections. I'd try adding a rule above rule 13 as such:
>
> pass out log on dc0 inet proto tcp to 192.168.1.4 keep state
>
> Or something similar and see if that resolves the problem.
>
> Generally speaking, if you're using stateful inspection in a pf ruleset,
> it's a good idea to use stateful-ness on all rules, as things like return
> traffic will often bite you.
>
Thanks for your suggestion. I don't have keep state on rule 13 because
it messes up my attempts at queuing (which is another concept I don't
understand and have posted about on the FreeBSD pf list). However, I
will add it and see if it resolves this problem.

Thanks,

Drew

--
Be a Great Magician!
Visit The Alchemist's Warehouse
http://www.alchemistswarehouse.com

_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
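An added example, not part of the original thread: a small Python check that pairs the pflog lines with the quoted rules and lists connections whose initial SYN was passed by a rule with no state option, which is the condition Michael points at for rule 13. The function names are hypothetical, and it assumes a rule with no state keyword is stateless, as in the pf version discussed here.

```python
import re

# Rules quoted in the message; "@N" matches the rule numbers in the pflog output.
RULES = """\
@7 pass in log on dc0 inet proto tcp from 192.168.1.0/24 to any modulate state queue(std_out, ack_out)
@13 pass out log on dc0 inet all
"""

# pflog capture quoted in the message, with the e-mail line wrapping undone.
PFLOG = """\
2007-04-02 13:57:21.021122 rule 7/0(match): pass in on dc0: 192.168.1.4.52295 > 192.168.1.2.9102: S 2822997678:2822997678(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
2007-04-02 13:57:23.532037 rule 13/0(match): pass out on dc0: 192.168.1.2.64955 > 192.168.1.4.9103: S 2265048451:2265048451(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
2007-04-02 13:57:23.532323 rule 7/0(match): pass in on dc0: 192.168.1.4.9103 > 192.168.1.2.64955: S 3452777266:3452777266(0) ack 2265048452 win 65535 <mss 1460,nop,wscale 1,[|tcp]>
"""

STATE_RE = re.compile(r"\b(?:keep|modulate|synproxy) state\b")
LOG_RE = re.compile(
    r"rule (\d+)/\d+\(match\): (pass|block) (in|out) on (\S+): "
    r"(\S+) > (\S+): (\S+) \d+:\d+\(\d+\)( ack \d+)?")


def stateful_rules(text):
    """Map rule number -> True when the rule carries a state option.

    Assumption: a rule with no state keyword is stateless.
    """
    rules = {}
    for line in text.splitlines():
        m = re.match(r"@(\d+)\s+(.*)", line.strip())
        if m:
            rules[int(m.group(1))] = bool(STATE_RE.search(m.group(2)))
    return rules


def stateless_connections(pflog, rules):
    """List connections whose initial SYN was passed by a stateless rule."""
    packets = [m.groups() for m in map(LOG_RE.search, pflog.splitlines()) if m]
    findings = []
    for rule, action, direction, iface, src, dst, flags, ack in packets:
        # Skip blocks, non-SYN packets, SYN-ACKs, and rules that keep state.
        if action != "pass" or flags != "S" or ack or rules.get(int(rule)):
            continue
        # The SYN-ACK for this flow, if logged, was matched by a rule too.
        reply = next((int(p[0]) for p in packets
                      if p[4] == dst and p[5] == src and p[7]), None)
        findings.append({"rule": int(rule), "dir": direction, "iface": iface,
                         "src": src, "dst": dst, "reply_rule": reply})
    return findings


if __name__ == "__main__":
    for f in stateless_connections(PFLOG, stateful_rules(RULES)):
        print(f)
```

On the capture above it reports the router's outbound connection to port 9103, passed by rule 13, with the returning SYN-ACK matched by rule 7.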