On 06/15/07 08:24, Vlad GURDIGA wrote:
> Hello,
>
> There is one strange thing going on with this combination. I saw this
> many times by now: when fetch(1) is trying to download something from
> http://ftp.gnu.org, it is hanging after a very small amount of data;
> sometimes on 0%. After disabling pf(4), fetch(1) is not hanging any
> more, so I guess that the problem is somewhere in my pf.conf. Here it
> is:
>
> ---- pf.conf -- begin ---
> ext_if = "em0"
> icmp_types="echoreq"
>
> # don't filter on the loopback interface
> set skip on lo0
> set block-policy return
>
> scrub all no-df random-id reassemble tcp
>
> # setup a default deny policy
> block all
>
> # activate spoofing protection for the internal interface.
> antispoof quick for lo0 inet
>
> # pass tcp, udp, and icmp out on the external (Internet) interface.
> # keep state on udp and icmp and modulate state on tcp.
> pass in on $ext_if proto tcp from any to $ext_if port 65522 keep state
>
> pass in inet proto icmp all icmp-type $icmp_types keep state
> pass out on $ext_if proto tcp all modulate state flags S/SA
> pass out on $ext_if proto {udp, icmp} all keep state
> ---- pf.conf -- end ---
>
> Any idea what's wrong here?
Vlad,

if we're out of ideas, there would be something wrong... ;)

My first try is to replace your 'pass out on $ext_if ... modulate state ...' by 'keep state'. modulate state is more of use for incoming connections as you don't want half open connections to your services.

HTH

Volker

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
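The change Volker proposes, written out as an added example (not from either poster): it assumes the same em0 interface and macros as Vlad's pf.conf and only rewrites the outbound TCP rule, leaving the rest of the ruleset as quoted above.

```pf
# Outbound section of the pf.conf above, with the suggested change applied.
# Assumes the same macros as Vlad's file; everything else stays as he posted it.
ext_if = "em0"
icmp_types = "echoreq"

# Original rule, kept here for comparison. "modulate state" tracks the
# connection like "keep state" but additionally rewrites the TCP initial
# sequence numbers in both directions; it only applies to TCP.
# pass out on $ext_if proto tcp all modulate state flags S/SA

# Suggested replacement: plain state tracking, no sequence-number rewriting.
# "flags S/SA" still means a state entry is only created by an initial SYN
# (SYN set, ACK clear among the SYN/ACK pair), so stray packets that are not
# connection openers do not create state.
pass out on $ext_if proto tcp all keep state flags S/SA

# Unchanged: UDP and ICMP already use plain keep state.
pass out on $ext_if proto {udp, icmp} all keep state
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without activating it; after `pfctl -f /etc/pf.conf`, `pfctl -ss` shows the state entries, so a stalled fetch(1) transfer can be checked for whether its connection still has a matching state.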