On 01 August 2007, at 18:21, Greg Hennessy wrote:
>> pass quick on lo0 all
>
> Change this to
>
> set skip on lo0

thanks

>> block drop in log quick on $ext_if from $priv_nets to any
>> block drop out log quick on $ext_if from any to $priv_nets
>
> Superfluous, a default block policy should catch these.

ok

>> pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
>> pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_services keep state
>
> I tend to avoid using 'any' as a source, use !<LAN-Subnets> instead.

I'm going to try this

>> Absolutely nothing interesting out of `tcpdump -n -e -ttt -i pflog0`
>> Only a bunch of blocks for rule "0":
>
> You need to enable logging on the pass rules to identify which rule number the throughput test traffic is matching against.
> Then use pfctl -vsr to identify the precise one.
>
> Looks like someone has compiled out inet6.
>
>> 000000 rule 0/0(match): block in on fxp0: 82.235.245.158 > 82.235.12.223: [|tcp]
>
> You need to increase the snap size. Change the tcpdump on pflog0 whilst testing to
>
> tcpdump -s 160 -l -e -tttt -i pflog0
>
> This will give you far more meaningful firewall logs to identify potential out of state drops.
I'm afraid it's not better:
2007-08-01 23:46:28.845093 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.56404 > dns2.proxad.net.domain: 41734+ PTR? 23.219.98.87.in-addr.arpa. (43)
2007-08-01 23:46:31.677123 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.62879 > dns2.proxad.net.domain: 55363+ A? test-debit.free.fr. (36)
2007-08-01 23:46:31.728994 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.56732 > dns2.proxad.net.domain: 55364+ AAAA? test-debit.free.fr. (36)
2007-08-01 23:46:31.781738 rule 45/0(match): pass out on fxp0: boleskine.patpro.net.63557 > test-debit-f12.proxad.net.http: S 3953257962:3953257962(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 87477621 0,sackOK,eol>
2007-08-01 23:46:39.701327 rule 0/0(match): block in on fxp0: lon92-5-82-235-210-94.fbx.proxad.net.3536 > boleskine.patpro.net.loc-srv: S 3837388923:3837388923(0) win 16384 <mss 1460,nop,nop,sackOK>
2007-08-01 23:46:39.925942 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.61629 > dns2.proxad.net.domain: 41735+ PTR? 94.210.235.82.in-addr.arpa. (44)
2007-08-01 23:46:40.237802 rule 0/0(match): block in on fxp0: lon92-5-82-235-210-94.fbx.proxad.net.3536 > boleskine.patpro.net.loc-srv: S 3837388923:3837388923(0) win 16384 <mss 1460,nop,nop,sackOK>
2007-08-01 23:46:40.785610 rule 0/0(match): block in on fxp0: lon92-5-82-235-210-94.fbx.proxad.net.3536 > boleskine.patpro.net.loc-srv: S 3837388923:3837388923(0) win 16384 <mss 1460,nop,nop,sackOK>
2007-08-01 23:46:42.790998 rule 0/0(match): block in on fxp0: bny93-4-82-235-241-206.fbx.proxad.net.2770 > boleskine.patpro.net.loc-srv: S 3621124191:3621124191(0) win 53760 <mss 1460,nop,wscale 3,nop,nop,timestamp 0 0,nop,nop,sackOK>
2007-08-01 23:46:42.978867 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.61813 > dns2.proxad.net.domain: 41736+ PTR? 206.241.235.82.in-addr.arpa. (45)
2007-08-01 23:46:43.243787 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.54854 > dax.tuxfinder.com.ntp: NTPv4, Client, length 48
2007-08-01 23:46:43.243807 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.59333 > ns2.securitbox.com.ntp: NTPv4, Client, length 48
2007-08-01 23:46:43.341997 rule 0/0(match): block in on fxp0: bny93-4-82-235-241-206.fbx.proxad.net.2770 > boleskine.patpro.net.loc-srv: S 3621124191:3621124191(0) win 53760 <mss 1460,nop,wscale 3,nop,nop,timestamp 0 0,nop,nop,sackOK>
2007-08-01 23:46:44.029868 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.61406 > dns2.proxad.net.domain: 41737+ PTR? 184.12.191.88.in-addr.arpa. (44)
2007-08-01 23:46:44.095790 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.55154 > dns2.proxad.net.domain: 41738+ PTR? 71.183.1.194.in-addr.arpa. (43)
2007-08-01 23:47:28.858010 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.55632 > dns2.proxad.net.domain: 39554+ PTR? 223.12.235.82.in-addr.arpa. (44)
2007-08-01 23:47:31.338705 rule 41/0(match): pass in on em0: 192.168.0.2.50122 > 192.168.0.1.domain: 9746+ A? www.adobe.com. (31)
2007-08-01 23:47:31.338946 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.domain > dns3.proxad.net.domain: 29295+ [1au] A? www.wip3.adobe.com. (47)
2007-08-01 23:47:32.170346 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.49612 > dns2.proxad.net.domain: 41739+ PTR? 252.53.27.212.in-addr.arpa. (44)
2007-08-01 23:47:44.398133 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.62936 > chihiro.bleu-pastel.org.ntp: NTPv4, Client, length 48
2007-08-01 23:47:47.462629 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.59646 > a5.iliad.fr.ntp: NTPv4, Client, length 48
2007-08-01 23:48:01.521465 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.49673 > ns1.kamino.fr.ntp: NTPv4, Client, length 48
2007-08-01 23:48:02.448834 rule 0/0(match): block in on fxp0: gqp76-2-82-235-245-158.fbx.proxad.net.2488 > boleskine.patpro.net.loc-srv: S 3190942924:3190942924(0) win 64240 <mss 1460,nop,nop,sackOK>
2007-08-01 23:48:02.957259 rule 0/0(match): block in on fxp0: gqp76-2-82-235-245-158.fbx.proxad.net.2488 > boleskine.patpro.net.loc-srv: S 3190942924:3190942924(0) win 64240 <mss 1460,nop,nop,sackOK>
2007-08-01 23:48:03.655702 rule 0/0(match): block in on fxp0: gqp76-2-82-235-245-158.fbx.proxad.net.2488 > boleskine.patpro.net.loc-srv: S 3190942924:3190942924(0) win 64240 <mss 1460,nop,nop,sackOK>
2007-08-01 23:48:09.581381 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.49631 > roxane.home-dn.net.ntp: NTPv4, Client, length 48
2007-08-01 23:48:17.145432 rule 0/0(match): block in on fxp0: she13-1-82-235-225-106.fbx.proxad.net.2730 > boleskine.patpro.net.loc-srv: S 3888078071:3888078071(0) win 64240 <mss 1460,nop,nop,sackOK>
2007-08-01 23:48:20.753804 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.53980 > cerber.obs.coe.int.ntp: NTPv4, Client, length 48
2007-08-01 23:48:29.902616 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.57907 > dns2.proxad.net.domain: 18671+ PTR? 223.12.235.82.in-addr.arpa. (44)
2007-08-01 23:48:32.844683 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.58931 > mail1.vetienne.net.ntp: NTPv4, Client, length 48
2007-08-01 23:48:50.138103 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.54854 > dax.tuxfinder.com.ntp: NTPv4, Client, length 48
2007-08-01 23:48:56.174302 rule 0/0(match): block in on fxp0: lju91-3-82-235-167-216.fbx.proxad.net.3230 > boleskine.patpro.net.loc-srv: S 3929104:3929104(0) win 65535 <mss 1460,nop,nop,sackOK>
2007-08-01 23:48:56.187805 rule 0/0(match): block in on fxp0: lju91-3-82-235-167-216.fbx.proxad.net.3235 > boleskine.patpro.net.microsoft-ds: S 4121314:4121314(0) win 65535 <mss 1460,nop,nop,sackOK>
2007-08-01 23:48:56.268230 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.54083 > dns2.proxad.net.domain: 41740+ PTR? 216.167.235.82.in-addr.arpa. (45)
2007-08-01 23:48:56.745779 rule 0/0(match): block in on fxp0: lju91-3-82-235-167-216.fbx.proxad.net.3235 > boleskine.patpro.net.microsoft-ds: S 4121314:4121314(0) win 65535 <mss 1460,nop,nop,sackOK>
2007-08-01 23:48:56.747746 rule 0/0(match): block in on fxp0: lju91-3-82-235-167-216.fbx.proxad.net.3230 > boleskine.patpro.net.loc-srv: S 3929104:3929104(0) win 65535 <mss 1460,nop,nop,sackOK>
2007-08-01 23:48:57.253912 rule 0/0(match): block in on fxp0: lju91-3-82-235-167-216.fbx.proxad.net.3235 > boleskine.patpro.net.microsoft-ds: S 4121314:4121314(0) win 65535 <mss 1460,nop,nop,sackOK>
2007-08-01 23:48:57.253923 rule 0/0(match): block in on fxp0: lju91-3-82-235-167-216.fbx.proxad.net.3230 > boleskine.patpro.net.loc-srv: S 3929104:3929104(0) win 65535 <mss 1460,nop,nop,sackOK>
2007-08-01 23:49:00.942064 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.54689 > dns2.proxad.net.domain: 54137+ PTR? 223.12.235.82.in-addr.arpa. (44)
2007-08-01 23:49:01.362800 rule 41/0(match): pass in on em0: 192.168.0.2.50123 > 192.168.0.1.domain: 18301+ A? www.adobe.com. (31)
2007-08-01 23:49:01.363043 rule 46/0(match): pass out on fxp0: boleskine.patpro.net.domain > dns3.proxad.net.domain: 11699+ [1au] A? www.wip3.adobe.com. (47)
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
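As an added example that is not part of this thread: a small Python script that parses lines in the shape of the `tcpdump -s 160 -l -e -tttt -i pflog0` output above, tallies hits per rule number (the numbers one then resolves with `pfctl -vsr`), and counts inbound blocked SYNs by destination service so that background scan noise against loc-srv and microsoft-ds can be told apart from the throughput-test traffic. The sample lines, hostnames, ports and sequence numbers are constructed, not taken from the post.

```python
import re
from collections import Counter

# Constructed sample in the shape of `tcpdump -s 160 -l -e -tttt -i pflog0`
# output; hostnames, ports and sequence numbers are made up, not from the post.
SAMPLE_LOG = """\
2007-08-01 23:46:31.781738 rule 45/0(match): pass out on fxp0: gw.example.net.63557 > www.example.org.http: S 10:10(0) win 65535 <mss 1460,nop,wscale 1,sackOK,eol>
2007-08-01 23:46:39.701327 rule 0/0(match): block in on fxp0: h1.example.net.3536 > gw.example.net.loc-srv: S 20:20(0) win 16384 <mss 1460,nop,nop,sackOK>
2007-08-01 23:46:40.237802 rule 0/0(match): block in on fxp0: h1.example.net.3536 > gw.example.net.loc-srv: S 20:20(0) win 16384 <mss 1460,nop,nop,sackOK>
2007-08-01 23:46:43.243787 rule 46/0(match): pass out on fxp0: gw.example.net.54854 > ntp.example.org.ntp: NTPv4, Client, length 48
2007-08-01 23:48:56.187805 rule 0/0(match): block in on fxp0: h2.example.net.3235 > gw.example.net.microsoft-ds: S 30:30(0) win 65535 <mss 1460,nop,nop,sackOK>
"""

# One pflog record as tcpdump -e prints it: timestamp, "rule N/M(reason):", action, direction, interface, packet.
LINE_RE = re.compile(
    r"^\S+ \S+ rule (?P<rule>\d+)/\d+\(\w+\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)

def split_port(endpoint):
    """tcpdump prints host.port (or host.service); ICMP endpoints carry no port."""
    host, dot, port = endpoint.rpartition(".")
    return (host, port) if dot else (endpoint, "")

def parse_pflog_line(line):
    """Return a dict for one record, or None if the line is not pflog output."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["src_host"], rec["src_port"] = split_port(rec.pop("src"))
    rec["dst_host"], rec["dst_port"] = split_port(rec.pop("dst"))
    rec["tcp_syn"] = rec["rest"].startswith("S ")  # bare SYN: a new connection attempt
    return rec

def summarize(log_text):
    """Hits per (action, dir, iface, rule), the key for `pfctl -vsr`, plus inbound blocked SYNs per service."""
    by_rule = Counter()
    blocked_syn_services = Counter()
    for line in log_text.splitlines():
        rec = parse_pflog_line(line)
        if rec is None:  # skip non-pflog lines such as the tcpdump banner
            continue
        by_rule[(rec["action"], rec["dir"], rec["iface"], rec["rule"])] += 1
        if rec["action"] == "block" and rec["dir"] == "in" and rec["tcp_syn"]:
            blocked_syn_services[rec["dst_port"]] += 1
    return by_rule, blocked_syn_services
```

Feed it the real capture with `tcpdump -s 160 -l -e -tttt -i pflog0 | python3 -c 'import sys, thisfile; print(thisfile.summarize(sys.stdin.read()))'` (module name assumed); rules whose counter climbs during the throughput test are the ones to look up.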