On 2020-03-03, Chris Cappuccio <ch...@nmedia.net> wrote:
> Jyri Hovila [Turvamies.fi] [jyri.hov...@turvamies.fi] wrote:
>> Hello everyone!
>>
>> Now here's a mysterious one -- I've been working on this for weeks and still
>> have no clue what's causing it.
>>
>> "client_loop: send disconnect: Broken pipe
>>
>> As soon as I disable pf entirely, the problem goes away.
>>
>> Any ideas on how to debug this further?
>>
>
> Figure out which exact part of your pf config is causing this. Try disabling
> everything line-by-line.
>
Look at pfctl -ss -v. Do you have "wscale" values printed for most TCP connections? If not, then you are likely creating state on intermediate rather than ACK packets (window scaling values are not present in most packets, only in the initial handshake).

If that is the case, make sure you don't have anything passed by the implicit default rule, which is equivalent to "pass all flags any no state". I like to make sure I don't hit this by starting my ruleset with "block log".

Note the paragraph starting "Where more than one firewall might actively handle packets" in pfsync(4) if this might apply to you.

You can also try bumping up the PF debug level (pfctl -x; the default is "err"), but be careful doing this on a busy system: take it up one notch at a time, make sure it doesn't create insane amounts of logging, and be ready to knock it back to a previous level if needed. Be extra careful with this if you have a serial console.
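An added example, not code from the thread or from OpenBSD, that automates the wscale check described above: it reads a pfctl -ss -v dump, counts established TCP states with and without "wscale", and lists the ones lacking it together with the rule number pf recorded for them. It assumes the -v output layout (an unindented state line, then indented sequence and age lines); the SAMPLE_STATES text is constructed to mimic that layout and uses RFC 5737 documentation addresses. Half-open handshakes such as SYN_SENT:CLOSED are skipped because they legitimately have no wscale yet, and a peer that never negotiated window scaling also shows none, so what matters is the proportion across "most" connections, as the reply says, not any single state.

```shell
#!/bin/sh
# Added example (not from the original thread): tally TCP states in a
# "pfctl -ss -v" dump by whether they carry window-scaling ("wscale") values.
# A state created on a mid-stream packet rather than on the handshake has
# none, because the wscale option is only sent in SYN/SYN-ACK.
#
# On a live system:   pfctl -ss -v | wscale_tally
#                     pfctl -ss -v | states_without_wscale
#
# SAMPLE_STATES is constructed for offline use. It mimics the pfctl -ss -v
# layout (unindented state header, indented sequence and age lines) and uses
# RFC 5737 documentation addresses; it is not real firewall output.
SAMPLE_STATES='all tcp 192.0.2.10:22 <- 198.51.100.5:50312       ESTABLISHED:ESTABLISHED
   [3851498573 + 65536] wscale 7  [1234567890 + 65536] wscale 6
   age 00:05:12, expires in 23:59:58, 1234:5678 pkts, 123456:789012 bytes, rule 12
all tcp 192.0.2.10:22 <- 198.51.100.7:41290       ESTABLISHED:ESTABLISHED
   [2223334445 + 16384]  [1112223334 + 32768]
   age 00:12:40, expires in 23:59:55, 98:77 pkts, 9800:7700 bytes, rule 0
all udp 192.0.2.10:53 <- 198.51.100.5:55000       MULTIPLE:MULTIPLE
   age 00:00:03, expires in 00:00:57, 4:4 pkts, 300:900 bytes, rule 12
all tcp 192.0.2.10:22 <- 198.51.100.9:41300       SYN_SENT:CLOSED
   [3000000001 + 16384]  [0 + 0]
   age 00:00:01, expires in 00:00:29, 1:0 pkts, 60:0 bytes, rule 12
all tcp 203.0.113.4:443 <- 192.0.2.10:60001       ESTABLISHED:ESTABLISHED
   [1000000000 + 65536] wscale 8  [2000000000 + 65536] wscale 7
   age 00:00:40, expires in 23:59:59, 20:18 pkts, 2000:18000 bytes, rule 14'

# Read pfctl -ss -v output on stdin and print "total with without" for
# established TCP states. Half-open handshakes (e.g. SYN_SENT:CLOSED) are
# skipped: they have not seen both ends of the handshake yet, so a missing
# wscale there means nothing.
wscale_tally() {
    awk '
        BEGIN { total = has = lacks = 0 }
        /^[^ \t]/ {                 # header: iface proto src dir dst srcstate:dststate
            intcp = ($2 == "tcp" && $NF == "ESTABLISHED:ESTABLISHED")
            if (intcp) total++
            next
        }
        intcp && $1 ~ /^\[/ {       # sequence line: [seqlo + win] [wscale N] ...
            if ($0 ~ /wscale/) has++; else lacks++
            intcp = 0               # one sequence line per state
        }
        END { printf "%d %d %d\n", total, has, lacks }
    '
}

# List established TCP states that lack wscale as "rule N src dir dst".
# N is the rule number pf stored in the state; compare it with the @N
# numbers that "pfctl -sr -vv" prints to find the rule that created it.
states_without_wscale() {
    awk '
        /^[^ \t]/ {
            intcp = ($2 == "tcp" && $NF == "ESTABLISHED:ESTABLISHED")
            hdr = $3 " " $4 " " $5
            lacks = 0
            next
        }
        intcp && $1 ~ /^\[/ && $0 !~ /wscale/ { lacks = 1 }
        intcp && lacks && /^[ \t]+age / {
            rule = "?"
            if (match($0, /rule [0-9]+/))
                rule = substr($0, RSTART + 5, RLENGTH - 5)
            print "rule " rule " " hdr
        }
    '
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_STATES" | wscale_tally
printf '%s\n' "$SAMPLE_STATES" | states_without_wscale
```

If the third number (states without wscale) is a large share of the first, the states listed by states_without_wscale show which rule created them; a rule that passes without "flags S/SA" or "keep state" on the SYN, or the implicit default rule the reply warns about, is the usual culprit.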