Hi all,

Recently I moved from FreeBSD 6 to OpenBSD 4.2 but have had some problems.
I get a lot of timeouts on web pages with a high number of hops and I think it may be something to do with either pf and/or sysctl. Any help in diagnosing these timeouts much appreciated. (box is soekris net5501 with three internal lans nat'd outbound.)

------------------------------------------------------------------------------------
sysctl -w net.inet.ip.forwarding=1
sysctl -w net.inet.tcp.mssdflt=1452
sysctl -w net.inet.tcp.recvspace=131072
sysctl -w net.inet.tcp.sendspace=131072
sysctl -w net.inet.udp.recvspace=139264
sysctl -w net.inet.udp.sendspace=32768
----------------------------------------------------------
#       $OpenBSD: pf.conf,v 1.28 2004/04/29 21:03:09 frantzen Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if="pppoe0"
int_if1="vr1"
int_if2="vr2"
int_if3="vr3"
out_net="192.168.11.0/16"

# Private networks, we are going to block incoming traffic from them
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
netbios_ports = "{ 135, 137, 138, 139, 445, 1433 }"

#table <spamd> persist
#table <spamd-white> persist

set block-policy return

scrub in all

nat on $ext_if from $int_if1:network to any -> ($ext_if)
nat on $ext_if from $int_if2:network to any -> ($ext_if)
nat on $ext_if from $int_if3:network to any -> ($ext_if)

# block all

# block incoming traffic from private networks on external interface
block drop in quick on $ext_if from $priv_nets to any

# block outgoing traffic to private networks on external interface
block drop out quick on $ext_if from any to $priv_nets

block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block in quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block in quick on $ext_if inet proto tcp from any to any flags /SFRA
block in quick on $ext_if inet proto tcp from any to any flags F/SFRA
block in quick on $ext_if inet proto tcp from any to any flags U/SFRAU
block in quick on $ext_if inet proto tcp from any to any flags P/P

pass quick on lo0 all

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

#pass in on $ext_if proto udp to any port domain

pass in inet proto icmp all icmp-type echoreq keep state
pass out inet proto icmp all icmp-type echoreq keep state

pass in on $int_if1 from $int_if1:network to any keep state
pass in on $int_if2 from $int_if2:network to any keep state
pass in on $int_if3 from $int_if3:network to any keep state

pass out on $int_if1 from any to $int_if1:network keep state
pass out on $int_if2 from any to $int_if2:network keep state
pass out on $int_if3 from any to $int_if3:network keep state

#pass quick on { lo $int_if }
#antispoof quick for { lo $int_if }
--------------------------------------------------------------