Drew Tomlinson wrote:
> I run Bacula v1.38 on my home network.  Both the director and the client 
> with which I am having trouble are running FreeBSD 6.1.  Things worked 
> flawlessly until I changed my firewall from ipfw2 to pf; backups fail 
> intermittently on my router due to "broken network pipes" usually after 
> somewhere around 10 MB - 12 MB has been transferred.  Thus small 
> incremental backups are successful but larger full backups are not.  I 
> do not have this problem when I disable pf on the router, nor do I have 
> problems when completing backups with other machines on my internal 
> network.  My setup looks like this:
> 
> bacula director --------- router (client)
> 192.168.1.4 (fxp0)        192.168.1.2 (dc0)
> 
> Communication takes place on ports 9102 and 9103.  I captured this 
> output from pflog0 after starting a backup:
> 
> blacksheep# tcpdump -netttti pflog0 "( host blacksheep or blacklamb ) 
> and ( port 9102 or port 9103 )"
> tcpdump: WARNING: pflog0: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 
> 96 bytes
> 2007-04-02 13:57:21.021122 rule 7/0(match): pass in on dc0: 
> 192.168.1.4.52295 > 192.168.1.2.9102: S 2822997678:2822997678(0) win 
> 65535 <mss 1460,nop,wscale 1,[|tcp]>
> 2007-04-02 13:57:23.532037 rule 13/0(match): pass out on dc0: 
> 192.168.1.2.64955 > 192.168.1.4.9103: S 2265048451:2265048451(0) win 
> 65535 <mss 1460,nop,wscale 1,[|tcp]>
> 2007-04-02 13:57:23.532323 rule 7/0(match): pass in on dc0: 
> 192.168.1.4.9103 > 192.168.1.2.64955: S 3452777266:3452777266(0) ack 
> 2265048452 win 65535 <mss 1460,nop,wscale 1,[|tcp]>
> 
> And the rules are:
> 
> @7 pass in log on dc0 inet proto tcp from 192.168.1.0/24 to any modulate 
> state queue(std_out, ack_out)
> @13 pass out log on dc0 inet all
> 

Well, here's my thought. You are keeping state on inbound connections
but not on outbound, so your outbound connection from the router to your
director (which carries the bulk of the data) may be hitting the time
limit for tcp connections. I'd try adding a rule above rule 13 as such:

pass out log on dc0 inet proto tcp to 192.168.1.4 keep state

Or something similar and see if that resolves the problem.

Generally speaking, if you're using stateful inspection in a pf ruleset,
it's a good idea to use stateful-ness on all rules, as things like return
traffic will often bite you.


-Proto
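
Added example, not part of the original message or of pf/Bacula: a small Python check that reads the quoted pflog lines and rules and flags any TCP handshake whose opening SYN was passed by a rule with no state keyword, so that state is first created by the returning SYN-ACK. It assumes that a rule without `keep state`, `modulate state` or `synproxy state` keeps no state on this pf version (as the reply describes), and that a logged SYN-ACK means no existing state matched it; the function names are hypothetical.

```python
import re

# Constructed input: the three pflog lines and two rules quoted in the message,
# with the mail client's line wraps rejoined.
PFLOG = """\
2007-04-02 13:57:21.021122 rule 7/0(match): pass in on dc0: 192.168.1.4.52295 > 192.168.1.2.9102: S 2822997678:2822997678(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
2007-04-02 13:57:23.532037 rule 13/0(match): pass out on dc0: 192.168.1.2.64955 > 192.168.1.4.9103: S 2265048451:2265048451(0) win 65535 <mss 1460,nop,wscale 1,[|tcp]>
2007-04-02 13:57:23.532323 rule 7/0(match): pass in on dc0: 192.168.1.4.9103 > 192.168.1.2.64955: S 3452777266:3452777266(0) ack 2265048452 win 65535 <mss 1460,nop,wscale 1,[|tcp]>
"""
RULES = """\
@7 pass in log on dc0 inet proto tcp from 192.168.1.0/24 to any modulate state queue(std_out, ack_out)
@13 pass out log on dc0 inet all
"""

LINE = re.compile(r"rule (\d+)/\d+\(match\): pass (in|out) on \S+: "
                  r"(\S+) > (\S+): (\S+) \d+:\d+\(\d+\)( ack \d+)?")
STATE = re.compile(r"\b(keep|modulate|synproxy) state\b")

def stateful_rules(rules):
    """Map rule number -> True if the rule text carries a state keyword."""
    out = {}
    for line in rules.splitlines():
        m = re.match(r"@(\d+) (.*)", line)
        if m:
            out[int(m.group(1))] = bool(STATE.search(m.group(2)))
    return out

def audit(pflog, rules):
    """Return findings for handshakes whose opening SYN passed statelessly."""
    stateful, syns, findings = stateful_rules(rules), {}, []
    for line in pflog.splitlines():
        m = LINE.search(line)
        if not m or m.group(5) != "S":
            continue
        rule, src, dst, ack = int(m.group(1)), m.group(3), m.group(4), m.group(6)
        if ack is None:
            syns[(src, dst)] = rule            # opening SYN, keyed by flow
        elif (dst, src) in syns:               # logged SYN-ACK for a seen SYN
            syn_rule = syns[(dst, src)]
            if not stateful.get(syn_rule, False):
                findings.append({"flow": f"{dst} > {src}", "syn_rule": syn_rule,
                                 "synack_rule": rule,
                                 "state_from_synack": stateful.get(rule, False)})
    return findings

if __name__ == "__main__":
    for f in audit(PFLOG, RULES):
        print(f)
```

On the quoted capture this reports the router-to-director connection on port 9103 (SYN via rule 13, SYN-ACK via rule 7); the finding disappears once the outbound rule carries a state keyword.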

_______________________________________________
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
