ben wilber <[EMAIL PROTECTED]> wrote:
>
> For example, I can log in via SSH and issue commands that return a
> couple lines, but the output from a command like dmesg(8) comes very
> slowly and sometimes won't finish before SSH times out.  MTU on the
> interface is 1500 bytes.  This doesn't happen unless states are
> created (e.g., not with "pass no state").

This can happen when TCP Window Scaling (RFC1323) is in effect, but PF
is not aware of it.  PF can only capture the window scales in effect if
it sees the "SYN" and "SYN+ACK" packets that begin a connection, as they
are not advertised at any other time.  If the state is built from the
"middle" of a connection, PF enforces a much smaller version of the
expected TCP window, and things slow down tremendously.

This is why PF in FreeBSD 7.0 adds the "flags S/SA" and "keep state"
options by default.  Since this is the default, it is surprising to me
that you would see this type of behavior, but it gives you something to
look into.

-- 
David DeSimone == Network Admin == [EMAIL PROTECTED]
  "I don't like spinach, and I'm glad I don't, because if I
   liked it I'd eat it, and I just hate it." -- Clarence Darrow
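
An added illustration of the point above (not part of the original message, and not PF's code): a toy tracker, with hypothetical names `parse_wscale` and `PeerState` and constructed option bytes, showing that the scale factor is readable only from a SYN and what window a tracker enforces when its state starts mid-connection. It models one direction and assumes both peers offered the option.

```python
from typing import Optional

SYN, ACK = 0x02, 0x10
OPT_EOL, OPT_NOP, OPT_WSCALE = 0, 1, 3

# Constructed sample option bytes (not captured traffic).
SYN_OPTS = bytes.fromhex("020405b4" "01" "030307" "0402")  # MSS, NOP, WSCALE=7, SACK-permitted
DATA_OPTS = bytes.fromhex("0101" "080a0000000100000002")   # NOP, NOP, timestamps

def parse_wscale(options: bytes) -> Optional[int]:
    """Return the Window Scale shift count, or None if the option is absent."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            break                      # truncated option header
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            break                      # malformed length
        if kind == OPT_WSCALE and length == 3:
            return min(options[i + 2], 14)   # shift count is capped at 14
        i += length
    return None

class PeerState:
    """Toy per-peer state: remembers the scale only if a SYN was observed."""
    def __init__(self) -> None:
        self.wscale: Optional[int] = None

    def observe(self, flags: int, raw_window: int, options: bytes) -> int:
        """Return the receive window, in bytes, that this tracker will enforce."""
        if flags & SYN:
            self.wscale = parse_wscale(options)
            return raw_window          # the window field of a SYN is never scaled
        return raw_window << (self.wscale or 0)

def demo() -> tuple:
    full, mid = PeerState(), PeerState()
    full.observe(SYN | ACK, 65535, SYN_OPTS)    # state created at the handshake
    seen = full.observe(ACK, 2048, DATA_OPTS)   # later segment, scale known
    blind = mid.observe(ACK, 2048, DATA_OPTS)   # state created mid-connection
    return seen, blind

if __name__ == "__main__":
    print(demo())   # (262144, 2048)
```

The same advertised field value of 2048 is treated as 256 KiB by the tracker that saw the handshake and as 2 KiB by the one that did not.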
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf