On Friday 08 April 2005 18:41, Dick Davies wrote:
> I have pf running on my laptop with a config including:
>
> pass out on $ext_if proto { tcp, udp } all keep state
>
> (there's a 'block in log all' and a couple of services allowed in too
> further up, but that's the gist of it.)
>
> which works well for some sites but not all. In particular,
> going to 'my ebay' hangs firefox with a
>
> 'waiting for include.ebaystatic.com'
>
> message on the status bar.
>
> pflog looks like:
>
> root$ tcpdump -r /var/log/pflog|grep ebay
> reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
> 17:29:56.885697 IP my.intl.ebay.com.http > laptop.ip.60674: R
> 2025419634:2025419634(0) ack 1452466570 win 64240
> 17:30:07.917906 IP search.ebay.co.uk.http > laptop.ip.52293: R
> 1766217212:1766217212(0) ack 1086438034 win 64240
>
>
> My guess is that pf is not letting the responses back from that
> server because firefox didn't request from that server?
> But ipf on the gateway (which has a similar outbound keep state rule)
> never had this problem - any idea what's going on, or how I can debug this?

The blocked packets in your log are RSTs so it's most likely a window
violation - possibly caused by ipf on the gateway?!? Please add an "-e" to
your tcpdump to see the reason for the block. You might also want to enable
debugging (pfctl -x misc) and watch the console for "bad state" messages.

--
/"\  Best regards,                      | [EMAIL PROTECTED]
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News