That seems logical. A little bit of "pfctl -s state | egrep [regex]" should be revealing. Also pfctl -x loud if you can test during a low-volume timeframe ~BAS

On Wed, 9 Jun 2004, Lawren Quigley-Jones wrote:

I recently tracked down the cause of a problem we have been having in our
building with file transfers that travel out of our OpenBSD firewall and
then back in.  The tcp transfer would time out if and only if the transfer
went cross subnet, and therefore had to pass the firewall twice as it went
to the building's router and then back in to the receiving machine.  This
occurred on both our old 3.3 system and our replacement 3.5 system with
the same pf rules and net configuration.

It didn't seem to drop all transfers.  SMTP transfers with mail
attachments would fail every time.  Transfers of certain files via FTP and
SCP would fail every time and yet most files had no problems.  Because
most of our traffic isn't cross-subnet, we didn't see enough of the errors
to track down exactly what the variables were.

In the pf rules, our default action was to pass everything, "pass all keep
state".  The solution was to remove the keep state from this rule.  Once
removed it read "pass all" and the timeouts stopped occurring.

Not surprisingly, the following rules produced the timeouts as well:
        pass out on $ext_if all keep state
        pass in on $ext_if all keep state
        pass out on $int_if all
        pass in on $int_if all

A hypothesis is that because the "keep state" rules are seeing two
transfers with the same session IDs (the transfer as it exits and then the
identical transfer as it enters again), at some point during the transfer
PF balks at the sequence as if there was an intruding packet trying to
hijack the transfer.  This is not substantiated at all though.

Has anyone else experienced this problem or seen documentation on it?

If there is no documentation, I'm going to submit it as a bug.

Thanks...

-Lawren


l8*
        -lava (Brian A. Seklecki - Pittsburgh, PA, USA)
               http://www.spiritual-machines.org/

    "Guilty? Yeah. But he knows it. I mean, you're guilty.
    You just don't know it. So who's really in jail?"
    ~James Maynard Keenan
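As an added example (not code from either poster), a small Python script that does the kind of `pfctl -s state` inspection Brian suggests: it parses state lines, normalises each entry to its endpoint pair regardless of direction or NAT hop, and reports pairs tracked by more than one state entry, the duplicate the thread's hypothesis would predict when a flow leaves through the firewall and comes back in under `pass all keep state`. The column layout assumed for the state lines and the sample lines themselves are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `pfctl -s state` on OpenBSD 3.x:
# "<proto> <host> -> <host> <state>". The exact layout is an assumption;
# a NAT hop ("a -> b -> c") and a "<-" inbound arrow are tolerated too.
SAMPLE_STATES = """\
tcp 10.1.1.20:3456 -> 10.1.2.30:25       ESTABLISHED:ESTABLISHED
tcp 10.1.2.30:25 <- 10.1.1.20:3456       ESTABLISHED:ESTABLISHED
tcp 10.1.1.20:49152 -> 192.0.2.10:80     ESTABLISHED:ESTABLISHED
tcp 10.1.1.21:2048 -> 203.0.113.4:2048 -> 192.0.2.10:80  ESTABLISHED:ESTABLISHED
udp 10.1.1.20:5353 -> 10.1.1.1:53        MULTIPLE:SINGLE
"""


def parse_state(line):
    """Return (proto, endpoint_pair, state) or None for an unparsable line.
    The endpoint pair is sorted so that direction and NAT hops do not matter."""
    parts = line.split()
    if len(parts) < 5:
        return None
    proto, state = parts[0], parts[-1]
    hosts = [p for p in parts[1:-1] if p not in ("->", "<-")]
    if len(hosts) < 2:
        return None
    # First and last hosts are the two real ends; anything between is a NAT hop.
    pair = tuple(sorted((hosts[0], hosts[-1])))
    return proto, pair, state


def find_duplicate_flows(text):
    """Group state entries by (proto, endpoint pair); return pairs seen more than once."""
    seen = defaultdict(list)
    for line in text.splitlines():
        parsed = parse_state(line)
        if parsed:
            proto, pair, state = parsed
            seen[(proto, pair)].append(state)
    return {key: states for key, states in seen.items() if len(states) > 1}


def grep_states(text, pattern):
    """Offline equivalent of `pfctl -s state | egrep <pattern>`."""
    rx = re.compile(pattern)
    return [line for line in text.splitlines() if rx.search(line)]


if __name__ == "__main__":
    for (proto, pair), states in find_duplicate_flows(SAMPLE_STATES).items():
        print(proto, pair, "tracked by", len(states), "states:", states)
```

On a live firewall, feed it `pfctl -s state` output instead of the constructed sample and compare the duplicates against the flows that time out.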
