Hi All,

I am sorry to bother the list, but I think I may have encountered a bug and I
would like to share it with you. I have been using OpenBSD to build firewalls
for a long time, in a solution with VLAN + CARP. When computers in the protected
network download a file over HTTP, everything works for the first 15 MB, then it
stops.

When I tcpdump on the external address, I get the following:

08:34:19.343833 mirrors.club-internet.fr.www > so-bo01-std.55692: P 17637121:17638569(1448) ack 174 win 49232 <nop,nop,timestamp 3651037459 313698521> (DF)
08:34:19.343870 so-bo01-std.55692 > mirrors.club-internet.fr.www: . ack 17634225 win 1810 <nop,nop,timestamp 313698522 3651037459> (DF)
08:34:19.614303 mirrors.club-internet.fr.www > so-bo01-std.55692: P 20054337:20055785(1448) ack 174 win 49232 <nop,nop,timestamp 3651037487 313698589> (DF)
08:34:19.614326 so-knox01a-std > mirrors.club-internet.fr: icmp: host so-bo01-std unreachable
08:34:20.024189 mirrors.club-internet.fr.www > so-bo01-std.55692: . 20009449:20010897(1448) ack 174 win 49232 <nop,nop,timestamp 3651037528 313698589> (DF)
08:34:20.024210 so-knox01a-std > mirrors.club-internet.fr: icmp: host so-bo01-std unreachable
08:34:20.844464 mirrors.club-internet.fr.www > so-bo01-std.55692: . 20009449:20010897(1448) ack 174 win 49232 <nop,nop,timestamp 3651037610 313698589> (DF)
08:34:20.844485 so-knox01a-std > mirrors.club-internet.fr: icmp: host so-bo01-std unreachable
08:34:22.485887 mirrors.club-internet.fr.www > so-bo01-std.55692: . 20009449:20010897(1448) ack 174 win 49232 <nop,nop,timestamp 3651037774 313698589> (DF)
08:34:22.485907 so-knox01a-std > mirrors.club-internet.fr: icmp: host so-bo01-std unreachable
08:34:24.234738 so-bo01-std.55692 > mirrors.club-internet.fr.www: F 174:174(0) ack 20009449 win 1851 <nop,nop,timestamp 313699744 3651037482> (DF)
08:34:24.235872 mirrors.club-internet.fr.www > so-bo01-std.55692: . ack 175 win 49232 <nop,nop,timestamp 3651037949 313699744> (DF)

On the internal interfaces, I see nothing related to the host unreachable,
just a reset after a while from the server.

- If I pfctl -d, everything works
- If I remove all the block statements in pf.conf, it does not work
- If I rate-limit the download to 50 KB/s, then I still get unreachables but
it is able to recover; above that, and up to 100 MB, it fails and the transfer
stalls.
- If I create an empty rules file, then it works

Here are the two rules:
# Production firewall to the second firewall
service_granted="{domain, ntp, smtp, snmp, http}"
block out log on $if_interco all label "Protection vers le Back"
pass in on $if_interco proto {tcp, udp} from {$net_back, $net_interco} to any port $service_granted keep state label "Back Office vers l'Internet"

Please advise

Regards

Lio
Alionis
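As an added illustration (not part of the original post or of pf): a small Python script that parses tcpdump lines of the form quoted above and pairs each ICMP "host unreachable" with the data segment that provoked it, so an operator can see per flow how many segments a middlebox rejected and how many retransmissions followed. The two regexes and the "attribute the error to the last data segment sent to that host" rule are my assumptions that fit this trace format; the sample lines are copied from the trace in the post.

```python
import re
from collections import defaultdict

# Sample input: the tcpdump lines quoted in the post above, one packet per line.
TRACE = """\
08:34:19.343833 mirrors.club-internet.fr.www > so-bo01-std.55692: P 17637121:17638569(1448) ack 174 win 49232 <nop,nop,timestamp 3651037459 313698521> (DF)
08:34:19.343870 so-bo01-std.55692 > mirrors.club-internet.fr.www: . ack 17634225 win 1810 <nop,nop,timestamp 313698522 3651037459> (DF)
08:34:19.614303 mirrors.club-internet.fr.www > so-bo01-std.55692: P 20054337:20055785(1448) ack 174 win 49232 <nop,nop,timestamp 3651037487 313698589> (DF)
08:34:19.614326 so-knox01a-std > mirrors.club-internet.fr: icmp: host so-bo01-std unreachable
08:34:20.024189 mirrors.club-internet.fr.www > so-bo01-std.55692: . 20009449:20010897(1448) ack 174 win 49232 <nop,nop,timestamp 3651037528 313698589> (DF)
08:34:20.024210 so-knox01a-std > mirrors.club-internet.fr: icmp: host so-bo01-std unreachable
08:34:20.844464 mirrors.club-internet.fr.www > so-bo01-std.55692: . 20009449:20010897(1448) ack 174 win 49232 <nop,nop,timestamp 3651037610 313698589> (DF)
08:34:20.844485 so-knox01a-std > mirrors.club-internet.fr: icmp: host so-bo01-std unreachable
08:34:22.485887 mirrors.club-internet.fr.www > so-bo01-std.55692: . 20009449:20010897(1448) ack 174 win 49232 <nop,nop,timestamp 3651037774 313698589> (DF)
08:34:22.485907 so-knox01a-std > mirrors.club-internet.fr: icmp: host so-bo01-std unreachable
08:34:24.234738 so-bo01-std.55692 > mirrors.club-internet.fr.www: F 174:174(0) ack 20009449 win 1851 <nop,nop,timestamp 313699744 3651037482> (DF)
08:34:24.235872 mirrors.club-internet.fr.www > so-bo01-std.55692: . ack 175 win 49232 <nop,nop,timestamp 3651037949 313699744> (DF)
"""

# Assumed line formats (classic tcpdump output as shown in the post): a TCP segment and an ICMP error.
TCP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[A-Z.]+) "
    r"(?:(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\) )?ack (?P<ack>\d+) win (?P<win>\d+)"
)
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): icmp: host (?P<host>\S+) unreachable"
)


def host_of(endpoint):
    """Strip the trailing .port (or .service) label tcpdump appends to a TCP endpoint."""
    return endpoint.rsplit(".", 1)[0]


def analyze(trace):
    """Per-flow statistics keyed by (sender host, receiver host).

    An ICMP 'host X unreachable' is attributed to the most recent data segment
    addressed to X whose sender is the ICMP destination. That attribution rule is
    an assumption that fits this trace, not a property of tcpdump.
    """
    flows = defaultdict(lambda: {"segments": 0, "bytes": 0, "retransmits": 0,
                                 "unreachable": 0, "rejected": []})
    seen_seq = defaultdict(set)   # flow key -> sequence numbers already seen
    pending = {}                  # receiver host -> (flow key, seq) of the last data segment
    for line in trace.splitlines():
        m = TCP_RE.match(line)
        if m:
            key = (host_of(m["src"]), host_of(m["dst"]))
            stats = flows[key]
            stats["segments"] += 1
            length = int(m["len"] or 0)
            if length:                        # only data segments can be "rejected"
                seq = int(m["seq"])
                stats["bytes"] += length      # bytes on the wire, retransmissions included
                if seq in seen_seq[key]:
                    stats["retransmits"] += 1
                seen_seq[key].add(seq)
                pending[key[1]] = (key, seq)
            continue
        m = ICMP_RE.match(line)
        if m:
            hit = pending.get(m["host"])
            if hit is None or hit[0][0] != m["dst"]:
                continue                      # error matches no segment we saw; ignore it
            del pending[m["host"]]
            key, seq = hit
            flows[key]["unreachable"] += 1
            flows[key]["rejected"].append({"ts": m["ts"], "icmp_from": m["src"], "seq": seq})
    return dict(flows)


def report(flows):
    """One summary line per flow, flagging flows whose data drew ICMP errors from a middlebox."""
    lines = []
    for (src, dst), s in flows.items():
        verdict = "ICMP-REJECTED" if s["unreachable"] else "ok"
        lines.append(f"{src} -> {dst}: {s['segments']} segs, {s['bytes']} bytes, "
                     f"{s['retransmits']} retransmits, {s['unreachable']} host-unreachable, {verdict}")
    return lines


if __name__ == "__main__":
    for line in report(analyze(TRACE)):
        print(line)
```

Run on the quoted trace, the server-to-client flow shows every retransmission of segment 20009449 answered by an unreachable from so-knox01a-std while the client-to-server direction draws none, which is the asymmetry to look for when comparing captures on the external and internal interfaces.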
