On 2008-04-19, Moe Sizlak <[EMAIL PROTECTED]> wrote:
> Recently I moved from freebsd 6 to openbsd 4.2 but have had some problems.
>
> I get a lot of timeouts on web pages with a high number of hops and I think
> it may be something to do with either pf and/or sysctl.
>
> Any help in diagnosing these timeouts much appreciated.

> ext_if="pppoe0"
> scrub in all

Read "MTU/MSS ISSUES" in pppoe(4). This is most likely your problem, but I'll
continue with some other things in case it doesn't:

> sysctl -w net.inet.tcp.mssdflt=1452
> sysctl -w net.inet.tcp.recvspace=131072
> sysctl -w net.inet.tcp.sendspace=131072
> sysctl -w net.inet.udp.recvspace=139264
> sysctl -w net.inet.udp.sendspace=32768

Does it work any better if you don't touch the knobs?

> block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP
> block in quick on $ext_if inet proto tcp from any to any flags SF/SFRA
> block in quick on $ext_if inet proto tcp from any to any flags /SFRA
> block in quick on $ext_if inet proto tcp from any to any flags F/SFRA
> block in quick on $ext_if inet proto tcp from any to any flags U/SFRAU
> block in quick on $ext_if inet proto tcp from any to any flags P/P

These are already covered by "block all", not your problem but they're
redundant.

> pass out on $ext_if proto tcp all modulate state flags S/SA
> pass in inet proto icmp all icmp-type echoreq keep state
etc.

"keep state" and "flags S/SA" are set by default now, not your problem but
leaving them out makes for an easier-to-read ruleset.

If you still have problems after fixing MTU then try "keep state" rather than
"modulate state". If you still have problems after that, pfctl -x misc, and
look at the logs.
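A cleaned-up version of the quoted ruleset that applies the reply's suggestions (clamp the TCP MSS for the PPPoE link as pppoe(4) describes, drop the redundant flag rules, rely on the default state tracking and "flags S/SA"), added here as an example rather than taken from the thread. The max-mss value of 1440 and the 4.2-era scrub syntax are my assumptions, so check pppoe(4) and pf.conf(5) on the box; note that net.inet.tcp.mssdflt only affects connections the firewall itself originates, which is why forwarded traffic needs a scrub rule.

```pf
ext_if="pppoe0"

# Original: "scrub in all" only. A PPPoE link has a 1492-byte MTU, so TCP
# sessions crossing it need their MSS clamped (pppoe(4) "MTU/MSS ISSUES").
# 1440 is assumed from pppoe(4); verify against your man page.
scrub in all
scrub on $ext_if max-mss 1440

# Default deny. This already covers the FUP/FUP, SF/SFRA, /SFRA, F/SFRA,
# U/SFRAU and P/P flag rules, so they are dropped instead of repeated.
block all

# "keep state" and "flags S/SA" are the defaults since 4.1, so they are
# omitted. Plain state tracking is used rather than "modulate state", as the
# reply suggests trying if timeouts persist after the MSS fix.
pass out on $ext_if proto tcp all
pass in inet proto icmp all icmp-type echoreq
```

If timeouts remain, the reply's last step applies unchanged: raise the debug level with pfctl -x misc and read the logs.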