Re: keep state in pf
That seems logical. A little bit of pfctl -s state | egrep [regex] should be revealing. Also pfctl -x loud if you can test during a low-volume timeframe ~BAS On Wed, 9 Jun 2004, Lawren Quigley-Jones wrote: I recently tracked down the cause of a problem we have been having in our building with file transfers that travel out of our OpenBSD firewall and then back in. The tcp transfer would time out if and only if the transfer went cross subnet, and therefor had to pass the firewall twice as it went to the building's router and then back in to the receiving machine. This occurred on both our old 3.3 system and our replacement 3.5 system with the same pf rules and net configuration. It didn't seem to drop all transfers. SMTP transfers with mail attachments would fail every time. Transfers of certain files via FTP and SCP would fail every time and yet most files had not problems. Because most of our traffic isn't cross-subnet, we didn't see enough of the errors to track down exactly what the variables were. In the pf rules, our default action was to pass everything, pass all keep state. The solution was to remove the keep state from this rule. Once removed it read pass all and the time outs stopped occurring. Not surprisingly, the following rules produced the timeouts as well: pass out on $ext_if all keep state pass in on $ext_if all keep state pass out on $int_if all pass in on $int_if all A hypothesis is that because the keep state rules are seeing two transfers with the same session IDs (the transfer as it exits and then the identical transfer as it enters again), at some point during the transfer PF balks at the sequence as if there was an intruding packet trying to hijack the transfer. This is not substantiated at all though. Has anyone else experienced this problem or seen documentation on it? If there is no documentation, I'm going to submit it as a bug. Thanks... -Lawren l8* -lava (Brian A. Seklecki - Pittsburgh, PA, USA) http://www.spiritual-machines.org/ Guilty? Yeah. But he knows it. I mean, you're guilty. You just don't know it. So who's really in jail? ~James Maynard Keenan
Re: keep state and PF Queues
I was just curious if any of the developers (or experts) would care to articulate officially :} ~BAS On Wed, 19 Oct 2005, William Bloom wrote: The PF queueing FAQ page at http://www.openbsd.org has a wealth of info that seems to nicely clarify the pf.conf man page. I recall that the FAQ contains an example much as you describe (as I recall, specifying a queue for -incoming- traffic will indeed cause that traffic to be processed through the named queue as it is -outgoing-). Bill Brian A. Seklecki wrote: Would anyone like to elaborate on the impacts of using keep state on conjunction with pass rules that assign traffic to queues? One might assume that inverted traffic flows would also be queued, however that would break the traffic can only be queued egress an interface rule... There should be some remarks on this in pf.conf(5) TIA, ~BAS -- William Bloom| Snr Systems Engineer|M P H A S I S Architecting Value | Eldorado Computing 5353 North 16th Street, Suite 400 Phoenix, Az 85016 | Direct: +11-602-604-3100 | Fax: +11-602-604-3115| http://www.eldocomp.com -- CONFIDENTIALITY NOTICE -- Information transmitted by this e-mail is proprietary to MphasiS and/or its Customers and is intended for use only by the individual or entity to which it is addressed, and may contain information that is privileged, confidential or exempt from disclosure under applicable law. If you are not the intended recipient or it appears that this mail has been forwarded to you without proper authority, you are notified that any use or dissemination of this information in any manner is strictly prohibited. In such cases, please notify us immediately at [EMAIL PROTECTED] and delete this mail from your records. l8* -lava x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
Re: keep state and PF Queues
well, I did numerous times in the past. th emisunderstanding most of you have is that queue assignment and th actual queueing are sepearate things. you assign a queue with the name X somewhere, be it by a rule in the inbound path or the outbound, or a state in either direction, and when we hit the enqueuing on the outbound interface we check wether the packet in question is tagged to be put in a specific queue. if so, and a queue by the desired name exists on the given interface, we do so, otherwise it goes to the default queue. * Brian A. Seklecki [EMAIL PROTECTED] [2005-10-21 17:59]: I was just curious if any of the developers (or experts) would care to articulate officially :} ~BAS On Wed, 19 Oct 2005, William Bloom wrote: The PF queueing FAQ page at http://www.openbsd.org has a wealth of info that seems to nicely clarify the pf.conf man page. I recall that the FAQ contains an example much as you describe (as I recall, specifying a queue for -incoming- traffic will indeed cause that traffic to be processed through the named queue as it is -outgoing-). Bill Brian A. Seklecki wrote: Would anyone like to elaborate on the impacts of using keep state on conjunction with pass rules that assign traffic to queues? One might assume that inverted traffic flows would also be queued, however that would break the traffic can only be queued egress an interface rule... There should be some remarks on this in pf.conf(5) TIA, ~BAS -- William Bloom| Snr Systems Engineer|M P H A S I S Architecting Value | Eldorado Computing 5353 North 16th Street, Suite 400 Phoenix, Az 85016 | Direct: +11-602-604-3100 | Fax: +11-602-604-3115| http://www.eldocomp.com -- CONFIDENTIALITY NOTICE -- Information transmitted by this e-mail is proprietary to MphasiS and/or its Customers and is intended for use only by the individual or entity to which it is addressed, and may contain information that is privileged, confidential or exempt from disclosure under applicable law. If you are not the intended recipient or it appears that this mail has been forwarded to you without proper authority, you are notified that any use or dissemination of this information in any manner is strictly prohibited. In such cases, please notify us immediately at [EMAIL PROTECTED] and delete this mail from your records. l8* -lava x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8 -- BS Web Services, http://www.bsws.de/ OpenBSD-based Webhosting, Mail Services, Managed Servers, ... Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: keep state and PF Queues
If a TCP flow is egressing an interface at 2000k/s (17-18mbps), it might be causing as much as 300kbps of ACK traffic. That traffic really doesn't get queued on return at the same inteface it's egressing. However, I have noticed that, if a traffic flow is passing through a router (say, the same flow as before, egressing an upstream inteface at 2000k/s) and a rule set exists on the interface the flow is inressing from (on it's way through to the previously mentioned egress interface), the ACK traffic will get queued leaving that sender facing interface, on its way back to the sender. So really, keep state has no impact? ~BAS On Fri, 21 Oct 2005, Henning Brauer wrote: well, I did numerous times in the past. th emisunderstanding most of you have is that queue assignment and th actual queueing are sepearate things. you assign a queue with the name X somewhere, be it by a rule in the inbound path or the outbound, or a state in either direction, and when we hit the enqueuing on the outbound interface we check wether the packet in question is tagged to be put in a specific queue. if so, and a queue by the desired name exists on the given interface, we do so, otherwise it goes to the default queue. * Brian A. Seklecki [EMAIL PROTECTED] [2005-10-21 17:59]: I was just curious if any of the developers (or experts) would care to articulate officially :} ~BAS On Wed, 19 Oct 2005, William Bloom wrote: The PF queueing FAQ page at http://www.openbsd.org has a wealth of info that seems to nicely clarify the pf.conf man page. I recall that the FAQ contains an example much as you describe (as I recall, specifying a queue for -incoming- traffic will indeed cause that traffic to be processed through the named queue as it is -outgoing-). Bill Brian A. Seklecki wrote: Would anyone like to elaborate on the impacts of using keep state on conjunction with pass rules that assign traffic to queues? One might assume that inverted traffic flows would also be queued, however that would break the traffic can only be queued egress an interface rule... There should be some remarks on this in pf.conf(5) TIA, ~BAS -- William Bloom| Snr Systems Engineer|M P H A S I S Architecting Value | Eldorado Computing 5353 North 16th Street, Suite 400 Phoenix, Az 85016 | Direct: +11-602-604-3100 | Fax: +11-602-604-3115| http://www.eldocomp.com -- CONFIDENTIALITY NOTICE -- Information transmitted by this e-mail is proprietary to MphasiS and/or its Customers and is intended for use only by the individual or entity to which it is addressed, and may contain information that is privileged, confidential or exempt from disclosure under applicable law. If you are not the intended recipient or it appears that this mail has been forwarded to you without proper authority, you are notified that any use or dissemination of this information in any manner is strictly prohibited. In such cases, please notify us immediately at [EMAIL PROTECTED] and delete this mail from your records. l8* -lava x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8 -- BS Web Services, http://www.bsws.de/ OpenBSD-based Webhosting, Mail Services, Managed Servers, ... Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie) l8* -lava x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
keep state and PF Queues
Would anyone like to elaborate on the impacts of using keep state on conjunction with pass rules that assign traffic to queues? One might assume that inverted traffic flows would also be queued, however that would break the traffic can only be queued egress an interface rule... There should be some remarks on this in pf.conf(5) TIA, ~BAS
Re: keep state and PF Queues
The PF queueing FAQ page at http://www.openbsd.org has a wealth of info that seems to nicely clarify the pf.conf man page. I recall that the FAQ contains an example much as you describe (as I recall, specifying a queue for -incoming- traffic will indeed cause that traffic to be processed through the named queue as it is -outgoing-). Bill Brian A. Seklecki wrote: Would anyone like to elaborate on the impacts of using keep state on conjunction with pass rules that assign traffic to queues? One might assume that inverted traffic flows would also be queued, however that would break the traffic can only be queued egress an interface rule... There should be some remarks on this in pf.conf(5) TIA, ~BAS -- William Bloom| Snr Systems Engineer|M P H A S I S Architecting Value | Eldorado Computing 5353 North 16th Street, Suite 400 Phoenix, Az 85016 | Direct: +11-602-604-3100 | Fax: +11-602-604-3115| http://www.eldocomp.com -- CONFIDENTIALITY NOTICE -- Information transmitted by this e-mail is proprietary to MphasiS and/or its Customers and is intended for use only by the individual or entity to which it is addressed, and may contain information that is privileged, confidential or exempt from disclosure under applicable law. If you are not the intended recipient or it appears that this mail has been forwarded to you without proper authority, you are notified that any use or dissemination of this information in any manner is strictly prohibited. In such cases, please notify us immediately at [EMAIL PROTECTED] and delete this mail from your records.
