On 01Jun2021 20:43, Stuart Henderson wrote:
>On 2021-06-01, Cameron Simpson wrote:
>> If I had TCP keep alive turned on, both ends might tidy themselves up.
>> I can't enable that on the clients (various mail readers) or,
>> apparently, on the server configuration. I can't do it in PF because PF
On 01Jun2021 11:04, Claudio Jeker wrote:
>Make sure you use 'block return' at least for the imap connections.
I already do:
set block-policy return
[... and the first rule ...]
# reject everything except as detailed below
block return log
>This
>way when the state is dropped
On 01Jun2021 08:53, Dirk Coetzee wrote:
>As a first guess, I would consider changing / implementing "set
>optimization". This made massive difference on our customer's satellite
>internet connection.
The customer has a terrestrial ISP connection.
I've got satellite at home, and do indeed use
Hi Irshad,
Assuming I understand your layout correctly, you should be able to use
hostname.if configuration files like the following:
$ cat hostname.em0
up
$ cat hostname.vlan20
description "Trusted (L2+L3)"
vnetid 20 parent em0
inet aa.bb.cc.dd 255.255.255.0
up
$ cat hostname.vlan10
On 2021-05-30, Dave Anderson wrote:
> I’m setting up on 6.9-release a (for now) IPv4-only firewall with multiple
> public addresses and multiple subnets behind it, and have a couple of
> questions related to connections originating from the firewall itself to
> which I haven’t found definitive
On 2021-05-30, Denis Fondras wrote:
> On Fri, May 28, 2021 at 03:30:58PM -0700, Chris Cappuccio wrote:
>> You might try "set state-defaults pflow, sloppy", also in some scenarios you
>> might need "set state-policy floating"
>>
>> If "sloppy" fixes it, there may be some bugs to hunt.
>>
>
>
On 2021-06-01, Cameron Simpson wrote:
> If I had TCP keep alive turned on, both ends might tidy themselves up.
> I can't enable that on the clients (various mail readers) or,
> apparently, on the server configuration. I can't do it in PF because PF
> just copies packets. I can't seem to do it
> The SAs are ok but the flows are not loaded correctly. Looks like it is an
> actual bug in 6.9. It is triggered by the 'config address' line in your
> configuration, so working around that one line would be one solution.
I tried to assign a static IP address in the Windows VPN connection, but
Denis Fondras [open...@ledeuns.net] wrote:
>
> "sloppy" seems to fix the issue. I will do more tests this week before
> declaring victory :)
>
If that really works, then there could be a problem with PF sequence number
tracking. Can you develop a specific sequence of events to reproduce the
On Mon, May 31, 2021 at 02:31:22PM +, Leclerc, Sebastien wrote:
> > > > If that doesn't help you could share the output of 'ipsecctl -sa' to
> > > > find out if the IPsec SAs or flows are the problem.
> > >
> > > That may be the problem, there is nothing between 192.168.1.109 and
>
On Tue, Jun 01, 2021 at 10:25:38AM +1000, Cameron Simpson wrote:
> Can I enforce or implement TCP keep alives on a TCP stream via my
> firewall?
>
> Background:
>
> I've got a client with an OpenBSD firewall and a Telstra NBN modem as
> their modem.
>
> Their IMAP server is upstream in the
Hi Cameron,
As a first guess, I would consider changing / implementing "set optimization".
This made massive difference on our customer's satellite internet connection.
man pf.conf
set optimization environment
Optimize state timeouts for one of the following network
Can I enforce or implement TCP keep alives on a TCP stream via my
firewall?
Background:
I've got a client with an OpenBSD firewall and a Telstra NBN modem as
their modem.
Their IMAP server is upstream in the cloud (Ubuntu, courier imap). I
have this odd problem which I am beginning to
13 matches