PF and stalled connections

From: Abdul Rehman Gani <abdulg(at)eastcoast.co.za>
Date: Mon Dec 30 2002 - 08:55:39 EST


Hi,

I have just upgraded a working OBSD 2.9 + IPF firewall to OBSD 3.2 and PF. Rules syntax changes have been made, checked and successfully applied - all works as expected. Generic kernel from the 3.2 CD - tried with no patches and with the kernel patches from the errata page. Only additional software is dnscache on 192.168.0.1 and tinydns on 127.0.0.1 (both from djbdns) to provide a split horizon DNS.

However, connections (from the inside) tend to stall for brief periods of time, then resume. For instance, if I connect to the firewall via ssh from an internal host the connection will stall for a time, then resume, and all entries made at the prompt during the stall will be processed as soon as the stall is over. If I ping the firewall's internal iface from an internal host using -c 200 I will see between 5% and 28% packet loss. Connections through the firewall also suffer from stalls, i.e. via a browser to a web site.

A ping from an external host to the firewall's external iface does not suffer any packet loss.

I am open to all suggestions/opinions.

Thanks,

Abdul

Dmesg.boot included below and I have reduced the rules to:-

---------------pf.conf----------------

# Define the interfaces

int=fxp0
ext=fxp1

# normalise all packets

scrub in on $int all fragment reassemble
scrub in on $ext all fragment reassemble

# translate outgoing packets

nat on $ext from 192.168.0.0/24 to any -> 196.33.34.240

# pass all packets

pass in on $ext all keep state
pass out on $ext all keep state
pass in on $int all keep state
pass out on $int all keep state

---------------pf.conf----------------


---------------dmesg.boot----------------
OpenBSD 3.2 (GENERIC) #25: Thu Oct 3 19:51:53 MDT 2002
    deraadt@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium II ("GenuineIntel" 686-class, 512KB L2 cache) 399 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SYS,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem = 133791744 (130656K)
avail mem = 118448128 (115672K)
using 1658 buffers containing 6791168 bytes (6632K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(9f) BIOS, date 05/19/99, BIOS32 rev. 0 @ 0xfd7a0
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev. 2.1 @ 0xfd7a0/0x860
pcibios0: PCI IRQ Routing Table rev. 1.0 @ 0xfdf30/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371FB PCI-ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc0000/0xc000 0xe0000/0x4000! 0xe4000/0xc000
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX PCI-AGP" rev 0x03
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 1 function 0 "Trident 3DImage 9750" rev 0xf3
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x02
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <ST34311A>
wd0: 16-sector PIO, LBA, 4126MB, 8944 cyl, 15 head, 63 sec, 8452080 sectors
atapiscsi0 at pciide0 channel 0 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <ATAPI, 48X CDROM, 3.30> SCSI0 5/cdrom removable
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
cd0(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
uhci0 at pci0 dev 7 function 2 "Intel 82371AB USB" rev 0x01: irq 9
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: vendor 0x0000 UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
"Intel 82371AB Power Mgmt" rev 0x02 at pci0 dev 7 function 3 not configured
yds0 at pci0 dev 12 function 0 "Yamaha 740C" rev 0x03: irq 10
ac97: codec id 0x41445303 (Analog Devices AD1819)
ac97: codec features Analog Devices Phat Stereo
audio0 at yds0
fxp0 at pci0 dev 14 function 0 "Intel 82557" rev 0x05: irq 11, address 00:90:27:35:14:8a
inphy0 at fxp0 phy 1: i82555 10/100 media interface, rev. 0
fxp1 at pci0 dev 15 function 0 "Intel 82557" rev 0x05: irq 10, address 00:a0:c9:ea:28:86
inphy1 at fxp1 phy 1: i82555 10/100 media interface, rev. 0
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
opl0 at yds0: model OPL3
midi1 at opl0: <DS-1 integrated Yamaha OPL3>
mpu at yds0 not configured
mpu at yds0 not configured
mpu at yds0 not configured
mpu at yds0 not configured
biomask 4240 netmask 4e40 ttymask 4ec2
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matched BIOS disk 80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
---------------dmesg.boot----------------
-- 
http://www.eastcoast.co.za
Tel: +27-31-566-8080
Fax: +27-31-566-8010
Email: support@eastcoast.co.za
Received on Mon Dec 30 08:52:34 2002
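Added example (not part of the original message): a small Python parser that pulls the device-attach lines out of a dmesg like the one posted above and lists every interrupt line reported by more than one device, which is one of the first things to check when a firewall's NIC is dropping packets. The input is a constructed excerpt of the posted dmesg; the regexes assume the OpenBSD 3.2 `dev at parent ... irq N` / `dev: using irq N` line formats and the `fxp` NIC driver prefix.

```python
import re
from collections import defaultdict

# Constructed excerpt of the dmesg.boot posted in the message (device lines only).
DMESG_SAMPLE = """\
uhci0 at pci0 dev 7 function 2 "Intel 82371AB USB" rev 0x01: irq 9
yds0 at pci0 dev 12 function 0 "Yamaha 740C" rev 0x03: irq 10
fxp0 at pci0 dev 14 function 0 "Intel 82557" rev 0x05: irq 11, address 00:90:27:35:14:8a
fxp1 at pci0 dev 15 function 0 "Intel 82557" rev 0x05: irq 10, address 00:a0:c9:ea:28:86
pckbc0: using irq 1 for kbd slot
lpt0 at isa0 port 0x378/4 irq 7
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
"""

# Attachment form: "<dev> at <parent> ... irq <n>" (the "irq" may be followed by ',' or ':')
ATTACH_RE = re.compile(r'^(?P<dev>[a-z]+\d+) at (?P<parent>[a-z]+\d+).*?\birq (?P<irq>\d+)')
# Alternate form used by some ISA drivers: "<dev>: using irq <n> for ..."
USING_RE = re.compile(r'^(?P<dev>[a-z]+\d+): using irq (?P<irq>\d+)')


def irq_map(dmesg):
    """Return {irq: [device, ...]} for every device line that reports an IRQ."""
    irqs = defaultdict(list)
    for line in dmesg.splitlines():
        m = ATTACH_RE.match(line) or USING_RE.match(line)
        if m:
            irqs[int(m.group('irq'))].append(m.group('dev'))
    return dict(irqs)


def shared_irqs(dmesg):
    """Return only the interrupt lines claimed by more than one device, in IRQ order."""
    return {irq: devs for irq, devs in sorted(irq_map(dmesg).items()) if len(devs) > 1}


def nic_sharing(dmesg, nic_prefix='fxp'):
    """List (nic, irq, other_devices) for each NIC whose interrupt line is shared."""
    out = []
    for irq, devs in shared_irqs(dmesg).items():
        for dev in devs:
            if dev.startswith(nic_prefix):
                out.append((dev, irq, [o for o in devs if o != dev]))
    return out


if __name__ == '__main__':
    for irq, devs in shared_irqs(DMESG_SAMPLE).items():
        print(f'irq {irq}: {", ".join(devs)}')
    for nic, irq, others in nic_sharing(DMESG_SAMPLE):
        print(f'{nic} shares irq {irq} with {", ".join(others)}')
```

Run it against the full `dmesg.boot` of the box in question (`python3 script.py < /var/run/dmesg.boot` after swapping the constant for `sys.stdin.read()`) to get the same report for the real hardware.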

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:32:11 EDT

