pf & NAT issue
Warren Block
wblock at wonkity.com
Mon Jan 23 02:43:51 UTC 2017
On Fri, 20 Jan 2017, Kristof Provost wrote:
> On 20 Jan 2017, at 22:12, Ermal Luçi wrote:
>> Most probably your timeouts are aggressive on states garbage collection.
>> Give a look to those state limit teardown it might improve things.
>>
> Less than 30 seconds seems extremely quick to time out.
> I also wouldn’t expect pf to set up NAT state in the middle of a TCP
> connection.
>
> It’s certainly worth a try to play with the timeouts though.
>
> It might be interesting to see what they’re set to right now. `pfctl -s all`
> should show them.

I had the defaults as shown by others, except src.track was zero by
default. Setting this to 30 suddenly let some static content sites
work, like img.bbstatic.com for BestBuy's website.