Clients receive only first 4k (issue with pf.conf) -- ignore others

Giorgos Keramidas keramida at ceid.upatras.gr
Mon May 30 12:11:22 PDT 2005


On 2005-05-30 11:31, Scott Stevenson <scott at maxify.com> wrote:
> On May 30, 2005, at 9:23 AM, Scott Stevenson wrote:
> >The problem is that if I use the version without "keep state," the
> >machine can't send outbound mail, and I see messages like this in
> >maillog:
> >
> >    May 30 09:14:33 vertigo qmail: 1117469673.126013 delivery 639634: deferral
> >    Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/
> >
> >In fact, I tried to send this message to the list twice yesterday,
> >but realized that mail packets were being filtered out. I looked at
> >pflog0 while mail was being sent, but I wasn't able to find the
> >bounced packets. Here's the relevant smtp line:
> >
> >    pass  in  quick on $ext_if proto { tcp, udp } from any to any port 25
> >
> >
> >I'm much more familiar with the firewalls bundled with various linux
> >distributions, so I'm really stumped. I've read through various
> >sections of the PF faq, but I haven't found an answer to this.
>
> Sorry to post *yet again* on this, but I think I finally figured out
> what was wrong. I want to post a follow-up for the archives. The
> solution to "partial page" Apache problem was to balance the "keep
> state" directives.
>
>
> Originally, the httpd line looked like this:
>
>     pass  in  quick on $ext_if proto { tcp, udp } from any to any port 80
>
> And the "out" line looked like this:
>
>     pass  out on $ext_if proto { tcp, udp } all keep state
>
> The solution was to change the httpd line to this:
>
>     pass  in  quick on $ext_if proto { tcp, udp } from any to any port 80 keep state
>
> Does it make sense that I'd need "keep state" for both in and out, or
> is this a PF bug?

Yes, it makes sense.  This is the correct way to do it.

> Should I add it to these as well?
>
>     pass  in  quick on $ext_if proto { tcp, udp } from any to any port 25
>     pass  in  quick on $ext_if proto { tcp, udp } from any to any port 53

Yes, if you want those services visible from the outside.
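A pf.conf fragment assembled from the rules quoted in this thread, added here as an example rather than anything posted by Scott or Giorgos; the interface name fxp0 is an assumption:

```pf
# Added example, not from the thread: the quoted rules with "keep state"
# balanced on both directions. $ext_if is the thread's macro; the
# interface name below is an assumption.
ext_if = "fxp0"

# Default deny, logged, so the drops are visible on pflog0.
block in log on $ext_if all

# Stateful inbound rules: the state entry is created on the client's SYN,
# so pf tracks the connection from the handshake onward. Without "keep
# state" here, the entry was only created by the "pass out" rule on the
# server's reply; a state begun mid-connection lacks the window-scaling
# information from the handshake, which is the usual cause of truncated
# transfers like the "partial page" symptom above.
pass in quick on $ext_if proto tcp from any to any port { 25, 53, 80 } flags S/SA keep state
pass in quick on $ext_if proto udp from any to any port 53 keep state

# Outbound: one stateful rule covers the machine's own connections
# (qmail's outgoing SMTP included) and the replies to them.
pass out on $ext_if proto { tcp, udp } all keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and use `pfctl -ss` to confirm that a new connection to port 80 now shows up as a state entry created by the inbound rule.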
