
Re: some problems with pf losing state information in



> I added the second line because I would watch the pf device using
> tcpdump and see a small number of packets blocked that were coming from
> the web server on port 80 or port 443 to an outside machine. My
> understanding of pf is that the "keep state" condition on the incoming
> traffic rule should allow reply packets through. One poster on
> deadly.org simply suggested increasing timeouts, which could well
> address this issue.
Solaris or HP/UX web servers?  Their TCP stack sometimes sends the
infamous spurious ACK|FINs long after the connection closes.  The
default PF state code tries to account for some of those, but I have
seen the ACK|FIN arrive many minutes after the state was deleted.
You could add a rule to drop those in the proverbial bit bucket:
  block in quick on $ext_if all flags AF/AF
 
.mike
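As an added illustration (constructed for this page, not part of the original message), here is how the suggested drop rule sits relative to a stateful pass rule in a small pf.conf. The macro names, interface and address are assumptions; `proto tcp` is added because pf only evaluates `flags` on TCP, and `log` is added so the dropped segments can be inspected on pflog0 rather than taken on faith.

```conf
# Constructed pf.conf fragment; ext_if, web_srv and web_ports are assumed names.
ext_if   = "fxp0"             # assumed external interface
web_srv  = "192.0.2.10"       # assumed web server (documentation address range)
web_ports = "{ 80, 443 }"

# Stray ACK|FIN segments from long-closed connections no longer match any
# state entry, so they would otherwise be logged as blocked "replies".
# flags AF/AF: of the flags ACK and FIN (the mask after the slash), both
# must be set. 'quick' stops rule evaluation here; 'log' records the drop.
block in log quick on $ext_if proto tcp all flags AF/AF

# Normal web traffic. The state entry created here is what lets the
# server's genuine reply packets back through without a separate rule.
pass in on $ext_if proto tcp from any to $web_srv port $web_ports \
    flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and watch what the block rule actually catches with `tcpdump -n -e -ttt -i pflog0`; if the stray segments are seen on a different interface or direction, adjust `in on $ext_if` to match where they appear.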