Home » Mailing list archives » openbsd-misc » 2008 » April » 19

Re: timeouts on http connects outbound

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
[view in full thread]
From: Moe Sizlak <sizlak1@...>
To: <misc@...>
Subject: Re: timeouts on http connects outbound
Date: Saturday, April 19, 2008 - 12:31 pm

To followup on this question I have updated my sysctl settings, changed

pf.conf and added the scrub out line recommended.


Also my dist is 4.3 openbsd flashdist. (not 4.2)


Result of all changes proposed:  No change.


Pages like http://marc.info etc still time out.


updated settings are:

------------------------------------------------------------------------------------

#       $OpenBSD: pf.conf,v 1.28 2004/04/29 21:03:09 frantzen Exp $

#

# See pf.conf(5) and /usr/share/pf for syntax and examples.

# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1

# in /etc/sysctl.conf if packets are to be forwarded between interfaces.


ext_if="pppoe0"

int_if1="vr1"

int_if2="vr2"

int_if3="vr3"

out_net="192.168.11.0/16"


# Private networks, we are going to block incoming traffic from them

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"


netbios_ports = "{ 135, 137, 138, 139, 445, 1433 }"

#table  persist

#table  persist


set block-policy return


scrub in all

scrub out on pppoe0 max-mss 1440


nat on $ext_if from $int_if1:network to any -> ($ext_if)

nat on $ext_if from $int_if2:network to any -> ($ext_if)

nat on $ext_if from $int_if3:network to any -> ($ext_if)


#

block all


# block incoming traffic from private networks on external interface

block drop in quick on $ext_if from $priv_nets to any


# block outgoing traffic to private networks on external interface

block drop out quick on $ext_if from any to $priv_nets


pass quick on lo0 all


pass out on $ext_if proto tcp all keep state

pass out on $ext_if proto { udp, icmp } all keep state


pass in inet proto icmp all icmp-type echoreq  keep state

pass out inet proto icmp all icmp-type echoreq  keep state


pass in on $int_if1 from $int_if1:network to any keep state

pass in on $int_if2 from $int_if2:network to any keep state

pass in on $int_if3 from $int_if3:network to any keep state

pass out on $int_if1 from any to $int_if1:network keep state

pass out on $int_if2 from any to $int_if2:network keep state

pass out on $int_if3 from any to $int_if3:network keep state


#----------------------------------------------------------------

#DEFAULT openbsd flashdist sysctl values

#----------------------------------------------------------------

sysctl -w net.inet.ip.forwarding=1

sysctl -w net.inet.tcp.mssdflt=512

sysctl -w net.inet.tcp.recvspace=16384

sysctl -w net.inet.tcp.sendspace=16384

sysctl -w net.inet.udp.recvspace=41600

sysctl -w net.inet.udp.sendspace=9216

---------------------------------------------------------------------------

MISC STARTUP SCRIPT

---------------------------------------------------------------------------


pfctl -d

ifconfig pppoe0 inet 0.0.0.0 netmask 255.255.255.255 broadcast 0.0.0.1pppoedev

vr0 \

     authproto pap authname USERNAME authkey PASSWORD up

route add default 0.0.0.1

echo pppoe setup done

#

#nics

#

ifconfig vr0 up

ifconfig vr1 inet 10.0.0.1 netmask 255.255.255.0

ifconfig vr2 inet 172.16.0.1 netmask 255.255.255.0

ifconfig vr3 inet 1.2.3.1 netmask 255.255.255.0
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
Messages in current thread:
Re: timeouts on http connects outbound, Moe Sizlak, (Sat Apr 19, 12:31 pm)
Re: timeouts on http connects outbound, Vadim Zhukov, (Sun Apr 20, 7:28 pm)