To follow up on this question, I have updated my sysctl settings, changed pf.conf and added the scrub out line recommended. Also my dist is 4.3 OpenBSD flashdist (not 4.2).

Result of all changes proposed: no change. Pages like http://marc.info etc. still time out.

Updated settings are:

------------------------------------------------------------------------------------
# $OpenBSD: pf.conf,v 1.28 2004/04/29 21:03:09 frantzen Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if="pppoe0"
int_if1="vr1"
int_if2="vr2"
int_if3="vr3"
out_net="192.168.11.0/16"   # defined but not referenced by any rule below

# Private networks, we are going to block incoming traffic from them
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
netbios_ports = "{ 135, 137, 138, 139, 445, 1433 }"   # defined but not referenced below

#table <spamd> persist
#table <spamd-white> persist

set block-policy return

scrub in all
scrub out on pppoe0 max-mss 1440

nat on $ext_if from $int_if1:network to any -> ($ext_if)
nat on $ext_if from $int_if2:network to any -> ($ext_if)
nat on $ext_if from $int_if3:network to any -> ($ext_if)

# block all
# (left commented out, so the default policy is pass; only the two
#  "block drop" rules below reject anything on the external interface)

# block incoming traffic from private networks on external interface
block drop in quick on $ext_if from $priv_nets to any

# block outgoing traffic to private networks on external interface
block drop out quick on $ext_if from any to $priv_nets

pass quick on lo0 all

pass out on $ext_if proto tcp all keep state
pass out on $ext_if proto { udp, icmp } all keep state

pass in inet proto icmp all icmp-type echoreq keep state
pass out inet proto icmp all icmp-type echoreq keep state

pass in on $int_if1 from $int_if1:network to any keep state
pass in on $int_if2 from $int_if2:network to any keep state
pass in on $int_if3 from $int_if3:network to any keep state

pass out on $int_if1 from any to $int_if1:network keep state
pass out on $int_if2 from any to $int_if2:network keep state
pass out on $int_if3 from any to $int_if3:network keep state

#----------------------------------------------------------------
#DEFAULT openbsd flashdist sysctl values
#----------------------------------------------------------------
sysctl -w net.inet.ip.forwarding=1
sysctl -w net.inet.tcp.mssdflt=512
sysctl -w net.inet.tcp.recvspace=16384
sysctl -w net.inet.tcp.sendspace=16384
sysctl -w net.inet.udp.recvspace=41600
sysctl -w net.inet.udp.sendspace=9216

---------------------------------------------------------------------------
MISC STARTUP SCRIPT
---------------------------------------------------------------------------
pfctl -d
# PPPoE session on vr0; the peer is addressed as 0.0.0.1 and becomes the default route
ifconfig pppoe0 inet 0.0.0.0 netmask 255.255.255.255 broadcast 0.0.0.1 pppoedev vr0 \
    authproto pap authname USERNAME authkey PASSWORD up
route add default 0.0.0.1
echo pppoe setup done
#
#nics
#
ifconfig vr0 up
ifconfig vr1 inet 10.0.0.1 netmask 255.255.255.0
ifconfig vr2 inet 172.16.0.1 netmask 255.255.255.0
ifconfig vr3 inet 1.2.3.1 netmask 255.255.255.0
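As an added example (not from the message above and not an OpenBSD tool), here is a small POSIX shell check that reads old-style "scrub ... max-mss" rules from a pf.conf and reports which direction they clamp on a given interface and whether the value fits under the PPPoE MTU of 1492 minus 40 bytes of IPv4/TCP header. pf only rewrites the MSS in SYN packets a scrub rule actually matches, so the direction a rule covers matters as much as the number; the pppoe0/1492 values and the sample rules are constructed to mirror the posted configuration.

```shell
#!/bin/sh
# Added check, not part of the original post: audit pf.conf scrub rules
# for TCP MSS clamping on a PPPoE uplink (pre-4.6 "scrub" syntax assumed).
# PPPoE carries 1492-byte IP packets (1500 minus 8 bytes PPPoE/PPP header);
# an IPv4+TCP header pair is 40 bytes, so the largest MSS that fits is 1452.

PPPOE_MTU=1492
TCPIP_HDR=40

# Constructed sample mirroring the scrub rules in the post.
SAMPLE_PF_CONF='ext_if="pppoe0"
scrub in all
scrub out on pppoe0 max-mss 1440
pass out on $ext_if proto tcp all keep state'

# max_mss_allowed <mtu>: largest MSS that fits in one <mtu>-byte IPv4 packet
max_mss_allowed() {
    echo $(( $1 - $TCPIP_HDR ))
}

# mss_clamp_report <pf.conf text> <interface> <mtu>
# Prints "none" if no max-mss rule covers <interface>, otherwise
# "<both|in|out> <mss> <ok|too-large>", where the direction tells which
# SYNs on <interface> (or on "all") get their MSS rewritten.
mss_clamp_report() {
    printf '%s\n' "$1" | awk -v ifc="$2" -v limit="$(max_mss_allowed "$3")" '
    $1 == "scrub" {
        dir = "both"; onif = "all"; mss = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "in" || $i == "out") dir = $i
            else if ($i == "on") onif = $(i + 1)
            else if ($i == "max-mss") mss = $(i + 1) + 0
        }
        if (mss == 0 || (onif != "all" && onif != ifc)) next
        seen[dir] = mss
    }
    END {
        if ("both" in seen) { d = "both"; m = seen["both"] }
        else if (("in" in seen) && ("out" in seen)) {
            d = "both"; m = (seen["in"] > seen["out"]) ? seen["in"] : seen["out"]
        }
        else if ("in" in seen) { d = "in"; m = seen["in"] }
        else if ("out" in seen) { d = "out"; m = seen["out"] }
        else { print "none"; exit }
        print d, m, ((m <= limit) ? "ok" : "too-large")
    }'
}

mss_clamp_report "$SAMPLE_PF_CONF" pppoe0 "$PPPOE_MTU"   # prints: out 1440 ok
```

Run it against the real file with `mss_clamp_report "$(cat /etc/pf.conf)" pppoe0 1492`; an "out"-only result means inbound SYNs on the uplink are not being clamped by pf.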
