pf woes

@204.45.133.x

FreeBSD 9.1 EAGAIN with news client and pf rules enabled

I have a weird problem where if I have my pf rules enabled, with nzbget I see the following errors during fetching of articles:

ERROR Thu Feb 28 09:20:42 2013 - Could not receive data on socket: ErrNo 35, Resource temporarily unavailable

If I use SSL, I get a different error, but likely the same root cause:

ERROR Thu Feb 28 09:30:20 2013 - Could not read from TLS-socket: cannot read from TLS connection: the operation timed out

If I disable pf, I do not get these errors. However, monitoring pflog while nzbget is running, I do not see any messages from pflog when these errors occur.

How can I find out which pf rule is causing this or if it's pf itself?

FWIW, the only limiting rule in my pf.conf is the following (which should not apply given I'm limiting it to dst port 22 inbound):

pass in on $eif proto tcp from !<allowed> to $nat port 22 flags S/SA keep state (max-src-conn 10, max-src-conn-rate 10/30, overload flush global)

Thoughts?

Bink
Villains... knock off all that evil

join:2006-05-14
Denver, CO
kudos:4

What's the output of pfctl -si when this happens?



pflog
Bueller? Bueller?
Premium,MVM
join:2001-09-01
El Dorado Hills, CA
kudos:3

I see the same thing as the OP. I disabled pf then enabled it with an empty pf.conf. pfctl -s rules shows nothing:

# pfctl -s rules
root@pflog:~#

pfctl -si just after enabling the empty rules shows:


Status: Enabled for 0 days 00:00:19           Debug: Urgent

State Table                          Total             Rate
  current entries                      125
  searches                          890080        46846.3/s
  inserts                            24381         1283.2/s
  removals                           24509         1289.9/s
Counters
  match                              29459         1550.5/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              1            0.1/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              4            0.2/s
  proto-cksum                            0            0.0/s
  state-mismatch                        11            0.6/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              7            0.4/s
  synproxy                               0            0.0/s



And after I've seen a few errors (I tested with SSL fwiw):


Status: Enabled for 0 days 00:02:40           Debug: Urgent

State Table                          Total             Rate
  current entries                       59
  searches                         1524441         9527.8/s
  inserts                            24381          152.4/s
  removals                           24575          153.6/s
Counters
  match                             662108         4138.2/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              1            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              4            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                        11            0.1/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              7            0.0/s
  synproxy                               0            0.0/s


Don't see anything obvious in there.

I'm wondering if it has something to do with socket reuse and a bug in pf? I asked how long this has been going on and it sounded like it may have started for my buddy when he updated to 9.0 (and persists in 9.1).

--
"I drank what?" -Socrates


pf woes

@anonymouse.org

reply to Bink
Same as with pflog, no real changes in pfctl -si with all "pass" rules in pf.conf but with pf enabled.



koitsu
Premium,MVM
join:2002-07-16
Mountain View, CA
kudos:19

reply to pf woes
Submit this entire problem to freebsd-pf@freebsd.org. You will need to include the following data:

1. uname -a
2. Your pf.conf
3. /etc/sysctl.conf
4. ifconfig -a
5. netstat -m
6. netstat -inb
7. netstat -s
8. dmesg
9. Full details of your setup, e.g. anything you consider relevant

Finally I must stress this: do not modify or hide any information from any of the above output, especially pf.conf -- it matters greatly. I cannot stress this enough. For example, I can see from the single line of the OP's post NAT is involved yet that isn't disclosed anywhere (it matters).

The only folks who can help rectify/solve this are on that mailing list.

--
Making life hard for others since 1977.
I speak for myself and not my employer/affiliates of my employer.
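As an added example, not code from the thread (pflog's own reporting script is never posted), here is a POSIX sh collector for the list above, written the way a practitioner would for a mailing-list report: every command's output goes into one file under a header carrying the same timestamp, so it lines up with the timestamps in nzbget's log. It assumes a FreeBSD host run as root; `pfctl -s info`, `pfctl -s rules` and `pfctl -s states` are my additions to koitsu's list, and commands missing on the machine running it are recorded as absent rather than aborting the run. pf.conf is cat'ed straight from disk so nothing gets edited out by hand.

```shell
#!/bin/sh
# Added example, not from the thread: timestamped snapshot collector for the
# data koitsu asked for. Assumes FreeBSD and root (pfctl, dmesg); on other
# hosts missing commands are noted in the output instead of failing.

# One command per line, in the order of the post, plus pf's own view
# (pfctl -s info/rules/states are additions to koitsu's list).
SNAPSHOT_CMDS='uname -a
cat /etc/pf.conf
cat /etc/sysctl.conf
ifconfig -a
netstat -m
netstat -inb
netstat -s
dmesg
pfctl -s info
pfctl -s rules
pfctl -s states'

# collect_snapshot OUTFILE
# Appends one section per command to OUTFILE; every header carries the same
# timestamp so a snapshot can be matched against the news client's log line.
collect_snapshot() {
    out="$1"
    stamp=$(date '+%Y-%m-%d %H:%M:%S %Z')
    printf '##### snapshot %s #####\n' "$stamp" >> "$out"
    printf '%s\n' "$SNAPSHOT_CMDS" | while IFS= read -r cmd; do
        [ -n "$cmd" ] || continue
        printf '=== %s === %s\n' "$cmd" "$stamp" >> "$out"
        prog=${cmd%% *}                      # program name is the first word
        if command -v "$prog" >/dev/null 2>&1; then
            # keep going on failure but record the exit status of the command
            $cmd >> "$out" 2>&1 || printf '(exit status %s)\n' "$?" >> "$out"
        else
            printf '(%s not available on this host)\n' "$prog" >> "$out"
        fi
    done
}

# section_count OUTFILE: number of '=== cmd ===' headers written, i.e. how
# many of the listed commands were attempted in the file.
section_count() {
    grep -c '^=== ' "$1"
}
```

Run `collect_snapshot /var/tmp/pf-report.txt` from a loop or a cron entry while nzbget is fetching, and run it once more with `pfctl -d` in effect; as pflog did below, comparing the two is what shows whether pf is involved at all. Send the file unedited.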



pflog
Bueller? Bueller?
Premium,MVM
join:2001-09-01
El Dorado Hills, CA
kudos:3

I can file this if the OP doesn't/can't/won't. I just hope I don't then label myself as a pirate for submitting it! haha

Question though. When I reproduced this for my friend, my pf.conf was literally an empty file. I agree that rule shows they're doing nat/rdr of some kind, but it doesn't explain an empty pf.conf causing it if it's nat related, does it?
--
"I drank what?" -Socrates



koitsu
Premium,MVM
join:2002-07-16
Mountain View, CA
kudos:19

I could speculate all day and night about what the problem is, but I'd rather not. I'd rather verbose details be provided to freebsd-pf@ and let the maintainers figure it out.

Yes, please be sure (especially at the top) to explain that disabling pf entirely somehow "resolves" the problem.

I should note that if someone can provide a full 100% reliable test case for this and provide actual step-by-step reproduction methods, that would be best to provide in the mail as well. For example, the OP's two errors are for two different things (those two errors are completely different) and the latter could be explained by a lot of things unrelated to pf. Gotta use static IPs rather than DNS and hope that whatever the IP is doesn't rely on a network using anycast, else if it's an IP/TCP stack problem (or firewall-related problem) it's hard to track down.

I would also strongly suggest you start making use of the set loginterface {iface} option in your pf.conf so that you can see the number of passed/blocked packets. Validation:

root@omake:~ # pfctl -s info
Status: Enabled for 57 days 15:26:05          Debug: Urgent
 
Interface Stats for em0               IPv4             IPv6
  Bytes In                      4448753616                0
  Bytes Out                     5546471952              152
  Packets In
    Passed                        61899593                0
    Blocked                          41705                0
  Packets Out
    Passed                        61966122                0
    Blocked                              6                2
 
State Table                          Total             Rate
  current entries                       22
  searches                       123901838           24.9/s
  inserts                          2302335            0.5/s
  removals                         2302313            0.5/s
Counters
  match                            2340304            0.5/s
  bad-offset                             0            0.0/s
  fragment                             864            0.0/s
  short                                  0            0.0/s
  normalize                             19            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                       156            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
 

Use that, and if you see dropped being incremented *every time* you encounter the problem, then there is further debugging that can be done. But again: all this should go to freebsd-pf@freebsd.org.
--
Making life hard for others since 1977.
I speak for myself and not my employer/affiliates of my employer.
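The check koitsu describes (did the Blocked counters move at the moment the client errored?) is easier to do by machine than by eye. As an added example, not from the thread, the script below flattens a `pfctl -s info` capture into key/value lines, diffs two captures, and reports whether any blocked counter on the log interface increased between them. It handles both shapes of the output: with `set loginterface` the Interface Stats block is present, without it (as in pflog's captures above) only State Table and Counters exist, and the same parser still works. The two captures embedded in it are constructed for this example (the interface name em0 is koitsu's; the numbers are made up and the Bytes lines dropped for brevity).

```shell
#!/bin/sh
# Added example, not from the thread: diff two `pfctl -s info` captures and
# flag pf drops between them. Sample captures below are constructed.

# pf_counters FILE: flatten a `pfctl -s info` capture into "key value" lines,
# e.g. "in.blocked.v4 41705", "state.current-entries 22", "counter.match 2340304".
pf_counters() {
    awk '
    /^Interface Stats/ { sect = "if"; next }
    /^State Table/     { sect = "state"; next }
    /^Counters/        { sect = "counter"; next }
    sect == "if" && /^ *Packets In/  { dir = "in";  next }
    sect == "if" && /^ *Packets Out/ { dir = "out"; next }
    sect == "if" && /^ *(Passed|Blocked)/ {
        printf "%s.%s.v4 %s\n", dir, tolower($1), $2   # IPv4 column
        printf "%s.%s.v6 %s\n", dir, tolower($1), $3   # IPv6 column
        next
    }
    (sect == "state" || sect == "counter") && NF >= 2 {
        # names may be two words ("current entries"); the total is the first
        # all-digit field and the rate column, when present, is ignored
        name = $1; i = 2
        while (i <= NF && $i !~ /^[0-9]+$/) { name = name "-" $i; i++ }
        if (i <= NF) printf "%s.%s %s\n", sect, name, $i
    }' "$1"
}

# pf_delta BEFORE AFTER: print "key before after delta" for every counter
# whose value differs between the two captures.
pf_delta() {
    a=$(mktemp); b=$(mktemp)
    pf_counters "$1" > "$a"
    pf_counters "$2" > "$b"
    awk 'NR == FNR { before[$1] = $2; next }
         ($1 in before) && $2 != before[$1] {
             printf "%s %s %s %+d\n", $1, before[$1], $2, $2 - before[$1]
         }' "$a" "$b"
    rm -f "$a" "$b"
}

# blocked_increment BEFORE AFTER: exit 0 if pf blocked anything on the log
# interface between the captures, 1 otherwise. If it is 0 every time the
# client errors, pf is dropping the traffic; if it never is, the problem is
# elsewhere (the stack or the client), which is where this thread ended up.
blocked_increment() {
    pf_delta "$1" "$2" | awk '$1 ~ /\.blocked\./ && $4 + 0 > 0 { n++ }
                              END { exit n ? 0 : 1 }'
}

# write_samples DIR: two constructed captures; between them 218 packets pass,
# 3 inbound packets are blocked, 3 states expire and one state-mismatch occurs.
write_samples() {
    cat > "$1/before.txt" <<'EOF'
Status: Enabled for 57 days 15:26:05          Debug: Urgent

Interface Stats for em0               IPv4             IPv6
  Packets In
    Passed                        61899593                0
    Blocked                          41705                0
  Packets Out
    Passed                        61966122                0
    Blocked                              6                2

State Table                          Total             Rate
  current entries                       22
  searches                       123901838           24.9/s
  inserts                          2302335            0.5/s
  removals                         2302313            0.5/s
Counters
  match                            2340304            0.5/s
  state-mismatch                       156            0.0/s
  src-limit                              0            0.0/s
EOF
    sed -e 's/61899593/61899811/' -e 's/41705 /41708 /' \
        -e 's/  22$/  19/' -e 's/156 /157 /' "$1/before.txt" > "$1/after.txt"
}
```

In use: `pfctl -s info > /var/tmp/pf.$(date +%s)` from the same loop that watches nzbget's log, then `pf_delta` between the capture before and the capture after an error line. Remember that the per-interface Blocked lines only appear once `set loginterface` is in pf.conf, which is exactly why koitsu recommends it.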


pflog
Bueller? Bueller?
Premium,MVM
join:2001-09-01
El Dorado Hills, CA
kudos:3

Well, pf can be ruled out. I put together a little reporting script that would run the commands you requested (and I prepended a timestamp for correlation with the news client's log file). I figured I would grab the logs for the case when pf was disabled for comparison and in doing so I saw the same failures, even with pf disabled.

Any idea which list it would go to instead? OP doesn't seem like they are going to do this (although I haven't looked at the pf mailing list archives today yet).
--
"I drank what?" -Socrates



koitsu
Premium,MVM
join:2002-07-16
Mountain View, CA
kudos:19

Probably freebsd-net@freebsd.org or freebsd-stable@freebsd.org (although should state that the issue appears to affect 9.1-RELEASE, assuming the OP and/or you are running that).

As for the data to provide: everything I mentioned here except for #2.
--
Making life hard for others since 1977.
I speak for myself and not my employer/affiliates of my employer.



pflog
Bueller? Bueller?
Premium,MVM
join:2001-09-01
El Dorado Hills, CA
kudos:3

Tangential question: are there public NNTP servers with LEGAL large files on them I can use to create a testcase and capture data.

I'm sure my friend doesn't mind me using his news provider to test, and I did find ubuntu ISOs I can use for testing, but I am still wary of connecting to these kinds of things.

So unless I can find such a thing, I'm going to point my friend to this thread (although I'd have to walk him through it probably) or hopefully the OP sends the problem in.
--
"I drank what?" -Socrates



graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL

Be more specific about exactly what you want to do on a public news server and you might get specific recommendations.



pflog
Bueller? Bueller?
Premium,MVM
join:2001-09-01
El Dorado Hills, CA
kudos:3

said by graysonf:

Be more specific about exactly what you want to do on a public news server and you might get specific recommendations.

I need two downloads, at least 500 MB. They must be distinct I think in order to queue up 2 of them. So perhaps a Linux/FreeBSD/etc ISO? I don't know all the lingo, but I guess I would need "nzb" files corresponding to these files to feed into this application.
--
"I drank what?" -Socrates


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL

There are no single individual "files" (articles) that large in Usenet. The max allowed by the standard is 1MB including encoding overhead.



pflog
Bueller? Bueller?
Premium,MVM
join:2001-09-01
El Dorado Hills, CA
kudos:3

said by graysonf:

There are no single individual "files" (articles) that large in Usenet. The max allowed by the standard is 1MB including encoding overhead.

Oh ok. I'm guessing this nzb file somehow combines them then? Obviously there are things on there larger than 1MB...

*edit* yep


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL

An nzb is a text file containing a list of the individual articles that make up a complete multipart post. You need an nzb capable news reader or binary news downloader to use them.

You can search the binary newsgroups for content you might be interested in at the web site »www.binsearch.info

Do you still need a free server to download from?



pflog
Bueller? Bueller?
Premium,MVM
join:2001-09-01
El Dorado Hills, CA
kudos:3

So is there a public/free server that would have legal files then or not? This will help me find something to download, thanks. But I'm hesitant to test against a known "illegal" news host. If there's no way around that, then as I said I'll help my friend do it from his connection/host.
--
"I drank what?" -Socrates



graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL

It's up to you to decide what legal content is or isn't. Use the site I suggested to search for what you consider to be legal content or browse some of the available groups to see what's out there.

There is no such thing as an illegal news host. I'd venture to say that every server that carries binary content contains some posts that infringe on somebody's intellectual property rights.

You can get somewhat crippled free news service here, just sign up for it.

»xsusenet.com/



pflog
Bueller? Bueller?
Premium,MVM
join:2001-09-01
El Dorado Hills, CA
kudos:3

I found legal content to download.

Ok, so not an "illegal news host", but obviously my friend's company isn't there so people can browse text news groups.

So what I'm asking is if there are public news servers that index LEGAL binary content such as ubuntu ISOs above and explicitly delete/prevent (as much as they can) illegal content or not? Just trying to cover my ass here.
--
"I drank what?" -Socrates



graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL

There are news servers that offer free accounts with certain limitations, such as you can not post, the data rate is limited, retention is limited, and the number of simultaneous connections and/or hosts you can connect with are limited, etc. I suggested one such service where you can get such limited free service. Go there and sign up for a free account.

I'm not aware of any news service that actively prevents illegal content on their servers. They all have mechanisms in place where the actual owners of copyrighted material (or their representatives) can demand that their material be removed from the server. And law enforcement can act to have illegal content such as child porn removed. But all this happens on a case by case basis, one request at a time. Requesting the removal of content on one server does not get it removed from the many, many thousands of other servers out there. It's basically impossible to prevent illegal content and even more impossible to get it universally removed everywhere it may be found.

You need not worry about connecting to a server that holds illegal content. Even downloading illegal content might not in itself be illegal. Uploading illegal content is where you can get into trouble. But you don't seem to be wanting to do that.



pflog
Bueller? Bueller?
Premium,MVM
join:2001-09-01
El Dorado Hills, CA
kudos:3

Thanks for the explanation. I guess I'm just being overly paranoid.
--
"I drank what?" -Socrates


Tuesday, 21-May 05:04:53 · © 1999-2013 dslreports.com