kern/94877: packet filter blocks outgoing traffic after boot

Erik Norgaard norgaard at locolomo.org
Thu Mar 23 20:40:19 UTC 2006


>Number:         94877
>Category:       kern
>Synopsis:       packet filter blocks outgoing traffic after boot
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 23 20:40:17 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Erik Norgaard
>Release:        FreeBSD 6.1-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD charm 6.1-PRERELEASE FreeBSD 6.1-PRERELEASE #0: Thu Mar 23 09:12:55 CET 2006 root at charm:/usr/obj/usr/src/sys/GENERIC i386

>Description:

pf ruleset is loaded correctly at boot, but outgoing connections are blocked: icmp, tcp and udp. This was verified with ping (operation not permitted), host (timeout) and tcping (operation not permitted).

arp traffic is allowed, confirmed with arping.

It has been verified with snort that no packets leave the interface, the problem is not that responses are blocked.

Reloading the ruleset with 

  # pfctl -Fr && pfctl -Rf /etc/pf.conf

solves the problem. The fact that it is the same ruleset seems to prove that the ruleset is ok.

This has been observed on two systems with more or less the same snapshot of source, on different networks. Also, incoming traffic is accepted.

Both systems have interfaces configured with dhclient, which runs before the ruleset is loaded. In rc.conf, background_dhclient="NO" is set, ensuring that the interface is configured before proceeding.

If the interface is not configured pf will fail loading the ruleset as the macros interface and interface:network are used in the rulesets. 

The problem can be repeated by rebooting.

>How-To-Repeat:

A transcript of the actions done and produced output is found here:

  http://www.locolomo.org/pub/pf/debug.charm

Snort packets captured for the above session:

  http://www.locolomo.org/pub/pf/snort.charm

The used pf ruleset is found here:

  http://www.locolomo.org/pub/pf/pf.conf

System info here:

  http://www.locolomo.org/pub/pf/dmesg.charm
  http://www.locolomo.org/pub/pf/sysctl.charm

>Fix:

Workaround: Reload the ruleset after each boot with 

  # pfctl -Fr && pfctl -Rf <ruleset>

>Release-Note:
>Audit-Trail:
>Unformatted:
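The workaround in this PR can be turned into a post-boot self-check: probe whether outbound traffic leaves the host, and only if it does not, flush and reload the ruleset exactly as the report does. This is an added example, not code from the PR or from FreeBSD; the /etc/pf.conf path, the probe host and the idea of running it from /etc/rc.local are assumptions, and the probe and reload steps are passed in as commands so the logic can be exercised on a host without pf.

```shell
#!/bin/sh
# Added example (not from the PR): reapply the pf ruleset after boot only
# when outbound traffic is blocked, mirroring the "pfctl -Fr && pfctl -Rf"
# workaround. Assumed: run late in boot (e.g. from /etc/rc.local), after
# pf and dhclient have finished.

PF_CONF="${PF_CONF:-/etc/pf.conf}"        # assumed ruleset path
PROBE_HOST="${PROBE_HOST:-192.0.2.1}"    # placeholder; use your gateway

# probe_outbound: 0 if one ICMP echo leaves the host and is answered.
# A pf-blocked ping fails immediately with "operation not permitted",
# as observed in the PR. FreeBSD ping: -t is the timeout in seconds.
probe_outbound() {
    ping -c 1 -t 2 "$PROBE_HOST" >/dev/null 2>&1
}

# reload_ruleset: the PR's workaround, flush filter rules then reload them.
reload_ruleset() {
    pfctl -Fr && pfctl -Rf "$PF_CONF"
}

# pf_recover PROBE RELOAD
#   Runs PROBE; if it fails, runs RELOAD and probes again.
#   Returns 0 if traffic flows (possibly after a reload), 1 otherwise.
#   Sets PF_RELOADED=1 when a reload was performed, so a caller can log it.
pf_recover() {
    probe=${1:-probe_outbound}
    reload=${2:-reload_ruleset}
    PF_RELOADED=0
    if "$probe"; then
        return 0                 # already fine, nothing to do
    fi
    "$reload" || return 1        # reload itself failed
    PF_RELOADED=1
    "$probe"                     # re-check after reload
}
```

From rc.local this would be `pf_recover && [ "$PF_RELOADED" = 1 ] && logger -t pf "ruleset reloaded after boot"`, which leaves an audit trail each time the workaround was actually needed.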
