pf dropping packets despite pass all rule
Tilman Linneweh
arved at arved.at
Thu Jul 31 20:08:50 UTC 2008
On Jul 31, 2008, at 20:03, Max Laier wrote:
>>>> LAN -> Router with PF <- gif tunnel with IPSEC -> Server
>>>>
>>>> The router is running FreeBSD 7.0. Protocol is IPv6. ping6 works,
>>>> but TCPv6 from LAN to Server does not work, unless i disable PF.
>>>>
>>>> Excerpt from pf.conf:
>>>> pass in quick on gif0 all keep state
>>>> pass out quick on gif0 all keep state
>>>>
>> Hm indeed, sorry, http://arved.priv.at/~arved/strangepackets2.pcap
>
> alright ... for some reasons we are blocking the ACKs - i.e. they don't seem
> to match any state (and the SYN must have gone through somehow). That can
> happen for two reasons: 1) There is no state created 2) Something's wrong with
> the state entry or the involved tcp stacks.
>
> To debug this further you could enable pf debug logging (pfctl -xm) and watch
> the console for state mismatches ... however ...
>>
>> pfctl -si confirms that there are packets blocked.
>> Status: Enabled for 0 days 02:37:07           Debug: Urgent
>>
>> Interface Stats for gif0              IPv4             IPv6
>>   Bytes In                               0           261859
>>   Bytes Out                              0           207299
>>   Packets In
>>     Passed                               0             2347
>>     Blocked                              0               90
>>   Packets Out
>>     Passed                               0             2185
>>     Blocked                              0                0
>>
>> State Table                          Total             Rate
>>   current entries                       31
>>   searches                           44046            4.7/s
>>   inserts                             2768            0.3/s
>>   removals                            2737            0.3/s
>> Counters
>>   match                              13425            1.4/s
>>   bad-offset                             0            0.0/s
>>   [...rest is all zeros]
>>
>> ...and later:
>> Status: Enabled for 0 days 02:37:21           Debug: Urgent
>>
>> Interface Stats for gif0              IPv4             IPv6
>>   Bytes In                               0           263327
>>   Bytes Out                              0           208711
>>   Packets In
>>     Passed                               0             2356
>>     Blocked                              0               96
>>   Packets Out
>>     Passed                               0             2197
>>     Blocked                              0                0
>>
>> State Table                          Total             Rate
>>   current entries                       30
>>   searches                           44128            4.7/s
>>   inserts                             2772            0.3/s
>>   removals                            2742            0.3/s
>> Counters
>>   match                              13451            1.4/s
>>   bad-offset                             0            0.0/s
>
> ... if there is no counter increase on "state-mismatch" (please double-check),
> it would suggest that no state is created in the first place. Could you
> provide your complete ruleset with rule numbers? (pfctl -vvvsr)
>
There is now a single state-mismatch. But that could be something
else. The debug-logging shows nothing about state mismatch.
@0 scrub in all fragment reassemble
  [ Evaluations: 3890 Packets: 2146 Bytes: 255350 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@0 pass in all flags S/SA keep state
  [ Evaluations: 75 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@1 pass out all flags S/SA keep state
  [ Evaluations: 75 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@2 block return log all
  [ Evaluations: 75 Packets: 23 Bytes: 7440 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@3 pass in quick on sis0 proto tcp from any to any port = ssh flags S/SA keep state
  [ Evaluations: 75 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@4 pass in quick on sis0 proto tcp from any to any port = domain flags S/SA keep state
  [ Evaluations: 2 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@5 pass in quick on sis0 proto tcp from any to any port = smtp flags S/SA keep state
  [ Evaluations: 2 Packets: 30 Bytes: 2340 States: 2 ]
  [ Inserted: uid 0 pid 2258 ]
@6 pass in quick on sis0 proto udp from any to any port = ssh keep state
  [ Evaluations: 22 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@7 pass in quick on sis0 proto udp from any to any port = domain keep state
  [ Evaluations: 22 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@8 pass in quick on sis0 proto udp from any to any port = smtp keep state
  [ Evaluations: 22 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@9 block return out quick on sis0 inet proto udp from 62.178.208.15 to any port = who
  [ Evaluations: 43 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@10 pass in on sis1 inet from 192.168.1.0/24 to any flags S/SA keep state allow-opts
  [ Evaluations: 73 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@11 pass in on sis1 inet6 from 2001:6f8:13fb:3::/64 to any flags S/SA keep state allow-opts
  [ Evaluations: 23 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@12 pass out on sis1 inet from any to 192.168.1.0/24 flags S/SA keep state allow-opts
  [ Evaluations: 25 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@13 pass out on sis1 inet6 from any to 2001:6f8:13fb:3::/64 flags S/SA keep state allow-opts
  [ Evaluations: 2 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@14 pass in on sis1 inet6 all flags S/SA keep state
  [ Evaluations: 25 Packets: 2 Bytes: 144 States: 2 ]
  [ Inserted: uid 0 pid 2258 ]
@15 pass out on sis1 inet6 all flags S/SA keep state
  [ Evaluations: 4 Packets: 2 Bytes: 136 States: 2 ]
  [ Inserted: uid 0 pid 2258 ]
@16 pass in on sis1 inet from 192.168.0.0/16 to any flags S/SA keep state
  [ Evaluations: 25 Packets: 180 Bytes: 51414 States: 21 ]
  [ Inserted: uid 0 pid 2258 ]
@17 pass out on sis1 inet from any to 192.168.0.0/16 flags S/SA keep state
  [ Evaluations: 23 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@18 pass in inet proto icmp all icmp-type echoreq keep state
  [ Evaluations: 69 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@19 pass out inet proto icmp all keep state
  [ Evaluations: 24 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@20 pass out on sis0 proto tcp all flags S/SA keep state
  [ Evaluations: 73 Packets: 160 Bytes: 49118 States: 11 ]
  [ Inserted: uid 0 pid 2258 ]
@21 pass out on sis0 proto udp all keep state
  [ Evaluations: 21 Packets: 21 Bytes: 2100 States: 10 ]
  [ Inserted: uid 0 pid 2258 ]
@22 pass in quick on gif0 all flags S/SA keep state allow-opts
  [ Evaluations: 73 Packets: 382 Bytes: 27496 States: 2 ]
  [ Inserted: uid 0 pid 2258 ]
@23 pass out quick on gif0 all flags S/SA keep state allow-opts
  [ Evaluations: 2 Packets: 3 Bytes: 288 States: 2 ]
  [ Inserted: uid 0 pid 2258 ]
@24 pass in quick on sis0 inet proto ipv6 from any to 62.178.208.15 keep state
  [ Evaluations: 69 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@25 pass out quick on sis0 inet proto ipv6 from 62.178.208.15 to any keep state
  [ Evaluations: 21 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@26 pass in quick proto esp all keep state
  [ Evaluations: 69 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@27 pass in quick proto ipencap all keep state
  [ Evaluations: 45 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@28 pass in quick proto udp from any port = isakmp to any port = isakmp keep state
  [ Evaluations: 45 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@29 pass in quick proto tcp from any port = isakmp to any port = isakmp flags S/SA keep state
  [ Evaluations: 11 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@30 pass out quick proto esp all keep state
  [ Evaluations: 69 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@31 pass out quick proto ipencap all keep state
  [ Evaluations: 24 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@32 pass out quick proto udp from any port = isakmp to any port = isakmp keep state
  [ Evaluations: 24 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@33 pass out quick proto tcp from any port = isakmp to any port = isakmp flags S/SA keep state
  [ Evaluations: 13 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@34 anchor "ftp-proxy/*" all
  [ Evaluations: 69 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@35 pass out inet6 proto tcp from ::1 to any port = ftp flags S/SA keep state
  [ Evaluations: 69 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@36 pass out inet proto tcp from 127.0.0.1 to any port = ftp flags S/SA keep state
  [ Evaluations: 21 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
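The thread's diagnostic step is to take two pfctl -si snapshots and check whether "Blocked" grows while "state-mismatch" stays at zero (no state created) or grows with it (bad state entry). This added helper, written for this archive page and not part of the thread or of pf, parses that output and applies the same reasoning; the two snapshots are constructed in the thread's layout, the second with one state-mismatch hit.

```python
import re

# Constructed `pfctl -si` excerpts: the first mirrors the thread's numbers,
# the second adds one state-mismatch hit as the follow-up reported.
SNAP_A = """\
  Packets In
    Passed                               0             2347
    Blocked                              0               90
Counters
  match                              13425            1.4/s
  state-mismatch                         0            0.0/s
"""
SNAP_B = """\
  Packets In
    Passed                               0             2356
    Blocked                              0               96
Counters
  match                              13451            1.4/s
  state-mismatch                         1            0.0/s
"""
PKT = re.compile(r"^\s*(Passed|Blocked)\s+(\d+)\s+(\d+)\s*$")   # IPv4, IPv6 columns
CTR = re.compile(r"^\s*([a-z-]+)\s+(\d+)\s+[\d.]+/s\s*$")       # name, total, rate

def parse_pf_info(text):
    """Map pfctl -si output to {'in.blocked': n, 'in.passed': n, 'match': n, ...}."""
    counters, direction = {}, None
    for line in text.splitlines():
        if line.strip().startswith("Packets In"):
            direction = "in"
        elif line.strip().startswith("Packets Out"):
            direction = "out"
        elif (m := PKT.match(line)) and direction:
            # keep the IPv6 column only; the tunnel in the thread carries IPv6
            counters[f"{direction}.{m.group(1).lower()}"] = int(m.group(3))
        elif (m := CTR.match(line)):
            counters[m.group(1)] = int(m.group(2))
    return counters

def counter_deltas(before, after):
    """Counters that moved between two snapshots (after minus before)."""
    return {k: after[k] - before[k] for k in after if k in before and after[k] != before[k]}

def diagnose(deltas):
    """The thread's reasoning: blocks without state-mismatch => no state was created."""
    if deltas.get("in.blocked", 0) + deltas.get("out.blocked", 0) == 0:
        return "no new blocked packets on this interface"
    if deltas.get("state-mismatch", 0) == 0:
        return "blocked without state-mismatch: packets likely never created a state"
    return "state-mismatch grew: inspect the state entries (pfctl -ss) and enable pfctl -x"
```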