6.1-PRERELEASE: pf blocks fetch after restart

Erik Norgaard norgaard at locolomo.org
Thu Mar 30 10:52:14 UTC 2006


Hi:

I wrote about this some weeks ago; now I have investigated further, with the 
system upgraded to the latest (yesterday) snap of RELENG_6.

Summary:

1) boot
2a) fetch http://host/file: operation not permitted
2b) fetch ftp://host/file: operation not permitted
3) pfctl -Fr && pfctl -Rf pf.conf
4a) fetch http://host/file: successful
4b) fetch ftp://host/file: successful
5) pfctl -Fa && pfctl -f pf.conf
6) tcping host_on_lan 22: port open
7a) fetch http://host/file: operation not permitted
7b) fetch ftp://host/file: operation not permitted

There is one more thing that is weird: after successful configuration with 
DHCP, the interface em0 reports status "no carrier". This happens on boot as 
well as if I run

   # /etc/rc.d/netif restart

However, running the above does not change whether fetch succeeds or not.

The problem with netif is not solved if the interface is configured with a 
static IP, nor is the problem with fetch.

I can repeat this, it has occurred on a number of snapshots of the 
PRERELEASE. Any ideas on how to solve this?

Thanks, Erik

Complete transcript of session:

Script started on Thu Mar 30 12:39:48 2006
You have mail.
mordac#	uname -a
FreeBSD mordac 6.1-PRERELEASE FreeBSD 6.1-PRERELEASE #0:
      Thu Mar 30 11:08:17 CEST 2006
      root at mordac:/usr/obj/usr/src/sys/SERVER6-SMP  i386
mordac#	/etc/rc.d/netif restart
Stopping network: lo0 em0.
em0: no link .... got link
DHCPREQUEST on em0 to 255.255.255.255 port 67
DHCPREQUEST on em0 to 255.255.255.255 port 67
DHCPDISCOVER on em0 to 255.255.255.255 port 67 interval 6
DHCPOFFER from 172.24.0.24
DHCPREQUEST on em0 to 255.255.255.255 port 67
DHCPACK from 172.24.0.24
bound to 172.24.8.48 -- renewal in 1296000 seconds.
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
	inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=b<RXCSUM,TXCSUM,VLAN_MTU>
	inet6 fe80::213:72ff:fe3d:e2f4%em0 prefixlen 64 scopeid 0x1
	inet 172.24.8.48 netmask 0xfffff000 broadcast 172.24.15.255
	ether 00:13:72:3d:e2:f4
	media: Ethernet autoselect
	status: no carrier
mordac#	ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=b<RXCSUM,TXCSUM,VLAN_MTU>
	inet6 fe80::213:72ff:fe3d:e2f4%em0 prefixlen 64 scopeid 0x1
	inet 172.24.8.48 netmask 0xfffff000 broadcast 172.24.15.255
	ether 00:13:72:3d:e2:f4
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
	inet 127.0.0.1 netmask 0xff000000
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
mordac#	/etc/rc.d/pf restart
No ALTQ support in kernel
ALTQ related functions disabled
Disabling pf.
No ALTQ support in kernel
ALTQ related functions disabled
pf disabled
Enabling pf.
No ALTQ support in kernel
ALTQ related functions disabled
No ALTQ support in kernel
ALTQ related functions disabled
No ALTQ support in kernel
ALTQ related functions disabled
pf enabled
mordac#	tcping 172.24.8.84 22
172.24.8.84 port 22 open.
mordac#	fetch 
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/tcping-1.3.4.tar.gz
fetch: 
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/tcping-1.3.4.tar.gz: 
Operation not permitted
mordac#	fetch http://www.linuxco.de/tcping/tcping-1.3.4.tar.gz
fetch: http://www.linuxco.de/tcping/tcping-1.3.4.tar.gz: Operation not 
permitted
mordac#	pfctl -Fr && pfctl -Rf /etc/pf.conf
No ALTQ support in kernel
ALTQ related functions disabled
rules cleared
No ALTQ support in kernel
ALTQ related functions disabled
mordac#	fetch 
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/tcping-1.3.4.tar.gz
tcping-1.3.4.tar.gz                             0% of   11 kB    0  Bps
tcping-1.3.4.tar.gz                           100% of   11 kB   32 MBps
mordac#	fetch http://www.linuxco.de/tcping/tcping-1.3.4.tar.gz
tcping-1.3.4.tar.gz                             0% of   11 kB    0  Bps
tcping-1.3.4.tar.gz                           100% of   11 kB   36 MBps
mordac#	tcping 172.24.8.84 22
172.24.8.84 port 22 open.
mordac#	pfctl -Fa && pfctl -f /etc/pf.conf
No ALTQ support in kernel
ALTQ related functions disabled
rules cleared
nat cleared
0 tables deleted.
7 states cleared
source tracking entries cleared
pf: statistics cleared
pf: interface flags reset
No ALTQ support in kernel
ALTQ related functions disabled
mordac#	tcping 172.24.8.84 22
172.24.8.84 port 22 open.
mordac#	fetch 
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/tcping-1.3.4.tar.gz
fetch: 
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/tcping-1.3.4.tar.gz: 
Operation not permitted
mordac#	 fetch http://www.linuxco.de/tcping/tcping-1.3.4.tar.gz
fetch: http://www.linuxco.de/tcping/tcping-1.3.4.tar.gz: Operation not 
permitted
mordac#	ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=b<RXCSUM,TXCSUM,VLAN_MTU>
	inet6 fe80::213:72ff:fe3d:e2f4%em0 prefixlen 64 scopeid 0x1
	inet 172.24.8.48 netmask 0xfffff000 broadcast 172.24.15.255
	ether 00:13:72:3d:e2:f4
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
	inet 127.0.0.1 netmask 0xff000000
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
mordac#	exit

Script done on Thu Mar 30 12:44:20 2006

pf.conf:


# Interfaces, not loopback
ext_if   = em0
ext_net  = "(em0:network)"
ext_ip   = "(em0)"

# Networks: LAN is non-internet address space, i.e. local networks
lan_net  = "{ 172.16.0.0/12 192.168.0.0/16 }"

# These networks are listed in RFC3330 and not used:
table <nullnet> const { 0/8, 10/8, 127/8, 169.254/16, 172.16/12, \
                         !172.24/20, 192.0.2/24, 192.168/16, \
                         !192.168.212/24, 198.18/15, \
                         224/4, 240/4 }

# Services: Services listed by name must be in /etc/services, else
#         use number
ext_tcp  = "{ ssh }"
lan_tcp  = "{ ssh ftp svn postgresql 49152:49216 }"
lan_icmp = "{ echoreq }"

#
# Define filtering rules
#
# default policy: block and log, log is used to catch unknown traffic
#         logs by this rule means something has not been taken care of
block log all

# Allow all traffic on loopback interface
pass in  quick on lo0 all
pass out quick on lo0 all

# Block (default) incoming traffic, this rule marks the start of a group,
#         needed for optimal skip step.
block in log on $ext_if all

# Anti spoofing
block in quick on $ext_if inet from <nullnet>
block in quick on $ext_if inet from any to !$ext_ip

# Local/LAN access only
pass  in quick on $ext_if inet proto tcp from $lan_net to $ext_ip \
     port $lan_tcp flags S/SA keep state
#pass  in quick on $ext_if inet proto udp from $lan_net to $ext_ip \
#   port $lan_udp keep state
pass  in quick on $ext_if inet proto icmp from $lan_net to $ext_ip \
     icmp-type $lan_icmp keep state

# External access
pass  in quick on $ext_if inet proto tcp from any to $ext_ip \
     port $ext_tcp flags S/SA keep state
# Catch rule for remaining packets
block in log quick on $ext_if all

# Outgoing traffic:
block out log on $ext_if all

# Anti spoofing
block out quick on $ext_if inet from <nullnet> to any
block out quick on $ext_if inet from $ext_ip to <nullnet>

# OK, just allow all out, this should be more restrictive:
pass  out quick on $ext_if inet proto tcp  from $ext_ip to any \
     flags S/SA keep state
pass  out quick on $ext_if inet proto udp  from $ext_ip to any \
     keep state
pass  out quick on $ext_if inet proto icmp from $ext_ip to any \
     keep state

# Catch rule for remaining packets
block out log quick on $ext_if

-- 
Ph: +34.666334818                                  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID:  9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
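To make the evaluation order of the posted ruleset concrete, here is an added Python model (not code from the post or from pf itself): it implements pf's last-matching-rule-wins semantics with `quick` short-circuiting and the longest-prefix, negation-aware table lookup that `<nullnet>` relies on, then evaluates constructed first packets on em0 against the rules above. The external destination 198.51.100.7 is a constructed placeholder; lo0 and the state table are not modelled, so only state-creating packets are evaluated.

```python
import ipaddress

# Addresses and ports are taken from the posted pf.conf and ifconfig output; the
# evaluator itself is a constructed, simplified model of pf on em0 (no lo0, no states).
EXT_IP = "172.24.8.48"                          # what "(em0)" expands to in the transcript
LAN_NET = ["172.16.0.0/12", "192.168.0.0/16"]
NULLNET = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
           "172.16.0.0/12", "!172.24.0.0/20", "192.0.2.0/24", "192.168.0.0/16",
           "!192.168.212.0/24", "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4"]
LAN_TCP = {21, 22, 3690, 5432} | set(range(49152, 49217))  # ftp ssh svn postgresql + range
EXT_TCP = {22}

def in_table(addr, entries):
    """pf table lookup: the longest-prefix entry decides, and a '!' entry excludes."""
    a, best = ipaddress.ip_address(addr), None
    for e in entries:
        net = ipaddress.ip_network(e.lstrip("!"))
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, e.startswith("!"))
    return best is not None and not best[1]
def pkt(direction, proto, src, dst, dport=0, syn=True):
    return {"dir": direction, "proto": proto, "src": src, "dst": dst, "dport": dport, "syn": syn}
# (action, direction, quick, condition), in the order of the posted ruleset.
RULES = [
    ("block", None,  False, lambda p: True),                         # block log all
    ("block", "in",  False, lambda p: True),                         # block in log on $ext_if
    ("block", "in",  True,  lambda p: in_table(p["src"], NULLNET)),  # anti-spoofing
    ("block", "in",  True,  lambda p: p["dst"] != EXT_IP),           # ... to !$ext_ip
    ("pass",  "in",  True,  lambda p: p["proto"] == "tcp" and p["syn"] and p["dst"] == EXT_IP
                                      and in_table(p["src"], LAN_NET) and p["dport"] in LAN_TCP),
    ("pass",  "in",  True,  lambda p: p["proto"] == "tcp" and p["syn"] and p["dst"] == EXT_IP
                                      and p["dport"] in EXT_TCP),
    ("block", "in",  True,  lambda p: True),                         # catch rule
    ("block", "out", False, lambda p: True),                         # block out log on $ext_if
    ("block", "out", True,  lambda p: in_table(p["src"], NULLNET)),
    ("block", "out", True,  lambda p: in_table(p["dst"], NULLNET)),
    ("pass",  "out", True,  lambda p: p["src"] == EXT_IP and p["proto"] in ("tcp", "udp", "icmp")
                                      and (p["proto"] != "tcp" or p["syn"])),
    ("block", "out", True,  lambda p: True),                         # catch rule
]

def evaluate(p):
    """Last matching rule wins unless a matching rule is 'quick', which ends evaluation."""
    decision = ("pass", None)      # pf's default when nothing matches
    for i, (action, direction, quick, cond) in enumerate(RULES):
        if direction in (None, p["dir"]) and cond(p):
            decision = (action, i)
            if quick:
                break
    return decision
```

`evaluate` returns the action and the index of the deciding rule, which is the same information `tcpdump -n -e -ttt -i pflog0` shows for logged packets on the real system.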


More information about the freebsd-questions mailing list