From nobody Tue Jul 15 16:19:19 2025
Date: Tue, 15 Jul 2025 17:19:19 +0100
From: Polarian
To: questions@freebsd.org
Subject: Fw: Stateful packets being dropped by pf?
Message-ID: <20250715171919.37040dc4@Hydrogen>
X-Mailer: Claws Mail 3.21.0 (GTK+ 2.24.33; amd64-portbld-freebsd14.2)
List-Id: User questions
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

Good evening,

Below is a forward of an email I sent to the pf mailing list almost 3 months ago now. I am not sure if it has just been lost in the backlog or whether there is simply nobody subscribed to the mailing list there to receive it.

In any case, as this mailing list is more active, and a pf question is still on topic for this list, I have forwarded it here in the hope that someone knows how to fix this issue.

Thank you!

Begin forwarded message:

Date: Thu, 24 Apr 2025 13:50:42 +0100 (BST)
From: Polarian
To: freebsd-pf@freebsd.org
Subject: Stateful packets being dropped by pf?
Good afternoon,

So, some brief background on the issue: I have a vnet jail, one epair if within the jail and the other on the host, and the setup is being routed with pf.

My host is typically "always on VPN", as it is my laptop and I tunnel all packets home, but it also acts as wifi hardening at home too, seeing as I am using EOL APs which are not secure in the slightest.

When wireguard is disabled (and I have removed my pf rules to block all non-VPN packets leaving wlan0), packets pass to and from the jail just fine. The way I am testing this is by using pkg -j on the host to fetch the pkg index from the FreeBSD servers, because weirdly enough ICMP passes just fine with both wg and no-wg.

When wireguard is enabled, the TCP packet leaves via wg0 (NAT'd) and hits the router, which it then leaves via the WAN if; the WAN if then receives a response, which is passed back via the wg if, but on my laptop (the host) it is dropped by pf (verified by logging block all to pflog).

I have discussed this on IRC. At first I assumed I was making a stupid mistake, but the problem seems to be more complex, hence I have brought it to the ML.

From the debugging (see bottom of email) it appears to be a state issue; as far as I am aware, pf will never be called within the network stack if the packet is stateful, it is passed immediately. So if this packet is stateful, like it is with wlan0, it passes without being blocked by the default "block all" rule.

Any ideas on what is wrong?

Thank you.
pf.conf:

# Interface macros
lbmk_if="lbmk0"
eth_if="em0"
wifi_if="wlan0"
wg_if="wg0"

# Network macros
#lbmk_net=$lbmk_if:network
lbmk_net="192.168.254.1/24"

# NAT traffic from lbmk jail
nat on $wifi_if from $lbmk_net to any -> ($wifi_if)
nat on $wg_if from $lbmk_net to any -> ($wg_if)

# Antispoof
antispoof quick for { $lbmk_if, $eth_if, $wifi_if, $wg_if }

# Block all incoming packets by default
block log all

# Ignore loopback traffic
set skip on lo

# Block all packets from lbmk jail to host
block quick from $lbmk_net to { ($lbmk_if), ($eth_if), ($wifi_if), ($wg_if) }

# Pass on traffic from lbmk, do not permit it to the host
pass from $lbmk_net to any
pass out on { $wifi_if, $wg_if }

netstat -rn:

Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          link#5             US          wg0
default            192.168.2.1        UGS       wlan0
(omitted)          192.168.2.1        UGHS      wlan0
127.0.0.1          link#2             UH          lo0
128.0.0.0/1        link#5             US          wg0
192.168.2.0/24     link#3             U         wlan0
192.168.2.53       link#2             UHS         lo0
192.168.4.2        link#2             UH          lo0
192.168.254.0/24   link#6             U         lbmk0
192.168.254.1      link#2             UHS         lo0

(omitted) is the public IP, I would rather not include this on the ML, although it is somewhat public already.

ifconfig:

em0: flags=8843 metric 0 mtu 1500
        options=4e524bb
        ether ba:c6:15:91:0f:09
        media: Ethernet autoselect
        status: no carrier
        nd6 options=29
lo0: flags=1008049 metric 0 mtu 16384
        options=680003
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        groups: lo
        nd6 options=21
wlan0: flags=8843 metric 0 mtu 1500
        options=0
        ether
        inet 192.168.2.53 netmask 0xffffff00 broadcast 192.168.2.255
        groups: wlan
        ssid ...
        parent interface: iwn0
        media: IEEE 802.11 Wireless Ethernet MCS mode 11ng
        status: associated
        nd6 options=29
pflog0: flags=1000141 metric 0 mtu 33152
        options=0
        groups: pflog
wg0: flags=10080c1 metric 0 mtu 1420
        options=80000
        inet 192.168.4.2 netmask 0xffffffff
        groups: wg
        nd6 options=109
lbmk0: flags=1008843 metric 0 mtu 1500
        options=8
        ether 02:9a:ab:73:39:0a
        inet 192.168.254.1 netmask 0xffffff00 broadcast 192.168.254.255
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T )
        status: active
        nd6 options=29

tcpdump -lnei pflog0:

13:38:57.739879 rule 6/0(match): block in on wg0: 85.30.190.140.443 > 192.168.4.2.62185: Flags [.], seq 3871801137:3871802505, ack 28561907, win 1044, options [nop,nop,TS val 3930415865 ecr 416616883], length 1368
13:38:57.739894 rule 6/0(match): block in on wg0: 85.30.190.140 > 192.168.4.2: ip-proto-6
13:38:58.025984 rule 6/0(match): block in on wg0: 85.30.190.140.443 > 192.168.4.2.62185: Flags [.], seq 0:1368, ack 1, win 1044, options [nop,nop,TS val 3930416151 ecr 416616912], length 1368

pfctl -vvs rules:

@0 block drop in quick on ! wg0 inet from 192.168.4.2 to any
  [ Evaluations: 31        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 75508 State Creations: 0     ]
  [ Last Active Time: N/A ]
@1 block drop in quick inet from 192.168.4.2 to any
  [ Evaluations: 27        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 75508 State Creations: 0     ]
  [ Last Active Time: N/A ]
@2 block drop in quick on ! lbmk0 inet from 192.168.254.0/24 to any
  [ Evaluations: 24        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 75508 State Creations: 0     ]
  [ Last Active Time: N/A ]
@3 block drop in quick inet from 192.168.254.1 to any
  [ Evaluations: 24        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 75508 State Creations: 0     ]
  [ Last Active Time: N/A ]
@4 block drop in quick on ! wlan0 inet from 192.168.2.0/24 to any
  [ Evaluations: 24        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 75508 State Creations: 0     ]
  [ Last Active Time: N/A ]
@5 block drop in quick inet from 192.168.2.53 to any
  [ Evaluations: 24        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 75508 State Creations: 0     ]
  [ Last Active Time: N/A ]
@6 block drop log all
  [ Evaluations: 31        Packets: 20        Bytes: 15120       States: 0     ]
  [ Inserted: uid 0 pid 75508 State Creations: 0     ]
  [ Last Active Time: Thu Apr 24 13:39:41 2025 ]
@7 block drop quick inet from 192.168.254.0/24 to (lbmk0:1)
  [ Evaluations: 31        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 75508 State Creations: 0     ]
  [ Last Active Time: N/A ]
@8 block drop quick inet from 192.168.254.0/24 to (em0:*)
  [ Evaluations: 4         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 75508 State Creations: 0     ]
  [ Last Active Time: N/A ]
@9 block drop quick inet from 192.168.254.0/24 to (wlan0:1)
  [ Evaluations: 4         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 75508 State Creations: 0     ]
  [ Last Active Time: N/A ]
@10 block drop quick inet from 192.168.254.0/24 to (wg0:1)
  [ Evaluations: 4         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 75508 State Creations: 0     ]
  [ Last Active Time: N/A ]
@11 pass out on wlan0 all flags S/SA keep state
  [ Evaluations: 31        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 75508 State Creations: 0     ]
  [ Last Active Time: N/A ]
@12 pass out on wg0 all flags S/SA keep state
  [ Evaluations: 31        Packets: 41        Bytes: 16855       States: 1     ]
  [ Inserted: uid 0 pid 75508 State Creations: 7     ]
  [ Last Active Time: Thu Apr 24 13:38:59 2025 ]
@13 pass inet from 192.168.254.0/24 to any flags S/SA keep state
  [ Evaluations: 31        Packets: 16        Bytes: 2635        States: 1     ]
  [ Inserted: uid 0 pid 75508 State Creations: 4     ]
  [ Last Active Time: Thu Apr 24 13:38:59 2025 ]

pfctl -vvs states:

all tcp 85.30.190.140:443 <- 192.168.254.2:16542       FIN_WAIT_2:FIN_WAIT_2
   [1857673068 + 1291518208] wscale 6  [1348382370 + 327936] wscale 6
   age 00:00:45, expires in 00:01:15, 6:4 pkts, 873:1258 bytes, rule 13
   id: fd000a6800000000 creatorid: 4bf1244b origif: lbmk0
all tcp 192.168.4.2:65270 (192.168.254.2:16542) -> 85.30.190.140:443       FIN_WAIT_2:FIN_WAIT_2
   [1348382370 + 327936] wscale 6  [1857673068 + 1291518208] wscale 6
   age 00:00:45, expires in 00:01:15, 6:4 pkts, 873:1258 bytes, rule 12
   id: fe000a6800000000 creatorid: 4bf1244b origif: wg0
all tcp 85.30.190.140:443 <- 192.168.254.2:63806       ESTABLISHED:ESTABLISHED
   [3980477677 + 1325138176] wscale 6  [3870501212 + 327936] wscale 6
   age 00:00:15, expires in 23:59:45, 4:2 pkts, 745:1153 bytes, rule 13
   id: ff000a6800000000 creatorid: 4bf1244b origif: lbmk0

Polarian
Jabber/XMPP: polarian@icebound.dev

-- 
Polarian
Jabber/XMPP: polarian@icebound.dev
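The post's reasoning hinges on whether the blocked reply packets on wg0 fit any entry in the state table. The following script is an added example, not part of the original thread or of pf itself: it parses the `tcpdump -lnei pflog0` lines and the `pfctl -vvs states` entries quoted above (embedded here as constructed sample input, copied from the post and flattened to one state per line) and reports, for each blocked packet, whether a state exists whose wire-side 5-tuple it matches in either direction. It assumes IPv4 and the tcpdump/pfctl output formats shown in the post; the `ip-proto-6` line, which tcpdump prints when a packet carries no transport header, is treated as a non-initial IP fragment and matched on addresses only, since it has no ports to key a state lookup. Whether pf reassembles fragments before the state lookup depends on `scrub`/`set reassemble` settings the post does not show.

```python
"""Triage pf block log entries against the pf state table (added example)."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample input, copied from the post (tcpdump -lnei pflog0).
PFLOG_SAMPLE = """\
13:38:57.739879 rule 6/0(match): block in on wg0: 85.30.190.140.443 > 192.168.4.2.62185: Flags [.], seq 3871801137:3871802505, ack 28561907, win 1044, options [nop,nop,TS val 3930415865 ecr 416616883], length 1368
13:38:57.739894 rule 6/0(match): block in on wg0: 85.30.190.140 > 192.168.4.2: ip-proto-6
13:38:58.025984 rule 6/0(match): block in on wg0: 85.30.190.140.443 > 192.168.4.2.62185: Flags [.], seq 0:1368, ack 1, win 1044, options [nop,nop,TS val 3930416151 ecr 416616912], length 1368
"""

# Constructed sample input, copied from the post (pfctl -vvs states), one state per line.
STATES_SAMPLE = """\
all tcp 85.30.190.140:443 <- 192.168.254.2:16542 FIN_WAIT_2:FIN_WAIT_2 [1857673068 + 1291518208] wscale 6 [1348382370 + 327936] wscale 6 age 00:00:45, expires in 00:01:15, 6:4 pkts, 873:1258 bytes, rule 13 id: fd000a6800000000 creatorid: 4bf1244b origif: lbmk0
all tcp 192.168.4.2:65270 (192.168.254.2:16542) -> 85.30.190.140:443 FIN_WAIT_2:FIN_WAIT_2 [1348382370 + 327936] wscale 6 [1857673068 + 1291518208] wscale 6 age 00:00:45, expires in 00:01:15, 6:4 pkts, 873:1258 bytes, rule 12 id: fe000a6800000000 creatorid: 4bf1244b origif: wg0
all tcp 85.30.190.140:443 <- 192.168.254.2:63806 ESTABLISHED:ESTABLISHED [3980477677 + 1325138176] wscale 6 [3870501212 + 327936] wscale 6 age 00:00:15, expires in 23:59:45, 4:2 pkts, 745:1153 bytes, rule 13 id: ff000a6800000000 creatorid: 4bf1244b origif: lbmk0
"""

IPPROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

PFLOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/\d+\(match\): (?P<action>\w+) (?P<dir>in|out) "
    r"on (?P<ifname>\w+): (?P<src>\S+) > (?P<dst>[^:]+): (?P<rest>.*)$"
)
# "all tcp A:p [(pre-NAT:p)] <- B:p STATE ... rule N ... origif: IF"
STATE_RE = re.compile(
    r"^all (?P<proto>\w+) (?P<a>[\d.]+:\d+)(?: \((?P<orig>[\d.]+:\d+)\))? "
    r"(?P<arrow><-|->) (?P<b>[\d.]+:\d+) \S+ .*?rule (?P<rule>\d+) .*?origif: (?P<origif>\w+)"
)

Endpoint = Tuple[str, Optional[int]]  # (address, port); port is None for fragments


@dataclass(frozen=True)
class Packet:
    ts: str
    rule: int
    action: str
    direction: str
    ifname: str
    proto: str
    src: Endpoint
    dst: Endpoint
    fragment: bool


@dataclass(frozen=True)
class State:
    proto: str
    wire_src: Endpoint  # initiator as seen on origif (post-NAT for "->" states)
    wire_dst: Endpoint
    rule: int
    origif: str


@dataclass(frozen=True)
class Finding:
    packet: Packet
    matching: Tuple[State, ...]      # same protocol and 5-tuple, either direction
    address_only: Tuple[State, ...]  # fragments only: same protocol and address pair


def _tcpdump_endpoint(text: str) -> Endpoint:
    # tcpdump -n appends the port as a fifth dotted component (1.2.3.4.443); IPv4 only here
    parts = text.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    if len(parts) == 4:
        return text, None
    raise ValueError(f"unsupported endpoint (IPv4 only): {text}")


def _state_endpoint(text: str) -> Endpoint:
    host, port = text.rsplit(":", 1)
    return host, int(port)


def _fmt(ep: Endpoint) -> str:
    return ep[0] if ep[1] is None else f"{ep[0]}:{ep[1]}"


def parse_pflog(text: str):
    packets = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if not m:
            continue
        rest = m["rest"]
        frag = re.match(r"ip-proto-(\d+)", rest)
        if frag:  # no transport header in this packet: a non-initial fragment
            proto, fragment = IPPROTO_NAMES.get(int(frag[1]), frag[0]), True
        elif rest.startswith("Flags"):
            proto, fragment = "tcp", False
        elif rest.startswith("UDP"):
            proto, fragment = "udp", False
        else:
            proto, fragment = "other", False
        packets.append(Packet(m["ts"], int(m["rule"]), m["action"], m["dir"], m["ifname"], proto,
                              _tcpdump_endpoint(m["src"]), _tcpdump_endpoint(m["dst"]), fragment))
    return packets


def parse_states(text: str):
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        a, b = _state_endpoint(m["a"]), _state_endpoint(m["b"])
        # pfctl prints inbound states as "dst <- src" and outbound as "src -> dst"; the
        # parenthesised pre-NAT address never appears on origif, so it is not used for matching.
        src, dst = (b, a) if m["arrow"] == "<-" else (a, b)
        states.append(State(m["proto"], src, dst, int(m["rule"]), m["origif"]))
    return states


def triage(pflog_text: str, states_text: str):
    states = parse_states(states_text)
    findings = []
    for pkt in parse_pflog(pflog_text):
        same_proto = [s for s in states if s.proto == pkt.proto]
        if pkt.fragment:
            hosts = {pkt.src[0], pkt.dst[0]}
            address_only = tuple(s for s in same_proto if {s.wire_src[0], s.wire_dst[0]} == hosts)
            findings.append(Finding(pkt, (), address_only))
        else:
            matching = tuple(s for s in same_proto
                             if (s.wire_src, s.wire_dst) in ((pkt.src, pkt.dst), (pkt.dst, pkt.src)))
            findings.append(Finding(pkt, matching, ()))
    return findings


def describe(f: Finding) -> str:
    p = f.packet
    head = f"{p.ts} {p.action} {p.direction} on {p.ifname} rule {p.rule}: {_fmt(p.src)} > {_fmt(p.dst)}"
    if p.fragment:
        return (f"{head}: non-initial fragment, no ports to key a state lookup; "
                f"{len(f.address_only)} state(s) between these addresses")
    if f.matching:
        return head + ": fits state(s) " + ", ".join(f"rule {s.rule} on {s.origif}" for s in f.matching)
    return head + ": no state with this 5-tuple in either direction"


if __name__ == "__main__":
    for finding in triage(PFLOG_SAMPLE, STATES_SAMPLE):
        print(describe(finding))
```

Run over the posted data, the two TCP segments to port 62185 fit none of the three listed states (the only wg0 state uses source port 65270, and the two lbmk0 states are keyed on the jail's untranslated 192.168.254.2 address), and the middle line is a fragment with no ports at all. That is consistent with the `block log all` hits, but it says nothing about why no state for port 62185 is present when the packets arrive; that is what the thread is asking.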