pf dropping packets despite pass all rule
Tilman Linneweh
arved at arved.at
Thu Jul 31 17:38:09 UTC 2008
* Max Laier [2008-07-31 18:27]:
> > LAN -> Router with PF <- gif tunnel with IPSEC -> Server
> >
> > The router is running FreeBSD 7.0. Protocol is IPv6. ping6 works,
> > but TCPv6 from LAN to Server does not work, unless I disable PF.
> >
> > Excerpt from pf.conf:
> > pass in quick on gif0 all keep state
> > pass out quick on gif0 all keep state
> >
> > pflog0 contains some strange packets:
> > http://arved.priv.at/~arved/strangepackets.pcap
>
> That dump is useless, please cap with "-s0".
Hm indeed, sorry, http://arved.priv.at/~arved/strangepackets2.pcap
> > IPSEC_FILTERTUNNEL does not make a difference.
> >
> > I don't understand why pf is dropping something on gif0. And I can't decode
> > what kind of packets these are, and why they are necessary for TCPv6.
> >
> > Any ideas?
>
> I'd suspect ip-options. Try allow-opts and check "pfctl -si". If you really
> want to trust gif0 completely, you could simply add "skip on gif0" and pf will
> not mess with it at all.
>
Ok, allow-opts does not change anything. skip on gif0 works.
pfctl -si confirms that there are packets blocked.
Status: Enabled for 0 days 02:37:07           Debug: Urgent

Interface Stats for gif0              IPv4             IPv6
  Bytes In                               0           261859
  Bytes Out                              0           207299
  Packets In
    Passed                               0             2347
    Blocked                              0               90
  Packets Out
    Passed                               0             2185
    Blocked                              0                0

State Table                          Total             Rate
  current entries                       31
  searches                           44046            4.7/s
  inserts                             2768            0.3/s
  removals                            2737            0.3/s
Counters
  match                              13425            1.4/s
  bad-offset                             0            0.0/s
  [...rest is all zeros]
...and later:
Status: Enabled for 0 days 02:37:21           Debug: Urgent

Interface Stats for gif0              IPv4             IPv6
  Bytes In                               0           263327
  Bytes Out                              0           208711
  Packets In
    Passed                               0             2356
    Blocked                              0               96
  Packets Out
    Passed                               0             2197
    Blocked                              0                0

State Table                          Total             Rate
  current entries                       30
  searches                           44128            4.7/s
  inserts                             2772            0.3/s
  removals                            2742            0.3/s
Counters
  match                              13451            1.4/s
  bad-offset                             0            0.0/s
So yeah, thanks for the "skip on" hint, I can do the filtering on the
non-gif interfaces, but I still would like to know what's going on, and
why these packets are blocked.
regards
arved
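Added example, not part of the thread or of pf itself: a small Python parser that diffs two "pfctl -si" snapshots the way the post above does by hand, so the counter that is still growing (Packets In / Blocked / IPv6 on gif0) can be read off directly instead of comparing numbers by eye. The two snapshots are constructed from the figures quoted above; the column layout is assumed to follow pf's text output.

```python
import re
# Constructed from the two pfctl -si snapshots quoted above (gif0, 14 s apart),
# trimmed to the packet counters; the column layout follows pf's text output.
SNAP_BEFORE = """\
Interface Stats for gif0              IPv4             IPv6
  Packets In
    Passed                               0             2347
    Blocked                              0               90
  Packets Out
    Passed                               0             2185
    Blocked                              0                0
"""
SNAP_AFTER = """\
Interface Stats for gif0              IPv4             IPv6
  Packets In
    Passed                               0             2356
    Blocked                              0               96
  Packets Out
    Passed                               0             2197
    Blocked                              0                0
"""

def parse_iface_stats(text):
    """Map 'Packets In Blocked' etc. to {'IPv4': n, 'IPv6': n} from pfctl -si output."""
    stats, direction = {}, None
    block = text.split("Interface Stats for", 1)[1]   # ignore Status: line etc. before it
    for line in block.splitlines()[1:]:                # [0] is the header line itself
        if not line.strip(): continue
        if not line.startswith(" "): break             # next top-level section: done
        m = re.match(r"\s+(Packets In|Packets Out)\s*$", line)
        if m:
            direction = m.group(1); continue
        m = re.match(r"\s+([A-Za-z ]+?)\s+(\d+)\s+(\d+)\s*$", line)
        if m:
            name, v4, v6 = m.groups()
            key = f"{direction} {name}" if name in ("Passed", "Blocked") else name
            stats[key] = {"IPv4": int(v4), "IPv6": int(v6)}
    return stats

def counter_growth(before_text, after_text, match="Blocked"):
    """Counters whose name contains `match` and that grew, per address family."""
    before, after = parse_iface_stats(before_text), parse_iface_stats(after_text)
    growth = {}
    for key, fams in after.items():
        if match not in key: continue
        for fam, val in fams.items():
            diff = val - before.get(key, {}).get(fam, 0)
            if diff > 0:                                # only counters still moving
                growth.setdefault(key, {})[fam] = diff
    return growth
```

Run on the two snapshots, counter_growth() returns {'Packets In Blocked': {'IPv6': 6}}: only inbound IPv6 on gif0 is being blocked, which matches the author's reading of the output.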