pf dropping packets despite pass all rule
Max Laier
max at love2party.net
Thu Jul 31 18:03:57 UTC 2008
On Thursday 31 July 2008 19:38:01 Tilman Linneweh wrote:
> * Max Laier [2008-07-31 18:27]:
> > > LAN -> Router with PF <- gif tunnel with IPSEC -> Server
> > >
> > > The router is running FreeBSD 7.0. Protocol is IPv6. ping6 works,
> > > but TCPv6 from LAN to Server does not work, unless I disable PF.
> > >
> > > Excerpt from pf.conf:
> > > pass in quick on gif0 all keep state
> > > pass out quick on gif0 all keep state
> > >
> > > pflog0 contains some strange packets:
> > > http://arved.priv.at/~arved/strangepackets.pcap
> >
> > That dump is useless, please cap with "-s0".
>
> Hm indeed, sorry, http://arved.priv.at/~arved/strangepackets2.pcap
alright ... for some reason we are blocking the ACKs - i.e. they don't seem
to match any state (and the SYN must have gone through somehow). That can
happen for two reasons: 1) There is no state created 2) Something's wrong with
the state entry or the involved TCP stacks.
To debug this further you could enable pf debug logging (pfctl -xm) and watch
the console for state mismatches ... however ...
> > > IPSEC_FILTERTUNNEL does not make a difference.
> > >
> > > I don't understand why pf is dropping something on gif0. And I can't
> > > decode what kind of packets these are, and why they are necessary for
> > > TCPv6.
> > >
> > > Any ideas?
> >
> > I'd suspect ip-options. Try allow-opts and check "pfctl -si". If you
> > really want to trust gif0 completely, you could simply add "skip on gif0"
> > and pf will not mess with it at all.
>
> Ok, allow-opts does not change anything. skip on gif0 works.
>
> pfctl -si confirms that there are packets blocked.
> Status: Enabled for 0 days 02:37:07           Debug: Urgent
>
> Interface Stats for gif0              IPv4             IPv6
>   Bytes In                               0           261859
>   Bytes Out                              0           207299
>   Packets In
>     Passed                               0             2347
>     Blocked                              0               90
>   Packets Out
>     Passed                               0             2185
>     Blocked                              0                0
>
> State Table                          Total             Rate
>   current entries                       31
>   searches                           44046            4.7/s
>   inserts                             2768            0.3/s
>   removals                            2737            0.3/s
> Counters
>   match                              13425            1.4/s
>   bad-offset                             0            0.0/s
>   [...rest is all zeros]
>
> ...and later:
> Status: Enabled for 0 days 02:37:21           Debug: Urgent
>
> Interface Stats for gif0              IPv4             IPv6
>   Bytes In                               0           263327
>   Bytes Out                              0           208711
>   Packets In
>     Passed                               0             2356
>     Blocked                              0               96
>   Packets Out
>     Passed                               0             2197
>     Blocked                              0                0
>
> State Table                          Total             Rate
>   current entries                       30
>   searches                           44128            4.7/s
>   inserts                             2772            0.3/s
>   removals                            2742            0.3/s
> Counters
>   match                              13451            1.4/s
>   bad-offset                             0            0.0/s
... if there is no counter increase on "state-mismatch" (please double-check),
it would suggest that no state is created in the first place. Could you
provide your complete ruleset with rule numbers? (pfctl -vvvsr)
> So yeah, thanks for the "skip on" hint, I can do the filtering on the
> non-gif interfaces, but I still would like to know what's going on, and
> why these packets are blocked.
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
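The check asked for above (did "state-mismatch" move together with the blocked
counter, or did the blocks happen with no state at all?) is easy to get wrong
by eyeballing two screens of pfctl output. The script below is an added
example, not code from the thread or from pf: it flattens two `pfctl -si`
snapshots into key/value lines, prints every counter that changed, and applies
the reasoning from the reply. The function names are the example's own; the
only thing assumed is the `pfctl -si` output layout as posted. The sample
snapshots are constructed from the numbers in the thread, with the elided
Counters lines (including state-mismatch) written out as the zeros the poster
reported.

```shell
#!/bin/sh
# Added example (not from the thread or from pf). On the router:
#   pfctl -si > /tmp/pf.1; sleep 60; pfctl -si > /tmp/pf.2
#   pf_si_delta /tmp/pf.1 /tmp/pf.2      # every counter that moved
#   pf_si_diagnose /tmp/pf.1 /tmp/pf.2   # no-new-blocks | no-state | state-mismatch

# Flatten one snapshot (file named in $1) into "key value" lines. Interface
# counters use the IPv6 column, keyed by direction ("in.blocked"); State Table
# and Counters rows use the Total column, keyed by label ("counter.state-mismatch").
pf_si_flatten() {
    awk '
        /^ *Packets In/      { dir = "in";  next }
        /^ *Packets Out/     { dir = "out"; next }
        /^State Table/       { dir = ""; sec = "state";   next }
        /^Counters/          { dir = ""; sec = "counter"; next }
        /^ *Bytes (In|Out) / { printf "bytes.%s %s\n", tolower($2), $4; next }
        dir != "" && /^ *(Passed|Blocked) / { printf "%s.%s %s\n", dir, tolower($1), $3; next }
        sec != "" {
            n = NF
            if ($n ~ /\/s$/) n--                  # drop the Rate column
            if (n < 2 || $n !~ /^[0-9]+$/) next   # no numeric Total on this row
            key = $1
            for (i = 2; i < n; i++) key = key "_" $i   # e.g. "current entries"
            printf "%s.%s %s\n", sec, key, $n
        }
    ' "$1"
}

# Print "key before after delta" for each counter that changed between the
# snapshots named in $1 and $2, in first-snapshot order.
pf_si_delta() {
    { pf_si_flatten "$1"; echo "--"; pf_si_flatten "$2"; } | awk '
        $1 == "--" { second = 1; next }
        !second    { before[$1] = $2; order[++n] = $1; next }
                   { after[$1] = $2 }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if ((k in after) && after[k] != before[k])
                    printf "%s %s %s %d\n", k, before[k], after[k], after[k] - before[k]
            }
        }
    '
}

# The reply's reasoning: inbound blocks without a state-mismatch increment
# mean no state existed for those packets (check the ruleset, pfctl -vvvsr);
# blocks with state-mismatch increments mean a state exists but the packet
# does not fit it (watch the console after pfctl -xm).
pf_si_diagnose() {
    pf_si_delta "$1" "$2" | awk '
        $1 == "in.blocked"             { blocked  = $4 }
        $1 == "counter.state-mismatch" { mismatch = $4 }
        END {
            if (blocked + 0 == 0)       print "no-new-blocks"
            else if (mismatch + 0 == 0) print "no-state"
            else                        print "state-mismatch"
        }
    '
}

# Constructed snapshot in pfctl -si layout. Arguments, in order: Bytes In,
# Bytes Out, Passed In, Blocked In, Passed Out, entries, searches, inserts,
# removals, match. Rows the poster elided are the zeros they reported.
pf_si_sample() {
    cat <<EOF
Status: Enabled for 0 days 02:37:07           Debug: Urgent

Interface Stats for gif0              IPv4             IPv6
  Bytes In                               0           $1
  Bytes Out                              0           $2
  Packets In
    Passed                               0             $3
    Blocked                              0               $4
  Packets Out
    Passed                               0             $5
    Blocked                              0                0

State Table                          Total             Rate
  current entries                       $6
  searches                           $7            4.7/s
  inserts                             $8            0.3/s
  removals                            $9            0.3/s
Counters
  match                              ${10}            1.4/s
  bad-offset                             0            0.0/s
  state-mismatch                         0            0.0/s
EOF
}

# Run the diagnosis on the two snapshots from the thread (constructed data).
pf_si_selftest() {
    t=${TMPDIR:-/tmp}/pf_si.$$
    pf_si_sample 261859 207299 2347 90 2185 31 44046 2768 2737 13425 > "$t.1"
    pf_si_sample 263327 208711 2356 96 2197 30 44128 2772 2742 13451 > "$t.2"
    pf_si_diagnose "$t.1" "$t.2"
    rm -f "$t.1" "$t.2"
}
```

On the thread's numbers `pf_si_selftest` prints `no-state`: Blocked In rose by 6 while state-mismatch stayed at 0, which is the "no state is created in the first place" branch that motivates asking for the ruleset with rule numbers. The IPv4 column is ignored because the tunnel carries only IPv6 here; on a mixed interface, sum both columns or key by family.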