Pf: packets on lo0 blocked in spite of pass rule

Niek Dekker niekdekker at gmail.com
Tue Oct 28 15:36:09 UTC 2008


Hi,

I upgraded recently from 6.2 to 7.0 release p5 (i386) and I'm using pf.
After the upgrade, connection problems arose on lo0, for java > mysql
and apache > tomcat.
The network interfaces are all in the default setup.

Here is the output of pfctl -sr, with the network numbers removed.

scrub in all fragment reassemble
block drop in log all
block drop in log quick on fxp0 from <priv_nets> to any
block drop out log quick on fxp0 from any to <priv_nets>
block drop in log quick on fxp0 from <banned> to any
pass in on fxp0 inet proto tcp from any to ext_if port = smtp flags S/SA keep state
pass in on fxp0 inet proto tcp from any to ext_if port = http flags S/SA keep state
pass in on fxp0 inet proto tcp from any to ext_if port = ssh flags S/SA keep state
pass out on fxp0 proto tcp all flags S/SA keep state
pass out on fxp0 proto udp all keep state
pass on lo0 proto tcp all flags S/SA keep state
pass on lo0 proto udp all keep state
block drop in on ! fxp0 inet from ext_network/25 to any
block drop in inet from ext_if to any

Since the upgrade to 7.0, some packets on lo0 are being blocked
nevertheless. Apache httpd is connecting to Tomcat AJP on port 8009.
Some, but not all, of these packets are blocked. For example (pflog):

627926 rule 0/0(match): block in on lo0: 127.0.0.1.57243 > 127.0.0.1.8009: P 0:719(719) ack 1 win 8960 <nop,nop,timestamp 300647202 132868137>

Some of these lines also mention "[bad hdr length 0 - too short, < 20]", BUT NOT ALL of them.

The state table is far from full (78 entries).
There are some 123 'state mismatch' entries in the output of pfctl -s all.

I have set "set skip on lo0" to work around the problem, but it seems to me
there is an issue to address here. I am likely to submit a PR, unless
someone comes up with a solution.

Niek
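When triaging a report like the one above, the first thing to establish is which loopback flows are actually hitting the default block rule and how often the "bad hdr length" variant appears among them. The following is an added example, not code from the post or from FreeBSD: a small parser for the tcpdump-style pflog lines quoted in the message, with a summary of blocked flows per interface and destination port. The sample log is constructed; its first line is the post's own example, the remaining lines are made up to exercise the parser (a second 8009 block carrying the "bad hdr length" note, a block towards a hypothetical MySQL port 3306, and one block on fxp0 that must not be counted as loopback traffic). The rule numbers in the constructed lines are illustrative, not taken from the poster's ruleset.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the format tcpdump prints when reading pflog.
# Line 1 is the post's example; lines 2-4 are invented to exercise the parser.
SAMPLE_PFLOG = """\
627926 rule 0/0(match): block in on lo0: 127.0.0.1.57243 > 127.0.0.1.8009: P 0:719(719) ack 1 win 8960 <nop,nop,timestamp 300647202 132868137>
627930 rule 0/0(match): block in on lo0: 127.0.0.1.57244 > 127.0.0.1.8009: [bad hdr length 0 - too short, < 20]
627935 rule 0/0(match): block in on lo0: 127.0.0.1.51001 > 127.0.0.1.3306: P 1:45(44) ack 1 win 8960
627940 rule 4/0(match): block in on fxp0: 203.0.113.9.44321 > 198.51.100.7.25: S 0:0(0) win 65535
"""

# Matches the "rule N/M(reason): action dir on iface: src.sport > dst.dport: rest"
# part of a line; whatever precedes "rule" (timestamp, delta) is ignored.
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[^)]*)\): "
    r"(?P<action>pass|block|match) (?P<dir>in|out) on (?P<iface>[^:]+): "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+):\s*(?P<rest>.*)"
)


@dataclass(frozen=True)
class PflogEntry:
    rule: int
    reason: str
    action: str
    direction: str
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    bad_header: bool  # True when tcpdump flagged a truncated TCP header


def parse_line(line: str) -> Optional[PflogEntry]:
    """Parse one pflog line; return None for lines that are not pf match records."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return PflogEntry(
        rule=int(m["rule"]),
        reason=m["reason"],
        action=m["action"],
        direction=m["dir"],
        iface=m["iface"],
        src=m["src"],
        sport=int(m["sport"]),
        dst=m["dst"],
        dport=int(m["dport"]),
        bad_header="bad hdr length" in m["rest"],
    )


def parse_pflog(text: str) -> List[PflogEntry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def summarize_blocks(entries: List[PflogEntry], iface: Optional[str] = None):
    """Count blocked packets per (iface, dst, dport), and how many of those
    carried the 'bad hdr length' note. Optionally restrict to one interface."""
    counts: Counter = Counter()
    bad: Counter = Counter()
    for e in entries:
        if e.action != "block":
            continue
        if iface is not None and e.iface != iface:
            continue
        key = (e.iface, e.dst, e.dport)
        counts[key] += 1
        if e.bad_header:
            bad[key] += 1
    return counts, bad


if __name__ == "__main__":
    entries = parse_pflog(SAMPLE_PFLOG)
    counts, bad = summarize_blocks(entries, iface="lo0")
    for (ifc, dst, port), n in counts.most_common():
        print(f"{ifc} -> {dst}:{port}: {n} blocked, {bad[(ifc, dst, port)]} with bad hdr length")
```

On a live system the same parser can be fed `tcpdump -n -e -ttt -r /var/log/pflog` output; grouping by destination port is what separates "the AJP connector is affected" from "every loopback flow is affected", and the bad-header count tells you how much of the loss is the truncated-header variant the poster mentions versus ordinary state mismatches.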