PF suddenly malfunctioned

jmattax at clanspum.net
Sun Jul 22 23:49:08 UTC 2012


A few weeks ago (I've been trying to debug it myself since then) my pf
firewall stopped working fully correctly. The symptom is that I can no longer
access a variety of websites when I'm behind the firewall. I have verified
that I can access all of the affected websites from outside my firewall. I
have since stripped down my firewall (and general home server) so that it is
no longer running named, sshguard or any useful firewalling rules in an
attempt to figure out what was broken but have been unable to do so.

Attached are my current /etc/pf.conf and /etc/rc.conf. To ensure that these
are the configurations being used, as of my last test I restarted the system
and am still getting the same behavior. This behavior started sometime around
a storm at my house, but since the firewall can see the websites that the
computers behind it can't, I don't believe the hardware is an issue.

Also, some websites (like anything google hosts) are just fine.

Also, so people can see what my kernel thinks, I've attached the output of a
couple of commands below:

[root@ ~]# pfctl -s rules
No ALTQ support in kernel
ALTQ related functions disabled
pass in quick all flags S/SA keep state
pass out quick all flags S/SA keep state
[root@ ~]# pfctl -s nat
No ALTQ support in kernel
ALTQ related functions disabled
nat on xl0 inet from 10.11.10.0/24 to any -> 192.168.0.200
[root@stilgar ~]# ifconfig
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
        ether 90:e6:ba:60:9a:33
        inet 10.11.10.1 netmask 0xffffff00 broadcast 10.11.10.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=82009<RXCSUM,VLAN_MTU,WOL_MAGIC,LINKSTATE>
        ether 00:01:03:d1:fa:90
        inet 192.168.0.200 netmask 0xffffff00 broadcast 192.168.0.255
        media: Ethernet autoselect (100baseTX <full-duplex,flowcontrol,rxpause,txpause>)
        status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33152

I would be very appreciative of any suggestions anyone can offer.

     Jason Mattax
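As an added example (not from the post, and not a FreeBSD or pf tool), a small cross-check of the NAT rule against the interface addresses quoted above: it parses `pfctl -s nat` and `ifconfig` output (the sample text below is constructed from the post) and reports if the translation address is not configured on the external interface, or if no internal interface has an address inside the translated source network.

```python
import ipaddress
import re

# Sample input constructed from the pfctl and ifconfig output in the post.
PFCTL_NAT = """No ALTQ support in kernel
ALTQ related functions disabled
nat on xl0 inet from 10.11.10.0/24 to any -> 192.168.0.200
"""
IFCONFIG = """re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.11.10.1 netmask 0xffffff00 broadcast 10.11.10.255
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.0.200 netmask 0xffffff00 broadcast 192.168.0.255
"""

NAT_RE = re.compile(r"^nat on (\S+) inet from (\S+) to (\S+) -> (\S+)")
IFACE_RE = re.compile(r"^(\w+): flags=")
INET_RE = re.compile(r"^\s+inet (\S+) netmask (0x[0-9a-fA-F]+)")


def parse_ifconfig(text):
    """Map interface name -> list of IPv4 interface objects (address/netmask)."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur = m.group(1)
            ifaces.setdefault(cur, [])
            continue
        m = INET_RE.match(line)
        if m and cur:
            mask = ipaddress.IPv4Address(int(m.group(2), 16))  # 0xffffff00 -> 255.255.255.0
            ifaces[cur].append(ipaddress.ip_interface(f"{m.group(1)}/{mask}"))
    return ifaces


def check_nat(nat_text, ifconfig_text):
    """Return a list of inconsistencies between nat rules and interface addresses."""
    ifaces = parse_ifconfig(ifconfig_text)
    findings = []
    for line in nat_text.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue  # skip the ALTQ notices and anything that is not a nat rule
        ext_if, src, _dst, trans = m.groups()
        src_net = ipaddress.ip_network(src, strict=False)
        if ext_if not in ifaces:
            findings.append(f"{ext_if}: interface not present")
            continue
        if ipaddress.ip_address(trans) not in [i.ip for i in ifaces[ext_if]]:
            findings.append(f"{ext_if}: translation address {trans} not configured on it")
        if not any(i.ip in src_net for n, a in ifaces.items() if n != ext_if for i in a):
            findings.append(f"no internal interface has an address in {src}")
    return findings
```

For the configuration in the post the check returns no findings, which only confirms the NAT rule matches the interfaces shown, not that the translated traffic reaches its destination.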
