pf stuck

Ermal Luçi eri at freebsd.org
Mon Sep 29 18:21:24 UTC 2014


It is probably better to ask this on freebsd-pf at .

Though this sounds like the state limit was reached.

On Mon, Sep 29, 2014 at 7:32 PM, Andrea Venturoli <ml at netfence.it> wrote:

> Hello.
>
> Today a box of mine (8.4p16/amd64) stopped working as a router; I don't
> have a clear picture, but the internal nets were working perfectly, while
> the external interfaces lagged, dropped connections or stopped packets from
> passing.
>
> The box is running pf (for handling multiple Internet lines) + ipfw (for
> firewalling).
> I tried a simple telnet xxx:80 and this is what I observed:
> _ tcpdump would see packets going out and replies coming in;
> _ an early ipfw allow rule with setup keep-state would see no packet going
> out and would not create any dynamic rule.
>
> This led me to look into pf...
> "/etc/rc.d/pf restart" did not solve.
> "/etc/rc.d/pf stop ; /etc/rc.d/pf start" did!
>
>
>
> These are my pf rules:
>
>> pass out quick inet from 192.168.x.0/24 to 192.168.y.0/24 no state
>> pass out quick inet from 192.168.x.0/24 to 192.168.z.0/24 no state
>> pass out log quick route-to (vlan3 192.168.x.x) inet from 192.168.x.0/24
>> to ! 192.168.x.0/24 no state
>> pass out quick inet from a.b.c.d/29 to 192.168.y.0/24 no state
>> pass out quick inet from a.b.c.d/29 to 192.168.z.0/24 no state
>> pass out log quick route-to (vlan1 a.b.c.e) inet from a.b.c.d/29 to !
>> a.b.c.d/29 no state
>> pass out quick inet from i.j.k.l/29 to 192.168.z.0/24 no state
>> pass out quick inet from i.j.k.l/29 to 192.168.z.0/24 no state
>> pass out log quick route-to (vlan2 i.j.k.m) inet from i.j.k.l/29 to !
>> i.j.k.l/29 no state
>>
>
> These rules are working fine, but have hanged already twice in two weeks
> (once on this box, once on an almost identical one).
>
>
>
> Is there any known problem wrt running pf? pf+ipfw? pf on 8.4?
> Any hint on how to search for what's wrong?
>
>
>
>  bye & Thanks
>         av.
>
> P.S. Please, forgive me, but I'm quite noob with pf.
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>



-- 
Ermal
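To check the state-limit hypothesis Ermal raises, here is an added example that is not part of the thread: a POSIX sh script that parses `pfctl -si` and `pfctl -sm` output (constructed sample output is embedded so it runs offline) and reports state-table utilisation and whether pf has already counted packets dropped for lack of state room.

```shell
#!/bin/sh
# Added example (not from the thread): check whether pf's state table is
# near or over its hard limit, the condition Ermal suggests above.
# Constructed `pfctl -si` output, trimmed to the rows this script parses.
SAMPLE_SI='State Table                          Total             Rate
  current entries                     9950
Counters
  match                            4400000            4.2/s
  memory                              1204            0.0/s
  state-limit                            0            0.0/s'
# Constructed `pfctl -sm` output.
SAMPLE_SM='states        hard limit    10000
src-nodes     hard limit    10000
table-entries hard limit   200000'

# Value of a single-word counter row ($2) in `pfctl -si` text ($1).
si_counter() {
    printf '%s\n' "$1" | awk -v key="$2" '$1 == key { print $2; exit }'
}

# "current entries" row of the State Table section.
si_current_states() {
    printf '%s\n' "$1" | awk '$1 == "current" && $2 == "entries" { print $3; exit }'
}

# Hard limit for states from `pfctl -sm` text ($1).
sm_state_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" { print $NF; exit }'
}

# State-table utilisation in whole percent.
state_usage_pct() {
    cur=$(si_current_states "$1"); lim=$(sm_state_limit "$2")
    echo $(( cur * 100 / lim ))
}

# "drops" if pf already counted packets dropped for lack of state room
# (memory / state-limit counters), "near-limit" at >= 90%, else "ok".
state_verdict() {
    pct=$(state_usage_pct "$1" "$2")
    mem=$(si_counter "$1" memory); slim=$(si_counter "$1" state-limit)
    if [ "${mem:-0}" -gt 0 ] || [ "${slim:-0}" -gt 0 ]; then echo drops
    elif [ "$pct" -ge 90 ]; then echo near-limit
    else echo ok; fi
}

# On a live box: state_verdict "$(pfctl -si)" "$(pfctl -sm)"
echo "states at $(state_usage_pct "$SAMPLE_SI" "$SAMPLE_SM")%: $(state_verdict "$SAMPLE_SI" "$SAMPLE_SM")"
```

A non-zero `memory` or `state-limit` counter means pf has already refused to create states, which matches the symptom of packets being seen by tcpdump but never establishing a connection; the hard limit itself is raised with `set limit states` in pf.conf.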

