FreeBSD 10 + ipfilter problems with the stateful rules
Roman Serbski
mefystofel at gmail.com
Tue Aug 19 16:07:07 UTC 2014
Hello,
#uname -a
FreeBSD freebsd-tmpl 10.0-STABLE FreeBSD 10.0-STABLE #0 r270138: Tue Aug 19 15:33:27 CEST 2014 root at freebsd-tmpl:/usr/obj/usr/src/sys/BSDTMPL2014081902 amd64
The kernel was compiled with:
options IPFILTER
options IPFILTER_LOG
options IPFILTER_LOOKUP
options IPFILTER_DEFAULT_BLOCK
Here is the ipfilter ruleset:
# ipfstat -in
@1 pass in quick on lo0 from any to any
@2 block in quick on vmx0 from any to any with frag
@3 block in quick on vmx0 proto tcp from any to any with short
@4 block in quick on vmx0 inet from any to any with opt lsrr
@5 block in quick on vmx0 inet from any to any with opt ssrr
@6 block in log first quick on vmx0 proto tcp from any to any flags FPU/FSRPAU
@7 block in quick on vmx0 from any to any with ipopts
@8 pass in quick on vmx0 inet proto tcp from 192.168.60.0/24 to 192.168.60.1/32 port = ssh flags S/FSRPAU keep state
@9 pass in quick on vmx0 inet proto icmp from 192.168.60.0/24 to 192.168.60.1/32 icmp-type echo keep state
@10 block in log quick on vmx0 all
# ipfstat -on
@1 pass out quick on lo0 from any to any
@2 pass out quick on vmx0 proto tcp from any to any port = domain flags S/FSRPAU keep state
@3 pass out quick on vmx0 proto udp from any to any port = domain keep state
@4 pass out quick on vmx0 proto udp from any to any port = ntp keep state
@5 pass out quick on vmx0 inet proto icmp from any to any icmp-type echo keep state
@6 block out log quick on vmx0 all
I can ssh to the box (.1) from 192.168.60.0/24 but there is a noticeable
delay (couple of seconds) if I run tail or less on any log file. At the
same time, I see the following blocked from the ipfilter logs:
Aug 19 17:37:26 freebsd-tmpl ipmon[410]: 17:37:26.817761 vmx0 @0:12 b 192.168.60.1,22 -> 192.168.60.21,64962 PR tcp len 20 1532 -AP OUT bad
Aug 19 17:37:26 freebsd-tmpl ipmon[410]: 17:37:26.817966 vmx0 @0:12 b 192.168.60.1,22 -> 192.168.60.21,64962 PR tcp len 20 1616 -AP OUT bad
If I add a rule allowing all traffic from .1 to 192.168.60.0/24 everything
is working fine, so I get an impression something is wrong with "flags
S/FSRPAU keep state".
Any hints would be greatly appreciated!
PS: I don't know whether it'll help, but this is a VMXNET3 adapter, so I
googled to disable RXCSUM and TXCSUM; however, it didn't help.
# ifconfig -m
vmx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=39b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,TSO6>
capabilities=61079b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWFILTER,RXCSUM_IPV6,TXCSUM_IPV6>
ether 00:50:56:8a:17:21
inet 192.168.60.1 netmask 0xffffff00 broadcast 192.168.60.255
media: Ethernet autoselect
status: active
supported media:
media autoselect
Thank you very much.
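The ipmon lines quoted in the post are the main evidence, so a small parser for that log format is a useful first step when chasing a stateful-rule problem like this one. The following is an added example, not code from the original post or from FreeBSD: it parses ipmon lines into records, then picks out blocked outbound TCP packets that carry ACK and originate from a locally served port (here, ssh on 22), which is exactly the traffic a "keep state" rule on the inbound side is expected to cover. It also notes when a blocked packet is longer than the interface MTU, since the two quoted packets (1532 and 1616 bytes) exceed the 1500-byte mtu shown in the ifconfig output, which is worth checking on an interface with TSO4 enabled. The third log line in the sample, the served-port set and the mtu argument are assumptions added for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample input: the first two lines are the ipmon entries quoted in the
# post (re-joined onto single lines); the third is a made-up blocked inbound SYN so
# that the filter below has something to ignore.
SAMPLE_LOG = """\
Aug 19 17:37:26 freebsd-tmpl ipmon[410]: 17:37:26.817761 vmx0 @0:12 b 192.168.60.1,22 -> 192.168.60.21,64962 PR tcp len 20 1532 -AP OUT bad
Aug 19 17:37:26 freebsd-tmpl ipmon[410]: 17:37:26.817966 vmx0 @0:12 b 192.168.60.1,22 -> 192.168.60.21,64962 PR tcp len 20 1616 -AP OUT bad
Aug 19 17:37:27 freebsd-tmpl ipmon[410]: 17:37:27.100000 vmx0 @0:10 b 10.9.8.7,40000 -> 192.168.60.1,23 PR tcp len 20 60 -S IN
"""

# Layout of an ipmon syslog line as it appears in the post:
#   <syslog date> <host> ipmon[pid]: <hh:mm:ss.usec> <iface> @group:rule <action> \
#   <src,port> -> <dst,port> PR <proto> len <hdrlen> <pktlen> [tcpflags] <IN|OUT> [markers...]
IPMON_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<hms>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"ipmon\[(?P<pid>\d+)\]: (?P<ts>[\d:.]+) (?P<iface>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>\S) "
    r"(?P<src>\S+) -> (?P<dst>\S+) PR (?P<proto>\w+) "
    r"len (?P<hlen>\d+) (?P<plen>\d+)(?P<rest>.*)$"
)


@dataclass
class IpmonRecord:
    timestamp: str      # microsecond timestamp printed by ipmon itself
    iface: str
    rule: str           # "group:rule" exactly as ipmon prints it
    action: str         # 'b' = blocked, 'p' = passed
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]
    proto: str
    pkt_len: int        # total packet length (second number after "len")
    tcp_flags: str      # e.g. "-AP"; empty for non-TCP
    direction: str      # "IN" or "OUT"
    markers: List[str]  # trailing words such as "bad"


def _split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """ipmon writes 'ip,port'; ICMP and other protocols have no port."""
    if "," in endpoint:
        ip, port = endpoint.rsplit(",", 1)
        return ip, int(port)
    return endpoint, None


def parse_ipmon_line(line: str) -> Optional[IpmonRecord]:
    """Parse one ipmon syslog line; return None for lines in another format."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = _split_endpoint(m["src"])
    dst_ip, dst_port = _split_endpoint(m["dst"])
    flags, direction, markers = "", "", []
    for tok in m["rest"].split():
        if tok in ("IN", "OUT"):
            direction = tok
        elif tok.startswith("-") and m["proto"] == "tcp" and not flags:
            flags = tok            # TCP flag summary, e.g. "-AP" or "-S"
        else:
            markers.append(tok)    # anything else ipmon appends, e.g. "bad"
    return IpmonRecord(m["ts"], m["iface"], f'{m["group"]}:{m["rule"]}', m["action"],
                       src_ip, src_port, dst_ip, dst_port, m["proto"],
                       int(m["plen"]), flags, direction, markers)


def find_blocked_established_replies(records: List[IpmonRecord], served_ports: Set[int],
                                     mtu: Optional[int] = None):
    """Blocked OUT TCP packets with ACK set, sent from a locally served port.

    These are replies inside a session that a 'keep state' pass rule on the inbound
    side should already have covered, so every hit is worth investigating. Each
    result is (src, dst, pkt_len, exceeds_mtu, markers); exceeds_mtu is False when
    no mtu is supplied.
    """
    findings = []
    for r in records:
        if r.action != "b" or r.direction != "OUT" or r.proto != "tcp":
            continue
        if r.src_port not in served_ports or "A" not in r.tcp_flags:
            continue
        oversize = mtu is not None and r.pkt_len > mtu
        findings.append((f"{r.src_ip}:{r.src_port}", f"{r.dst_ip}:{r.dst_port}",
                         r.pkt_len, oversize, tuple(r.markers)))
    return findings


if __name__ == "__main__":
    recs = [rec for rec in map(parse_ipmon_line, SAMPLE_LOG.splitlines()) if rec]
    for hit in find_blocked_established_replies(recs, {22}, mtu=1500):
        print("blocked reply:", hit)
```

Run it against a real /var/log/ipfilter.log instead of SAMPLE_LOG to see whether every blocked reply is oversize and tagged "bad", or whether ordinary-sized segments are dropped too; the two cases point at different parts of the setup (the NIC offload settings versus the rule or state-table itself).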