PF issue since 11.2-RELEASE
Kristof Provost
kp at FreeBSD.org
Sun Jan 27 15:08:59 UTC 2019
On 26 Jan 2019, at 17:00, ASV wrote:
> since I've upgraded to 11.2 (from 11.1) I've observed that anytime I
> change something on pf.conf and reload (pfctl -f /etc/pf.conf) I
> partially lose connectivity. Partially means that I still am connected
> to the server but the server cannot connect anywhere or ping anything
> (no hosts no IPs) also the jails instantly suffer from the same.
That sounds like your established connection continues (because it keeps
using the old rules), and something is wrong with the new rules.
The logical debugging steps would be:
- check the ruleset matches what you expect (pfctl -s rules)
- check the state table (pfctl -s states)
- use pflog to determine what rule causes traffic to be dropped
> The quickest fix is to revert the PF configuration to the previous one
> and reload. Everything starts working again.
>
What do you mean by ‘previous one’? Do you have two rulesets? What
are the two rulesets?
> I've been trying to find the root cause of this without success. Did I
> miss some major change on the PF port on FreeBSD? I've never seen this
> serious issue before, neither on FreeBSD nor on OpenBSD.
It’s very difficult to debug this with the extremely limited
information you’ve included.
Please post, at the very least, your pf ruleset and a full description
of what you’re doing when things break and how you recover.
Regards,
Kristof
More information about the freebsd-questions mailing list