Subtle change in pf behavior from 6.2 to 6.3-PRE
Steve Watt
steve at Watt.COM
Fri Nov 9 02:07:10 PST 2007
Greetings,
I recently upgraded my system from a 6.2-PRE from Dec '06
to 6.3-PRE as of 4 Nov.
I discovered an interesting and subtle change in the way pf
behaves between the two versions.
In the past I had the following (slightly incorrect) rule in
my pf.conf:
pass out on $ext_if proto { tcp, udp, icmp } all keep state
It seemed to do the right thing; it kept state on all
outbound traffic and allowed the return traffic.
However, with the newer pf, it appears that the desired
incantation is now
pass out on $ext_if proto tcp all flags S/SA keep state
pass out on $ext_if proto { udp, icmp } all keep state
The symptom of the problem that I noticed was that innd was
getting EPERM attempting to talk to other systems, and that
my web server couldn't be talked to by Linux browsers.
Groping around and turning on debugging on pf led me to the
(apparently) usual:
Nov 8 16:59:48 wattres kernel: pf: BAD state: TCP <some.ip.addr>:25 <some.ip.addr>:25 <some.ip.addr>:48418 [lo=2541394648 high=2541394831 win=33304 modulator=0] [lo=2408093130 high=2408126434 win=183 modulator=0] 4:4 PA seq=2541394648 ack=2408093130 len=214 ackskew=0 pkts=3:3 dir=out,fwd
Which finally led me to the hint that the flags weren't getting
stored correctly by the earlier pass rules.
Whee. Breadcrumbs for someone to google up some dark and
stormy night.
--
Steve Watt KD6GGD PP-ASEL-IA ICBM: 121W 56' 57.5" / 37N 20' 15.3"
Internet: steve @ Watt.COM Whois: SW32-ARIN
Free time? There's no such thing. It just comes in varying prices...
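As an added example (not part of the post above), here is a small Python parser for the pf "BAD state" kernel message quoted in the post, plus a per-flow counter so a firewall admin can see which service and direction a mis-stated pass rule is dropping. The log lines below are constructed with documentation IP ranges; the field layout follows the quoted 6.x message.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple

# Layout of the FreeBSD 6.x message: proto, three addr:port endpoints, two
# sequence-window blocks, pf state numbers, TCP flags, seq/ack/len, counters, direction.
_BAD_STATE = re.compile(
    r"pf: BAD state: (?P<proto>TCP|UDP|ICMP) "
    r"(?P<ep0>\S+):(?P<p0>\d+) (?P<ep1>\S+):(?P<p1>\d+) (?P<ep2>\S+):(?P<p2>\d+) "
    r"\[lo=(?P<lo1>\d+) high=(?P<hi1>\d+) win=(?P<win1>\d+) modulator=\d+\] "
    r"\[lo=(?P<lo2>\d+) high=(?P<hi2>\d+) win=(?P<win2>\d+) modulator=\d+\] "
    r"\d+:\d+ (?P<flags>\S+) seq=(?P<seq>\d+) ack=(?P<ack>\d+) len=(?P<len>\d+) "
    r"ackskew=-?\d+ pkts=\d+:\d+ dir=(?P<dir>in|out),(?:fwd|rev)"
)

@dataclass(frozen=True)
class BadState:
    proto: str
    direction: str
    flags: str
    endpoints: Tuple[Tuple[str, int], ...]   # the three addr:port pairs pf prints
    seq: int
    ack: int
    length: int
    windows: Tuple[Tuple[int, int, int], ...]  # (lo, high, win) for each side

# Constructed sample log (documentation addresses, same field layout as the post).
SAMPLE_LOG = """\
Nov 8 16:59:48 wattres kernel: pf: BAD state: TCP 192.0.2.10:25 192.0.2.10:25 198.51.100.7:48418 [lo=2541394648 high=2541394831 win=33304 modulator=0] [lo=2408093130 high=2408126434 win=183 modulator=0] 4:4 PA seq=2541394648 ack=2408093130 len=214 ackskew=0 pkts=3:3 dir=out,fwd
Nov 8 16:59:49 wattres kernel: pf: BAD state: TCP 192.0.2.10:25 192.0.2.10:25 198.51.100.7:48418 [lo=2541394648 high=2541394831 win=33304 modulator=0] [lo=2408093130 high=2408126434 win=183 modulator=0] 4:4 PA seq=2541394648 ack=2408093130 len=214 ackskew=0 pkts=3:3 dir=out,fwd
Nov 8 17:01:02 wattres kernel: pf: BAD state: TCP 192.0.2.10:80 192.0.2.10:80 203.0.113.5:51000 [lo=1000 high=1200 win=65535 modulator=0] [lo=5000 high=5100 win=100 modulator=0] 4:4 PA seq=1000 ack=5000 len=120 ackskew=0 pkts=2:2 dir=in,fwd
Nov 8 17:01:03 wattres kernel: pf: unrelated message
"""

def parse_bad_state(line: str) -> Optional[BadState]:
    """Return the parsed BAD state record, or None for any other kernel line."""
    m = _BAD_STATE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return BadState(
        proto=g["proto"], direction=g["dir"], flags=g["flags"],
        endpoints=tuple((g[f"ep{i}"], int(g[f"p{i}"])) for i in range(3)),
        seq=int(g["seq"]), ack=int(g["ack"]), length=int(g["len"]),
        windows=((int(g["lo1"]), int(g["hi1"]), int(g["win1"])),
                 (int(g["lo2"]), int(g["hi2"]), int(g["win2"]))))

def summarize(log: str) -> Counter:
    """Count BAD state drops per (proto, direction, first endpoint's port)."""
    counts: Counter = Counter()
    for line in log.splitlines():
        state = parse_bad_state(line)
        if state is not None:
            counts[(state.proto, state.direction, state.endpoints[0][1])] += 1
    return counts
```

Feed `summarize()` the output of `dmesg` or /var/log/messages; a sudden cluster of drops on one port and direction points at the pass rule covering that service rather than at the remote host.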