From: Peter Jeremy
To: mehma sarja
Cc: ysidhu@ucolick.org, freebsd-pf@freebsd.org
Date: Tue, 19 May 2009 19:44:34 +1000
Subject: Re: Testing new firewall to replace operational firewall
Message-ID: <20090519094434.GA5943@server.vk2pj.dyndns.org>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 2009-May-17 23:20:40 -0700, mehma sarja wrote:
>I want to test two pf firewalls in-line - an old openBSD (3.7 #50, i386) is
>on the 'outside' and a new FreeBSD (7.2 #0 amd64) is on the 'inside.' The
>FreeBSD firewall does NOT have altq enabled. Here is the setup:

I can't think of anything specific that would make this break.

>I suspect "modulate state" may be the culprit. Here is what the manual says:
>"modulate state - works only with TCP. PF will generate strong Initial
>Sequence Numbers (ISNs) for packets matching this rule." So we have 2
>machines generating ISNs for the same connection. Could this be the problem?

No. The inner firewall will generate "strong" ISNs and forward the packets. The outer firewall will then generate its own "strong" ISN and forward the packet to the internet. Neither firewall cares about the sequence numbers other than for tracking windows.

>SECOND
>Are the "flags S/SA" altq functions?

No, but I presume your testing took into account that inserting/removing the firewall would kill all existing TCP connections.

My suggestion would be to do some repeat testing (hopefully you have a maintenance window or low-traffic period where you can afford a planned outage) with tcpdump running on inner, middle and outer interfaces and follow the packets through. Looking at how the packets are transformed will hopefully provide a clue as to what is not working the way you expect.
-- 
Peter Jeremy
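The point made above, that two "modulate state" firewalls in series each rewrite the ISN independently and the rewrites compose cleanly, can be shown with a small simulation. This is an added example, not code from the mail or from pf itself: it models pf's per-state sequence offset (add on the way out, subtract from the peer's ACK on the way back) for a single SYN/SYN-ACK exchange, with window tracking and everything else left out.

```python
"""Simulate ISN modulation by two pf 'modulate state' boxes stacked in series."""
import secrets
from dataclasses import dataclass
from typing import Optional

MOD = 2 ** 32  # TCP sequence space


@dataclass
class Segment:
    seq: int
    ack: int
    syn: bool = False


@dataclass
class ModulatingFirewall:
    """One pf box applying 'modulate state' to one tracked connection (simplified)."""
    name: str
    offset: Optional[int] = None  # chosen on the SYN that creates the state

    def outbound(self, seg: Segment) -> Segment:
        # Inside -> outside: replace the host's ISN with a strong random one.
        # The difference becomes the offset applied to every later segment.
        if seg.syn and self.offset is None:
            self.offset = secrets.randbelow(MOD)
        if self.offset is None:
            raise RuntimeError(f"{self.name}: no state for this segment")
        return Segment((seg.seq + self.offset) % MOD, seg.ack, seg.syn)

    def inbound(self, seg: Segment) -> Segment:
        # Outside -> inside: the peer ACKs the modulated numbers, so undo the offset.
        if self.offset is None:
            raise RuntimeError(f"{self.name}: no state for this segment")
        return Segment(seg.seq, (seg.ack - self.offset) % MOD, seg.syn)


def run_handshake(client_isn: int, server_isn: int):
    """Return (client ISN as seen on the internet, ACK the client finally receives)."""
    inner = ModulatingFirewall("inner FreeBSD")   # constructed names from the thread
    outer = ModulatingFirewall("outer OpenBSD")
    syn = Segment(seq=client_isn, ack=0, syn=True)
    on_wire = outer.outbound(inner.outbound(syn))          # client -> internet
    synack = Segment(seq=server_isn, ack=(on_wire.seq + 1) % MOD, syn=True)
    back = inner.inbound(outer.inbound(synack))             # internet -> client
    return on_wire.seq, back.ack


if __name__ == "__main__":
    seen, ack = run_handshake(client_isn=1000, server_isn=5000)
    print(f"internet saw ISN {seen}; client got ACK {ack} (expects 1001)")
```

Whatever random offsets the two boxes pick, the client always receives an ACK of its own ISN plus one, including across the 32-bit wraparound.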