From owner-freebsd-pf@FreeBSD.ORG Mon Mar 30 11:06:57 2009
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 30 Mar 2009 11:06:57 GMT
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
o kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o kern/130977  pf         [netgraph][pf] kernel panic trap 12 on user connect to
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/129060  pf         [pf] [tun] pf doesn't forget the old tun IP
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o conf/127511  pf         [patch] /usr/sbin/authpf: add authpf folders to BSD.ro
o kern/127439  pf         [pf] deadlock in pf
o kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to successfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

33 problems total.

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 31 12:50:30 2009
From: mlaier@FreeBSD.org
To: ohauer@gmx.de, mlaier@FreeBSD.org, freebsd-pf@FreeBSD.org
Date: Tue, 31 Mar 2009 12:50:29 GMT
Subject: Re: conf/127511: [patch] /usr/sbin/authpf: add authpf folders to BSD.root.dist and BSD.var.dist mtree files

Synopsis: [patch] /usr/sbin/authpf: add authpf folders to BSD.root.dist and
          BSD.var.dist mtree files

State-Changed-From-To: open->closed
State-Changed-By: mlaier
State-Changed-When: Tue Mar 31 12:49:33 UTC 2009
State-Changed-Why:
No votes have been cast so I'll keep the safety on.

http://www.freebsd.org/cgi/query-pr.cgi?pr=127511

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 31 12:53:57 2009
From: mlaier@FreeBSD.org
To: darius@dons.net.au, mlaier@FreeBSD.org, freebsd-pf@FreeBSD.org
Date: Tue, 31 Mar 2009 12:53:57 GMT
Subject: Re: kern/129060: [pf] [tun] pf doesn't forget the old tun IP

Synopsis: [pf] [tun] pf doesn't forget the old tun IP

State-Changed-From-To: open->closed
State-Changed-By: mlaier
State-Changed-When: Tue Mar 31 12:53:23 UTC 2009
State-Changed-Why:
Not a pf bug and workaround is available - close this one.
http://www.freebsd.org/cgi/query-pr.cgi?pr=129060

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 31 13:05:03 2009
From: mlaier@FreeBSD.org
To: link@ngc.net.ua, mlaier@FreeBSD.org, freebsd-pf@FreeBSD.org
Date: Tue, 31 Mar 2009 13:05:03 GMT
Subject: Re: kern/132176: [pf] pf stalls connection when using route-to [regression]

Synopsis: [pf] pf stalls connection when using route-to [regression]

State-Changed-From-To: open->feedback
State-Changed-By: mlaier
State-Changed-When: Tue Mar 31 13:01:17 UTC 2009
State-Changed-Why:
There are no changes to pf or the kernel between 7.1-p2 and 7.1-p3 so the
error is likely found elsewhere.
Since you mention the bce(4) NIC in your configuration you should try the
updated bce driver:
http://lists.freebsd.org/pipermail/freebsd-stable/2009-March/049195.html

http://www.freebsd.org/cgi/query-pr.cgi?pr=132176

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 31 13:09:14 2009
From: mlaier@FreeBSD.org
To: work@megasid.com, mlaier@FreeBSD.org, freebsd-pf@FreeBSD.org
Date: Tue, 31 Mar 2009 13:09:13 GMT
Subject: Re: kern/127345: [pf] Problem with PF on FreeBSD7.0 [regression]

Synopsis: [pf] Problem with PF on FreeBSD7.0 [regression]

State-Changed-From-To: open->feedback
State-Changed-By: mlaier
State-Changed-When: Tue Mar 31 13:05:28 UTC 2009
State-Changed-Why:
It seems that you are affected by the change of pf default behavior as
described in UPDATING. "keep state" is now the default and this doesn't
play well with multiple pptp sessions. You can add "no state" to your
rules to mitigate that.

http://www.freebsd.org/cgi/query-pr.cgi?pr=127345

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 1 01:10:02 2009
From: "Daniel O'Connor"
To: bug-followup@freebsd.org, darius@dons.net.au
Date: Wed, 1 Apr 2009 11:01:37 +1030
Subject: Re: kern/129060: [pf] [tun] pf doesn't forget the old tun IP

The following reply was made to PR kern/129060; it has been noted by GNATS.

It's still _a_ bug. Is it a tun bug? Can it be reassigned so someone who
groks tun can have a look at it?
While there is a workaround available it isn't documented anywhere except
the lists.

--
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there
are so many of them to choose from."
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C

From owner-freebsd-pf@FreeBSD.ORG Wed Apr 1 09:45:46 2009
From: Sebastiaan van Erk
To: freebsd-pf@freebsd.org
Date: Wed, 01 Apr 2009 11:45:43 +0200
Subject: Re: state mismatch/connection issues
Hi,

I upgraded to the latest FreeBSD-7.0 release using freebsd-update, with
kernel 7.0-RELEASE-p11. I still get massive amounts of state mismatches and
intermittent connection problems (connection refused, operation not
permitted) with outgoing connections....

My firewall rules are unchanged (see below), the stats are now:

Status: Enabled for 3 days 21:29:15           Debug: Urgent

State Table                          Total             Rate
  current entries                     1994
  searches                        33567431           99.7/s
  inserts                          4611322           13.7/s
  removals                         4609328           13.7/s
Counters
  match                            6170429           18.3/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              1            0.0/s
  memory                           1516667            4.5/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                          247            0.0/s
  state-mismatch                   1438892            4.3/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

Does anybody have *any* clue what's going on, and how I can go about fixing
it?
Thanks in advance,
Sebastiaan

Sebastiaan van Erk wrote:
> Hi,
>
> I'm running FreeBSD-7.0 RELEASE with the following patch to the kernel
> (I know it's integrated in the latest patchlevels which you get when you
> do freebsd-update, but since I'm still getting state-mismatches WITH the
> patch I'm holding off on the upgrade until I have more information as to
> the nature of the problem):
>
> *** net/pf.c 2007/09/07 21:34:10 1.558
> --- net/pf.c 2007/09/18 19:45:59 1.559
> *************** pf_test_state_tcp(struct pf_state **state, int directi
> *** 3730,3735 ****
> --- 3730,3751 ----
> REASON_SET(reason, PFRES_SYNPROXY);
> return (PF_SYNPROXY_DROP);
> }
> + }
> +
> + if (((th->th_flags & (TH_SYN|TH_ACK)) == TH_SYN) &&
> + dst->state >= TCPS_FIN_WAIT_2 &&
> + src->state >= TCPS_FIN_WAIT_2) {
> + if (pf_status.debug >= PF_DEBUG_MISC) {
> + printf("pf: state reuse ");
> + pf_print_state(*state);
> + pf_print_flags(th->th_flags);
> + printf("\n");
> + }
> + /* XXX make sure it's the same direction ?? */
> + (*state)->src.state = (*state)->dst.state = TCPS_CLOSED;
> + pf_unlink_state(*state);
> + *state = NULL;
> + return (PF_DROP);
> }
>
> if (src->wscale && dst->wscale && !(th->th_flags & TH_SYN)) {
>
>
> The problem I'm having is that I get intermittent connection
> refused/operation not permitted to another machine on the local network.
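Review bot: the `/* XXX make sure it's the same direction ?? */` comment leaves the new state-reuse check in this hunk unresolved: the condition `dst->state >= TCPS_FIN_WAIT_2 && src->state >= TCPS_FIN_WAIT_2` is symmetric, so a bare SYN arriving from either peer tears the state down, and that should be decided (and the comment replaced by the reason) before the change goes in. Two follow-ups on the same lines: after `pf_unlink_state(*state)` the hunk sets `*state = NULL` and returns `PF_DROP`, so the SYN that triggered the teardown is itself dropped and the peer has to retransmit it to get a fresh state, which deserves a comment, and any caller that touches `*state` after a `PF_DROP` must now tolerate NULL; and the "pf: state reuse" message is printed only when `pf_status.debug >= PF_DEBUG_MISC`, so at the "Debug: Urgent" level shown in this thread these teardowns leave no trace in the logs, and since the hunk returns `PF_DROP` without a `REASON_SET`, nothing in `pfctl -s info` singles them out either.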
> When I do pfctl -s info I see *huge* numbers of state mismatches:
>
> Status: Enabled for 94 days 01:27:40          Debug: Urgent
>
> State Table                          Total             Rate
>   current entries                      398
>   searches                       986228319          121.4/s
>   inserts                        104049508           12.8/s
>   removals                       104049110           12.8/s
> Counters
>   match                          107482262           13.2/s
>   bad-offset                             0            0.0/s
>   fragment                               0            0.0/s
>   short                                  0            0.0/s
>   normalize                             42            0.0/s
>   memory                           3125235            0.4/s
>   bad-timestamp                          0            0.0/s
>   congestion                             0            0.0/s
>   ip-option                              0            0.0/s
>   proto-cksum                        13919            0.0/s
>   state-mismatch                   3039814            0.4/s
>   state-insert                           0            0.0/s
>   state-limit                            0            0.0/s
>   src-limit                              0            0.0/s
>   synproxy                               0            0.0/s
>
> This is causing serious problems at the moment. It seems that the state
> problems occur in certain small time windows (my nagios starts reporting
> that every service is connection refused/operation not permitted, which
> is about 20 services). Then I get 20 recovery messages.
>
> The firewall rules are trivially simple, $ext_if has 2 ips and $int_if
> has one:
>
> interfaces = "{" $ext_if "," $int_if "}"
>
> scrub in all
> set skip on lo0
> antispoof for $interfaces inet
> block out log quick on $ext_if from !$ext_ip1 to any
> block in quick on $ext_if from any to 255.255.255.255
> block log all
>
> pass in quick inet proto icmp all icmp-type $icmp_types
>
> pass in quick on $int_if from $int_net to any
> pass out quick on $int_if from any to $int_net
>
> pass out on $ext_if proto tcp all
> pass out on $ext_if proto { udp, icmp } all
> pass in on $ext_if proto tcp from any to $ext_ip1 port $tcp_services1
> pass in on $ext_if proto tcp from any to $ext_ip2 port $tcp_services2
>
> Does anybody have any idea what's going on and where I can look? This is
> a production server so it's seriously influencing the quality of the
> hosted services.
> :-(
>
>
> Regards,
> Sebastiaan
From owner-freebsd-pf@FreeBSD.ORG Wed Apr 1 13:18:40 2009
From: Sebastian Tymków
To: freebsd-pf
Date: Wed, 1 Apr 2009 14:58:10 +0200
Subject: Authpf and shell access

Hi,

I wonder if there is any solution to use authpf with a normal shell. I need
to grant access to the server for a normal user but I don't want to set up
another account to do this. For example:

  userA        has shell /bin/csh
  userA_authpf has shell /usr/bin/authpf

I need only one account (userA) which allows me to use both capabilities:
ssh with shell, and granting access to other services after the right
authentication (when I do this using authpf). Is it possible?
Best regards,
Sebastian Tymkow

From owner-freebsd-pf@FreeBSD.ORG Thu Apr 2 20:28:34 2009
From: Artis Caune
To: Sebastiaan van Erk
Cc: freebsd-pf@freebsd.org
Date: Thu, 2 Apr 2009 23:28:32 +0300
Subject: Re: state mismatch/connection issues
2009/3/25 Sebastiaan van Erk :
> The problem I'm having is that I get intermittent connection
> refused/operation not permitted to another machine on the local network.
> When I do pfctl -s info I see *huge* numbers of state mismatches:
>
> The firewall rules are trivially simple, $ext_if has 2 ips and $int_if has
> one:
>
> interfaces = "{" $ext_if "," $int_if "}"
>
> scrub in all
> set skip on lo0
> antispoof for $interfaces inet
> block out log quick on $ext_if from !$ext_ip1 to any
> block in quick on $ext_if from any to 255.255.255.255
> block log all
>
> pass in quick inet proto icmp all icmp-type $icmp_types
>
> pass in quick on $int_if from $int_net to any
> pass out quick on $int_if from any to $int_net
>
> pass out on $ext_if proto tcp all
> pass out on $ext_if proto { udp, icmp } all
> pass in on $ext_if proto tcp from any to $ext_ip1 port $tcp_services1
> pass in on $ext_if proto tcp from any to $ext_ip2 port $tcp_services2

try without "block out log quick on $ext_if from !$ext_ip1 to any" rule.

btw, is your firewall forwarding traffic or doing nat?
Can you show pfctl -sr and ifconfig output?

--
regards,
Artis Caune

    <----.
              CCNA | BSDA
    <----|====================
    <----'        didii FreeBSD

From owner-freebsd-pf@FreeBSD.ORG Sat Apr 4 09:44:34 2009
From: Sebastiaan van Erk
To: Artis Caune
Cc: freebsd-pf@freebsd.org
Date: Sat, 04 Apr 2009 11:44:31 +0200
Subject: Re: state mismatch/connection issues

Hi,

Thanks for the reply.

> try without "block out log quick on $ext_if from !$ext_ip1 to any" rule.

I have other firewalls with the same rule which don't show the problem.
> btw, is your firewall forwarding traffic or doing nat?

Actually it does neither; there is no need for the backend servers to access the internet directly.

> Can you show pfctl -sr and ifconfig output?

Looking again at the pfctl -s info output, I saw something which I missed the first time around:

    State Table                          Total             Rate
      current entries                      668
      searches                        70482052          118.5/s
      inserts                          8153087           13.7/s
      removals                         8152419           13.7/s
    Counters
      match                           10637818           17.9/s
      bad-offset                             0            0.0/s
      fragment                               0            0.0/s
      short                                  0            0.0/s
      normalize                              1            0.0/s
      memory                           2405587            4.0/s
      bad-timestamp                          0            0.0/s
      congestion                             0            0.0/s
      ip-option                              0            0.0/s
      proto-cksum                          510            0.0/s
      state-mismatch                   2276240            3.8/s
      state-insert                           0            0.0/s
      state-limit                            0            0.0/s
      src-limit                              0            0.0/s
      synproxy                               0            0.0/s

The memory limit is hit almost the same amount of time as the state mismatches. It seems that my limits were simply too low. I have increased the limits (states/frags) and will see if the problem is resolved now.

Regards,
Sebastiaan
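The diagnosis in the reply above, that a non-zero "memory" counter in pfctl -s info means pf could not allocate new state entries and that the state-mismatch count follows from it, is easy to turn into a routine check. The shell functions below are an added example and not code from the thread or from the pf project; the counter table is a constructed reproduction of the numbers Sebastiaan posted, and the function and threshold names are ours. On a live FreeBSD host you would feed the check from pfctl -s info instead of the sample.

```shell
#!/bin/sh
# Added example (not from the thread): flag state-table exhaustion from
# pfctl -s info counters. In pf, the "memory" counter counts packets for
# which a state (or similar object) could not be allocated from its pool;
# the state pool is bounded by "set limit states" in pf.conf (default 10000).

# Constructed sample: the counters from Sebastiaan's message, in the
# column layout pfctl -s info prints. Replace with: pfctl -s info
sample_pfctl_info() {
cat <<'EOF'
State Table                          Total             Rate
  current entries                      668
  searches                        70482052          118.5/s
  inserts                          8153087           13.7/s
  removals                         8152419           13.7/s
Counters
  match                           10637818           17.9/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              1            0.0/s
  memory                           2405587            4.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                          510            0.0/s
  state-mismatch                   2276240            3.8/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
EOF
}

# pf_counter NAME: print the Total column of single-word counter NAME,
# reading pfctl -s info output on stdin.
pf_counter() {
    awk -v name="$1" '$1 == name { print $2; exit }'
}

# pf_memory_check: read pfctl -s info on stdin and print a one-line verdict.
# Exit status 1 when the "memory" counter is non-zero (state allocations
# failed), 2 when the counter is missing from the input, 0 otherwise.
# The percentage is failed allocations over all insert attempts, where
# "inserts" counts the successful ones.
pf_memory_check() {
    awk '
        $1 == "memory"         { mem  = $2 }
        $1 == "state-mismatch" { mism = $2 }
        $1 == "inserts"        { ins  = $2 }
        END {
            if (mem == "") { print "ERR: no memory counter in input"; exit 2 }
            if (mem == 0)  { print "OK: no state allocations failed for lack of memory"; exit 0 }
            pct = (ins + mem > 0) ? 100 * mem / (ins + mem) : 0
            printf "WARN: %d state allocations failed (%.1f%% of attempts), state-mismatch=%d; check: pfctl -s memory, raise: set limit states N\n", mem, pct, mism
            exit 1
        }'
}

# Demo run against the constructed sample; the exit status is the verdict.
if [ "${1-}" = "demo" ]; then
    sample_pfctl_info | pf_memory_check
fi
```

On a live host, `pfctl -s info | pf_memory_check` gives the verdict and `pfctl -s memory` shows the limits currently in force; the fix Sebastiaan applied corresponds to raising `set limit states` (and `set limit frags` for the fragment pool) in pf.conf and reloading. The percentage is worth watching after a change because the counters are cumulative since the last `pfctl -F info`, so an old failure count does not by itself mean the problem persists.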