From owner-freebsd-pf@FreeBSD.ORG Mon Feb 25 00:33:07 2013
From: "wishmaster"
To: "freebsd-pf@FreeBSD.org"
Subject: pf bad cksum on loopback
Date: Mon, 25 Feb 2013 02:11:14 +0200
Message-Id: <51075.1361751074.6390892036295163904@ffe6.ukr.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hello,

In my FreeBSD (9.1-STABLE i386) server there is a jail with nginx/apache + php + etc. stuff... All works fine, but with ftp it is not so good. In the jail I have installed an ftp server, listening on IP 10.15.1.1. This IP address (alias) is on the internal interface bridge0. This bridge consists of 3 NICs.

I am unable to connect to this ftp server, neither from the same jail nor from the base host. With PF completely disabled, connections to ftpd succeed. I have figured out that the problem is in the antispoof rule:

    antispoof log quick for {bridge0 lo0} inet
    (@4 block drop in log quick on ! bridge0 inet from 10.15.1.0/24 to any)

Below is the tcpdump output:

    01:42:27.348025 rule 50..16777216/0(match): pass out on lo0: (tos 0x0, ttl 128, id 8002, offset 0, flags [DF], proto TCP (6), length 60)
        10.15.1.1.63392 > 10.15.1.1.2121: Flags [SEW], cksum 0x0277 (correct), seq 3376923564, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 107831611 ecr 0], length 0
    01:42:27.348165 rule 4..16777216/0(match): block in on lo0: (tos 0x0, ttl 128, id 8002, offset 0, flags [DF], proto TCP (6), length 60, bad cksum 0 (->c55a)!)
        10.15.1.1.63392 > 10.15.1.1.2121: Flags [SEW], cksum 0x0277 (correct), seq 3376923564, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 107831611 ecr 0], length 0
    01:42:30.347549 rule 4..16777216/0(match): block in on lo0: (tos 0x0, ttl 128, id 60408, offset 0, flags [DF], proto TCP (6), length 60, bad cksum 0 (->f8a3)!)
        10.15.1.1.63392 > 10.15.1.1.2121: Flags [SEW], cksum 0xf6be (correct), seq 3376923564, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 107834611 ecr 0], length 0
    01:42:33.547564 rule 4..16777216/0(match): block in on lo0: (tos 0x0, ttl 128, id 12125, offset 0, flags [DF], proto TCP (6), length 60, bad cksum 0 (->b53f)!)
        10.15.1.1.63392 > 10.15.1.1.2121: Flags [S], cksum 0xeafe (correct), seq 3376923564, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 107837811 ecr 0], length 0
    01:42:36.747569 rule 4..16777216/0(match): block in on lo0: (tos 0x0, ttl 128, id 25338, offset 0, flags [DF], proto TCP (6), length 48, bad cksum 0 (->81ae)!)
        10.15.1.1.63392 > 10.15.1.1.2121: Flags [S], cksum 0xa6fe (correct), seq 3376923564, win 65535, options [mss 16344,sackOK,eol], length 0

The workaround is something like this rule:

    set skip on lo0

but this is unsuitable for me. For security reasons I must use PF to filter traffic from the jail to the base system.

Cheers,
Vitaliy
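The log records quoted in the message already name the cause: every dropped SYN is matched by rule 4, which is the "block in ... on ! bridge0 inet from 10.15.1.0/24" line that pfctl generated from the antispoof directive. A packet from 10.15.1.1 to 10.15.1.1 is delivered over lo0, so on the way back in it is "in on lo0", not on bridge0, with a source inside 10.15.1.0/24, and that is exactly what the expansion blocks. The "bad cksum 0" note is tcpdump verifying the IP header checksum (lo0 advertises checksum offload, so the field is left unfilled on loopback traffic); it is not something the antispoof rule tests. pf.conf(5) documents this interaction in the antispoof section: rules created by antispoof interfere with packets sent over loopback interfaces to local addresses, and those should be passed explicitly. The script below is an added example, not code from the message or from the FreeBSD project: it parses pf log records in the tcpdump format shown above (the five records from the message are embedded as constructed sample input, the last one rejoined where the archive wrapped it) and checks each one against a model of the single expansion line pfctl printed, so that the drop can be attributed to direction, interface and source network rather than to the checksum note. The model covers only that one line, not a full pf ruleset; the interface name bridge0 and the network 10.15.1.0/24 are taken from the message.

```python
"""Parse pf log records (as tcpdump prints them from pflog0) and check each one
against the expanded antispoof rule quoted in the message.

Added example, not code from the original message.  It models only the
expansion line pfctl printed there:
    @4 block drop in log quick on ! bridge0 inet from 10.15.1.0/24 to any
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the five records from the message (the last one was
# wrapped across two lines in the list archive and is rejoined here).
PFLOG_LINES = [
    "01:42:27.348025 rule 50..16777216/0(match): pass out on lo0: (tos 0x0, ttl 128, id 8002, offset 0, flags [DF], proto TCP (6), length 60) 10.15.1.1.63392 > 10.15.1.1.2121: Flags [SEW], cksum 0x0277 (correct), seq 3376923564, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 107831611 ecr 0], length 0",
    "01:42:27.348165 rule 4..16777216/0(match): block in on lo0: (tos 0x0, ttl 128, id 8002, offset 0, flags [DF], proto TCP (6), length 60, bad cksum 0 (->c55a)!) 10.15.1.1.63392 > 10.15.1.1.2121: Flags [SEW], cksum 0x0277 (correct), seq 3376923564, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 107831611 ecr 0], length 0",
    "01:42:30.347549 rule 4..16777216/0(match): block in on lo0: (tos 0x0, ttl 128, id 60408, offset 0, flags [DF], proto TCP (6), length 60, bad cksum 0 (->f8a3)!) 10.15.1.1.63392 > 10.15.1.1.2121: Flags [SEW], cksum 0xf6be (correct), seq 3376923564, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 107834611 ecr 0], length 0",
    "01:42:33.547564 rule 4..16777216/0(match): block in on lo0: (tos 0x0, ttl 128, id 12125, offset 0, flags [DF], proto TCP (6), length 60, bad cksum 0 (->b53f)!) 10.15.1.1.63392 > 10.15.1.1.2121: Flags [S], cksum 0xeafe (correct), seq 3376923564, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 107837811 ecr 0], length 0",
    "01:42:36.747569 rule 4..16777216/0(match): block in on lo0: (tos 0x0, ttl 128, id 25338, offset 0, flags [DF], proto TCP (6), length 48, bad cksum 0 (->81ae)!) 10.15.1.1.63392 > 10.15.1.1.2121: Flags [S], cksum 0xa6fe (correct), seq 3376923564, win 65535, options [mss 16344,sackOK,eol], length 0",
]

# "<ts> rule <n>..<sub>/<x>(<reason>): <action> <dir> on <if>: (<ip header>) <src.port> > <dst.port>: <tcp>"
# The IP header part contains nested parentheses ("proto TCP (6)", "(->c55a)"), so it is matched
# non-greedily up to the ") " that is followed by the dotted src endpoint.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)\.\.\d+/\d+\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\S+): "
    r"\((?P<iphdr>.*?)\) (?P<src>\d+(?:\.\d+){4}) > (?P<dst>\d+(?:\.\d+){4}): (?P<l4>.*)$"
)
BAD_CKSUM_RE = re.compile(r"bad cksum (?P<seen>\w+) \(->(?P<want>\w+)\)")
FLAGS_RE = re.compile(r"Flags \[(?P<flags>[^\]]*)\]")


@dataclass
class PfLogEntry:
    ts: str
    rule: int
    action: str
    direction: str
    iface: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    tcp_flags: str
    # (seen, expected) from tcpdump's "bad cksum X (->Y)!" note on the IP header, or None
    ip_cksum_note: Optional[Tuple[str, str]]


def _split_endpoint(ep: str) -> Tuple[str, int]:
    ip, port = ep.rsplit(".", 1)
    return ip, int(port)


def parse_line(line: str) -> PfLogEntry:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised pf log record: %r" % line[:60])
    src_ip, src_port = _split_endpoint(m["src"])
    dst_ip, dst_port = _split_endpoint(m["dst"])
    ck = BAD_CKSUM_RE.search(m["iphdr"])
    fl = FLAGS_RE.search(m["l4"])
    return PfLogEntry(
        ts=m["ts"], rule=int(m["rule"]), action=m["action"], direction=m["dir"],
        iface=m["iface"], src_ip=src_ip, src_port=src_port, dst_ip=dst_ip, dst_port=dst_port,
        tcp_flags=fl["flags"] if fl else "",
        ip_cksum_note=(ck["seen"], ck["want"]) if ck else None,
    )


def antispoof_blocks(direction: str, iface: str, src_ip: str, *,
                     protected: str = "bridge0", net: str = "10.15.1.0/24") -> bool:
    """Model of 'block drop in quick on ! <protected> inet from <net> to any'.

    Only direction, ingress interface and source network take part; the IP header
    checksum that tcpdump comments on is not a match criterion of this rule.
    """
    return (direction == "in" and iface != protected
            and ipaddress.ip_address(src_ip) in ipaddress.ip_network(net))


def explain(lines: List[str]) -> List[Dict[str, object]]:
    """Parse every record and pair it with the verdict of the model antispoof rule."""
    out = []
    for e in map(parse_line, lines):
        out.append({
            "ts": e.ts, "rule": e.rule, "action": e.action, "iface": e.iface,
            "blocked": e.action == "block",
            "has_cksum_note": e.ip_cksum_note is not None,
            "antispoof_hit": antispoof_blocks(e.direction, e.iface, e.src_ip),
        })
    return out


if __name__ == "__main__":
    for e in map(parse_line, PFLOG_LINES):
        hit = antispoof_blocks(e.direction, e.iface, e.src_ip)
        verdict = "matches the antispoof expansion" if hit else "not covered by the antispoof expansion"
        note = " (tcpdump IP cksum note %s)" % (e.ip_cksum_note,) if e.ip_cksum_note else ""
        print("%s rule %d %s %s on %s %s:%d -> %s:%d [%s]: %s%s" % (
            e.ts, e.rule, e.action, e.direction, e.iface, e.src_ip, e.src_port,
            e.dst_ip, e.dst_port, e.tcp_flags, verdict, note))
```

Run stand-alone it prints one line per record; the four blocked SYNs all come out as antispoof hits on lo0 and the earlier "pass out" record as a non-hit, because the model rule is an inbound rule. The same `antispoof_blocks` check with a source in 10.15.1.0/24 arriving on some other NIC returns True as well, which is the spoofing case the directive is meant to catch, while the same source arriving on bridge0 itself returns False.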