From: Pete French <petefrench@ingresso.co.uk>
To: stable@freebsd.org
Subject: pf starts blocking all traffic after a short while
Date: Fri, 04 Jun 2021 10:43:55 +0100
List-Id: Production branch of FreeBSD source code
List-Archive: https://lists.freebsd.org/archives/freebsd-stable

I thought I understood pf pretty well, but this one puzzles me. I have a
very simple setup here - a machine I only want to allow public IPv6 in
from one place, allow private IPv4 from its local neighbours, and be able
to connect out to anywhere.

Seems to work, I boot it up, I can ssh in. After about five minutes it
just starts blocking all traffic. I have serial console access, so I can
still examine the machine, and if, when it is stuck, I load a pf config
file which allows everything, then traffic resumes again, which is what
makes me think pf is doing this.

Here's the rules, all eleven of them...

    root@joanna-may:~ # pfctl -s rules
    scrub all max-mss 1200 fragment reassemble
    block return all
    pass quick proto icmp all keep state
    pass quick proto ipv6-icmp all keep state
    pass in inet from 127.0.0.0/8 to any flags S/SA keep state
    pass in inet from 192.168.0.0/16 to any flags S/SA keep state
    pass in inet from 172.16.0.0/12 to any flags S/SA keep state
    pass in inet from 10.0.0.0/8 to any flags S/SA keep state
    pass in inet6 from 2001:470:6cc4::/48 to any flags S/SA keep state
    pass in inet6 from 2001:470:1f08:1771::2 to any flags S/SA keep state
    pass out all flags S/SA keep state

Nothing particularly controversial there I think! I've checked the states
table, there's a handful in there, and they look fine.

If I ssh in and run top, then that connection eventually drops when the
packet flow ceases. The pf table is left with a state of TIME_WAIT in it.

Any ideas? This is a machine inside AWS, so not real hardware, but that
should not make a difference I think... It's also the only time I have
used pf without using NAT, so maybe I have missed something, but really,
this was supposed to be a very simple ruleset to do a very simple job.

-pete.
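The ruleset quoted in the post is a good small illustration of how pf decides what to do with a packet that has no existing state: every filter rule is walked in order, the last matching rule wins, and a matching rule marked quick ends the walk immediately. The Python below is an added example written for this thread (it is not code from the post, from FreeBSD or from pfctl); it parses the eleven rules exactly as pfctl printed them and applies that last-match/quick model to a few constructed packets. It models only the stateless first-packet decision: the state table, scrub, NAT and the 'return' behaviour of the block rule are deliberately outside it, and the packet tuples are invented test input.

```python
"""Model of pf filter-rule evaluation (last match wins unless 'quick')
applied to the eleven rules from the post.  Added example for this thread,
not pf's own code; covers only the stateless first-packet decision."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Rules as printed by 'pfctl -s rules' in the post, copied verbatim.
RULESET = """\
scrub all max-mss 1200 fragment reassemble
block return all
pass quick proto icmp all keep state
pass quick proto ipv6-icmp all keep state
pass in inet from 127.0.0.0/8 to any flags S/SA keep state
pass in inet from 192.168.0.0/16 to any flags S/SA keep state
pass in inet from 172.16.0.0/12 to any flags S/SA keep state
pass in inet from 10.0.0.0/8 to any flags S/SA keep state
pass in inet6 from 2001:470:6cc4::/48 to any flags S/SA keep state
pass in inet6 from 2001:470:1f08:1771::2 to any flags S/SA keep state
pass out all flags S/SA keep state
"""


@dataclass
class Rule:
    action: str                      # 'pass' or 'block'
    text: str                        # original rule line, for reporting
    direction: Optional[str] = None  # 'in', 'out' or None (either)
    quick: bool = False
    proto: Optional[str] = None      # e.g. 'tcp', 'icmp', 'ipv6-icmp'
    af: Optional[str] = None         # 'inet', 'inet6' or None (either)
    src: Optional[object] = None     # ip_network, or None for 'any'
    flags: Optional[str] = None      # e.g. 'S/SA' (TCP only)


@dataclass
class Packet:                        # constructed test input, not a capture
    direction: str
    proto: str
    src: str
    tcp_flags: str = ""              # letters set in the TCP header, e.g. 'SA'


def parse_rule(line):
    """Parse one pfctl output line; non-filter rules (scrub) return None."""
    toks = line.split()
    if toks[0] not in ("pass", "block"):
        return None
    r = Rule(action=toks[0], text=line)
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            r.direction = t
        elif t == "quick":
            r.quick = True
        elif t in ("inet", "inet6"):
            r.af = t
        elif t == "proto":
            i += 1
            r.proto = toks[i]
        elif t == "from":
            i += 1
            if toks[i] != "any":
                r.src = ipaddress.ip_network(toks[i], strict=False)
        elif t == "to":
            i += 1                   # every rule here uses 'to any'
        elif t == "flags":
            i += 1
            r.flags = toks[i]
        # 'all', 'return', 'keep', 'state' add no match constraint here
        i += 1
    return r


def matches(r, p):
    src = ipaddress.ip_address(p.src)
    af = "inet" if src.version == 4 else "inet6"
    if r.direction and r.direction != p.direction:
        return False
    if r.af and r.af != af:
        return False
    if r.proto and r.proto != p.proto:
        return False
    if r.src is not None and (r.src.version != src.version or src not in r.src):
        return False
    if r.flags and p.proto == "tcp":   # pf checks flags only on TCP
        want, mask = r.flags.split("/")
        if {c for c in p.tcp_flags if c in mask} != set(want):
            return False
    return True


def evaluate(rules, p):
    """Return (action, rule text): last matching rule wins, 'quick' stops
    the walk; with no matching rule pf's default is pass."""
    last = None
    for r in rules:
        if matches(r, p):
            last = r
            if r.quick:
                break
    return (last.action, last.text) if last else ("pass", "<default pass>")


RULES = [r for r in map(parse_rule, RULESET.splitlines()) if r]


def decide(direction, proto, src, tcp_flags=""):
    return evaluate(RULES, Packet(direction, proto, src, tcp_flags))


if __name__ == "__main__":
    for args in [("in", "tcp", "10.0.0.5", "S"), ("in", "tcp", "203.0.113.7", "S"),
                 ("in", "tcp", "10.0.0.5", "A"), ("in", "ipv6-icmp", "2001:db8::1"),
                 ("out", "tcp", "10.0.0.1", "S")]:
        print(args, "->", decide(*args))
```

Running it shows the intended shape of the policy: a SYN from an RFC 1918 source or from the listed IPv6 prefixes passes, a bare ACK from the same source with no state behind it falls through to block return all, ICMP and ICMPv6 pass on the quick rules before anything else is consulted, and the outbound rule covers new connections out. What the model cannot show is anything that happens once states exist, which is where the post's symptom (a TIME_WAIT state left behind while the connection dies) lives; pfctl -s states and pfctl -s info are the places to look for that.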