From: Damien Fleuriot <ml@my.gd>
Date: Tue, 28 Feb 2012 09:06:55 +0100
To: freebsd-pf@freebsd.org
Subject: Re: PF issue (rule match but rule fails)
Message-ID: <4F4C8B1F.1000302@my.gd>
In-Reply-To: <1330392478.216.YahooMailRC@web180716.mail.sp1.yahoo.com>
List-Id: Technical discussion and general questions about packet filter (pf)

On 2/28/12 2:27 AM, csbender wrote:
> Hi Folks,
> it is great to join you.
> I am pretty new to the world of PF so please excuse some ignorance at least for
> now.
>
> I have a PF running FreeBSD 8.2.
>
> Here is my issue...
>
> I have an SMTP rule allowing traffic in and out for certain networks.
> Some SMTP traffic fails, even though I see the rule match; I have no idea why.
>
> Evidence... Here I am sending email from a network which comes across the FW.
> Here is the tcpdump.
>
> # tcpdump -ni bge0 host 10.156.81.10 and port 25
> tcpdump: listening on bge0, link-type EN10MB
> 14:26:50.220591 10.156.81.10.60809 > 172.19.4.41.25: S 3154136673:3154136673(0) win 64240 <mss 1260,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop> (DF) [tos 0xb8]
> 14:26:50.244314 10.156.81.10.60809 > 172.19.4.41.25: R 3154136674:3154136735(61) ack 1245040067 win 0 (DF) [tos 0xb8]
> 14:27:11.233494 10.156.81.10.60809 > 172.19.4.41.25: S 3154136673:3154136673(0) win 64240 <mss 1260,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop> (DF) [tos 0xb8]
> 14:27:11.245057 10.156.81.10.60809 > 172.19.4.41.25: R 0:61(61) ack 1 win 0 (DF) [tos 0xb8]
>
> From the above it is easy to see traffic isn't passing.
>
> Below is the rule that this traffic should be matching.
>
> pass log quick inet proto tcp from to any port = smtp flags any modulate state label "RULE 1 -- ACCEPT "
>
> First question... what command can I run to verify that the rule above is
> pertaining to the traffic above?
> Secondly... what else could be squashing this SMTP traffic? It all works well
> when pfctl is -d.

First, check the logs from PF itself, not just a tcpdump from the interface, and check what rule number matches:

tcpdump -nei pflog0

Then, obviously, display your pf rules and check what rule matched the traffic, using its number:

pfctl -vvsr

Second, get rid of "modulate state" and use "keep state" instead.

Third, if that doesn't fix your problem, disable TCP reassembly in your "scrub" rules.
We had similar problems with scrubbing + TCP reassembly enabled over a year ago on 8.x
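An added example, not part of Damien's reply or of the FreeBSD project, scripting the first two checks above: it pairs the rule numbers that `tcpdump -nei pflog0` reports with the `@N` lines of `pfctl -vvsr` and flags a matched rule that still uses modulate state. Both inputs are constructed sample text, and the 10.156.0.0/16 source network and the rule order are assumptions.

```shell
#!/bin/sh
# Constructed sample standing in for `tcpdump -nei pflog0` output:
# pflog records carry "rule N/0(match): action direction on iface:".
PFLOG_SAMPLE='14:26:50.220591 rule 1/0(match): pass in on bge0: 10.156.81.10.60809 > 172.19.4.41.25: S 3154136673:3154136673(0) win 64240
14:26:50.244314 rule 2/0(match): block out on bge0: 172.19.4.41.25 > 10.156.81.10.60809: S 1245040066:1245040066(0) ack 3154136674 win 5840'
# Constructed sample standing in for `pfctl -vvsr` output; each rule is
# prefixed with @N, the number pflog refers to. Network and order assumed.
RULES_SAMPLE='@0 pass quick on lo0 all flags S/SA keep state
  [ Evaluations: 500       Packets: 0         Bytes: 0          States: 0     ]
@1 pass log quick inet proto tcp from 10.156.0.0/16 to any port = smtp flags any modulate state label "RULE 1 -- ACCEPT "
  [ Evaluations: 40        Packets: 2         Bytes: 120        States: 1     ]
@2 block drop log all
  [ Evaluations: 38        Packets: 1         Bytes: 60         States: 0     ]'

# Print "number action direction interface" for every pflog match record.
pflog_matches() {
    printf '%s\n' "$1" | awk '$2 == "rule" {
        n = $3; sub(/\/.*/, "", n)          # "1/0(match):" -> "1"
        iface = $7; sub(/:$/, "", iface)    # "bge0:" -> "bge0"
        print n, $4, $5, iface
    }'
}

# Print the text of rule number $2 from ruleset text $1, minus the @N tag.
rule_text() {
    printf '%s\n' "$1" | awk -v tag="@$2" '$1 == tag { sub(/^@[0-9]+ +/, ""); print }'
}

# Classify the state option of a rule: modulate, synproxy, keep or none.
state_mode() {
    case "$1" in
        *"modulate state"*) echo modulate ;;
        *"synproxy state"*) echo synproxy ;;
        *"keep state"*)     echo keep ;;
        *)                  echo none ;;
    esac
}

# Walk the pflog records and show which loaded rule each one hit.
pflog_matches "$PFLOG_SAMPLE" | while read -r num action dir iface; do
    text=$(rule_text "$RULES_SAMPLE" "$num")
    printf 'rule %s (%s %s on %s): %s\n' "$num" "$action" "$dir" "$iface" "$text"
    if [ "$(state_mode "$text")" = modulate ]; then
        printf '  note: matched rule uses modulate state; try keep state\n'
    fi
done
```

On a live box, replace the two sample variables with `$(tcpdump -nei pflog0 -c 20 2>/dev/null)` and `$(pfctl -vvsr)` run as root.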