From owner-freebsd-pf@FreeBSD.ORG Thu May 15 00:29:33 2008
From: "Mark Pagulayan" <m.pagulayan@auckland.ac.nz>
To: "Jille" <jille@quis.cx>
Cc: freebsd-pf@freebsd.org
Date: Thu, 15 May 2008 12:29:15 +1200
Subject: RE: FreeBSD PF 4.1 Inserts Flags S/SA Automatically to rules
In-Reply-To: <482B80D3.4010701@quis.cx>
References: <482B7BE6.9080608@uffner.com> <482B80D3.4010701@quis.cx>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi Jille,

I am using bridge pf: I only allow pass all on my internal interface. So
there is no other rule for that interface. How do I know that states are
mismatched for both internal and external?

Cheers,

Mark

-----Original Message-----
From: Jille [mailto:jille@quis.cx]
Sent: Thursday, 15 May 2008 12:16 p.m.
To: Mark Pagulayan
Cc: Tom Uffner; Kian Mohageri; freebsd-pf@freebsd.org
Subject: Re: FreeBSD PF 4.1 Inserts Flags S/SA Automatically to rules

Hello,

Mark Pagulayan wrote:
> Hi Tom,
>
> I have just zeroed in the statistics and yes the state-mismatch is still
> increasing.
>
> If I do enable logging, how would I know that packet is mismatched?
>
If you use tcpdump, the standard flags will also show what rule it
matched, so if it is a 'pass all' rule, it mismatched your other rule.

--
Jille

> Cheers,
>
> Mark
> -----Original Message-----
> From: Tom Uffner [mailto:tom@uffner.com]
> Sent: Thursday, 15 May 2008 11:55 a.m.
> To: Kian Mohageri
> Cc: Mark Pagulayan; freebsd-pf@freebsd.org
> Subject: Re: FreeBSD PF 4.1 Inserts Flags S/SA Automatically to rules
>
> Kian Mohageri wrote:
>
>> On Wed, May 14, 2008 at 3:45 PM, Mark Pagulayan
>>
>>> The way I see this is that this rule would be applied to udp traffic as
>>> well which will be dropped/blocked because flags only work for tcp and
>>> this might be the cause of state-mismatches that I see in the table -
>>>
>> 'flags S/SA keep state' will work OK for UDP too. Only the 'keep
>> state' part will be applied to UDP, since no flags are involved.
>>
>>> state-mismatch 11577272 48.7/s
>>>
>> Could be caused by reloading your ruleset to include 'keep state'
>> mid-connections, I think. PF won't be aware of where the state is
>> (especially true if you're using TCP window scaling), so it will fail
>> after a while and you'll see state mismatches.
>>
>
> even if reloading the ruleset to include "keep state" and/or "flags
> s/sa" didn't sever pre-existing connections, it shouldn't cause that
> large a number of mismatches.
>
> when was the last time you zeroed the statistics? is the mismatch count
> still increasing w/ the 7.0 stateful rules? you may need to add "log
> (all)" to find out where the state mismatches are coming from.
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
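The two checks suggested in this thread (is `state-mismatch` still rising after the counters were zeroed, and which logged rule the packets are hitting once `log (all)` is on) can be scripted. The POSIX sh below is an added example, not code from the thread or from pf itself; the `pfctl -si` snapshots and the pflog/tcpdump lines it parses are constructed so it runs offline, and the interface names, addresses and rule numbers are made up.

```sh
#!/bin/sh
# Added example (not from the thread). Works on CONSTRUCTED text shaped like
# `pfctl -si` counters and `tcpdump -n -e -i pflog0` output; no live pf needed.

# Two constructed `pfctl -si` counter lines, taken 10 seconds apart.
SNAP1='state-mismatch                      11577272           48.7/s'
SNAP2='state-mismatch                      11577759           48.7/s'
INTERVAL=10

# New state-mismatch events per second between two snapshots. A non-zero
# rate after `pfctl -Fi` (zero the counters) means the problem is still live.
mismatch_rate() {
    a=$(printf '%s\n' "$1" | awk '/state-mismatch/ {print $2}')
    b=$(printf '%s\n' "$2" | awk '/state-mismatch/ {print $2}')
    echo $(( (b - a) / $3 ))
}

# Constructed pflog lines as tcpdump prints them for rules with `log (all)`:
# the "rule N/0(match)" prefix names the rule that logged each packet, so
# mid-stream packets (ACK/PSH without a SYN) that keep hitting one rule show
# the traffic pf could not map to an existing state.
PFLOG='rule 0/0(match): pass in on em0: 10.0.0.5.51234 > 10.0.0.9.443: Flags [S], seq 1
rule 0/0(match): pass in on em0: 10.0.0.5.51234 > 10.0.0.9.443: Flags [.], ack 1
rule 3/0(match): pass in on em1: 192.0.2.7.80 > 10.0.0.5.40000: Flags [.], ack 77
rule 3/0(match): pass in on em1: 192.0.2.7.80 > 10.0.0.5.40000: Flags [P.], seq 77
rule 3/0(match): pass in on em1: 192.0.2.7.80 > 10.0.0.5.40000: Flags [.], ack 78'

# Print "<rule> <interface> <packets>" for every rule/interface pair seen.
packets_per_rule() {
    printf '%s\n' "$1" | awk '
        match($0, /rule [0-9]+/)  { rule = substr($0, RSTART + 5, RLENGTH - 5) }
        match($0, / on [a-z0-9]+:/) { ifc = substr($0, RSTART + 4, RLENGTH - 5) }
        { n[rule " " ifc]++ }
        END { for (k in n) print k, n[k] }' | sort
}

# Packet count logged by one rule number, e.g. `count_for_rule "$PFLOG" 3`.
count_for_rule() {
    packets_per_rule "$1" | awk -v r="$2" '$1 == r {print $3}'
}

echo "state-mismatch rate: $(mismatch_rate "$SNAP1" "$SNAP2" "$INTERVAL")/s"
packets_per_rule "$PFLOG"
```

On a real box the snapshots come from `pfctl -si` and the log lines from `tcpdump -n -e -i pflog0`; the rule numbers map back to `pfctl -sr -vv`.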