Date: Sat, 13 Sep 2008 09:56:16 GMT
From: Andrey Golenischev <work@megasid.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/127345: Problem with PF on FreeBSD7.0
Message-ID: <200809130956.m8D9uGuZ058445@www.freebsd.org>
Resent-Message-ID: <200809131000.m8DA04iv009561@freefall.freebsd.org>

>Number: 127345
>Category: kern
>Synopsis: Problem with PF on FreeBSD7.0
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Sep 13 10:00:03 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Andrey Golenischev
>Release: 7.0-p4
>Organization:
Infocom
>Environment:
FreeBSD testbox 7.0-RELEASE-p4 FreeBSD 7.0-RELEASE-p4 #0: Fri Sep 5 14:51:15 EEST 2008 megasid@testbox:/usr/src/sys/i386/compile/TESTBOX i386
>Description:
I upgraded this release from 6.2 (just bought a new HDD and installed 7.0, upgraded via freebsd-update and copied all configs). 7.0 is working pretty well, but I get a strange problem with PF.
Look at these rules:
table <propusk> { 10.0.0.1, 10.0.1.1 }
block out on vlan0 from any to any
block out on vlan1 from any to any
block out on vlan2 from any to any
pass out on vlan0 from <propusk> to any
pass out on vlan1 from <propusk> to any
pass out on vlan2 from <propusk> to any
On FreeBSD 6.2 this scheme was working pretty well. Packets from 10.0.0.1 passed to these VLANs without any problems. When I installed 7.0, some clients started to call me and say that they are pinging 10.0.0.1 and 10.0.1.1 from their PCs but cannot connect by PPTP to these hosts. I spent a lot of time checking all my routers and switches for any access lists and so on. But I do not think that something changed in the PF algorithm. When I comment out these "block" lines in PF, clients can connect to PPTP and all is good. Did something change in PF, and if this is not a bug, how should I change the syntax of these rules? If this is a bug, write my name somewhere on the FreeBSD board like "This man caught a bug in PF" :)
>How-To-Repeat:
Just make a scheme like I describe above.
>Fix:
Hmm.. temporarily I started using ipfw for this scheme.
>Release-Note:
>Audit-Trail:
>Unformatted:
