From: "Bartek W. aka Mastier" <mistrzipan@gmail.com>
Date: Thu, 02 Jun 2011 00:02:18 +0200
To: freebsd-pf@freebsd.org
Subject: PF some packets are falling into block, some are not
Message-ID: <4DE6B6EA.3030708@gmail.com>

I just want to block a few classes that must be blocked. It seems like it's partly working, but not all packets are accessible. Moreover, I cannot connect from outside. What is wrong?

My FreeBSD is 7.3-STABLE; my WAN interface is vlan300 and vlan352 is for a user.

The rules for blocking are:

    rule 28/0 block in log on vlan352 from 79.110.199.192/27 to
    rule 29/0 block in log on vlan352 from 79.110.199.192/27 to !

I was also trying with:

    block in log on vlan352 from 79.110.199.192/27 to any

instead of the two above. The table contains the addresses of my network: 79.110.192.0/20

I used tags because I thought it would be the best way, considering that I also have non-public classes that go through NAT. In this case, the simplest one, there's a public address. I'm opening the window for the allowed IP with proper queuing.

The passing rules are:

    pass quick from 79.110.199.199 to keep state
    pass in quick on vlan352 from 79.110.199.199 to ! tag FROM79_110_199_199 queue 79_110_199_199D
    pass out quick on vlan300 tagged FROM79_110_199_199 queue 79_110_199_199U
    pass in quick on vlan300 from ! to 79.110.199.199 tag TO79_110_199_199 queue 79_110_199_199U
    pass out quick on vlan352 tagged TO79_110_199_199 queue 79_110_199_199D

79_110_199_199D is on vlan352 (specifically the physical interface em0), 79_110_199_199U is on vlan300 (em1); the queue type is hfsc.
But still some packets are dropped. tcpdump:

    tcpdump: WARNING: pflog0: no IPv4 address assigned
    tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
    rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 54312, offset 0, flags [DF], proto TCP (6), length 1500) 79.110.199.199.55073 > 87.239.219.82.59291: tcp 1480 [bad hdr length 0 - too short, < 20]
    rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 56948, offset 0, flags [DF], proto TCP (6), length 1442) 79.110.199.199.55073 > 80.229.149.80.55511: tcp 1422 [bad hdr length 0 - too short, < 20]
    rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8242, offset 0, flags [DF], proto TCP (6), length 40) 79.110.199.199.55073 > 85.222.56.47.56705: [|tcp]
    rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8243, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073 > 85.222.56.47.56705: [|tcp]
    rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8244, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073 > 85.222.56.47.56705: tcp 32 [bad hdr length 0 - too short, < 20]
    rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8245, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073 > 85.222.56.47.56705: [|tcp]
    rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8246, offset 0, flags [DF], proto TCP (6), length 40) 79.110.199.199.55073 > 85.222.56.47.56705: [|tcp]
    rule 28/0(match): block in on vlan352: (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55022 > 79.110.194.135.43126: [|tcp]
    rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8247, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073 > 85.222.56.47.56705: tcp 32 [bad hdr length 0 - too short, < 20]
    rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 54313, offset 0, flags [DF], proto TCP (6), length 40) 79.110.199.199.55073 > 87.239.219.82.59291: [|tcp]
    rule 28/0(match): block in on vlan352: (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55022 > 79.110.194.135.43126: [|tcp]
    rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 54314, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073 > 87.239.219.82.59291: [|tcp]
    rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8248, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073 > 85.222.56.47.56705: tcp 32 [bad hdr length 0 - too short, < 20]
    rule 28/0(match): block in on vlan352: (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55022 > 79.110.194.135.43126: [|tcp]
    rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 54315, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073 > 87.239.219.82.59291: [|tcp]

From this IP's point of view, almost all Internet connections seem to be working, DNS in the pool. This traffic should fall into the default queue. But sometimes it gets stuck. Bandwidth tests are showing the right result for upload and download. I cannot connect from my IP class (79.110.194.135) to this one (79.110.199.199). I haven't checked how it looks when someone initiates a connection from outside ( ! ).
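An added example, not part of the post above: a small Python parser for the pflog0 tcpdump lines quoted in the post, which tallies blocked packets per rule, per 5-tuple flow, and per destination side (inside or outside the poster's 79.110.192.0/20, which is what rules 28 and 29 appear to distinguish; treating them that way is an assumption here, since the table names did not survive in the archive). Two things the tally makes visible that the raw log does not. First, pf consults the state table and evaluates quick rules before anything else, so a logged `block` line means that packet had no state entry and matched none of the earlier `pass quick` rules; the counts per flow show which flows are in that situation. Second, every line carries `[|tcp]` or `bad hdr length 0`: tcpdump's default 96-byte snaplen, minus the 64-byte pflog header, leaves 32 bytes, enough for the 20-byte IPv4 header but not the 20-byte TCP header, so those markers are an artifact of the truncated capture, not evidence of malformed packets. Rerunning with `tcpdump -n -e -s 0 -i pflog0` shows the TCP flags, which is what one needs to tell a SYN from a mid-stream packet that lost its state. The sample lines are copied from the post.

```python
"""Tally pflog0 tcpdump output by rule, flow and destination side.

Added example for this thread; not code from the original post.  The
sample lines are copied from the post's own tcpdump output.  Treating
rule 28 as "to my own prefix" and rule 29 as "to everything else" is
an assumption based on the rules the poster quoted.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Prefix the post names as "the addresses of my network".
MY_NET = ipaddress.ip_network("79.110.192.0/20")

# Constructed sample: tcpdump banner lines plus a few of the logged
# packets from the post.  The banner lines must be skipped by the parser.
SAMPLE_PFLOG = """\
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 54312, offset 0, flags [DF], proto TCP (6), length 1500) 79.110.199.199.55073 > 87.239.219.82.59291: tcp 1480 [bad hdr length 0 - too short, < 20]
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8242, offset 0, flags [DF], proto TCP (6), length 40) 79.110.199.199.55073 > 85.222.56.47.56705: [|tcp]
rule 28/0(match): block in on vlan352: (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55022 > 79.110.194.135.43126: [|tcp]
rule 29/0(match): block in on vlan352: (tos 0x0, ttl 64, id 8247, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55073 > 85.222.56.47.56705: tcp 32 [bad hdr length 0 - too short, < 20]
rule 28/0(match): block in on vlan352: (tos 0x10, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52) 79.110.199.199.55022 > 79.110.194.135.43126: [|tcp]
"""

# One "rule N/M(reason): action dir on ifname: (...) src.sport > dst.dport: rest"
# line, as tcpdump -e prints it on a pflog interface for IPv4 TCP/UDP.
PFLOG_RE = re.compile(
    r"^rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>[\w.]+): "
    r"\(.*?proto (?P<proto>\w+) \(\d+\), length (?P<length>\d+)\) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<rest>.*)$"
)

# tcpdump prints these when the capture ends before the TCP header does.
# pflog prepends a 64-byte header, so the default 96-byte snaplen leaves
# 32 bytes: a 20-byte IPv4 header and only 12 of the 20 TCP header bytes.
TRUNCATION_MARKERS = ("[|tcp]", "bad hdr length")


def parse_pflog(text):
    """Parse tcpdump/pflog lines; returns one dict per recognised packet."""
    records = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line.strip())
        if m is None:
            continue  # banner/warning lines, or formats this parser does not handle
        rec = m.groupdict()
        for key in ("rule", "sub", "sport", "dport", "length"):
            rec[key] = int(rec[key])
        rec["truncated"] = any(mark in rec["rest"] for mark in TRUNCATION_MARKERS)
        records.append(rec)
    return records


def summarise(records, own_net=MY_NET):
    """Count hits per (action, rule), per 5-tuple flow, and per destination side."""
    by_rule = Counter()
    flows = Counter()
    dst_side = defaultdict(Counter)
    truncated = 0
    for r in records:
        by_rule[(r["action"], r["rule"])] += 1
        flows[(r["proto"], r["src"], r["sport"], r["dst"], r["dport"])] += 1
        side = "inside" if ipaddress.ip_address(r["dst"]) in own_net else "outside"
        dst_side[r["rule"]][side] += 1
        truncated += r["truncated"]
    return {
        "total": len(records),
        "truncated": truncated,
        "by_rule": dict(by_rule),
        "flows": dict(flows),
        "dst_side": {rule: dict(c) for rule, c in dst_side.items()},
    }


def report(summary):
    """Render the summary as text, with a hint when every line was truncated."""
    lines = []
    for (action, rule), n in sorted(summary["by_rule"].items()):
        sides = summary["dst_side"].get(rule, {})
        lines.append(f"{action} by rule {rule}: {n} packet(s), dst {sides}")
    for (proto, src, sport, dst, dport), n in sorted(summary["flows"].items()):
        lines.append(f"  {proto} {src}:{sport} -> {dst}:{dport}  x{n}")
    if summary["total"] and summary["truncated"] == summary["total"]:
        lines.append("all lines truncated: rerun tcpdump with -s 0 to see TCP flags")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarise(parse_pflog(SAMPLE_PFLOG))))
```

Feed it a real capture with `tcpdump -n -e -i pflog0 | python3 this.py`-style piping by reading `sys.stdin` instead of `SAMPLE_PFLOG`; the regex only covers IPv4 TCP/UDP lines, so ICMP or IPv6 entries are silently skipped and would need their own patterns.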