From owner-freebsd-pf@FreeBSD.ORG Tue Feb 28 14:43:25 2012
Date: Tue, 28 Feb 2012 06:43:24 -0800 (PST)
From: csbender
To: Damien Fleuriot, freebsd-pf@freebsd.org
In-Reply-To: <4F4C8B1F.1000302@my.gd>
Subject: Re: PF issue (rule match but rule fails)

Hi Damien, PF folks,

Yes, checking the pflog is important. I am not entirely sure, but please correct me where I go off path.
I send SMTP traffic from the client; here is the pflog:

# tcpdump -nei pflog0 host 10.156.81.10 and port 25
tcpdump: listening on pflog0, link-type PFLOG
09:37:14.901238 rule 12/(match) pass in on bge0: 10.156.81.10.55718 > 172.19.4.41.25: S 3029008357:3029008357(0) win 64240 (DF) [tos 0xb8]
09:37:14.901276 rule 12/(match) pass out on vlan579: 10.156.81.10.55718 > 172.19.4.41.25: S 3597046675:3597046675(0) win 64240 [tos 0xb8]
09:37:35.901429 rule 12/(match) pass in on bge0: 10.156.81.10.55718 > 172.19.4.41.25: S 3029008357:3029008357(0) win 64240 (DF) [tos 0xb8]
09:37:35.901471 rule 12/(match) pass out on vlan579: 10.156.81.10.55718 > 172.19.4.41.25: S 3619107731:3619107731(0) win 64240 [tos 0xb8]

Now I am not sure what indicates this rule is used. From below:

@11 pass in quick inet proto tcp from 172.19.4.75 to 172.19.5.1 port = ssh flags any modulate state label "RULE -1 -- ACCEPT "
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 1901 State Creations: 0 ]
@12 pass log quick inet proto tcp from to port = smtp flags any modulate state label "RULE 0 -- ACCEPT "
  [ Evaluations: 111973184 Packets: 12400 Bytes: 893938 States: 6 ]

you have packets, bytes and states. Is it the state I must see incrementing? I have done this several times and I see the state incrementing.

@11 pass in quick inet proto tcp from 172.19.4.75 to 172.19.5.1 port = ssh flags any modulate state label "RULE -1 -- ACCEPT "
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 1901 State Creations: 0 ]
@12 pass log quick inet proto tcp from to port = smtp flags any modulate state label "RULE 0 -- ACCEPT "
  [ Evaluations: 111650386 Packets: 12362 Bytes: 891246 States: 24 ]

I do see states changing on this rule @12. What is the modulate state? I was looking in the book of PF and didn't see it as modulate; what setting is it, or how do I change that? Lastly, how do I disable scrub in tcp reassembly? I am not sure.
I will look into these, though.

Regards

----- Original Message ----
From: Damien Fleuriot
To: freebsd-pf@freebsd.org
Sent: Tue, February 28, 2012 3:06:55 AM
Subject: Re: PF issue (rule match but rule fails)

On 2/28/12 2:27 AM, csbender wrote:
> Hi Folks,
> it is great to join you.
> I am pretty new to the world of PF so please excuse some ignorance, at least for now.
>
> I have a PF running FreeBSD 8.2.
>
> Here is my issue...
>
> I have an SMTP rule allowing traffic in and out for certain networks.
> Some SMTP traffic fails, even though I see the rule match; I have no idea why.
>
> Evidence... Here I am sending email from a network which comes across the FW.
> Here is the tcpdump.
>
> # tcpdump -ni bge0 host 10.156.81.10 and port 25
> tcpdump: listening on bge0, link-type EN10MB
> 14:26:50.220591 10.156.81.10.60809 > 172.19.4.41.25: S 3154136673:3154136673(0) win 64240 1260,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop> (DF) [tos 0xb8]
> 14:26:50.244314 10.156.81.10.60809 > 172.19.4.41.25:R 3154136674:3154136735(61) ack 1245040067 win 0 (DF) [tos 0xb8]
> 14:27:11.233494 10.156.81.10.60809 > 172.19.4.41.25: S 3154136673:3154136673(0) win 64240 1260,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop> (DF) [tos 0xb8]
> 14:27:11.245057 10.156.81.10.60809 > 172.19.4.41.25:R 0:61(61) ack 1 win 0 (DF) [tos 0xb8]
>
> From the above it is easy to see traffic isn't passing.
>
> Below is the rule that this traffic should be matching.
>
> pass log quick inet proto tcp from to any port = smtp flags any modulate state label "RULE 1 -- ACCEPT "
>
> First question... what command can I run to verify that the rule above is pertaining to the traffic above?
> Secondly... what else could be squashing this SMTP traffic? It all works well when pfctl is -d.
>

First, check the logs from PF itself, not just a tcpdump from the interface, and check what rule number matches:

tcpdump -nei pflog0

Then, obviously, display your pf rules and check what rule matched the traffic, using its number:

pfctl -vvsr

Second, get rid of "modulate state" and use "keep state" instead.

Third, if that doesn't fix your problem, disable tcp reassembly in your "scrub" rules.

We had similar problems with scrubbing + TCP reassembly enabled over a year ago on 8.x
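The check Damien describes (read the matching rule number off pflog0, then look that rule's counters up in pfctl -vvsr and see whether they move between two connection attempts), as an added example that is not part of the thread. All sample output is constructed, modelled on the lines quoted above; the table name <smtp_src> is a made-up placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: correlate `tcpdump -nei pflog0` matches with
# `pfctl -vvsr` rule counters.  All sample output below is constructed, modelled on
# the lines quoted in the thread; the table name <smtp_src> is a made-up placeholder.
PFLOG_SAMPLE='09:37:14.901238 rule 12/(match) pass in on bge0: 10.156.81.10.55718 > 172.19.4.41.25: S 3029008357:3029008357(0) win 64240 (DF) [tos 0xb8]
09:37:14.901276 rule 12/(match) pass out on vlan579: 10.156.81.10.55718 > 172.19.4.41.25: S 3597046675:3597046675(0) win 64240 [tos 0xb8]
09:37:20.101000 rule 7/(match) block in on bge0: 10.156.81.10.55719 > 172.19.4.41.25: S 1:1(0) win 64240 [tos 0xb8]'

# Two `pfctl -vvsr` snapshots of the same ruleset, before and after one test connection.
PFCTL_BEFORE='@7 block drop in log quick on bge0 inet proto tcp from any to any port = smtp
  [ Evaluations: 15 Packets: 1 Bytes: 60 States: 0 ]
@12 pass log quick inet proto tcp from <smtp_src> to any port = smtp flags any modulate state label "RULE 0 -- ACCEPT "
  [ Evaluations: 111650386 Packets: 12362 Bytes: 891246 States: 6 ]'
PFCTL_AFTER='@7 block drop in log quick on bge0 inet proto tcp from any to any port = smtp
  [ Evaluations: 16 Packets: 2 Bytes: 120 States: 0 ]
@12 pass log quick inet proto tcp from <smtp_src> to any port = smtp flags any modulate state label "RULE 0 -- ACCEPT "
  [ Evaluations: 111973184 Packets: 12400 Bytes: 893938 States: 7 ]'

# pflog_rules: read pflog lines on stdin, print "hits rule action direction interface"
# per distinct combination, so the rule number each direction hit is visible at a glance.
pflog_rules() {
    awk '$2 == "rule" { split($3, r, "/"); sub(/:$/, "", $7); n[r[1] " " $4 " " $5 " " $7]++ }
         END { for (k in n) print n[k], k }' | sort -k2,2n -k4,4 -k5,5
}

# rule_counter N NAME: print counter NAME (Packets, Bytes, States, ...) of rule @N
# from `pfctl -vvsr` output on stdin.
rule_counter() {
    awk -v want="@$1" -v name="$2:" '
        $1 == want { grab = 1; next }
        grab && $2 == "Evaluations:" { for (i = 1; i <= NF; i++) if ($i == name) print $(i + 1); exit }'
}

# counter_delta N NAME BEFORE AFTER: how far a rule counter moved between two snapshots;
# a Packets delta of 0 for the rule pflog names means the traffic is not hitting it.
counter_delta() {
    b=$(printf '%s\n' "$3" | rule_counter "$1" "$2")
    a=$(printf '%s\n' "$4" | rule_counter "$1" "$2")
    echo $((a - b))
}

printf '%s\n' "$PFLOG_SAMPLE" | pflog_rules
echo "rule 12 Packets delta: $(counter_delta 12 Packets "$PFCTL_BEFORE" "$PFCTL_AFTER")"
echo "rule 12 States delta:  $(counter_delta 12 States "$PFCTL_BEFORE" "$PFCTL_AFTER")"
```

On a live box, feed `tcpdump -nei pflog0 -l` into pflog_rules and two captured runs of `pfctl -vvsr` into counter_delta; a rule that pflog reports as matching but whose Packets counter never moves points at a ruleset that was reloaded after the log line was written.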