From owner-freebsd-pf@FreeBSD.ORG Tue Dec 18 14:09:07 2007
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D840316A469 for ; Tue, 18 Dec 2007 14:09:07 +0000 (UTC) (envelope-from bounces@nabble.com)
Received: from kuber.nabble.com (kuber.nabble.com [216.139.236.158]) by mx1.freebsd.org (Postfix) with ESMTP id A0A7713C448 for ; Tue, 18 Dec 2007 14:09:07 +0000 (UTC) (envelope-from bounces@nabble.com)
Received: from isper.nabble.com ([192.168.236.156]) by kuber.nabble.com with esmtp (Exim 4.63) (envelope-from ) id 1J4cnQ-00045a-1Z for freebsd-pf@freebsd.org; Tue, 18 Dec 2007 05:47:44 -0800
Message-ID: <14397207.post@talk.nabble.com>
Date: Tue, 18 Dec 2007 05:47:44 -0800 (PST)
From: Atrox
To: freebsd-pf@freebsd.org
In-Reply-To: <200712180934.58755.silver.salonen@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Nabble-From: silver.salonen@gmail.com
References: <200712180934.58755.silver.salonen@gmail.com>
Subject: Re: occasional "Operation not permitted" on state-mismatch
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Tue, 18 Dec 2007 14:09:07 -0000

Atrox wrote:
>
> Hello!
>
> I have some FreeBSD boxes (2x 6.3-PRERELEASE (installed on 08.Dec),
> 1x 6.2-RELEASE) with PF configured. They are connected with OpenVPN
> LAN-to-LAN, and the problem is that a few times per hour the connection
> drops between computers from one LAN to another. At first I blamed
> OpenVPN, then I blamed bridge, but now I've realized that the problem
> is in PF.
> So I've tried increasing TCP timeouts and setting optimization
> to "aggressive", but well, it's still the same.
>
> I monitor connections by sending TCP packets once per second to some
> other host and waiting for a reply. I use Nagios-plugins' check_tcp for
> that. The script looks like:
> =====
> while [ 1 ]; do
>   pfctl -si | grep mismatch
>   /usr/local/libexec/nagios/check_tcp -H $host -p $port -t 2
>   pfctl -si | grep mismatch
>   sleep 1
> done
> =====
>
> So if I let this script into action, I see that in 2-3 minutes check_tcp
> gets an "Operation not permitted" error, and just at this moment the
> packet-mismatch counter is increased by one (on a machine with less
> traffic, I get the timeout in a few hours). That's on both 6.3-PRERELEASE
> as well as on 6.2-RELEASE. I've tried connections:
> * along WAN to IPFW-enabled machines
> * along WAN to PF-enabled machines
> * along LAN to PF-enabled machines
> * along LAN to Windows machines
> * along VPN to PF-enabled machines
> * along VPN to Windows machines
>
> Sometimes I get just some connection timeout: CRITICAL - Socket timeout
> after 2 seconds (I don't know what could cause that).
>
> I can see this behaviour on about every FreeBSD/PF machine I have.
>
> The basic PF configuration looks like:
> =====
> set block-policy return
> set loginterface $ext_if
> set timeout tcp.closed 15
> set optimization aggressive
> scrub in all no-df
>
> block drop out quick on $ext_if from ($ext_if) to 0.0.0.0
> block log all
> pass quick on lo0 all
> pass out all modulate state
> pass out proto tcp all flags S/SA modulate state
> pass on $int_if all modulate state
> pass on $int_if proto tcp all flags S/SA modulate state
> pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services flags S/SA modulate state
> =====
>
> Is PF buggy or have I misconfigured smth?
>

Today I installed an OpenBSD-4.2 box just to see whether PF does the same
thing there. And yes, it does.

pf.conf:
=====
ext_if = rl0
set block-policy return
set loginterface $ext_if
scrub in all no-df
block drop out quick on $ext_if from ($ext_if) to 0.0.0.0
pass all modulate state
pass quick on lo0 all
=====

I check TCP without "sleep 1" now, and I do it to a FreeBSD box without a
firewall. state-mismatch gets increased by one, and I get either "No route
to host" or "Socket timeout after 2 seconds".

Am I still misconfiguring the thing?

--
Silver
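A monitoring script in the spirit of the check_tcp loop quoted above, added here as an example and not part of the original thread: it reads the state-mismatch counter from `pfctl -si` before and after each probe and logs only the probes where the check failed or the counter moved, together with the pf states for the probed host, so each failure can be matched to a specific stale state. It assumes pfctl(8) and check_tcp at the path given in the post; the `pfctl -si` excerpt embedded in it is constructed so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post): correlate check_tcp failures
# with the pf "state-mismatch" counter instead of eyeballing two greps.

# Extract the state-mismatch counter from `pfctl -si` output read on stdin.
# The Counters block prints "  state-mismatch  <count>  <rate>/s".
mismatch_count() {
    awk '$1 == "state-mismatch" { print $2; exit }'
}

# Constructed excerpt of `pfctl -si` output, only used to test the parser.
SAMPLE_SI='Counters
  match                              1432             2.3/s
  bad-offset                            0             0.0/s
  state-mismatch                        3             0.0/s
  state-insert                          0             0.0/s'

# Run one probe against host:port and print a log line when the probe
# failed (non-zero exit) or the state-mismatch counter changed.
probe_once() {
    host=$1; port=$2
    before=$(pfctl -si | mismatch_count)
    out=$(/usr/local/libexec/nagios/check_tcp -H "$host" -p "$port" -t 2 2>&1)
    rc=$?
    after=$(pfctl -si | mismatch_count)
    if [ "$rc" -ne 0 ] || [ "$after" -ne "$before" ]; then
        printf '%s rc=%d state-mismatch=%s->%s %s\n' \
            "$(date '+%F %T')" "$rc" "$before" "$after" "$out"
        # Dump the states involving the probed host, so the entry that the
        # new connection collided with can be inspected after the fact.
        pfctl -ss | grep -- "$host"
    fi
}

# Same loop shape as the poster's script; run as: sh this.sh run <host> <port>
if [ "${1:-}" = "run" ]; then
    while :; do probe_once "$2" "$3"; sleep 1; done
fi
```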