From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Cc: Niek Dekker
Date: Tue, 28 Oct 2008 17:38:57 +0100
Subject: Re: Pf: packets on lo0 blocked in spite of pass rule

On Tuesday 28 October 2008 17:19:15 Jeremy Chadwick wrote:
> On Tue, Oct 28, 2008 at 04:10:34PM +0100, Niek Dekker wrote:
> > Hi,
> >
> > I upgraded recently from 6.2 to 7.0 release p5 (i386) and I'm using pf.
> > After the upgrade connection problems arose on lo0, for java > mysql
> > and apache > tomcat.
> > The network interfaces are all in default setup.
> >
> > Here is the output of pfctl -sr, cleaned from network numbers.
> >
> > scrub in all fragment reassemble
> > block drop in log all
> > block drop in log quick on fxp0 from to any
> > block drop out log quick on fxp0 from any to
> > block drop in log quick on fxp0 from to any
> > pass in on fxp0 inet proto tcp from any to ext_if port = smtp flags S/SA
> > keep state
> > pass in on fxp0 inet proto tcp from any to ext_if port = http flags S/SA
> > keep state
> > pass in on fxp0 inet proto tcp from any to ext_if port = ssh flags S/SA
> > keep state
> > pass out on fxp0 proto tcp all flags S/SA keep state
> > pass out on fxp0 proto udp all keep state
> > pass on lo0 proto tcp all flags S/SA keep state
> > pass on lo0 proto udp all keep state
> > block drop in on ! fxp0 inet from ext_network/25 to any
> > block drop in inet from ext_if to any
> >
> > Since the upgrade to 7.0, some packets on lo0 are being blocked
> > nevertheless. Apache httpd is connecting to Tomcat ajp on port 8009.
> > Some, but not all of these packets are blocked. For example (pflog):
> >
> > 627926 rule 0/0(match): block in on lo0: 127.0.0.1.57243 >
> > 127.0.0.1.8009: P 0:719(719) ack 1 win 8960
> > 132868137>
>
> I'm betting money this is a rule order problem. I *highly* recommend
> you stop with the "lo0" rules and use "set skip lo0" like you mention
> later on. This is a good idea for performance reasons as well; don't
> waste cycles having pf(4) parse packets for lo0, as nothing can talk
> to that interface except local stuff anyway.

Indeed. In fact, "set skip on" was especially made for this case. The
problem is that lo0 is special. The packet direction and the fact that on
lo0 127.0.0.1 talks to itself, greatly confuse the state checking. Hence
the option to skip an interface completely.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
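The change recommended in the thread, shown as an added pf.conf example rather than the poster's own ruleset: the two "pass on lo0" rules are dropped and lo0 is exempted from filtering with "set skip on lo0". Interface and service names come from the thread; the rest is constructed, and the table-based block rules whose names did not survive in the archive are left out.

```pf
# Constructed pf.conf (added example, not the original poster's config).
# "set skip" is an option, so it must appear before the first filter rule;
# once set, packets on lo0 never reach the rule set or the state table, which
# avoids the direction/127.0.0.1-to-127.0.0.1 confusion described above.
ext_if = "fxp0"

set skip on lo0

scrub in all fragment reassemble

# Default deny on everything that is still filtered, logged to pflog.
block drop in log all

# Inbound services on the external interface; $ext_if in an address
# position expands to that interface's address(es).
pass in on $ext_if inet proto tcp from any to $ext_if \
    port { smtp http ssh } flags S/SA keep state

# Outbound traffic from the host itself.
pass out on $ext_if proto tcp all flags S/SA keep state
pass out on $ext_if proto udp all keep state

# Anti-spoofing: external addresses must not arrive on other interfaces.
block drop in on ! $ext_if inet from ext_network/25 to any
block drop in inet from $ext_if to any
```

After loading with `pfctl -f /etc/pf.conf`, `pfctl -vsI` lists the interfaces pf knows about and marks lo0 with "(skip)"; a pflog entry showing "block in on lo0" after that means the rule set in force is not the one you just loaded.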