Date: Mon, 29 Oct 2007 09:37:45 +0100
From: Johan Ström <johan@stromnet.se>
To: freebsd-pf@freebsd.org
Subject: Jails and PF states on localhost
Message-ID: <74777995-192A-4058-ABE5-8BA1676B0654@stromnet.se>
Hello

I have a FreeBSD 6.2 box running a few jails, with a pretty strict PF ruleset. I have a problem with traffic between two of the jails. Both have public IPs (one of them has two, using the jail-multiple-ip patch). The problem I have is when they are to talk with each other.

First let me describe the PF ruleset (somewhat stripped down, but this should be the relevant stuff):

jail1=xx.xx.xx.131
jail2a=xx.xx.xx.133
jail2b=xx.xx.xx.134

scrub in all

block drop in log

# base system talk to itself
pass in on lo0 inet from 127.0.0.1 to 127.0.0.1

# all can talk out
pass out on em0 proto tcp flags S/SA modulate state
pass out on em0 proto udp keep state

# jails talk to themselves
pass in on lo0 inet from $jail1 to $jail1
pass in on lo0 inet from {$jail2a $jail2b} to {$jail2a $jail2b}

# let smtp in on jail1
pass in on {lo0 em0} inet proto tcp from any to $jail1 port smtp flags S/SA modulate state

Okay, so the problem occurs when jail2 shall talk to jail1 on port 25 (smtp). From the above rules, when the traffic leaves jail2 (traffic comes from $jail2b it seems) it should match the last rule and create a state. And so it does!

self tcp xx.xx.xx:25 <- xx.xx.xx.134:57557       SYN_SENT:ESTABLISHED
   [3014249759 + 65536](+2074393365) wscale 1  [4121000179 + 65536] (+541973245) wscale 1
   age 00:01:03, expires in 00:00:01, 7:10 pkts, 384:640 bytes

So the SYN arrives at $jail1, but the SYN-ACK fails to go back to $jail2b (where the state should let the packet back in?), which is also seen in the following row from pflog0:

09:30:34.370402 rule 1/0(match): block in on lo0: (tos 0x0, ttl 64, id 35618, offset 0, flags [DF], proto: TCP (6), length: 64) xx.xx.xx.131.25 > xx.xx.xx.134.57557: S 793675827:793675827(0) ack 4121000179 win 65535 <mss 1460,nop,wscale 1,[|tcp]>

So... What have I missed? The state is created but it doesn't seem to match enough bytes or something? 384:640 matched packets, so it matches in both directions?

Any clues are welcome!

Thanks

--
Johan Ström
Stromnet
johan@stromnet.se
http://www.stromnet.se/
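Added editor's example, not part of Johan's message or of any reply on this thread; the reading of the problem below is the editor's, based on the posted state entry and pflog line. On lo0 every packet passes through pf twice, once out and once in, because the loopback interface hands it straight back to the input path. The state created by the smtp rule on the SYN's inbound pass only matches $jail2b -> $jail1:25 packets going in and $jail1:25 -> $jail2b packets going out. The SYN-ACK therefore matches the state on its outbound pass over lo0 (which is why the counters show packets in both directions), but when the same packet is looped back and arrives in on lo0 it is looked up with the addresses reversed, finds no state, falls through to "block drop in log" and shows up in pflog exactly as quoted. Two ways to handle this are shown in the ruleset fragment, which reuses the macro names and interface names from the message (addresses stay abbreviated as in the original):

```pf
# Macros as in the original message (addresses abbreviated there, kept abbreviated here)
jail1  = "xx.xx.xx.131"
jail2a = "xx.xx.xx.133"
jail2b = "xx.xx.xx.134"

# Option A: do not filter lo0 at all. This is the common recommendation
# for loopback, but it also switches off the lo0 half of every rule below,
# so inter-jail traffic is then not filtered by pf. Options must precede
# scrub and filter rules in pf.conf; uncomment to use.
# set skip on lo0

scrub in all

block drop in log

# base system talk to itself
pass in on lo0 inet from 127.0.0.1 to 127.0.0.1

# all can talk out
pass out on em0 proto tcp flags S/SA modulate state
pass out on em0 proto udp keep state

# jails talk to themselves (unchanged from the original)
pass in on lo0 inet from $jail1 to $jail1
pass in on lo0 inet from {$jail2a $jail2b} to {$jail2a $jail2b}

# Option B: keep filtering lo0 but let jail1's smtp replies back in.
# The smtp state below is created by the SYN on its inbound pass, so it
# only matches jail2 -> jail1 inbound and jail1 -> jail2 outbound. Because
# lo0 traffic is also seen inbound on the way back, the SYN-ACK and all
# later jail1:25 -> jail2 segments need a stateless pass of their own.
# This stays narrower than "set skip on lo0": only port 25 replies pass.
pass in on lo0 inet proto tcp from $jail1 port smtp to {$jail2a $jail2b}

# let smtp in on jail1 (unchanged; still creates the state for em0 and lo0)
pass in on {lo0 em0} inet proto tcp from any to $jail1 port smtp flags S/SA modulate state
```

Option B is the one that preserves the strict per-jail policy from the message; option A is less work and is what most loopback-heavy setups end up with, at the price of no pf filtering between jails. Whichever is chosen, a "pfctl -ss" after the next connection attempt should show the state above advancing past SYN_SENT:ESTABLISHED, and the "block in on lo0" entry for $jail1.25 should stop appearing in pflog0.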