From owner-freebsd-stable@FreeBSD.ORG Tue Nov 13 00:28:12 2007
From: Johan Ström <johan@stromnet.se>
To: Johan Ström <johan@stromnet.se>
Cc: freebsd-stable@freebsd.org
Date: Tue, 13 Nov 2007 00:50:35 +0100
Subject: Re: Jails and PF states on localhost
Message-Id: <188F0806-EB84-4044-A572-C9DCA75229F5@stromnet.se>
In-Reply-To: <74777995-192A-4058-ABE5-8BA1676B0654@stromnet.se>
List-Id: Production branch of FreeBSD source code (freebsd-stable@freebsd.org)
No-one with any clues or recommendations? :/ CCing to -stable too.. Thanks

--
Johan Ström
Stromnet
johan@stromnet.se
http://www.stromnet.se/

On Oct 29, 2007, at 09:37 , Johan Ström wrote:

> Hello
>
> I got a FreeBSD 6.2 box running a few jails, with a pretty strict
> PF ruleset. I got a problem with traffic between two of the jails.
> Both have public IPs (one of them has two using the jail-multiple-
> ip-patch). The problem I have is when they are to talk with each
> other. First let me describe the PF ruleset (somewhat stripped
> down but this should be the relevant stuff)
>
> jail1=xx.xx.xx.131
> jail2a=xx.xx.xx.133
> jail2b=xx.xx.xx.134
> scrub in all
> block drop in log
> # base system talk to itself
> pass in on lo0 inet from 127.0.0.1 to 127.0.0.1
>
> # all can talk out
> pass out on em0 proto tcp flags S/SA modulate state
> pass out on em0 proto udp keep state
>
> # jails talk to themselves
> pass in on lo0 inet from $jail1 to $jail1
> pass in on lo0 inet from {$jail2a $jail2b} to {$jail2a $jail2b}
>
> # let smtp in on jail1
> pass in on {lo0 em0} inet proto tcp from any to $jail1 port smtp flags S/SA modulate state
>
> Okay, so the problem occurs when jail2 shall talk to jail1 on port
> 25 (smtp). From the above rules, when the traffic leaves jail2
> (traffic comes from $jail2b it seems) it should match the last rule
> and create a state. And so it does!
>
> self tcp xx.xx.xx:25 <- xx.xx.xx.134:57557 SYN_SENT:ESTABLISHED
> [3014249759 + 65536](+2074393365) wscale 1 [4121000179 + 65536](+541973245) wscale 1
> age 00:01:03, expires in 00:00:01, 7:10 pkts, 384:640 bytes
>
> So the SYN arrives at $jail1, but the SYNACK fails to go back to
> $jail2b (where the state should let the packet back in?), which is
> also seen in the following row from pflog0:
>
> 09:30:34.370402 rule 1/0(match): block in on lo0: (tos 0x0, ttl 64, id 35618, offset 0, flags [DF], proto: TCP (6), length: 64) xx.xx.xx.131.25 > xx.xx.xx.134.57557: S 793675827:793675827(0) ack 4121000179 win 65535
>
> So.. What have I missed? The state is created but it doesn't seem to
> match enough bytes or something? 384:640 matched packets, so it
> matches in both directions?
>
> Any clues are welcome! Thanks
>
> --
> Johan Ström
> Stromnet
> johan@stromnet.se
> http://www.stromnet.se/
>
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"