From owner-freebsd-pf@FreeBSD.ORG Wed Oct 31 10:48:01 2007
Message-Id: <200710310915.l9V9Fdld027372@post.frank-behrens.de>
From: "Frank Behrens"
To: freebsd-pf@freebsd.org
Date: Wed, 31 Oct 2007 10:15:39 +0100
In-reply-to: <200708021537.l72Fb69k004919@pinky.frank-behrens.de>
References: <200708021715.25167.max@love2party.net>
Subject: Re: pf eates syn packet?
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

Although this is an old thread, the problem is still present. Let's remember: as I wrote in
http://lists.freebsd.org/pipermail/freebsd-pf/2007-August/003642.html and related mails, I want
to do policy-based routing with pf. The basic rules are

    nat inet from !tun2-address to any port = http -> tun2-address
    nat on tun0 inet from to any -> tun0-address
    ....
    pass out quick on tun0 route-to (tun2 tun2-peer) inet from tun2-address to any keep state
    pass out quick on tun2 route-to (tun0 tun0-peer) inet from tun0-address to any keep state

I see the result that the 1st SYN packet cannot pass the pf firewall, because a state insertion
fails. Now I tried to debug this state handling and inserted some debug print statements in pf.c.
A typical session (with associated packets) is

    09:44:29 pfdbg: insert_state TCP 192.168.50.02:1948 84.182.202.81:57560 192.109.108.33:80 [lo=3608055223 high=3608055225 win=32768 modulator=0] [lo=0 high=1 win=1 modulator=0] 2:0 rule: 0 nat_rule: 0
    09:44:29 pfdbg: insert_state TCP 84.182.202.81:57560 84.182.202.81:57560 192.109.108.33:80 [lo=3608055223 high=3608055225 win=32768 modulator=0] [lo=0 high=1 win=1 modulator=0] 2:0 rule: 2
    09:44:29 pf: state insert failed: tree_ext_gwy lan: 84.182.202.81:57560 gwy: 84.182.202.81:57560 ext: 192.109.108.33:80
    09:44:29.475380 IP (tos 0x0, ttl 128, id 51971, offset 0, flags [DF], proto: TCP (6), length: 52) 192.168.50.02.1948 > 192.109.108.33.80: S, cksum 0x010e (correct), 3608055223:3608055223(0) win 65535
    09:44:32.573436 IP (tos 0x0, ttl 128, id 51988, offset 0, flags [DF], proto: TCP (6), length: 52) 192.168.50.02.1948 > 192.109.108.33.80: S, cksum 0x010e (correct), 3608055223:3608055223(0) win 65535

The repeated SYN after 3 seconds passes the firewall and the TCP session continues without any
problems.

The debug messages are created on pf.c (v1.45 2007/07/03) with

@@ -892,6 +892,16 @@
 int
 pf_insert_state(struct pfi_kif *kif, struct pf_state *state)
 {
+	if (pf_status.debug >= PF_DEBUG_MISC) {
+		printf("pfdbg: insert_state ");
+		pf_print_state(state);
+		if (state->rule.ptr)
+			printf(" rule: %x", (int)state->rule.ptr->nr);
+		if (state->nat_rule.ptr)
+			printf(" nat_rule: %x", (int)state->nat_rule.ptr->nr);
+		printf("\n");
+	}
+

Now my questions:

1. Is my setup correct or should I use other rules?
2. Is it right that pf tries to insert an additional state entry with lan and gwy addresses being
   the same, although a NAT entry is already inserted?

Regards, Frank
-- 
Frank Behrens, Osterwieck, Germany
PGP-key 0x5B7C47ED on public servers available.
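Review bot: in the added block, the rule numbers are printed with `%x` after a cast to `int`, so the `rule:` and `nat_rule:` values in the trace are hexadecimal, while `pfctl -vvsr` and `pfctl -vvsn` number rules in decimal; `nr` is an unsigned 32-bit field, so `printf(" rule: %u", state->rule.ptr->nr);` (and the same for `nat_rule`) gives numbers the reader can match directly against the rulesets. Worth a comment next to the output as well: the NAT ruleset and the filter ruleset are numbered independently, so a line such as `rule: 0 nat_rule: 0` names two different rules, not the same one.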
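The trace above shows the second insertion failing in tree_ext_gwy. The following Python model, added here and not code from the post or from pf itself, replays those two insert_state lines against the two state keys pf_insert_state() of that era used: tree_lan_ext keyed on protocol, lan and ext, and tree_ext_gwy keyed on protocol, ext and gwy, inserted in that order, with the first insertion backed out when the second collides. It is a simplification: the real trees are per-interface red-black trees that also key on the address family, and the names State, StateTable, describe, replay_trace and colliding_key are this example's own. Both insertions in the trace hit the same tree, so one table is enough to reproduce the failure.

```python
# Added example: a model of pf's two state-tree keys, used to replay the
# two "insert_state" lines from the trace.  Not pf code; the class and
# function names are this example's own, and the addresses are taken from
# the trace in the post.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Addr = Tuple[str, int]  # (address, port)


@dataclass(frozen=True)
class State:
    proto: str
    lan: Addr                     # original source, before translation
    gwy: Addr                     # translated source the peer sees
    ext: Addr                     # remote peer
    rule: int
    nat_rule: Optional[int] = None


def fmt(a: Addr) -> str:
    return "%s:%d" % a


def describe(s: State) -> str:
    # Same field order pf uses in its "state insert failed: ..." message.
    return "lan: %s gwy: %s ext: %s" % (fmt(s.lan), fmt(s.gwy), fmt(s.ext))


class StateTable:
    """pf_insert_state() inserts into tree_lan_ext first, then into
    tree_ext_gwy; if the second insert collides it removes the first
    entry again and reports the tree that rejected the state."""

    def __init__(self) -> None:
        self.lan_ext: Dict[tuple, State] = {}
        self.ext_gwy: Dict[tuple, State] = {}

    def insert(self, s: State) -> Optional[str]:
        k_lan_ext = (s.proto, s.lan, s.ext)
        k_ext_gwy = (s.proto, s.ext, s.gwy)
        if k_lan_ext in self.lan_ext:
            return "tree_lan_ext"
        self.lan_ext[k_lan_ext] = s
        if k_ext_gwy in self.ext_gwy:
            del self.lan_ext[k_lan_ext]   # back out, as pf does with RB_REMOVE
            return "tree_ext_gwy"
        self.ext_gwy[k_ext_gwy] = s
        return None


def colliding_key(a: State, b: State) -> Optional[str]:
    """Name the tree whose key two states share, or None if both can coexist."""
    if (a.proto, a.lan, a.ext) == (b.proto, b.lan, b.ext):
        return "tree_lan_ext"
    if (a.proto, a.ext, a.gwy) == (b.proto, b.ext, b.gwy):
        return "tree_ext_gwy"
    return None


def replay_trace() -> List[Tuple[Optional[str], str]]:
    """Replay the two insertion attempts from the trace (addresses constructed
    from the post) and return (failed_tree_or_None, description) for each."""
    client = ("192.168.50.2", 1948)
    tun2 = ("84.182.202.81", 57560)   # tun2-address after 'nat ... -> tun2-address'
    web = ("192.109.108.33", 80)
    table = StateTable()
    attempts = [
        # 1st line of the trace: state created together with the nat rule;
        # lan is still the LAN client, gwy is the translated tun2 address.
        State("tcp", lan=client, gwy=tun2, ext=web, rule=0, nat_rule=0),
        # 2nd line: the 'pass out quick on tun0 route-to (tun2 ...)' rule sees
        # the already translated packet, so lan == gwy == tun2 address.
        State("tcp", lan=tun2, gwy=tun2, ext=web, rule=2),
    ]
    return [(table.insert(s), describe(s)) for s in attempts]


if __name__ == "__main__":
    for failed, desc in replay_trace():
        if failed is None:
            print("inserted:", desc)
        else:
            print("state insert failed: %s %s" % (failed, desc))
```

Running it reproduces the trace: the first state goes in, the second is rejected by tree_ext_gwy with the same lan/gwy/ext line pf printed. colliding_key() states the reason directly: the two states differ in lan, so tree_lan_ext accepts both, but once the first state's gwy is the tun2 address, any further state for the same peer whose gwy is also that address shares its ext/gwy key, which is what the route-to rule on the other interface produces when it is evaluated against the already translated packet.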