From: "Alexandre Biancalana" <biancalana@gmail.com>
To: freebsd-pf@freebsd.org
Date: Tue, 15 Jan 2008 20:58:50 -0200
Message-ID: <8e10486b0801151458j2a3e104am6c30619ddfb08974@mail.gmail.com>
In-Reply-To: <8e10486b0801131404ne3c2339o3493a938046f2018@mail.gmail.com>
Subject: Re: carpdev ...

On 1/13/08, Alexandre Biancalana wrote:
> On 1/11/08, Scott Ullrich wrote:
> > Thank you. Do you see the states on the backup machine when it is in the
> > backup status mode?
> >
> > pfctl -ss
> >
> > You should see a similar output on the backup machine as the primary.
>
> Yes, the output is the same...

I found another problem; I think this could be related to the patch, because this did not happen before...

In these firewalls I have only one real IP address on each link, so I have to redirect some ports to internal servers. All services are working (http, smtp, pop3, imap) but ftp does not work: when you try to connect, the connection is lost. Look at this:

tcpdump -nettti pflog0 port 21
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
000000 rule 3/0(match): block in on virtua: 201.21.xxx.xxx.52558 > 201.6.xxx.xxx.21: tcp 28 [bad hdr length 0 - too short, < 20]
3. 198670 rule 3/0(match): block in on virtua: 201.21.xxx.xxx.52558 > 201.6.xxx.xxx.21: tcp 28 [bad hdr length 0 - too short, < 20]
3. 235008 rule 3/0(match): block in on virtua: 201.21.xxx.xxx.52558 > 201.6.xxxx.xxx.21: tcp 28 [bad hdr length 0 - too short, < 20]
6. 195725 rule 3/0(match): block in on virtua: 201.21.xxx.xxx.52558 > 201.6.xxx.xxx.21: tcp 28 [bad hdr length 0 - too short, < 20]

Then I tried to remove the block rule, and the output changed to:

000000 rule 3/0(match): pass in on virtua: 201.21.xxx.xxx.52558 > 201.6.xxx.xxx.21: tcp 28 [bad hdr length 0 - too short, < 20]
3. 198670 rule 3/0(match): pass in on virtua: 201.21.xxx.xxx.52558 > 201.6.xxx.xxx.21: tcp 28 [bad hdr length 0 - too short, < 20]
3. 235008 rule 3/0(match): pass in on virtua: 201.21.xxx.xxx.52558 > 201.6.xxxx.xxx.21: tcp 28 [bad hdr length 0 - too short, < 20]
6. 195725 rule 3/0(match): pass in on virtua: 201.21.xxx.xxx.52558 > 201.6.xxx.xxx.21: tcp 28 [bad hdr length 0 - too short, < 20]

Any ideas?
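The pflog lines above carry the useful signal in the trailing decode note, not in the rule action: every packet to port 21 is reported with a TCP header length of 0, whether the rule says block or pass. As an added example (not code from the post, the thread, or pf/tcpdump themselves), the following parser reads pflog lines of the shape printed by "tcpdump -n -e -i pflog0", splits out rule, action, interface and endpoints, and tallies per destination port how many logged packets had an undecodable TCP header. The sample input embeds the masked lines from the post plus one constructed, well-formed SYN to port 22 so the contrast is visible; the timestamp prefix is skipped because its shape depends on the -t flags used.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: three of the pflog lines from the post (addresses masked
# by the original poster) plus one constructed healthy SYN to port 22.
SAMPLE_PFLOG = """\
000000 rule 3/0(match): block in on virtua: 201.21.xxx.xxx.52558 > 201.6.xxx.xxx.21: tcp 28 [bad hdr length 0 - too short, < 20]
3. 198670 rule 3/0(match): block in on virtua: 201.21.xxx.xxx.52558 > 201.6.xxx.xxx.21: tcp 28 [bad hdr length 0 - too short, < 20]
3. 235008 rule 3/0(match): pass in on virtua: 201.21.xxx.xxx.52558 > 201.6.xxxx.xxx.21: tcp 28 [bad hdr length 0 - too short, < 20]
6. 195725 rule 7/0(match): pass in on virtua: 10.0.0.5.40000 > 10.0.0.1.22: S 1000:1000(0) win 65535 <mss 1460>
"""

# Matches from "rule N/M(reason):" onward; whatever tcpdump printed after the
# destination endpoint is kept verbatim as `detail` for later inspection.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/(?P<subrule>\d+)\((?P<reason>[^)]*)\): "
    r"(?P<action>block|pass|match) (?P<direction>in|out) on (?P<iface>[^:]+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<detail>.*)$"
)
# tcpdump emits this note when the TCP data offset is below the 20-byte minimum.
BAD_HDR_RE = re.compile(r"\[bad hdr length (?P<hlen>\d+)")


@dataclass
class PflogEntry:
    rule: int
    reason: str
    action: str
    direction: str
    iface: str
    src_host: str
    src_port: Optional[int]
    dst_host: str
    dst_port: Optional[int]
    detail: str
    bad_header: bool  # True when tcpdump could not decode the TCP header


def _split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """Split 'host.port' as printed by tcpdump -n; port is None for port-less protocols."""
    host, sep, port = endpoint.rpartition(".")
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None


def parse_pflog_line(line: str) -> Optional[PflogEntry]:
    """Parse one pflog line; returns None for banner/warning lines."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    src_host, src_port = _split_endpoint(m.group("src"))
    dst_host, dst_port = _split_endpoint(m.group("dst"))
    detail = m.group("detail")
    return PflogEntry(
        rule=int(m.group("rule")),
        reason=m.group("reason"),
        action=m.group("action"),
        direction=m.group("direction"),
        iface=m.group("iface"),
        src_host=src_host, src_port=src_port,
        dst_host=dst_host, dst_port=dst_port,
        detail=detail,
        bad_header=BAD_HDR_RE.search(detail) is not None,
    )


def parse_pflog(text: str) -> List[PflogEntry]:
    """Parse a whole capture, silently skipping non-packet lines."""
    return [e for e in (parse_pflog_line(l) for l in text.splitlines()) if e is not None]


def summarize(entries: List[PflogEntry]) -> Dict[str, Dict[str, int]]:
    """Count packets per action:port and, separately, bad-header packets per port.
    A port whose every logged packet is a bad header is the first thing to look at,
    independent of whether the matching rule said block or pass."""
    by_action_port: Dict[str, int] = {}
    bad_by_port: Dict[str, int] = {}
    for e in entries:
        key = f"{e.action}:{e.dst_port}"
        by_action_port[key] = by_action_port.get(key, 0) + 1
        if e.bad_header:
            pkey = str(e.dst_port)
            bad_by_port[pkey] = bad_by_port.get(pkey, 0) + 1
    return {"by_action_port": by_action_port, "bad_header_by_port": bad_by_port}


if __name__ == "__main__":
    parsed = parse_pflog(SAMPLE_PFLOG)
    for e in parsed:
        flag = "BAD-HDR" if e.bad_header else "ok"
        print(f"rule {e.rule} {e.action} {e.direction} {e.iface} "
              f"{e.src_host}:{e.src_port} -> {e.dst_host}:{e.dst_port} {flag}")
    print(summarize(parsed))
```

Run against the sample, the summary shows all three port-21 packets as bad-header regardless of block or pass, while the port-22 line parses cleanly; on a real capture, feed it the output of tcpdump on pflog0 and compare the bad-header counts per port before and after a rule or patch change.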