Date:      Mon, 23 Jul 2012 03:30:05 +0200
From:      Damien Fleuriot <ml@my.gd>
To:        "jmattax@clanspum.net" <jmattax@clanspum.net>
Cc:        "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject:   Re: PF suddenly malfunctioned
Message-ID:  <2B5A7CC5-0950-47E9-928F-D5909238052C@my.gd>
In-Reply-To: <effb611b289f2b14d345c1cd63c9828a.squirrel@mail.clanspum.net>
References:  <effb611b289f2b14d345c1cd63c9828a.squirrel@mail.clanspum.net>


On 23 Jul 2012, at 01:49, jmattax@clanspum.net wrote:

> A few weeks ago (I've been trying to debug it myself since then) my pf
> firewall stopped working fully correctly. The symptom is that I can no longer
> access a variety of websites when I'm behind the firewall. I have verified
> that I can access all of the affected websites from outside my firewall. I
> have since stripped down my firewall (and general home server) so that it is
> no longer running named, sshguard or any useful firewalling rules in an
> attempt to figure out what was broken, but have been unable to do so.
>
> Attached are my current /etc/pf.conf and /etc/rc.conf. To ensure that these
> are the configurations being used, as of my last test I restarted the system
> and am still getting the same behavior. This behavior started sometime around
> a storm at my house, but since the firewall can see the websites that the
> computers behind it can't, I don't believe the hardware is an issue.
>
> Also, some websites (like anything Google hosts) are just fine.
>
> Also, so people can see what my kernel thinks, I've attached the output of a
> couple of commands below.
>
> [root@ ~]# pfctl -s rules
> No ALTQ support in kernel
> ALTQ related functions disabled
> pass in quick all flags S/SA keep state
> pass out quick all flags S/SA keep state
> [root@ ~]# pfctl -s nat
> No ALTQ support in kernel
> ALTQ related functions disabled
> nat on xl0 inet from 10.11.10.0/24 to any -> 192.168.0.200
> [root@stilgar ~]# ifconfig
> re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>        options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
>        ether 90:e6:ba:60:9a:33
>        inet 10.11.10.1 netmask 0xffffff00 broadcast 10.11.10.255
>        media: Ethernet autoselect (100baseTX <full-duplex>)
>        status: active
> xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>        options=82009<RXCSUM,VLAN_MTU,WOL_MAGIC,LINKSTATE>
>        ether 00:01:03:d1:fa:90
>        inet 192.168.0.200 netmask 0xffffff00 broadcast 192.168.0.255
>        media: Ethernet autoselect (100baseTX <full-duplex,flowcontrol,rxpause,txpause>)
>        status: active
> plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
> ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>        options=3<RXCSUM,TXCSUM>
>        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
>        inet6 ::1 prefixlen 128
>        inet 127.0.0.1 netmask 0xff000000
>        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
> pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33152
>
> I would be very appreciative of any suggestions anyone can offer.
>
>     Jason Mattax
>

1/ OS version? We can't tell from the current info.

2/ When the problem appears, have you tried disabling PF? (pfctl -d)
Does it help?

3/ The websites wouldn't be using connection recycling per chance? (Linux)
We've had a lot of problems with Linux enabled hosts using recycling; having
them turn it off solved the problems.
There was not a thing we found on our side to fix it.
Disabling scrubbing wouldn't help either.
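An added illustration of the mechanism behind point 3, written for this page and not taken from the thread or from the PF or Linux sources. It models the per-peer timestamp check a Linux server applied when net.ipv4.tcp_tw_recycle=1 (a sysctl removed in Linux 4.12): the server remembers the last TCP timestamp it saw from each source address, and a new SYN from that address whose timestamp is lower, arriving within the 60-second PAWS window, is taken for a stale duplicate and dropped with no RST. Behind NAT every LAN host shares one source address (here the poster's xl0 address 192.168.0.200), but each host has its own timestamp clock, so whichever host's clock reads lower has its connections silently dropped while another host keeps working, and sites that do not recycle are unaffected. The timestamp values, arrival times and host names in the scenario are constructed; the 60-second and 1-tick constants mirror the Linux check as this model understands it.

```python
# Model of a Linux server with tcp_tw_recycle=1 dropping SYNs from NAT'd clients.
# Illustrative code for this page; not from the thread, PF or the Linux kernel.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TCP_PAWS_MSL = 60     # seconds during which an "older" timestamp from a peer is distrusted
TCP_PAWS_WINDOW = 1   # slack (in timestamp ticks) before a value counts as going backwards


@dataclass
class Syn:
    src_ip: str               # source address the server sees (the NAT's outside address)
    tsval: Optional[int]      # TCP timestamp option, ticks since the *client* booted; None if absent
    arrival: float            # server clock, seconds


@dataclass
class Server:
    recycle: bool
    # per-peer memory kept by tw_recycle: (last timestamp seen, when it was seen)
    peers: Dict[str, Tuple[int, float]] = field(default_factory=dict)

    def accept_syn(self, syn: Syn) -> bool:
        """Return True if the SYN gets a SYN-ACK, False if the server drops it."""
        if not self.recycle or syn.tsval is None:
            return True  # no recycling, or no timestamp option: nothing to compare against
        remembered = self.peers.get(syn.src_ip)
        if remembered is not None:
            last_tsval, last_seen = remembered
            recent = syn.arrival - last_seen < TCP_PAWS_MSL
            went_backwards = last_tsval - syn.tsval > TCP_PAWS_WINDOW
            if recent and went_backwards:
                return False  # looks like a delayed duplicate of an old connection: dropped, no RST
        self.peers[syn.src_ip] = (syn.tsval, syn.arrival)
        return True


NAT_OUTSIDE_IP = "192.168.0.200"  # the poster's xl0 address; every LAN host appears as this


def nat_scenario(recycle: bool) -> List[bool]:
    """Two LAN hosts with unsynchronised timestamp clocks share one NAT address.

    Host A has been up a long time (high tsval), host B just booted (low tsval).
    Returns the accept/drop verdict for each SYN in order.
    """
    server = Server(recycle=recycle)
    syns = [  # constructed traffic
        Syn(NAT_OUTSIDE_IP, tsval=5_000_000, arrival=0.0),   # host A
        Syn(NAT_OUTSIDE_IP, tsval=1_200, arrival=5.0),       # host B, clock far behind A's
        Syn(NAT_OUTSIDE_IP, tsval=5_010_000, arrival=10.0),  # host A again
        Syn(NAT_OUTSIDE_IP, tsval=11_200, arrival=15.0),     # host B again, still behind
    ]
    return [server.accept_syn(s) for s in syns]


def no_timestamp_scenario() -> bool:
    """A client that sends no timestamp option is never subject to the check."""
    server = Server(recycle=True)
    server.accept_syn(Syn(NAT_OUTSIDE_IP, tsval=9_000_000, arrival=0.0))
    return server.accept_syn(Syn(NAT_OUTSIDE_IP, tsval=None, arrival=1.0))


if __name__ == "__main__":
    print("recycling site :", nat_scenario(recycle=True))   # host B's SYNs are dropped
    print("normal site    :", nat_scenario(recycle=False))  # everything accepted
    print("no timestamps  :", no_timestamp_scenario())
```

The model shows why the firewall itself can reach the sites (one host, one clock) while only some machines behind it fail, and why no pf.conf change, scrub included, helps: the SYN is discarded on the far end. The fix belongs to the server operator (turning recycling off). The only knob on the client side is to stop emitting timestamps, which the no_timestamp_scenario reflects; on FreeBSD that is net.inet.tcp.rfc1323=0, which also disables window scaling, so it is a diagnostic rather than a recommended permanent setting.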


