From: Damien Fleuriot <ml@my.gd>
Date: Mon, 23 Jul 2012 03:30:05 +0200
To: "jmattax@clanspum.net"
Cc: "freebsd-pf@freebsd.org"
Subject: Re: PF suddenly malfunctioned
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 23 Jul 2012, at 01:49, jmattax@clanspum.net wrote:

> A few weeks ago (I've been trying to debug it myself since then) my pf
> firewall stopped working fully correctly. The symptom is that I can no longer
> access a variety of websites when I'm behind the firewall. I have verified
> that I can access all of the affected websites from outside my firewall. I
> have since stripped down my firewall (and general home server) so that it is
> no longer running named, sshguard or any useful firewalling rules in an
> attempt to figure out what was broken, but have been unable to do so.
>
> Attached are my current /etc/pf.conf and /etc/rc.conf; to ensure that these
> are the configurations being used, as of my last test I restarted the system
> and am still getting the same behavior. This behavior started sometime around
> a storm at my house, but since the firewall can see the websites that the
> computers behind it can't, I don't believe the hardware is an issue.
>
> Also, some websites (like anything Google hosts) are just fine.
>
> Also, so people can see what my kernel thinks, I've attached the output of a
> couple of commands below.
>
> [root@ ~]# pfctl -s rules
> No ALTQ support in kernel
> ALTQ related functions disabled
> pass in quick all flags S/SA keep state
> pass out quick all flags S/SA keep state
> [root@ ~]# pfctl -s nat
> No ALTQ support in kernel
> ALTQ related functions disabled
> nat on xl0 inet from 10.11.10.0/24 to any -> 192.168.0.200
> [root@stilgar ~]# ifconfig
> re0: flags=8843 metric 0 mtu 1500
>         options=389b
>         ether 90:e6:ba:60:9a:33
>         inet 10.11.10.1 netmask 0xffffff00 broadcast 10.11.10.255
>         media: Ethernet autoselect (100baseTX )
>         status: active
> xl0: flags=8843 metric 0 mtu 1500
>         options=82009
>         ether 00:01:03:d1:fa:90
>         inet 192.168.0.200 netmask 0xffffff00 broadcast 192.168.0.255
>         media: Ethernet autoselect (100baseTX )
>         status: active
> plip0: flags=8810 metric 0 mtu 1500
> ipfw0: flags=8801 metric 0 mtu 65536
> lo0: flags=8049 metric 0 mtu 16384
>         options=3
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
>         inet6 ::1 prefixlen 128
>         inet 127.0.0.1 netmask 0xff000000
>         nd6 options=3
> pflog0: flags=141 metric 0 mtu 33152
>
> I would be very appreciative of any suggestions anyone can offer.
>
> Jason Mattax
>

1/ OS version? We can't tell from the current info.

2/ When the problem appears, have you tried disabling PF? (pfctl -d) Does it help?

3/ The websites wouldn't be using connection recycling per chance? (Linux)

We've had a lot of problems with Linux enabled hosts using recycling; having them turn it off solved the problems. There was not a thing we found on our side to fix it. Disabling scrubbing wouldn't help either.
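The "connection recycling" in point 3/ refers to TIME_WAIT recycling on the remote server (the Linux tcp_tw_recycle sysctl), which is what makes several hosts sharing one NAT address, such as the 10.11.10.0/24 LAN behind 192.168.0.200 in this thread, lose connections to some sites and not others. The following simulation is an added example written for this archive page, not code from either poster or from pf itself. It models the recycling rule as I understand it (a per-peer-IP "last timestamp" that rejects SYNs carrying a lower TCP timestamp for roughly one TIME_WAIT period) and uses constructed per-host timestamp clocks; the NAT address is the one from the original report.

```python
"""Why server-side TIME_WAIT recycling drops SYNs from hosts behind one NAT.

Model (an assumption about the Linux tcp_tw_recycle behaviour, not pf code):
a recycling server remembers, per peer IP, the TCP timestamp it last saw from
that IP. For about one TIME_WAIT period it treats a new SYN from the same IP
with a *smaller* timestamp as a stale duplicate and silently drops it. Each
host has its own timestamp clock, so two hosts behind one NAT look like one
peer whose clock jumps backwards; the host with the lower clock loses.
"""
from dataclasses import dataclass, field

TIME_WAIT_SECONDS = 60          # constructed: how long the server remembers a peer
NAT_ADDRESS = "192.168.0.200"   # the NAT address from the original report


@dataclass
class Client:
    """A LAN host whose 32-bit TCP timestamp clock starts at an arbitrary offset."""
    name: str
    ts_offset: int

    def syn_timestamp(self, now_s: int) -> int:
        # Timestamps tick roughly in milliseconds; the offset is the arbitrary
        # per-host start value that makes clocks of different hosts incomparable.
        return (now_s * 1000 + self.ts_offset) & 0xFFFFFFFF


def signed32(delta: int) -> int:
    """Interpret a 32-bit difference as signed, the way PAWS compares timestamps."""
    return ((delta + 0x80000000) & 0xFFFFFFFF) - 0x80000000


@dataclass
class Server:
    """A web server; recycle=True models TIME_WAIT recycling being switched on."""
    recycle: bool
    last_seen: dict = field(default_factory=dict)  # peer IP -> (timestamp, wall clock)

    def accept_syn(self, peer_ip: str, ts: int, now_s: int) -> bool:
        """Return True if the SYN is accepted, False if dropped as a stale duplicate."""
        if self.recycle and peer_ip in self.last_seen:
            prev_ts, prev_time = self.last_seen[peer_ip]
            recent = now_s - prev_time < TIME_WAIT_SECONDS
            if recent and signed32(ts - prev_ts) < 0:
                return False  # looks like an old segment from a recycled connection
        # Recycling off, no recent record, or the timestamp moved forward: accept.
        self.last_seen[peer_ip] = (ts, now_s)
        return True


def simulate(recycle: bool) -> list:
    """Two LAN hosts behind one NAT contact the same server.

    Returns (host, time_s, accepted) per attempt. Constructed schedule: host-a
    connects, host-b tries right after, host-a again, then host-b once the
    server's memory of the NAT address has aged past TIME_WAIT_SECONDS.
    """
    host_a = Client("host-a", ts_offset=5_000_000)  # constructed: "high" clock
    host_b = Client("host-b", ts_offset=1_000)      # constructed: "low" clock
    server = Server(recycle=recycle)
    schedule = [(host_a, 0), (host_b, 1), (host_a, 2), (host_b, 2 + TIME_WAIT_SECONDS + 1)]
    results = []
    for host, t in schedule:
        accepted = server.accept_syn(NAT_ADDRESS, host.syn_timestamp(t), t)
        results.append((host.name, t, accepted))
    return results


if __name__ == "__main__":
    for recycle in (True, False):
        print(f"recycling {'on' if recycle else 'off'}:")
        for host, t, ok in simulate(recycle):
            print(f"  t={t:3d}s {host}: {'accepted' if ok else 'DROPPED'}")
```

With recycling on, host-b's SYN is dropped whenever host-a has talked to the same server within the last minute, which is exactly the "some sites work, some don't, and the firewall itself can reach everything" pattern in the report: the firewall is a single host with a single clock. Nothing in pf.conf, including scrub, can change the outcome, because the decision is taken by the remote server; the fix is on that side (turning recycling off, and the tcp_tw_recycle option was eventually removed from the Linux kernel in 4.12).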