Date: Mon, 25 Feb 2013 00:16:49 -0500
From: Jason Hellenthal <jhellenthal@DataIX.net>
To: wishmaster <artemrts@ukr.net>
Cc: "freebsd-pf@FreeBSD.org" <freebsd-pf@freebsd.org>
Subject: Re: pf bad cksum on loopback
Message-ID: <00B97EDD-F815-49DE-B045-03A68BD648CD@DataIX.net>
In-Reply-To: <51075.1361751074.6390892036295163904@ffe6.ukr.net>
References: <51075.1361751074.6390892036295163904@ffe6.ukr.net>
Have you attempted to...
ifconfig lo0 -txcsum -rxcsum
And see if that solves your problem. I've had to do this numerous times with pf on 8.1 -> 8.3
Check the syntax of the flags though, it's been a while since I looked at that issue.
--
Jason Hellenthal
JJH48-ARIN
- (2^(N-1))
On Feb 24, 2013, at 19:11, "wishmaster" <artemrts@ukr.net> wrote:
Hello,
In my FreeBSD (9.1-STABLE i386) server there is a jail with nginx/apache + php + etc stuff... All works fine, but with ftp not so good.
In the jail I have installed an ftp server, listening on IP 10.15.1.1. This IP address (alias) is on the internal interface bridge0. This bridge consists of 3 NICs.
I am unable to connect to this ftp server either from the same jail or from the base host. With PF completely disabled, connections to ftpd are successful.
I have figured out that the problem is in the antispoof rule:
antispoof log quick for {bridge0 lo0} inet
(@4 block drop in log quick on ! bridge0 inet from 10.15.1.0/24 to any)
Below is the tcpdump output:
01:42:27.348025 rule 50..16777216/0(match): pass out on lo0: (tos 0x0, ttl 128, id 8002, offset 0, flags [DF], proto TCP (6), length 60)
10.15.1.1.63392 > 10.15.1.1.2121: Flags [SEW], cksum 0x0277 (correct), seq 3376923564, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 107831611 ecr 0], length 0
01:42:27.348165 rule 4..16777216/0(match): block in on lo0: (tos 0x0, ttl 128, id 8002, offset 0, flags [DF], proto TCP (6), length 60, bad cksum 0 (->c55a)!)
10.15.1.1.63392 > 10.15.1.1.2121: Flags [SEW], cksum 0x0277 (correct), seq 3376923564, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 107831611 ecr 0], length 0
01:42:30.347549 rule 4..16777216/0(match): block in on lo0: (tos 0x0, ttl 128, id 60408, offset 0, flags [DF], proto TCP (6), length 60, bad cksum 0 (->f8a3)!)
10.15.1.1.63392 > 10.15.1.1.2121: Flags [SEW], cksum 0xf6be (correct), seq 3376923564, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 107834611 ecr 0], length 0
01:42:33.547564 rule 4..16777216/0(match): block in on lo0: (tos 0x0, ttl 128, id 12125, offset 0, flags [DF], proto TCP (6), length 60, bad cksum 0 (->b53f)!)
10.15.1.1.63392 > 10.15.1.1.2121: Flags [S], cksum 0xeafe (correct), seq 3376923564, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 107837811 ecr 0], length 0
01:42:36.747569 rule 4..16777216/0(match): block in on lo0: (tos 0x0, ttl 128, id 25338, offset 0, flags [DF], proto TCP (6), length 48, bad cksum 0 (->81ae)!)
10.15.1.1.63392 > 10.15.1.1.2121: Flags [S], cksum 0xa6fe (correct), seq 3376923564, win 65535, options [mss 16344,sackOK,eol], length 0
The workaround is something like this rule:
set skip on lo0
but this is unsuitable for me. For security reasons I must use PF to filter traffic from the jail to the base system.
Cheers,
Vitaliy
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
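As a defender-side aid for the pflog output quoted in the thread, here is an added Python example (not part of the thread, and not pf or FreeBSD code) that parses the two-line tcpdump-on-pflog0 records shown above, counts blocks per rule number, and singles out packets blocked inbound on lo0 that are addressed from a local address to itself and carry an IP header checksum tcpdump flagged as bad. The sample input is the thread's own five records embedded as a constructed string; the record layout it assumes is exactly the one shown, and the PflogRecord type and the function names are this example's own.

```python
"""Parse pflog(4) records as printed by verbose tcpdump and flag the
loopback/bad-checksum pattern seen in the thread.  Added example, not
from the thread; the record format assumed is the two-line one shown there."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the five records quoted in the thread
# (one "pass out on lo0", then four blocks by rule 4 "in on lo0").
SAMPLE_PFLOG = """\
01:42:27.348025 rule 50..16777216/0(match): pass out on lo0: (tos 0x0, ttl 128, id 8002, offset 0, flags [DF], proto TCP (6), length 60)
10.15.1.1.63392 > 10.15.1.1.2121: Flags [SEW], cksum 0x0277 (correct), seq 3376923564, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 107831611 ecr 0], length 0
01:42:27.348165 rule 4..16777216/0(match): block in on lo0: (tos 0x0, ttl 128, id 8002, offset 0, flags [DF], proto TCP (6), length 60, bad cksum 0 (->c55a)!)
10.15.1.1.63392 > 10.15.1.1.2121: Flags [SEW], cksum 0x0277 (correct), seq 3376923564, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 107831611 ecr 0], length 0
01:42:30.347549 rule 4..16777216/0(match): block in on lo0: (tos 0x0, ttl 128, id 60408, offset 0, flags [DF], proto TCP (6), length 60, bad cksum 0 (->f8a3)!)
10.15.1.1.63392 > 10.15.1.1.2121: Flags [SEW], cksum 0xf6be (correct), seq 3376923564, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 107834611 ecr 0], length 0
01:42:33.547564 rule 4..16777216/0(match): block in on lo0: (tos 0x0, ttl 128, id 12125, offset 0, flags [DF], proto TCP (6), length 60, bad cksum 0 (->b53f)!)
10.15.1.1.63392 > 10.15.1.1.2121: Flags [S], cksum 0xeafe (correct), seq 3376923564, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 107837811 ecr 0], length 0
01:42:36.747569 rule 4..16777216/0(match): block in on lo0: (tos 0x0, ttl 128, id 25338, offset 0, flags [DF], proto TCP (6), length 48, bad cksum 0 (->81ae)!)
10.15.1.1.63392 > 10.15.1.1.2121: Flags [S], cksum 0xa6fe (correct), seq 3376923564, win 65535, options [mss 16344,sackOK,eol], length 0
"""

# First line of a record: timestamp, pf rule number, action, direction, interface,
# then the IP header fields in parentheses.
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) rule (?P<rule>\d+)\.\.[\d/]+\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<direction>in|out) on (?P<ifname>\S+): \((?P<fields>.*)\)$"
)
# Second line of a record: source/destination endpoints and TCP flags.
FLOW_RE = re.compile(
    r"^(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)
# tcpdump's note when the IP header checksum on the wire is not the computed one.
BAD_CKSUM_RE = re.compile(r"bad cksum (?P<got>[0-9a-f]+) \(->(?P<want>[0-9a-f]+)\)!")


@dataclass
class PflogRecord:
    ts: str
    rule: int
    action: str
    direction: str
    ifname: str
    src: str
    dst: str
    sport: int
    dport: int
    flags: str
    ip_cksum_expected: Optional[str]  # only set when tcpdump reported "bad cksum"


def parse_pflog(text: str) -> List[PflogRecord]:
    """Pair each header line with the flow line that follows it."""
    records: List[PflogRecord] = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    i = 0
    while i + 1 < len(lines):
        head, flow = HEADER_RE.match(lines[i]), FLOW_RE.match(lines[i + 1])
        if not head or not flow:
            i += 1  # not a pair we understand; resynchronise on the next line
            continue
        bad = BAD_CKSUM_RE.search(head["fields"])
        records.append(PflogRecord(
            ts=head["ts"], rule=int(head["rule"]), action=head["action"],
            direction=head["direction"], ifname=head["ifname"],
            src=flow["src"], dst=flow["dst"],
            sport=int(flow["sport"]), dport=int(flow["dport"]),
            flags=flow["flags"],
            ip_cksum_expected=bad["want"] if bad else None,
        ))
        i += 2
    return records


def blocks_per_rule(records: List[PflogRecord]) -> Dict[int, int]:
    """How many packets each pf rule number blocked."""
    counts: Dict[int, int] = {}
    for r in records:
        if r.action == "block":
            counts[r.rule] = counts.get(r.rule, 0) + 1
    return counts


def loopback_cksum_suspects(records: List[PflogRecord]) -> List[PflogRecord]:
    """Blocked packets that arrived 'in' on lo0, were sent from a local address
    to itself, and carry an IP checksum tcpdump called bad.  That combination is
    consistent with the checksum having been left for offload to fill in and an
    antispoof-style rule then dropping the packet on the loopback path."""
    return [r for r in records
            if r.action == "block" and r.direction == "in" and r.ifname == "lo0"
            and r.src == r.dst and r.ip_cksum_expected is not None]


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_PFLOG)
    print("blocks per rule:", blocks_per_rule(recs))
    for r in loopback_cksum_suspects(recs):
        print(f"{r.ts} rule {r.rule}: {r.src}:{r.sport} -> {r.dst}:{r.dport} "
              f"[{r.flags}] blocked in on lo0, IP cksum should be 0x{r.ip_cksum_expected}")
```

The rule numbers in the output are the @N numbers pfctl prints with `pfctl -vvsr`, so a block attributed to rule 4 can be matched against the expanded antispoof rule quoted above. Note what that expansion says: `on ! bridge0 inet from 10.15.1.0/24` applies to every interface that is not bridge0, and lo0 is one of them, which is why locally delivered traffic to the alias is caught by it. Re-running the check after the `ifconfig lo0 -txcsum -rxcsum` change from the reply separates the two effects: if the bad-checksum notes disappear but the blocks remain, the antispoof expansion rather than the checksum is what is dropping the connection.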