From owner-freebsd-net@FreeBSD.ORG  Fri Jan  6 07:07:47 2012
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id B70C0106566B
	for <freebsd-net@freebsd.org>; Fri,  6 Jan 2012 07:07:47 +0000 (UTC)
	(envelope-from azanar@carrel.org)
Received: from mail-iy0-f182.google.com (mail-iy0-f182.google.com
	[209.85.210.182])
	by mx1.freebsd.org (Postfix) with ESMTP id 843718FC08
	for <freebsd-net@freebsd.org>; Fri,  6 Jan 2012 07:07:47 +0000 (UTC)
Received: by iadj38 with SMTP id j38so3069956iad.13
	for <multiple recipients>; Thu, 05 Jan 2012 23:07:47 -0800 (PST)
Received: by 10.50.89.197 with SMTP id bq5mr6186709igb.24.1325833666948;
	Thu, 05 Jan 2012 23:07:46 -0800 (PST)
Received: from rowlf.sea.carrel.org (dsl231-050-036.sea1.dsl.speakeasy.net.
	[216.231.50.36])
	by mx.google.com with ESMTPS id py4sm128033486igc.2.2012.01.05.23.07.44
	(version=TLSv1/SSLv3 cipher=OTHER);
	Thu, 05 Jan 2012 23:07:45 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: text/plain; charset=iso-8859-1
From: Edward Carrel <azanar@carrel.org>
In-Reply-To: <CAPBZQG2z0GeOoV_RfcnmnD=pbQ4CYQAYEs9PqrhE_JXirLMBOA@mail.gmail.com>
Date: Thu, 5 Jan 2012 23:06:47 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <D25A9950-97FB-4BE9-996E-986A00344164@carrel.org>
References: <CAC6u2XeLijriLrYgiUf32BMLzYF-uza18c_e9Rk9jXmxe0fW2w@mail.gmail.com>
	<CAC6u2XeiUP2jouYv1Qc+1gmjx-1twSmKeLMbNZNq_3CU625mFw@mail.gmail.com>
	<CAPBZQG2z0GeOoV_RfcnmnD=pbQ4CYQAYEs9PqrhE_JXirLMBOA@mail.gmail.com>
To: =?iso-8859-1?Q?Ermal_Lu=E7i?= <eri@freebsd.org>
X-Mailer: Apple Mail (2.1251.1)
Cc: freebsd-net@freebsd.org
Subject: Re: pf not seeing inbound packets on netgraph interface
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Jan 2012 07:07:47 -0000

On Jan 4, 2012, at 12:03 AM, Ermal Lu=E7i wrote:

> Can you see if on the enc(4) interface pf(4) sees both side of the =
traffic?

I can on enc0. Doing a tcpdump(1) shows me traffic traveling both ways. =
Should there be a pf(4) interface for me to listen on? I've listened on =
pflog(4), and only seen traffic going one way, even when I have relevant =
rules set to "log(all)"

> Also please describe/post what is the ruleset of blindly passing =
packets and the ruleset that you define as 'keep state'!?


=46rom my /etc/pf.conf:

pass in quick log(all) on enc0 no state
pass out quick log(all) on enc0 no state
pass out quick log(all) on ng0 proto tcp from ng0 to 10.0.0.0/8
pass in quick log(all) on ng0 proto tcp from 10.0.0.0/8 to ng0

If I assert the last two rules as being explicitly 'no state' things =
continue to work after the stateful tracking drops the entry due to =
never seeing the SYN-ACK responding to my SYN to the remote end.

- Ed=