From owner-freebsd-pf@FreeBSD.ORG  Wed Dec 19 07:11:58 2007
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 2007D16A417
	for <freebsd-pf@freebsd.org>; Wed, 19 Dec 2007 07:11:58 +0000 (UTC)
	(envelope-from silver.salonen@gmail.com)
Received: from fg-out-1718.google.com (fg-out-1718.google.com [72.14.220.157])
	by mx1.freebsd.org (Postfix) with ESMTP id 9960613C455
	for <freebsd-pf@freebsd.org>; Wed, 19 Dec 2007 07:11:57 +0000 (UTC)
	(envelope-from silver.salonen@gmail.com)
Received: by fg-out-1718.google.com with SMTP id 16so535514fgg.35
	for <freebsd-pf@freebsd.org>; Tue, 18 Dec 2007 23:11:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:received:received:from:to:subject:date:user-agent:cc:references:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:message-id;
	bh=KohI1Z+RYkIr2QKL4XbROSBr4ujeYI8QRJxMN14ZrbM=;
	b=Dirkw1eoa8U3q77SwRDAHNAbBMfoK36Lqk9MNpLD2jUYm4DKq2OU0FAj9AAWf3eYoWuPAzza3f3dM7REB6GD3vXj+pWodjRrqO7P1ObrRERjoXl1hrd3aFpmKoLeyb/wVKkv4Ci6Kug+WdYHIIS1b5FpAdL4J9ZsVjQDfPT766c=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=from:to:subject:date:user-agent:cc:references:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:message-id;
	b=Mx8hYfsD7ll7/oRgqa3NL+PhjBs2VVqx8+Z6+9+t/c45sGvs9ge/OeJf4M1e6a+gfAQp/yZ+1emVpVeH1orvsYUh+wRFZm8USq2fVXEDO6GeZGWG3TQ3SoErDuAGKJp/T9hTLTzU7R5/0au9BH9StQ54xKIz/wimvTAOH498gIg=
Received: by 10.86.96.18 with SMTP id t18mr8597144fgb.13.1198048316419;
	Tue, 18 Dec 2007 23:11:56 -0800 (PST)
Received: from ?192.168.8.99? ( [195.50.198.178])
	by mx.google.com with ESMTPS id j12sm20568057fkf.2007.12.18.23.11.54
	(version=TLSv1/SSLv3 cipher=OTHER);
	Tue, 18 Dec 2007 23:11:55 -0800 (PST)
From: Silver Salonen <silver.salonen@gmail.com>
To: freebsd-pf@freebsd.org
Date: Wed, 19 Dec 2007 09:11:45 +0200
User-Agent: KMail/1.9.7
References: <200712180934.58755.silver.salonen@gmail.com>
	<fee88ee40712181144g55727367gf333e44c537d0b47@mail.gmail.com>
In-Reply-To: <fee88ee40712181144g55727367gf333e44c537d0b47@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200712190911.46211.silver.salonen@gmail.com>
Cc: 
Subject: Re: occasional "Operation not permitted" on state-mismatch
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Dec 2007 07:11:58 -0000

On Tuesday 18 December 2007 21:44, Kian Mohageri wrote:
> On Dec 17, 2007 11:34 PM, Silver Salonen <silver.salonen@gmail.com> wrote:
> > Hello!
> >
> > I have some FreeBSD-boxes (2x6.3-PRERELEASE (installed on 08.Dec),
> > 1x6.2-RELEASE) with PF configured. They are connected with OpenVPN LAN-to-LAN
> > and the problem is that a few times per hour connection drops between
> > computers from one LAN to another. At first I blamed OpenVPN, then I blamed
> > bridge, but now I've realized that the problem is in PF.
> > So I've tried increasing TCP-timeouts and setting optimization
> > to "aggressive", but well, it's still the same.
> >
> > I monitor connections by sending TCP packets once per second to some other
> > host and wait for reply. I use Nagios-plugins' check_tcp for that. The script
> > looks like:
> > =====
> > while [ 1 ]; do
> >         pfctl -si |grep mismatch
> >         /usr/local/libexec/nagios/check_tcp -H $host -p $port -t 2
> >         pfctl -si |grep mismatch
> >         sleep 1
> > done
> > =====
> >
> 
> My guess is that you're re-using a source port and are mismatching an
> existing state on the source or destination host (or something in
> between) because the state hasn't expired before the new connection
> attempt takes place.
> 
> Can't be sure though...
> 
> -Kian

Yup, googling a bit about OpenBSD, pf and "no route to host" turned up that 
it's "the port reuse issue". Although FreeBSD is supposed to be protected 
against it 
(http://www.freebsd.org/releases/4.11R/relnotes-i386.html#NET-PROTO), it 
seems not to be. So the question is: how can I avoid the issue without 
removing state-keeping from my rules?

Actually I did the latter yesterday and connections started dropping, as my 
default rule is to block everything. So now I'm keeping state only on 
outgoing connections, and it's better this way, though still not perfect.

-- 
Silver
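The probe loop quoted earlier greps `pfctl -si` before and after each check_tcp call but leaves the reader to compare the two counter lines by eye. The script below is an added example, not code from the thread or from the pf project: it parses the `state-mismatch` line out of `pfctl -si` output, records the counter delta across every probe, and flags a probe as correlated when a failed check coincides with a non-zero delta. The `pfctl -si` layout assumed (an indented `state-mismatch` line followed by a total and a rate) matches FreeBSD 6.x/7.x, and the embedded sample output is constructed for offline testing; `CHECK_TCP`, `$1` (host) and `$2` (port) are placeholders for the operator's own values.

```shell
#!/bin/sh
# Added example (not from the thread or from pf): correlate failed TCP probes
# with movements of pf's state-mismatch counter so a drop can be attributed
# to a state mismatch rather than guessed at.
# Assumption: `pfctl -si` prints a line of the form
#   state-mismatch                       123            0.0/s
# Default check_tcp path is the one quoted in the thread; override via env.
CHECK_TCP=${CHECK_TCP:-/usr/local/libexec/nagios/check_tcp}

# Parse the state-mismatch total out of `pfctl -si` output on stdin.
# Prints the integer, or nothing if the line is absent.
mismatch_count() {
    awk '$1 == "state-mismatch" { print $2; exit }'
}

# Difference between two counter snapshots (defaults to 0 when either is empty).
mismatch_delta() {
    echo $(( ${2:-0} - ${1:-0} ))
}

# Classify one probe: "correlated" when the check failed AND the counter moved,
# "dropped" when it failed without a counter change, "ok" otherwise.
classify_probe() {   # usage: classify_probe <check_rc> <delta>
    if [ "$1" -ne 0 ] && [ "$2" -gt 0 ]; then echo correlated
    elif [ "$1" -ne 0 ]; then echo dropped
    else echo ok
    fi
}

# Constructed sample of `pfctl -si` output, used only to test the parser.
SAMPLE_PFCTL='Status: Enabled for 0 days 04:12:33           Debug: Urgent

State Table                          Total             Rate
  current entries                       42
  searches                          123456            8.2/s
  inserts                             3210            0.2/s
  removals                            3168            0.2/s
Counters
  match                               3210            0.2/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                       123            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s'

# One probe against a live pf host: snapshot, check, snapshot, report.
probe_once() {   # usage: probe_once <host> <port>
    before=$(pfctl -si | mismatch_count)
    "$CHECK_TCP" -H "$1" -p "$2" -t 2 >/dev/null 2>&1
    rc=$?
    after=$(pfctl -si | mismatch_count)
    delta=$(mismatch_delta "$before" "$after")
    echo "$(date '+%H:%M:%S') $1:$2 check_rc=$rc mismatch_delta=$delta $(classify_probe "$rc" "$delta")"
}

# Only loop when a host and port were given and pfctl is actually present,
# so sourcing the file for testing does not start polling.
if [ "$#" -ge 2 ] && command -v pfctl >/dev/null 2>&1; then
    while :; do
        probe_once "$1" "$2"
        sleep 1
    done
fi
```

Run it on the pf box as `sh probe.sh <host> <port>` and grep the log for `correlated`: a burst of those lines at the moment connections drop is the evidence that the state table, not OpenVPN or the bridge, is eating the packets, whereas `dropped` lines with a zero delta point elsewhere.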