Date: Mon, 29 Sep 2014 20:21:21 +0200
From: Ermal Luçi <eri@freebsd.org>
To: Andrea Venturoli <ml@netfence.it>, "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Cc: freebsd-net <freebsd-net@freebsd.org>
Subject: Re: pf stuck
Message-ID: <CAPBZQG0CxpSU5zk3C0evQE_y3P=yHfBEOHp+-F4O5ogwfpWPhA@mail.gmail.com>
In-Reply-To: <542997C3.5090004@netfence.it>
References: <542997C3.5090004@netfence.it>
It is probably better you ask this on freebsd-pf@.
Though this sounds like the state limit was reached.

On Mon, Sep 29, 2014 at 7:32 PM, Andrea Venturoli <ml@netfence.it> wrote:
> Hello.
>
> Today a box of mine (8.4p16/amd64) stopped working as a router; I don't
> have a clear picture, but the internal nets were working perfectly, while
> the external interfaces lagged, dropped connections or stopped packets from
> passing.
>
> The box is running pf (for handling multiple Internet lines) + ipfw (for
> firewalling).
> I tried a simple telnet xxx:80 and this is what I observed:
> _ tcpdump would see packets going out and replies coming in;
> _ an early ipfw allow rule with setup keep-state would see no packet going
> out and would not create any dynamic rule.
>
> This led me to look into pf...
> "/etc/rc.d/pf restart" did not solve.
> "/etc/rc.d/pf stop ; /etc/rc.d/pf start" did!
>
>
>
> These are my pf rules:
>
>> pass out quick inet from 192.168.x.0/24 to 192.168.y.0/24 no state
>> pass out quick inet from 192.168.x.0/24 to 192.168.z.0/24 no state
>> pass out log quick route-to (vlan3 192.168.x.x) inet from 192.168.x.0/24
>> to ! 192.168.x.0/24 no state
>> pass out quick inet from a.b.c.d/29 to 192.168.y.0/24 no state
>> pass out quick inet from a.b.c.d/29 to 192.168.z.0/24 no state
>> pass out log quick route-to (vlan1 a.b.c.e) inet from a.b.c.d/29 to !
>> a.b.c.d/29 no state
>> pass out quick inet from i.j.k.l/29 to 192.168.z.0/24 no state
>> pass out quick inet from i.j.k.l/29 to 192.168.z.0/24 no state
>> pass out log quick route-to (vlan2 i.j.k.m) inet from i.j.k.l/29 to !
>> i.j.k.l/29 no state
>>
>
> These rules are working fine, but have hung already twice in two weeks
> (once on this box, once on an almost identical one).
>
>
>
> Is there any known problem wrt running pf? pf+ipfw? pf on 8.4?
> Any hint on how to search for what's wrong?
>
>
>
> bye & Thanks
> av.
>
> P.S. Please, forgive me, but I'm quite noob with pf.

-- 
Ermal
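The reply above suggests the pf state limit as the cause. The script below is an added example, not code from either poster: it tests that hypothesis from the output of `pfctl -si` (state table size and the `state-limit` / `memory` drop counters) and `pfctl -sm` (the `states` hard limit). The function names and the threshold of 90% are this example's own choices, and the embedded `SAMPLE_INFO` / `SAMPLE_MEM` text is constructed in the format pfctl prints, so the parsing can be exercised on a box without pf. Note that the posted rules are all `no state`, so they would not fill the state table by themselves; the counters show whether anything else on the box did.

```shell
#!/bin/sh
# Added example: is pf near, or past, its state-table hard limit?
# Parses `pfctl -si` and `pfctl -sm` output; falls back to constructed
# sample output when pfctl is not present (hypothetical values).

# Hard limit on state entries, from `pfctl -sm` output passed in $1.
pf_state_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" && $2 == "hard" { print $4; exit }'
}

# Current number of state entries, from `pfctl -si` output passed in $1.
pf_current_entries() {
    printf '%s\n' "$1" | awk '$1 == "current" && $2 == "entries" { print $3; exit }'
}

# Value of a named "Counters" line (e.g. state-limit, memory) from
# `pfctl -si` output in $1; counter name in $2. These count packets pf
# dropped for that reason, so any non-zero value is significant.
pf_counter() {
    printf '%s\n' "$1" | awk -v name="$2" '$1 == name { print $2; exit }'
}

# Integer percentage of the state table in use.
pf_state_usage_pct() {
    entries=$(pf_current_entries "$1")
    limit=$(pf_state_limit "$2")
    if [ -z "$entries" ] || [ -z "$limit" ] || [ "$limit" -le 0 ]; then
        echo 0
        return 0
    fi
    echo $(( entries * 100 / limit ))
}

# Exit 0 when the state table looks healthy, 1 when the limit is the
# likely culprit: >= 90% full, or packets already dropped for
# state-limit or memory reasons.
pf_state_check() {
    info=$1
    mem=$2
    pct=$(pf_state_usage_pct "$info" "$mem")
    limdrops=$(pf_counter "$info" state-limit)
    memdrops=$(pf_counter "$info" memory)
    limdrops=${limdrops:-0}
    memdrops=${memdrops:-0}
    printf 'state table: %s%% of %s entries, state-limit drops=%s, memory drops=%s\n' \
        "$pct" "$(pf_state_limit "$mem")" "$limdrops" "$memdrops"
    [ "$pct" -lt 90 ] && [ "$limdrops" -eq 0 ] && [ "$memdrops" -eq 0 ]
}

# Constructed sample output (not from a real box) in the format pfctl
# prints on FreeBSD 8.x; a table almost full with drops already counted.
SAMPLE_INFO='Status: Enabled for 12 days 03:14:07           Debug: Urgent

State Table                          Total             Rate
  current entries                     9987
  searches                       482913774         455.8/s
  inserts                         12043311          11.4/s
  removals                        12033324          11.4/s
Counters
  match                           12877321          12.2/s
  bad-offset                             0            0.0/s
  fragment                              12            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              3            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                       518            0.0/s
  state-insert                           0            0.0/s
  state-limit                        83122           0.1/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s'
SAMPLE_MEM='states        hard limit   10000
src-nodes     hard limit   10000
frags         hard limit    5000
table-entries hard limit  200000'

# Use the live box when pfctl is available (needs root), else the sample.
if command -v pfctl >/dev/null 2>&1; then
    PF_INFO=$(pfctl -si 2>/dev/null)
    PF_MEM=$(pfctl -sm 2>/dev/null)
else
    PF_INFO=$SAMPLE_INFO
    PF_MEM=$SAMPLE_MEM
fi
if pf_state_check "$PF_INFO" "$PF_MEM"; then
    echo "state table looks healthy; look elsewhere (e.g. pfctl -vsr, route-to paths)"
else
    echo "state limit is the likely culprit; raise 'set limit states' or shorten timeouts"
fi
```

On the affected box the interesting moment is while it is wedged, before `pfctl -d`/`pfctl -e` clears the table; `pfctl -si` can be run then without disturbing anything. A non-zero `state-limit` counter confirms the hypothesis directly, whereas a table well under the limit with zero drops points away from it.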
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAPBZQG0CxpSU5zk3C0evQE_y3P=yHfBEOHp%2B-F4O5ogwfpWPhA>