From owner-freebsd-pf@FreeBSD.ORG Mon Sep 29 18:21:24 2014
Date: Mon, 29 Sep 2014 20:21:21 +0200
From: Ermal Luçi
To: Andrea Venturoli, freebsd-pf@freebsd.org
Cc: freebsd-net
In-Reply-To: <542997C3.5090004@netfence.it>
Subject: Re: pf stuck

It is probably better to ask this on freebsd-pf@. Though this sounds like
the state limit was reached.

On Mon, Sep 29, 2014 at 7:32 PM, Andrea Venturoli wrote:
> Hello.
>
> Today a box of mine (8.4p16/amd64) stopped working as a router; I don't
> have a clear picture, but the internal nets were working perfectly, while
> the external interfaces lagged, dropped connections or stopped packets from
> passing.
>
> The box is running pf (for handling multiple Internet lines) + ipfw (for
> firewalling).
> I tried a simple telnet xxx:80 and this is what I observed:
> _ tcpdump would see packets going out and replies coming in;
> _ an early ipfw allow rule with setup keep-state would see no packet going
> out and would not create any dynamic rule.
>
> This led me to look into pf...
> "/etc/rc.d/pf restart" did not solve it.
> "/etc/rc.d/pf stop ; /etc/rc.d/pf start" did!
>
> These are my pf rules:
>
>> pass out quick inet from 192.168.x.0/24 to 192.168.y.0/24 no state
>> pass out quick inet from 192.168.x.0/24 to 192.168.z.0/24 no state
>> pass out log quick route-to (vlan3 192.168.x.x) inet from 192.168.x.0/24 to ! 192.168.x.0/24 no state
>> pass out quick inet from a.b.c.d/29 to 192.168.y.0/24 no state
>> pass out quick inet from a.b.c.d/29 to 192.168.z.0/24 no state
>> pass out log quick route-to (vlan1 a.b.c.e) inet from a.b.c.d/29 to ! a.b.c.d/29 no state
>> pass out quick inet from i.j.k.l/29 to 192.168.z.0/24 no state
>> pass out quick inet from i.j.k.l/29 to 192.168.z.0/24 no state
>> pass out log quick route-to (vlan2 i.j.k.m) inet from i.j.k.l/29 to ! i.j.k.l/29 no state
>
> These rules are working fine, but have hung already twice in two weeks
> (once on this box, once on an almost identical one).
>
> Is there any known problem wrt running pf? pf+ipfw? pf on 8.4?
> Any hint on how to search for what's wrong?
>
> bye & Thanks
> av.
>
> P.S. Please, forgive me, but I'm quite a noob with pf.
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

-- 
Ermal
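The diagnosis above ("state limit reached") has a concrete check on the box: `pfctl -si` reports the state table's "current entries" and, in its Counters section, a `memory` counter that pf increments every time it fails to create a state, which is what happens once the states limit is hit; `pfctl -sm` reports that limit ("states hard limit", 10000 unless `set limit states N` in pf.conf raises it). The script below is an added example written for this editorial pass, not code from the thread or from the FreeBSD project. It parses constructed sample output of those two commands (the values in `SAMPLE_SI`, `SAMPLE_SM_DEFAULT` and `SAMPLE_SM_RAISED` are invented for illustration) so it runs offline; on a live router you would pass it `"$(pfctl -si)"` and `"$(pfctl -sm)"` instead.

```shell
#!/bin/sh
# Added example: decide whether pf's state table is at (or has hit) its
# hard limit from the output of `pfctl -si` and `pfctl -sm`.
# All sample output below is constructed, not captured from a real box.

# Constructed `pfctl -si` output: table full and 4321 failed state inserts.
SAMPLE_SI='Status: Enabled for 0 days 06:12:40           Debug: Urgent

State Table                          Total             Rate
  current entries                    10000
  searches                        98765432         4421.9/s
  inserts                          1234567           55.3/s
  removals                         1224567           54.8/s
Counters
  match                            2345678          105.1/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                              4321            0.2/s
  bad-timestamp                          0            0.0/s
  state-mismatch                        17            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s'

# Constructed `pfctl -sm` output with pf's default states limit ...
SAMPLE_SM_DEFAULT='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000'

# ... and after `set limit states 100000` in pf.conf.
SAMPLE_SM_RAISED='states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000'

# $1: `pfctl -si` text. Prints the "current entries" count.
pf_current_states() {
    printf '%s\n' "$1" | awk '$1 == "current" && $2 == "entries" { print $3; exit }'
}

# $1: `pfctl -si` text. Prints the cumulative `memory` counter, i.e. the
# number of packets for which pf could not create a state.
pf_memory_failures() {
    printf '%s\n' "$1" | awk '$1 == "memory" { print $2; exit }'
}

# $1: `pfctl -sm` text. Prints the states hard limit.
pf_state_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" && $2 == "hard" { print $4; exit }'
}

# $1: `pfctl -si` text, $2: `pfctl -sm` text.
# Echoes one of: full, had-failures, near-limit, ok, unknown.
pf_state_verdict() {
    cur=$(pf_current_states "$1")
    lim=$(pf_state_limit "$2")
    mem=$(pf_memory_failures "$1")
    if [ -z "$cur" ] || [ -z "$lim" ] || [ "$lim" -le 0 ]; then
        echo unknown
        return 0
    fi
    if [ "$cur" -ge "$lim" ]; then
        echo full                       # table is at its hard limit right now
    elif [ "${mem:-0}" -gt 0 ]; then
        echo had-failures               # not full now, but inserts have failed
    elif [ $(( cur * 10 )) -ge $(( lim * 9 )) ]; then
        echo near-limit                 # 90% or more of the limit in use
    else
        echo ok
    fi
}

# Human-readable summary for an operator.
pf_state_report() {
    cur=$(pf_current_states "$1"); lim=$(pf_state_limit "$2")
    printf 'states: %s/%s (%s%%), failed inserts: %s, verdict: %s\n' \
        "${cur:-?}" "${lim:-?}" "$(( ${cur:-0} * 100 / ${lim:-1} ))" \
        "$(pf_memory_failures "$1")" "$(pf_state_verdict "$1" "$2")"
}

# Stand-alone demonstration on the constructed samples.
pf_state_report "$SAMPLE_SI" "$SAMPLE_SM_DEFAULT"
pf_state_report "$SAMPLE_SI" "$SAMPLE_SM_RAISED"
```

Two things to keep in mind when reading the result on a real system: the `memory` counter is cumulative since the last `pfctl -F info`, so it stays nonzero after the limit has been raised until the counters are flushed, and a ruleset whose every rule says `no state` (as in the one quoted above) only fills the table through whatever other rules, or the implicit default pass, do create state, so the numbers should be read together with `pfctl -ss | wc -l` and `pfctl -sr` on the box in question.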