From: Andrea Venturoli
To: freebsd-net@freebsd.org
Date: Mon, 29 Sep 2014 19:32:51 +0200
Subject: pf stuck
Message-ID: <542997C3.5090004@netfence.it>
List-Id: Networking and TCP/IP with FreeBSD

Hello.

Today a box of mine (8.4p16/amd64) stopped working as a router; I don't have a clear picture, but the internal nets were working perfectly, while the external interfaces lagged, dropped connections or stopped packets from passing.

The box is running pf (for handling multiple Internet lines) + ipfw (for firewalling).
I tried a simple telnet xxx:80 and this is what I observed:
_ tcpdump would see packets going out and replies coming in;
_ an early ipfw allow rule with setup keep-state would see no packet going out and would not create any dynamic rule.

This led me to look into pf...
"/etc/rc.d/pf restart" did not solve.
"/etc/rc.d/pf stop ; /etc/rc.d/pf start" did!

These are my pf rules:
> pass out quick inet from 192.168.x.0/24 to 192.168.y.0/24 no state
> pass out quick inet from 192.168.x.0/24 to 192.168.z.0/24 no state
> pass out log quick route-to (vlan3 192.168.x.x) inet from 192.168.x.0/24 to ! 192.168.x.0/24 no state
> pass out quick inet from a.b.c.d/29 to 192.168.y.0/24 no state
> pass out quick inet from a.b.c.d/29 to 192.168.z.0/24 no state
> pass out log quick route-to (vlan1 a.b.c.e) inet from a.b.c.d/29 to ! a.b.c.d/29 no state
> pass out quick inet from i.j.k.l/29 to 192.168.z.0/24 no state
> pass out quick inet from i.j.k.l/29 to 192.168.z.0/24 no state
> pass out log quick route-to (vlan2 i.j.k.m) inet from i.j.k.l/29 to ! i.j.k.l/29 no state

These rules are working fine, but have hung already twice in two weeks (once on this box, once on an almost identical one).

Is there any known problem wrt running pf? pf+ipfw? pf on 8.4?
Any hint on how to search for what's wrong?

bye & Thanks
av.

P.S. Please, forgive me, but I'm quite noob with pf.
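One place to start when pf on a router drops or stalls connections while the rules themselves look fine is pf's own status counters: `pfctl -si` reports the state table size and the "state-limit" / "memory" counters, and `pfctl -sm` reports the configured hard limits. The script below is an added example, not part of the original post and not from the FreeBSD project; it parses those two outputs and flags a state table that is close to its hard limit or has already rejected states. The `SAMPLE_*` strings are constructed to mimic the pfctl output format so the script runs offline; on a live box the same functions take `"$(pfctl -si)"` and `"$(pfctl -sm)"`. The threshold of 90% is an assumed value chosen for the example.

```shell
#!/bin/sh
# Added example: check pf state-table usage against its hard limit.
# The sample outputs below are constructed in the layout printed by
# `pfctl -si` and `pfctl -sm`; they are not captured from the poster's box.

SAMPLE_SI='Status: Enabled for 12 days 03:14:07           Debug: Urgent

State Table                          Total             Rate
  current entries                     9950
  searches                       123456789         1234.5/s
  inserts                           456789            4.5/s
  removals                          446839            4.4/s
Counters
  match                             456789            4.5/s
  bad-offset                             0            0.0/s
  memory                              1234            0.0/s
  state-limit                          321            0.0/s'

SAMPLE_SI_HEALTHY='Status: Enabled for 1 days 00:00:00           Debug: Urgent

State Table                          Total             Rate
  current entries                      120
  searches                            4567            1.0/s
Counters
  match                               4567            1.0/s
  memory                                 0            0.0/s
  state-limit                            0            0.0/s'

SAMPLE_SM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000'

# state_usage SI_OUTPUT SM_OUTPUT
# Prints "<current entries> <states hard limit> <percent used>".
state_usage() {
    cur=$(printf '%s\n' "$1" | awk '/^ *current entries/ { print $3 }')
    lim=$(printf '%s\n' "$2" | awk '$1 == "states" { print $4 }')
    # Guard against missing or zero limit so the division cannot fail.
    if [ -z "$cur" ] || [ -z "$lim" ] || [ "$lim" -eq 0 ]; then
        echo "unknown unknown unknown"
        return 2
    fi
    printf '%s %s %s\n' "$cur" "$lim" "$(( cur * 100 / lim ))"
}

# counter SI_OUTPUT NAME -> prints the total for one pf counter (e.g. state-limit)
counter() {
    printf '%s\n' "$1" | awk -v name="$2" '$1 == name { print $2; exit }'
}

# pf_states_near_limit SI_OUTPUT SM_OUTPUT
# Returns 0 (true) if the table is at or above 90% of its limit, or if pf
# has already refused states (state-limit or memory counters non-zero).
pf_states_near_limit() {
    set -- "$(state_usage "$1" "$2")" "$(counter "$1" state-limit)" "$(counter "$1" memory)"
    pct=${1##* }
    [ "$pct" != "unknown" ] && [ "$pct" -ge 90 ] && return 0
    [ "${2:-0}" -gt 0 ] && return 0
    [ "${3:-0}" -gt 0 ] && return 0
    return 1
}

# pf_state_report SI_OUTPUT SM_OUTPUT -> human-readable verdict, always exits 0
pf_state_report() {
    echo "state table: $(state_usage "$1" "$2" | awk '{ print $1 "/" $2 " (" $3 "%)" }')"
    echo "state-limit rejections: $(counter "$1" state-limit)"
    echo "memory failures:        $(counter "$1" memory)"
    if pf_states_near_limit "$1" "$2"; then
        echo "verdict: state table is saturated or has refused states; compare with 'pfctl -sm'"
    else
        echo "verdict: state table looks healthy"
    fi
}

# Use live pfctl output when available, otherwise the constructed sample.
if command -v pfctl >/dev/null 2>&1; then
    pf_state_report "$(pfctl -si)" "$(pfctl -sm)"
else
    pf_state_report "$SAMPLE_SI" "$SAMPLE_SM"
fi
```

The ruleset in the post uses `no state` on its `route-to` rules, so those rules do not add entries themselves; the check is still worth running because any other stateful rule, or the default stateful behaviour, shares the same table, and a full table makes pf refuse new connections while tcpdump still shows traffic arriving.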