Date: Mon, 29 Sep 2014 19:32:51 +0200 From: Andrea Venturoli <ml@netfence.it> To: freebsd-net@freebsd.org Subject: pf stuck Message-ID: <542997C3.5090004@netfence.it>
Hello.

Today a box of mine (8.4p16/amd64) stopped working as a router; I don't have a clear picture, but the internal nets were working perfectly, while the external interfaces lagged, dropped connections or stopped packets from passing.

The box is running pf (for handling multiple Internet lines) + ipfw (for firewalling).

I tried a simple telnet xxx:80 and this is what I observed:
_ tcpdump would see packets going out and replies coming in;
_ an early ipfw allow rule with setup keep-state would see no packet going out and would not create any dynamic rule.

This led me to look into pf...
"/etc/rc.d/pf restart" did not solve.
"/etc/rc.d/pf stop ; /etc/rc.d/pf start" did!

These are my pf rules:
> pass out quick inet from 192.168.x.0/24 to 192.168.y.0/24 no state
> pass out quick inet from 192.168.x.0/24 to 192.168.z.0/24 no state
> pass out log quick route-to (vlan3 192.168.x.x) inet from 192.168.x.0/24 to ! 192.168.x.0/24 no state
> pass out quick inet from a.b.c.d/29 to 192.168.y.0/24 no state
> pass out quick inet from a.b.c.d/29 to 192.168.z.0/24 no state
> pass out log quick route-to (vlan1 a.b.c.e) inet from a.b.c.d/29 to ! a.b.c.d/29 no state
> pass out quick inet from i.j.k.l/29 to 192.168.z.0/24 no state
> pass out quick inet from i.j.k.l/29 to 192.168.z.0/24 no state
> pass out log quick route-to (vlan2 i.j.k.m) inet from i.j.k.l/29 to ! i.j.k.l/29 no state

These rules are working fine, but have hung already twice in two weeks (once on this box, once on an almost identical one).

Is there any known problem wrt running pf? pf+ipfw? pf on 8.4?
Any hint on how to search for what's wrong?

bye & Thanks
av.

P.S. Please, forgive me, but I'm quite noob with pf.
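A small consistency check over the ruleset quoted in the message, added here as an example (it is not the poster's code nor part of FreeBSD): it parses the nine rules, reports exact duplicates, and lists, for each route-to catch-all, which destinations the earlier quick rules keep off that uplink. The rule grammar it accepts is an assumption limited to the shape used in the post.

```python
import re
from collections import Counter

# Constructed copy of the ruleset quoted in the message, with the poster's
# masked addresses (192.168.x.0/24, a.b.c.d/29, ...) left exactly as written.
RULESET = """\
pass out quick inet from 192.168.x.0/24 to 192.168.y.0/24 no state
pass out quick inet from 192.168.x.0/24 to 192.168.z.0/24 no state
pass out log quick route-to (vlan3 192.168.x.x) inet from 192.168.x.0/24 to ! 192.168.x.0/24 no state
pass out quick inet from a.b.c.d/29 to 192.168.y.0/24 no state
pass out quick inet from a.b.c.d/29 to 192.168.z.0/24 no state
pass out log quick route-to (vlan1 a.b.c.e) inet from a.b.c.d/29 to ! a.b.c.d/29 no state
pass out quick inet from i.j.k.l/29 to 192.168.z.0/24 no state
pass out quick inet from i.j.k.l/29 to 192.168.z.0/24 no state
pass out log quick route-to (vlan2 i.j.k.m) inet from i.j.k.l/29 to ! i.j.k.l/29 no state
"""

# Assumed grammar: only the rule shape seen in the post; anything else fails loudly.
RULE_RE = re.compile(
    r"^pass out (?:log )?quick (?:route-to \((\S+) (\S+)\) )?"
    r"inet from (\S+) to (!\s*)?(\S+) no state$"
)

def parse_rules(text):
    rules = []
    for lineno, raw in enumerate(text.strip().splitlines(), 1):
        line = raw.strip()
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unrecognised rule: {line}")
        iface, gw, src, neg, dst = m.groups()
        rules.append({"text": line, "iface": iface, "gw": gw, "src": src,
                      "dst": dst, "negated": neg is not None})
    return rules

def duplicate_rules(rules):
    """Exact repeats: usually a copy-paste slip that hides a missing rule."""
    return [t for t, n in Counter(r["text"] for r in rules).items() if n > 1]

def exemptions_per_route_to(rules):
    """Per route-to catch-all: destinations that earlier quick rules with the
    same source match first, so they never reach the uplink (order matters)."""
    result = {}
    for i, r in enumerate(rules):
        if r["iface"] is None:
            continue
        result[r["iface"]] = sorted({e["dst"] for e in rules[:i]
                                     if e["src"] == r["src"] and e["iface"] is None
                                     and not e["negated"]})
    return result
```

Run against the quoted ruleset it flags the repeated i.j.k.l/29 rule and shows that the vlan2 block exempts only one internal net while the other two exempt both.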