Date: Tue, 17 Aug 2021 10:58:25 +0000
From: "Dave Cottlehuber" <dch@skunkwerks.at>
To: "Valeri Galtsev" <galtsev@kicp.uchicago.edu>
Cc: freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: Jails: pf blocks access to localhost of host system
Message-ID: <521aab6b-eab0-460b-8fcc-a432bfd9b135@www.fastmail.com>
In-Reply-To: <8a330aeb-fccf-f8bd-1154-15288e3f0a9d@kicp.uchicago.edu>
References: <8f6aa4f4-f361-e6eb-985b-291b7be631e0@kicp.uchicago.edu> <d28be669-30d8-89b9-3035-899084d3c148@FreeBSD.org> <8a330aeb-fccf-f8bd-1154-15288e3f0a9d@kicp.uchicago.edu>
On Mon, 16 Aug 2021, at 21:54, Valeri Galtsev wrote:
> Here is my simplified to necessary minimum for debugging pf.conf:

A very helpful trick for debugging pf rules is to temporarily switch to logging blocks, and then use tcpdump or wireshark on the pflog interface to show exactly which rule is blocking your traffic.

# use `block log all` temporarily in your pf.conf
$ sudo service pflog onestart
$ sudo tcpdump -i pflog0 -o -ttt -vv -e -n
...
00:00:00.000000 rule 6/0(match): block in on wlan0: (tos 0x0, ttl 28, id 10175, offset 0, flags [DF], proto TCP (6), length 52)
    18.135.227.37.443 > 172.17.29.35.41193: Flags [.], cksum 0xcd79 (correct), seq 2375471224, ack 432893548, win 8, options [nop,nop,TS val 2577574610 ecr 2828825691], length 0

In particular, note the rule 6 listed. When you run `pfctl -vvv -f /etc/pf.conf | egrep '^@6 '` you'll see what rules those are, and then you can add a pass rule as appropriate from the tcpdump info.

This would be a great addition to the handbook, I think. There is already `31.3. PF` which alludes to this but doesn't link all the bits together for a newcomer to pf.

Read pflog(4) and specifically this in pf.conf(5):

    log
        In addition to the action specified, a log message is generated.
        Only the packet that establishes the state is logged, unless the
        no state option is specified. The logged packets are sent to a
        pflog(4) interface, by default pflog0. This interface is monitored
        by the pflogd(8) logging daemon, which dumps the logged packets to
        the file /var/log/pflog in pcap(3) binary format.

You can attach logging to almost any rule in pf.conf, not just blocking ones.

Finally, remember to clean up pcap junk:

sudo service pflog onestop
sudo rm /var/log/pflog

As a general pointer, I tend to use `pass in quick ...` for rules; I was once told that speeds things up but I forget the details.

https://home.nuug.no/~peter/pftutorial/ if you haven't already found it, is invaluable. There is a version somewhere with a FreeBSD-specific section in it; if somebody has a link to this please share.

A+
Dave
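Added example, not code from Dave's message or from the FreeBSD handbook: a POSIX sh/awk script that automates the lookup the message describes by hand. It reads pflog records as printed by `tcpdump -i pflog0 -ttt -vv -e -n`, counts flows per `rule N`, then pulls the matching `@N` line out of `pfctl -vvsr` output (`-sr` shows the loaded rules, `-vv` prefixes each with its number). The pflog and pfctl text it parses are constructed samples shaped like those tools' output; the jail address 10.0.0.2, the lo0 rules and the `@N` rule texts are assumptions for illustration, not the configuration discussed in the thread.

```shell
#!/bin/sh
# Added example (not from the original message): map "rule N" entries in
# pflog output to the rule text pfctl prints, so you see which rule blocked
# what without reading tcpdump output line by line.
# Both samples below are constructed; addresses, interfaces and rule texts
# are assumptions, not the poster's real setup.

# Constructed sample shaped like `tcpdump -i pflog0 -ttt -vv -e -n` output
# (with -vv tcpdump splits each record over two lines).
SAMPLE_PFLOG='00:00:00.000000 rule 6/0(match): block in on wlan0: (tos 0x0, ttl 28, id 10175, offset 0, flags [DF], proto TCP (6), length 52)
    18.135.227.37.443 > 172.17.29.35.41193: Flags [.], cksum 0xcd79 (correct), seq 2375471224, ack 432893548, win 8, options [nop,nop,TS val 2577574610 ecr 2828825691], length 0
00:00:00.104211 rule 6/0(match): block in on lo0: (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.0.2.52144 > 127.0.0.1.8080: Flags [S], cksum 0x1234 (correct), seq 1, win 65535, options [mss 16344,nop,wscale 6], length 0
00:00:01.000305 rule 6/0(match): block in on lo0: (tos 0x0, ttl 64, id 2, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.0.2.52144 > 127.0.0.1.8080: Flags [S], cksum 0x1235 (correct), seq 1, win 65535, options [mss 16344,nop,wscale 6], length 0
00:00:00.000410 rule 3/0(match): pass in on lo0: (tos 0x0, ttl 64, id 3, offset 0, flags [none], proto UDP (17), length 61)
    10.0.0.2.40012 > 127.0.0.1.53: 1234+ A? example.org. (33)'

# Constructed sample shaped like `pfctl -vvsr` output: rule text prefixed
# with @N, followed by counter lines (assumed ruleset, not the thread's).
SAMPLE_PFCTL='@0 scrub in all fragment reassemble
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
@1 block drop in log all
  [ Evaluations: 120       Packets: 4         Bytes: 240         States: 0     ]
@2 block drop out log all
@3 pass in log on lo0 inet proto udp from 10.0.0.2 to 127.0.0.1 port = domain keep state
  [ Evaluations: 80        Packets: 1         Bytes: 61          States: 1     ]
@4 pass out quick on lo0 all flags S/SA keep state
@5 pass in quick on wlan0 inet proto tcp from any to 172.17.29.35 port = ssh flags S/SA keep state
@6 block drop in log on lo0 inet from 10.0.0.2 to 127.0.0.1
  [ Evaluations: 12        Packets: 2         Bytes: 120         States: 0     ]'

# Count logged flows per pf rule from pflog tcpdump output on stdin.
# Handles the two-line records -vv prints as well as single-line records.
# IPv4 only: it keys on the "SRC.PORT > DST.PORT" pair tcpdump prints.
pflog_summary() {
    awk '
    # Link-level pflog header: "<ts> rule R/S(match): ACTION DIR on IFACE: (..."
    /rule [0-9]+\/[0-9]+\(match\):/ {
        rule = $3; sub(/\/.*/, "", rule)        # "6/0(match):" -> "6"
        action = $4; dir = $5
        iface = $7; sub(/:$/, "", iface)        # "wlan0:" -> "wlan0"
        proto = "?"
        for (i = 8; i <= NF; i++) if ($i == "proto") proto = $(i + 1)
        pending = 1
    }
    # Transport line: "SRC.PORT > DST.PORT: ..." (same line unless -v/-vv)
    pending && / > / {
        for (i = 1; i <= NF; i++) if ($i == ">") { src = $(i - 1); dst = $(i + 1); break }
        sub(/:$/, "", dst)
        key = "rule " rule " " action " " dir " on " iface " " proto " " src " > " dst
        count[key]++
        pending = 0
    }
    END { for (k in count) printf "%5d  %s\n", count[k], k }
    ' | sort -rn
}

# Print the rule text that `pfctl -vvsr` (on stdin) shows for rule number $1.
pf_rule_by_number() {
    awk -v n="$1" '$1 == ("@" n) { print }'
}

# For every rule number seen in the pflog summary, print its pfctl rule text.
# $1 = text of `pfctl -vvsr`; pflog tcpdump output on stdin.
pflog_rules_hit() {
    pfctl_text=$1
    pflog_summary | awk '{ print $3 }' | sort -un | while read -r n; do
        printf '%s\n' "$pfctl_text" | pf_rule_by_number "$n"
    done
}

# Usage on the constructed samples; on a live box replace them with
#   tcpdump -n -e -ttt -vv -r /var/log/pflog  and  pfctl -vvsr
printf '%s\n' "$SAMPLE_PFLOG" | pflog_summary
printf '%s\n' "$SAMPLE_PFLOG" | pflog_rules_hit "$SAMPLE_PFCTL"
```

The summary line `2  rule 6 block in on lo0 TCP 10.0.0.2.52144 > 127.0.0.1.8080` followed by `@6 block drop in log on lo0 inet from 10.0.0.2 to 127.0.0.1` is the pair you want before writing a pass rule: the flow that was dropped and the exact rule that dropped it. Because `log` only records the state-creating packet, repeated SYNs that never create state show up as separate records, which is why counting per flow is useful.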