Date: Thu, 31 Jul 2008 19:38:01 +0200
From: Tilman Linneweh <arved@arved.at>
To: Max Laier <max@love2party.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: pf dropping packets despite pass all rule
Message-ID: <20080731173801.GB61317@arved.priv.at>
In-Reply-To: <200807311826.51457.max@love2party.net>
References: <20080731153506.GA61317@arved.priv.at> <200807311826.51457.max@love2party.net>
* Max Laier [2008-07-31 18:27]:
> > LAN -> Router with PF <- gif tunnel with IPSEC -> Server
> >
> > The router is running FreeBSD 7.0. Protocol is IPv6. ping6 works,
> > but TCPv6 from LAN to Server does not work, unless I disable PF.
> >
> > Excerpt from pf.conf:
> > pass in quick on gif0 all keep state
> > pass out quick on gif0 all keep state
> >
> > pflog0 contains some strange packets:
> > http://arved.priv.at/~arved/strangepackets.pcap
>
> That dump is useless, please cap with "-s0".

Hm indeed, sorry, http://arved.priv.at/~arved/strangepackets2.pcap

> > IPSEC_FILTERTUNNEL does not make a difference.
> >
> > I don't understand why pf is dropping something on gif0. And I can't decode
> > what kind of packets these are, and why they are necessary for TCPv6.
> >
> > Any ideas?
>
> I'd suspect ip-options. Try allow-opts and check "pfctl -si". If you really
> want to trust gif0 completely, you could simply add "skip on gif0" and pf will
> not mess with it at all.

Ok, allow-opts does not change anything. skip on gif0 works. pfctl -si confirms
that there are packets blocked.

Status: Enabled for 0 days 02:37:07           Debug: Urgent

Interface Stats for gif0              IPv4             IPv6
  Bytes In                               0           261859
  Bytes Out                              0           207299
  Packets In
    Passed                               0             2347
    Blocked                              0               90
  Packets Out
    Passed                               0             2185
    Blocked                              0                0

State Table                          Total             Rate
  current entries                       31
  searches                           44046            4.7/s
  inserts                             2768            0.3/s
  removals                            2737            0.3/s
Counters
  match                              13425            1.4/s
  bad-offset                             0            0.0/s
[...rest is all zeros]

...and later:

status: Enabled for 0 days 02:37:21           Debug: Urgent

Interface Stats for gif0              IPv4             IPv6
  Bytes In                               0           263327
  Bytes Out                              0           208711
  Packets In
    Passed                               0             2356
    Blocked                              0               96
  Packets Out
    Passed                               0             2197
    Blocked                              0                0

State Table                          Total             Rate
  current entries                       30
  searches                           44128            4.7/s
  inserts                             2772            0.3/s
  removals                            2742            0.3/s
Counters
  match                              13451            1.4/s
  bad-offset                             0            0.0/s

So yeah, thanks for the "skip on" hint, I can do the filtering on the non-gif
interfaces, but I still would like to know what's going on, and why these
packets are blocked.
regards arved
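A small parser for the "Interface Stats" block of `pfctl -si` output, added here as an example that is not part of this thread, which reads the two excerpts above (embedded as constructed input) and reports how much the inbound Blocked counter grew between them, per address family:

```python
import re

# Constructed sample input: the first pfctl -si excerpt quoted in the mail above.
SNAP1 = """\
Status: Enabled for 0 days 02:37:07           Debug: Urgent

Interface Stats for gif0              IPv4             IPv6
  Bytes In                               0           261859
  Bytes Out                              0           207299
  Packets In
    Passed                               0             2347
    Blocked                              0               90
  Packets Out
    Passed                               0             2185
    Blocked                              0                0

State Table                          Total             Rate
"""
# Second excerpt (02:37:21): same layout, only the counters moved.
SNAP2 = (SNAP1.replace("02:37:07", "02:37:21").replace("261859", "263327")
         .replace("207299", "208711").replace("2347", "2356")
         .replace(" 90\n", " 96\n").replace("2185", "2197"))

def parse_interface_stats(text):
    """Return (ifname, {counter: (ipv4, ipv6)}); nested rows become e.g. "packets_in_blocked"."""
    ifname, stats, group = None, {}, None
    for line in text.splitlines():
        m = re.match(r"Interface Stats for (\S+)", line)
        if m:
            ifname = m.group(1)
            continue
        if ifname is None:
            continue
        if not line.strip():
            break  # blank line ends the interface block
        m = re.match(r"\s+([A-Za-z ]+?)\s+(\d+)\s+(\d+)$", line)
        if m:
            key = "_".join(m.group(1).split()).lower()
            stats[(group + "_" + key) if group else key] = (int(m.group(2)), int(m.group(3)))
        else:
            group = "_".join(line.split()).lower()  # "Packets In" / "Packets Out" header

    return ifname, stats

def blocked_growth(before, after):
    """Per-family growth of inbound Blocked between two snapshots (negative: counters cleared)."""
    if_a, a = parse_interface_stats(before)
    if_b, b = parse_interface_stats(after)
    if if_a != if_b:
        raise ValueError("snapshots are for different interfaces")
    (v4a, v6a), (v4b, v6b) = a["packets_in_blocked"], b["packets_in_blocked"]
    return {"ipv4": v4b - v4a, "ipv6": v6b - v6a}
```

For the two excerpts this yields 6 additional blocked IPv6 packets in 14 seconds, which is the kind of growth worth correlating with a full-size (`-s0`) pflog capture.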