From: Miroslav Lachman <000.fbsd@quip.cz>
To: freebsd-pf@freebsd.org
Date: Thu, 01 Oct 2015 14:51:46 +0200
Subject: Cannot connect to self IP after upgrade to FreeBSD 10.2
Message-ID: <560D2C62.6000504@quip.cz>

Is there any change in how PF's "antispoof" works in 10.2?

I have machines on 10.1 with the rule

antispoof quick for { $ext_if, lo0 }

It is translated to

block drop in quick on ! bge1 inet from A.B.C.0/25 to any
block drop in quick inet from A.B.C.D to any
block drop in quick on ! lo0 inet from 127.0.0.0/8 to any
block drop in quick on ! lo0 inet6 from ::1 to any

It worked for years on 7.x, 8.x, 9.x and 10.1, but after the recent upgrade to 10.2 I cannot connect to the self IP (A.B.C.D) from the console. It is blocked by the rule

block drop in quick inet from A.B.C.D to any

A.B.C.D is a public IP address. I can connect to public services from the outside, but cannot connect from the machine itself.

What was changed in PF in 10.2? Is there any easy option to use antispoof and still be able to connect from the machine itself?

The machine is an old Sun Fire X2100 M2 with FreeBSD 10.2-RELEASE-p3 amd64 GENERIC and Broadcom BCM5714 interfaces.

Miroslav Lachman
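The expansion quoted above shows why the host cannot reach its own address: of the four rules antispoof generates, the second one ("block drop in quick inet from A.B.C.D to any") carries no "on" clause, so it matches a locally originated connection to A.B.C.D as well, because that packet re-enters the stack through lo0 with A.B.C.D as its source. pf.conf(5) documents exactly this caveat for antispoof (rules created by the directive interfere with packets sent over loopback interfaces to local addresses, and such packets should be passed explicitly). The pf.conf fragment below is an added example, not part of the original mail and not a statement of what changed in 10.2; it assumes the interface name bge1 and the placeholder address A.B.C.D from the post, and shows the posted ruleset next to a variant that passes loopback traffic before the antispoof rules are evaluated.

```pf
# Added example; not from the original mail. "bge1" and "A.B.C.D" are the
# poster's values and are assumed here.
ext_if = "bge1"

# --- Variant 1: the posted ruleset, which blocks self-connections ---------
#
# antispoof quick for { $ext_if, lo0 }
#
# "pfctl -nvf /etc/pf.conf" prints the expansion. The generated rule
#   block drop in quick inet from A.B.C.D to any
# is not bound to any interface, so a packet from A.B.C.D arriving on lo0
# (the host talking to its own public address) matches it and is dropped.

# --- Variant 2: pass loopback explicitly, then antispoof -------------------
#
# "quick" on the pass rule makes it final, so the interface-less block rule
# generated by antispoof is never reached for traffic on lo0. Traffic on bge1
# is still subject to every antispoof rule as before.
pass quick on lo0 all
antispoof quick for { $ext_if, lo0 }

# Equivalent alternative: exempt lo0 from filtering entirely, which pf.conf(5)
# also describes. Use one or the other, not both.
#
# set skip on lo0
# antispoof quick for { $ext_if, lo0 }

# --- Checking which rule drops the connection -----------------------------
#
# 1. Load with rule numbers visible and note the number of the
#    "block drop in quick inet from A.B.C.D to any" line:
#      pfctl -vvsr
# 2. Attempt the connection from the console (for example to a local
#    service on A.B.C.D), then re-run:
#      pfctl -vvsr
#    The "Evaluations"/"Packets" counters of that rule increase with
#    variant 1 and stay unchanged with variant 2.
# 3. Before committing the change, confirm the expanded ruleset without
#    loading it:
#      pfctl -nvf /etc/pf.conf
```

The practical rule of thumb: any "block ... from <own address>" generated by antispoof for an external interface has no interface qualifier, so a pass rule for lo0 (or "set skip on lo0") must precede the antispoof directive, not follow it, for "quick" to have the intended effect.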