Date:      Wed, 28 May 2008 09:18:49 -0400
From:      user <user@lgkap.com>
To:        freebsd-pf@freebsd.org
Subject:   PF occasionally "losing" packets
Message-ID:  <483D5BB9.40900@lgkap.com>

Hey Everyone,

I seem to have a problem with PF "losing" packets.  With PF enabled 
(7.0-RELEASE) allowed traffic will sometimes get through but more often 
will not.

More specifically, from the logs I can see packets passed into the 
internal interface, but they often do not trigger the outbound rule even 
though I allow everything out.

pass out quick log all
pass in quick log on fxp1 proto {tcp,udp} from X.33.195/24 to X.33.10.20 
port 53 keep state

Sometimes BIND requests will get through and I can see both in/out rule 
trigger and get logged.

More often, I see the following in the logs when the nslookup fails:

4. 835454 rule 21/0(match): pass in on fxp1: X.33.195.244.45453 > 
X.33.10.20.53: [|domain]
242279 rule 21/0(match): pass in on fxp1: X.33.195.244.45454 > 
X.33.10.20.53: [|domain]
3. 756975 rule 21/0(match): pass in on fxp1: X.33.195.244.45455 > 
X.33.10.20.53: [|domain]
242070 rule 21/0(match): pass in on fxp1: X.33.195.244.45454 > 
X.33.10.20.53: [|domain]
7. 756284 rule 21/0(match): pass in on fxp1: X.33.195.244.45456 > 
X.33.10.20.53: [|domain]

Even though the packets are allowed in, they often never get to the 
outbound interface. Note that this is not limited to BIND requests.  I 
see the same thing with ssh, ping, etc.

I've checked the routing table, interfaces, etc....   I can't seem to 
pinpoint the cause.

Has anyone seen this inconsistency?

Thanks in advance for any help.

Louis
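The comparison the post makes by eye, looking for "pass in" log entries that never get a matching "pass out", can be automated over pflog output. The script below is an added example, not code from the poster or from the PF project; it assumes the line format printed by tcpdump on the pflog interface (the "rule N/0(match): pass in on ifname: src.port > dst.port:" shape shown in the post, with any timestamp prefix tolerated) and uses a constructed sample log modelled on the lines above. It pairs inbound and outbound passes per 4-tuple and reports the flows that only ever matched the inbound rule.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the post's pflog output (addresses anonymised
# with "X." exactly as in the post). Two flows get an outbound match, two do not.
SAMPLE_LOG = """\
rule 21/0(match): pass in on fxp1: X.33.195.244.45453 > X.33.10.20.53: [|domain]
rule 0/0(match): pass out on fxp0: X.33.195.244.45453 > X.33.10.20.53: [|domain]
rule 21/0(match): pass in on fxp1: X.33.195.244.45454 > X.33.10.20.53: [|domain]
rule 21/0(match): pass in on fxp1: X.33.195.244.45455 > X.33.10.20.53: [|domain]
rule 21/0(match): pass in on fxp1: X.33.195.244.45454 > X.33.10.20.53: [|domain]
rule 21/0(match): pass in on fxp1: X.33.195.244.45456 > X.33.10.20.53: [|domain]
rule 0/0(match): pass out on fxp0: X.33.195.244.45456 > X.33.10.20.53: [|domain]
"""

# Assumed pflog/tcpdump line shape; re.search() lets a leading timestamp pass.
LINE_RE = re.compile(
    r"rule (?P<rule>\d+/\d+)\((?P<reason>\w+)\): (?P<action>pass|block) "
    r"(?P<dir>in|out) on (?P<ifname>\w+): (?P<src>\S+) > (?P<dst>[^:]+):"
)


def parse_line(line):
    """Return a dict for one pflog line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # tcpdump prints host.port; split the port off the right-hand end so the
    # anonymised "X." prefix in the address does not matter.
    src_host, src_port = m.group("src").rsplit(".", 1)
    dst_host, dst_port = m.group("dst").rsplit(".", 1)
    return {
        "rule": m.group("rule"),
        "action": m.group("action"),
        "dir": m.group("dir"),
        "ifname": m.group("ifname"),
        "flow": (src_host, int(src_port), dst_host, int(dst_port)),
    }


def count_directions(log_text):
    """Count 'pass in' and 'pass out' matches per (src, sport, dst, dport)."""
    counts = defaultdict(lambda: {"in": 0, "out": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "pass":
            continue
        counts[rec["flow"]][rec["dir"]] += 1
    return dict(counts)


def flows_without_outbound(log_text):
    """Flows that were passed in at least once but never passed out."""
    counts = count_directions(log_text)
    return sorted(
        flow for flow, c in counts.items() if c["in"] > 0 and c["out"] == 0
    )


if __name__ == "__main__":
    # Example use: tcpdump -n -e -ttt -i pflog0 | python3 this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for src, sport, dst, dport in flows_without_outbound(text):
        print(f"no outbound match: {src}:{sport} -> {dst}:{dport}")
```

Because it keys on the full 4-tuple, a retransmitted query from the same source port (port 45454 in the sample) is counted as one flow rather than reported twice, which is the same behaviour the state table would show. Run against a live capture, the list of flows that only match rule 21 is the set to check against the routing table and the outbound interface's own counters.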
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?483D5BB9.40900>