From: Adam McDougall
To: pf@freebsd.org
Date: Thu, 23 Feb 2006 20:08:34 -0500
Message-ID: <20060224010834.GC83891@egr.msu.edu>
Subject: pf no-df breaking all tcp traffic through bridge
List-Id: "Technical discussion and general questions about packet filter (pf)"

I have set up if_bridge and pf on a server with dual em interfaces running FreeBSD 6.1-PRERELEASE #5: Wed Feb 22 14:55:45 EST 2006.
rc.conf relevant items (the IPs are just for temporary management from either side of the firewall as needed):

    ifconfig_em0="inet 10.0.0.80 netmask 0xffffff00"
    ifconfig_em0_alias0="inet 35.9.44.100 netmask 0xffffff00"
    ifconfig_em1="inet 10.0.1.80 netmask 0xffffff00"
    cloned_interfaces="bridge0"
    ifconfig_bridge0="addm em0 addm em1 up"

I have narrowed my ruleset down to a simple config for testing:

    ext_if="em0"
    int_if="em1"
    scrub in on $ext_if no-df
    pass in all
    pass out all
    pass quick on lo0

    # pfctl -Rf /etc/pf.conf
    No ALTQ support in kernel
    ALTQ related functions disabled
    # pfctl -sr
    No ALTQ support in kernel
    ALTQ related functions disabled
    scrub in on em0 all no-df fragment reassemble
    pass in all
    pass out all
    pass quick on lo0 all

Whenever I have no-df in the scrub line, the bridging firewall still passes my ssh SYN packet to the host behind the firewall, but the receiving host discards it due to a bad IP checksum (I believe). Using tcpdump on em0 and em1 on the firewall, I see the packet come in with DF set, and leave with DF unset; however the IP checksum is reported bad on the em1 side according to ethereal. Running tcpdump on the receiving host shows the SYN packet, but trying to use -w to save it to a file results in nothing captured. I'm not sure how easy it would be to get the receiving host to print a debug message when an IP packet would be dropped due to a bad IP sum. All systems involved are FreeBSD so far, and the symptoms persist going both directions across the bridge. ping still works.

I am trying to get no-df to work because documentation indicates it is needed to pass NFS, which will be a requirement for me. I didn't get very far with attempting to exclude just NFS traffic from being scrubbed, but it seems to be that a firewall munging packets ought to produce ones with valid checksums.

Please let me know if I need to provide more information or what else I can do to debug this further.
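The symptom described above (DF cleared on egress, IP checksum reported bad by the capture on the other side) is exactly what a filter produces if it flips the DF bit but does not update the IPv4 header checksum. The following is an added example, not code from the post or from FreeBSD/pf, showing with a constructed 20-byte header what the checksum must look like before and after clearing DF: a full RFC 791 recompute, the RFC 1624 incremental update that in-kernel code usually prefers, and the broken "flip the bit, leave the checksum" variant that a receiver discards. The addresses, identification and length values in the sample header are made up for this example; the `inspect_header` helper is something you can point at the hex of a header pulled from a `tcpdump -x` capture to confirm which side of the bridge produced the bad sum.

```python
"""Added example: IPv4 header checksum handling when a filter clears DF.

The sample header below is constructed for this example (documentation
addresses, arbitrary identification); it is not a packet from the post.
"""
import socket
import struct

IP_DF = 0x4000  # "Don't Fragment" bit in the flags/fragment-offset word


def _fold(total: int) -> int:
    """Fold carries back into 16 bits (one's-complement addition)."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _sum_words(data: bytes, skip_offset: int = -1) -> int:
    """One's-complement sum of 16-bit words, optionally skipping one word."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        if i == skip_offset:
            continue
        total += (data[i] << 8) | data[i + 1]
    return _fold(total)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791: checksum = ~(sum of header words with the checksum field zeroed)."""
    return (~_sum_words(header, skip_offset=10)) & 0xFFFF


def checksum_ok(header: bytes) -> bool:
    """A header verifies when the sum over all words, checksum included, is 0xFFFF."""
    return _sum_words(header) == 0xFFFF


def inspect_header(header: bytes) -> dict:
    """What a receiver sees: DF state, checksum field, and whether it verifies."""
    flags_frag = struct.unpack("!H", header[6:8])[0]
    return {
        "df": bool(flags_frag & IP_DF),
        "checksum": struct.unpack("!H", header[10:12])[0],
        "valid": checksum_ok(header),
    }


def build_header(src: str, dst: str, flags_frag: int = IP_DF) -> bytes:
    """Build a minimal (IHL=5) IPv4/TCP header with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0x1234, flags_frag,
                      64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def clear_df_forgetting_checksum(header: bytes) -> bytes:
    """The broken behaviour: clear DF and leave the old checksum in place."""
    flags_frag = struct.unpack("!H", header[6:8])[0] & ~IP_DF
    return header[:6] + struct.pack("!H", flags_frag) + header[8:]


def clear_df_recompute(header: bytes) -> bytes:
    """Correct, simple: clear DF and recompute the whole header checksum."""
    hdr = clear_df_forgetting_checksum(header)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def clear_df_incremental(header: bytes) -> bytes:
    """Correct, RFC 1624 style: HC' = ~(~HC + ~m + m') for the one changed word."""
    old_word = struct.unpack("!H", header[6:8])[0]
    new_word = old_word & ~IP_DF
    old_hc = struct.unpack("!H", header[10:12])[0]
    new_hc = (~_fold((~old_hc & 0xFFFF) + (~old_word & 0xFFFF) + new_word)) & 0xFFFF
    return (header[:6] + struct.pack("!H", new_word) + header[8:10]
            + struct.pack("!H", new_hc) + header[12:])


# Constructed sample: a SYN-sized header with DF set, as a client would send it.
SAMPLE_SYN_HEADER = build_header("192.0.2.10", "198.51.100.20")

if __name__ == "__main__":
    print("original   :", inspect_header(SAMPLE_SYN_HEADER))
    print("bit only   :", inspect_header(clear_df_forgetting_checksum(SAMPLE_SYN_HEADER)))
    print("recomputed :", inspect_header(clear_df_recompute(SAMPLE_SYN_HEADER)))
    print("incremental:", inspect_header(clear_df_incremental(SAMPLE_SYN_HEADER)))
```

Running it shows the original header valid with DF set, the "bit only" variant invalid (which matches a capture reporting a bad checksum on the far interface), and both correct variants agreeing on the new checksum. When checking a real capture, take the 20 header bytes from the `tcpdump -x` output on each interface and feed them to `inspect_header`; if the em0 copy verifies and the em1 copy does not, the host in between altered the header without fixing the sum.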