From: steve@Watt.COM (Steve Watt)
Date: Fri, 9 Nov 2007 01:29:13 -0800
To: stable@freebsd.org
Subject: Subtle change in pf behavior from 6.2 to 6.3-PRE
Message-Id: <200711090929.lA99TEQ3038297@wattres.watt.com>
List-Id: Production branch of FreeBSD source code

Greetings,

I recently upgraded my system from a 6.2-PRE from Dec '06 to 6.3-PRE as of
4 Nov. I discovered an interesting and subtle change in the way pf behaves
between the two versions.
In the past I had the following (slightly incorrect) rule in my pf.conf:

    pass out on $ext_if proto { tcp, udp, icmp } all keep state

It seemed to do the right thing; it kept state on all outbound traffic and
allowed the return traffic. However, with the newer pf, it appears that the
desired incantation is now

    pass out on $ext_if proto tcp all flags S/SA keep state
    pass out on $ext_if proto { udp, icmp } all keep state

The symptom of the problem that I noticed was that innd was getting EPERM
attempting to talk to other systems, and that my web server couldn't be
talked to by Linux browsers. Groping around and turning on debugging on pf
led me to the (apparently) usual:

Nov 8 16:59:48 wattres kernel: pf: BAD state: TCP :25 :25 :48418 [lo=2541394648 high=2541394831 win=33304 modulator=0] [lo=2408093130 high=2408126434 win=183 modulator=0] 4:4 PA seq=2541394648 ack=2408093130 len=214 ackskew=0 pkts=3:3 dir=out,fwd

Which finally led me to the hint that the flags weren't getting stored
correctly by the earlier pass rules.

Whee. Breadcrumbs for someone to google up some dark and stormy night.

-- 
Steve Watt KD6GGD PP-ASEL-IA ICBM: 121W 56' 57.5" / 37N 20' 15.3"
Internet: steve @ Watt.COM Whois: SW32-ARIN
Free time? There's no such thing. It just comes in varying prices...
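The "BAD state" line quoted in the message carries enough to see why pf dropped that packet. The Python below is an added example, not code from the message or from pf itself: it parses that line and applies an approximation of pf's sequence-window checks (the approximation, the constructed SAMPLE_LOG copy and the field names are assumptions; window scaling and pf's retransmit slack are ignored).

```python
import re

# Constructed copy of the "BAD state" line from the message; pf prints each side as [lo high win modulator].
SAMPLE_LOG = (
    "Nov 8 16:59:48 wattres kernel: pf: BAD state: TCP :25 :25 :48418 "
    "[lo=2541394648 high=2541394831 win=33304 modulator=0] "
    "[lo=2408093130 high=2408126434 win=183 modulator=0] "
    "4:4 PA seq=2541394648 ack=2408093130 len=214 ackskew=0 pkts=3:3 dir=out,fwd")
LINE_RE = re.compile(
    r"pf: BAD state: TCP .*?"
    r"\[lo=(?P<slo>\d+) high=(?P<shi>\d+) win=(?P<swin>\d+) modulator=\d+\]\s+"
    r"\[lo=(?P<dlo>\d+) high=(?P<dhi>\d+) win=(?P<dwin>\d+) modulator=\d+\]\s+"
    r"\d+:\d+ (?P<flags>\S+) seq=(?P<seq>\d+) ack=(?P<ack>\d+) len=(?P<len>\d+)")
MASK = 0xFFFFFFFF

def seq_geq(a, b):
    """Wraparound-safe 'a >= b' on 32-bit TCP sequence numbers (TCP's SEQ_GEQ)."""
    return ((a - b) & MASK) < 0x80000000

def parse_bad_state(line):
    """Extract the state windows and packet fields from a pf 'BAD state' line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {k: (v if k == "flags" else int(v)) for k, v in m.groupdict().items()}

def tracked_peer_window(p):
    """Bytes the state believes the peer will still accept (src high - src lo)."""
    return (p["shi"] - p["slo"]) & MASK

def failed_checks(line):
    """Approximation (assumption) of pf's window checks; returns those the packet fails."""
    p = parse_bad_state(line)
    if p is None:
        return None
    end = (p["seq"] + p["len"]) & MASK
    failures = []
    # The segment must end inside the window the state believes the peer offered.
    if not seq_geq(p["shi"], end):
        failures.append("seq+len overruns the tracked %d-byte peer window by %d bytes"
                        % (tracked_peer_window(p), (end - p["shi"]) & MASK))
    # It must not start more than one peer window behind what was already seen.
    if not seq_geq(p["seq"], (p["slo"] - p["dwin"]) & MASK):
        failures.append("seq is more than one window behind the tracked lo")
    # The ack must not cover data the other side has not sent yet.
    if not seq_geq(p["dhi"], p["ack"]):
        failures.append("ack runs past the tracked dst high mark")
    return failures
```

The tracked peer window comes out at 183 bytes, exactly the raw win value of the other side: the window scale option travels only in the SYN, so a state that a rule without flags S/SA created mid-connection never learns the scale factor and the 214-byte segment overruns the window it believes in by 31 bytes.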