Date: Thu, 31 Jul 2008 21:39:52 +0200
From: Tilman Linneweh <arved@arved.at>
To: Max Laier <max@love2party.net>
Cc: freebsd-pf@freebsd.org, Tilman Linneweh <arved@arved.at>
Subject: Re: pf dropping packets despite pass all rule
Message-ID: <96F634DC-33DE-407D-A56C-6E28FE327276@arved.at>
In-Reply-To: <200807312003.53098.max@love2party.net>
References: <20080731153506.GA61317@arved.priv.at> <200807311826.51457.max@love2party.net> <20080731173801.GB61317@arved.priv.at> <200807312003.53098.max@love2party.net>
On Jul 31, 2008, at 20:03, Max Laier wrote:

>>>> LAN -> Router with PF <- gif tunnel with IPSEC -> Server
>>>>
>>>> The router is running FreeBSD 7.0. Protocol is IPv6. ping6 works,
>>>> but TCPv6 from LAN to Server does not work, unless I disable PF.
>>>>
>>>> Excerpt from pf.conf:
>>>> pass in quick on gif0 all keep state
>>>> pass out quick on gif0 all keep state
>>>>
>> Hm indeed, sorry, http://arved.priv.at/~arved/strangepackets2.pcap
>
> alright ... for some reason we are blocking the ACKs - i.e. they don't seem
> to match any state (and the SYN must have gone through somehow). That can
> happen for two reasons: 1) There is no state created 2) Something's wrong with
> the state entry or the involved tcp stacks.
>
> To debug this further you could enable pf debug logging (pfctl -xm) and watch
> the console for state mismatches ... however ...
>
>> pfctl -si confirms that there are packets blocked.
>> Status: Enabled for 0 days 02:37:07           Debug: Urgent
>>
>> Interface Stats for gif0           IPv4             IPv6
>>   Bytes In                            0           261859
>>   Bytes Out                           0           207299
>>   Packets In
>>     Passed                            0             2347
>>     Blocked                           0               90
>>   Packets Out
>>     Passed                            0             2185
>>     Blocked                           0                0
>>
>> State Table                          Total             Rate
>>   current entries                       31
>>   searches                           44046            4.7/s
>>   inserts                             2768            0.3/s
>>   removals                            2737            0.3/s
>> Counters
>>   match                              13425            1.4/s
>>   bad-offset                             0            0.0/s
>>   [...rest is all zeros]
>>
>> ...and later:
>> Status: Enabled for 0 days 02:37:21           Debug: Urgent
>>
>> Interface Stats for gif0           IPv4             IPv6
>>   Bytes In                            0           263327
>>   Bytes Out                           0           208711
>>   Packets In
>>     Passed                            0             2356
>>     Blocked                           0               96
>>   Packets Out
>>     Passed                            0             2197
>>     Blocked                           0                0
>>
>> State Table                          Total             Rate
>>   current entries                       30
>>   searches                           44128            4.7/s
>>   inserts                             2772            0.3/s
>>   removals                            2742            0.3/s
>> Counters
>>   match                              13451            1.4/s
>>   bad-offset                             0            0.0/s
>
> ... if there is no counter increase on "state-mismatch" (please double-check),
> it would suggest that no state is created in the first place. Could you
> provide your complete ruleset with rule numbers? (pfctl -vvvsr)
>

There is now a single state-mismatch. But that could be something else.
The debug-logging shows nothing about state mismatch.

@0 scrub in all fragment reassemble
  [ Evaluations: 3890      Packets: 2146      Bytes: 255350      States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@0 pass in all flags S/SA keep state
  [ Evaluations: 75        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@1 pass out all flags S/SA keep state
  [ Evaluations: 75        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@2 block return log all
  [ Evaluations: 75        Packets: 23        Bytes: 7440        States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@3 pass in quick on sis0 proto tcp from any to any port = ssh flags S/SA keep state
  [ Evaluations: 75        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@4 pass in quick on sis0 proto tcp from any to any port = domain flags S/SA keep state
  [ Evaluations: 2         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@5 pass in quick on sis0 proto tcp from any to any port = smtp flags S/SA keep state
  [ Evaluations: 2         Packets: 30        Bytes: 2340        States: 2     ]
  [ Inserted: uid 0 pid 2258 ]
@6 pass in quick on sis0 proto udp from any to any port = ssh keep state
  [ Evaluations: 22        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@7 pass in quick on sis0 proto udp from any to any port = domain keep state
  [ Evaluations: 22        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@8 pass in quick on sis0 proto udp from any to any port = smtp keep state
  [ Evaluations: 22        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@9 block return out quick on sis0 inet proto udp from 62.178.208.15 to any port = who
  [ Evaluations: 43        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@10 pass in on sis1 inet from 192.168.1.0/24 to any flags S/SA keep state allow-opts
  [ Evaluations: 73        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@11 pass in on sis1 inet6 from 2001:6f8:13fb:3::/64 to any flags S/SA keep state allow-opts
  [ Evaluations: 23        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@12 pass out on sis1 inet from any to 192.168.1.0/24 flags S/SA keep state allow-opts
  [ Evaluations: 25        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@13 pass out on sis1 inet6 from any to 2001:6f8:13fb:3::/64 flags S/SA keep state allow-opts
  [ Evaluations: 2         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@14 pass in on sis1 inet6 all flags S/SA keep state
  [ Evaluations: 25        Packets: 2         Bytes: 144         States: 2     ]
  [ Inserted: uid 0 pid 2258 ]
@15 pass out on sis1 inet6 all flags S/SA keep state
  [ Evaluations: 4         Packets: 2         Bytes: 136         States: 2     ]
  [ Inserted: uid 0 pid 2258 ]
@16 pass in on sis1 inet from 192.168.0.0/16 to any flags S/SA keep state
  [ Evaluations: 25        Packets: 180       Bytes: 51414       States: 21    ]
  [ Inserted: uid 0 pid 2258 ]
@17 pass out on sis1 inet from any to 192.168.0.0/16 flags S/SA keep state
  [ Evaluations: 23        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@18 pass in inet proto icmp all icmp-type echoreq keep state
  [ Evaluations: 69        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@19 pass out inet proto icmp all keep state
  [ Evaluations: 24        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@20 pass out on sis0 proto tcp all flags S/SA keep state
  [ Evaluations: 73        Packets: 160       Bytes: 49118       States: 11    ]
  [ Inserted: uid 0 pid 2258 ]
@21 pass out on sis0 proto udp all keep state
  [ Evaluations: 21        Packets: 21        Bytes: 2100        States: 10    ]
  [ Inserted: uid 0 pid 2258 ]
@22 pass in quick on gif0 all flags S/SA keep state allow-opts
  [ Evaluations: 73        Packets: 382       Bytes: 27496       States: 2     ]
  [ Inserted: uid 0 pid 2258 ]
@23 pass out quick on gif0 all flags S/SA keep state allow-opts
  [ Evaluations: 2         Packets: 3         Bytes: 288         States: 2     ]
  [ Inserted: uid 0 pid 2258 ]
@24 pass in quick on sis0 inet proto ipv6 from any to 62.178.208.15 keep state
  [ Evaluations: 69        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@25 pass out quick on sis0 inet proto ipv6 from 62.178.208.15 to any keep state
  [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@26 pass in quick proto esp all keep state
  [ Evaluations: 69        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@27 pass in quick proto ipencap all keep state
  [ Evaluations: 45        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@28 pass in quick proto udp from any port = isakmp to any port = isakmp keep state
  [ Evaluations: 45        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@29 pass in quick proto tcp from any port = isakmp to any port = isakmp flags S/SA keep state
  [ Evaluations: 11        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@30 pass out quick proto esp all keep state
  [ Evaluations: 69        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@31 pass out quick proto ipencap all keep state
  [ Evaluations: 24        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@32 pass out quick proto udp from any port = isakmp to any port = isakmp keep state
  [ Evaluations: 24        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@33 pass out quick proto tcp from any port = isakmp to any port = isakmp flags S/SA keep state
  [ Evaluations: 13        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@34 anchor "ftp-proxy/*" all
  [ Evaluations: 69        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@35 pass out inet6 proto tcp from ::1 to any port = ftp flags S/SA keep state
  [ Evaluations: 69        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@36 pass out inet proto tcp from 127.0.0.1 to any port = ftp flags S/SA keep state
  [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
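Editor's note. The two things Max asks for in this exchange are counter deltas between `pfctl -si` snapshots and the numbered ruleset from `pfctl -vvvsr`. The Python below is an added example, not code from the thread or from FreeBSD; it parses both formats, reports which counters moved between two snapshots, lists the block rules whose packet counter is non-zero, and flags the pass rules that carry `flags S/SA`. That last point is the pf fact worth keeping in mind when reading the ruleset above: a `flags S/SA` rule matches only a segment with SYN set and ACK clear, so a mid-stream ACK for which pf holds no state cannot be passed by any of the `pass ... keep state` rules and falls through to the last matching non-quick rule, which in this ruleset is `@2 block return log all`, the one rule with a non-zero packet count. The embedded samples are trimmed from the output quoted above; the `state-mismatch 1` line in the second snapshot is constructed to illustrate the check, since the quoted second snapshot stops at `bad-offset`.

```python
"""Parse 'pfctl -si' counter snapshots and the numbered ruleset from
'pfctl -vvvsr'. Added example, not code from the thread; samples are trimmed
from the quoted output (FreeBSD 7.0 pf); SI_AFTER's state-mismatch line is
constructed."""
import re

SI_BEFORE = """\
Interface Stats for gif0           IPv4             IPv6
  Packets In
    Passed                            0             2347
    Blocked                           0               90
  Packets Out
    Passed                            0             2185
    Blocked                           0                0

State Table                          Total             Rate
  searches                           44046            4.7/s
Counters
  match                              13425            1.4/s
  state-mismatch                         0            0.0/s
"""

SI_AFTER = """\
Interface Stats for gif0           IPv4             IPv6
  Packets In
    Passed                            0             2356
    Blocked                           0               96
  Packets Out
    Passed                            0             2197
    Blocked                           0                0

State Table                          Total             Rate
  searches                           44128            4.7/s
Counters
  match                              13451            1.4/s
  state-mismatch                         1            0.0/s
"""

RULES = """\
@0 pass in all flags S/SA keep state
  [ Evaluations: 75        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@2 block return log all
  [ Evaluations: 75        Packets: 23        Bytes: 7440        States: 0     ]
  [ Inserted: uid 0 pid 2258 ]
@22 pass in quick on gif0 all flags S/SA keep state allow-opts
  [ Evaluations: 73        Packets: 382       Bytes: 27496       States: 2     ]
  [ Inserted: uid 0 pid 2258 ]
"""


def parse_si(text):
    """'pfctl -si' -> {counter: int}. Interface counters become keys such as
    'Packets In/Blocked (IPv6)'; other sections keep the Total column."""
    counters, section, sub = {}, "", None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        name, *vals = re.split(r"\s{2,}", raw.strip())
        if not raw[0].isspace():            # unindented line = section header
            section, sub = name, None
        elif not vals:                      # "Packets In" / "Packets Out"
            sub = name
        elif section.startswith("Interface Stats"):
            key = f"{sub}/{name}" if sub else name
            for fam, v in zip(("IPv4", "IPv6"), vals):
                counters[f"{key} ({fam})"] = int(v)
        else:                               # "searches 44046 4.7/s": drop the rate
            counters[name] = int(vals[0])
    return counters


def si_delta(before, after):
    """Counters that moved between two snapshots; the question in the thread
    is whether state-mismatch grows together with Packets In/Blocked."""
    return {k: after[k] - before[k] for k in after if k in before and after[k] != before[k]}


RULE_RE = re.compile(r"^@(\d+)\s+(.+)$")
STAT_RE = re.compile(r"Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)")


def parse_rules(text):
    """'pfctl -vvvsr' -> list of {n, rule, evals, packets, bytes, states}."""
    rules, cur = [], None
    for line in text.splitlines():
        if m := RULE_RE.match(line):
            cur = {"n": int(m.group(1)), "rule": m.group(2).strip()}
            rules.append(cur)
        elif cur is not None and (m := STAT_RE.search(line)):
            cur.update(zip(("evals", "packets", "bytes", "states"), map(int, m.groups())))
    return rules


def blocking_rules(rules):
    """Block rules whose packet counter is non-zero: the rule doing the dropping."""
    return [r for r in rules if r["rule"].startswith("block") and r.get("packets", 0)]


def syn_only_pass_rules(rules):
    """Pass rules with 'flags S/SA' match only SYN-set, ACK-clear segments. A
    mid-stream ACK with no state entry matches none of them and falls through
    to the last matching rule, here '@2 block return log all'."""
    return [r["n"] for r in rules if r["rule"].startswith("pass") and "flags S/SA" in r["rule"]]


if __name__ == "__main__":
    for k, d in si_delta(parse_si(SI_BEFORE), parse_si(SI_AFTER)).items():
        print(f"{k:32} {d:+d}")
    rules = parse_rules(RULES)
    for r in blocking_rules(rules):
        print(f"@{r['n']} dropped {r['packets']} packets: {r['rule']}")
    print("pass rules that only match the initial SYN:", syn_only_pass_rules(rules))
```

Because the blocking rule in this ruleset carries `log`, the dropped segments also land on the pflog interface; `tcpdump -n -e -ttt -i pflog0` shows each one together with the number of the rule that blocked it, which is the quickest way to confirm that it really is `@2` and to see whether the dropped packets are bare ACKs, as the pcap suggests.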