From owner-freebsd-i386@FreeBSD.ORG Fri Mar 16 15:00:15 2007
Message-Id: <200703161458.l2GEwofh050643@www.freebsd.org>
Date: Fri, 16 Mar 2007 14:58:50 GMT
From: Alejandro Gramajo
To: freebsd-gnats-submit@FreeBSD.org
Subject: i386/110393: parameter syncpeer only works if ip address is backwards

>Number:         110393
>Category:       i386
>Synopsis:       parameter syncpeer only works if ip address is backwards
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-i386
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Mar 16 15:00:15 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Alejandro Gramajo
>Release:        6.1-RELEASE
>Organization:   BAICOM Networks
>Environment:
FreeBSD fleni-fw2.fleni 6.1-RELEASE FreeBSD 6.1-RELEASE #2: Fri Sep 22 14:47:51 ART 2006 root@fleni-fw.16.1.27:/usr/src/sys/i386/compile/MYKERNEL i386
>Description:
2 firewalls with 3 ethernet interfaces.
 - rl0 (wan / internet)
 - re0 (dmz) [ fw1: 172.21.0.101  fw2: 172.21.0.102 ]
 - re1 (lan)
2 virtual interfaces
 - carp0 (dmz gateway)
 - carp1 (lan gateway)
Pfsync
 - syncdev re0
 - for fw1 set syncpeer 172.21.0.102
 - for fw2 set syncpeer 172.21.0.101

When I set the syncpeer parameter of pfsync0, it does not work, because it tries to connect to the internet, to the backwards IP address.

FW2 (the master):
# ifconfig pfsync0 syncdev re0 syncpeer 172.21.0.101
# ifconfig pfsync0
pfsync0: flags=0<> mtu 1348
        pfsync: syncdev: re0 syncpeer: 172.21.0.101 maxupd: 128

You can see the tcpdump's output (rl0 is the ethernet for wan connections):
# tcpdump -n -c 3 -i rl0 proto pfsync
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on rl0, link-type EN10MB (Ethernet), capture size 96 bytes
11:32:52.187251 IP 200.41.236.244 > 101.0.21.172: pfsync 532
11:32:52.232685 IP 200.41.236.244 > 101.0.21.172: pfsync 180
11:32:52.232696 IP 200.41.236.244 > 101.0.21.172: pfsync 452
3 packets captured
198 packets received by filter
0 packets dropped by kernel

FW1 has exactly the same behaviour.

And another problem that I observe here is the syncdev parameter. What parameter is more important to decide

I only found one reference to this apparent bug, and with no answer:
http://lists.freebsd.org/pipermail/freebsd-pf/2006-April/002084.html
>How-To-Repeat:
FW2:
# ifconfig pfsync0 syncdev re0 syncpeer 172.21.0.101
# ifconfig pfsync0
pfsync0: flags=0<> mtu 1348
        pfsync: syncdev: re0 syncpeer: 172.21.0.101 maxupd: 128
# tcpdump -n -c 3 -i rl0 proto pfsync
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on rl0, link-type EN10MB (Ethernet), capture size 96 bytes
11:32:52.187251 IP 200.41.236.244 > 101.0.21.172: pfsync 532
11:32:52.232685 IP 200.41.236.244 > 101.0.21.172: pfsync 180
11:32:52.232696 IP 200.41.236.244 > 101.0.21.172: pfsync 452
3 packets captured
198 packets received by filter
0 packets dropped by kernel
>Fix:
Put the backwards IP address in syncpeer ( 172.21.0.101 -> 101.0.21.172 ).

FW2:
# ifconfig pfsync0 syncpeer 101.0.21.172 syncdev re0
# tcpdump -n -c 3 -i re0 proto pfsync
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on re0, link-type EN10MB (Ethernet), capture size 96 bytes
11:39:12.569303 IP 172.21.0.102 > 172.21.0.101: pfsync 532
11:39:12.629316 IP 172.21.0.102 > 172.21.0.101: pfsync 532
11:39:12.650105 IP 172.21.0.102 > 172.21.0.101: pfsync 532
3 packets captured
122 packets received by filter
0 packets dropped by kernel

You can see now that packets are sent via the re0 interface correctly, and everything seems to work fine.
>Release-Note:
>Audit-Trail:
>Unformatted:
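The reversal the report shows (172.21.0.101 configured, 101.0.21.172 on the wire) is exactly what reversing the four octets of the address produces, which is why the workaround of entering the address backwards cancels it out. The C program below is an added example, not part of this PR or of FreeBSD's pfsync code; it assumes that octet-reversal explanation and checks a destination observed in a capture against the configured syncpeer, flagging the reversed form so an operator can confirm the symptom (unauthenticated pfsync state updates leaving through the WAN interface to a stranger's address) before trusting the failover pair.

```c
/* Added example (not from PR i386/110393): detect a pfsync peer address that
 * appears on the wire with its octets reversed, assuming that is the cause. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>

enum peer_match { PEER_OK, PEER_REVERSED, PEER_UNKNOWN, PEER_BAD_INPUT };

/* Reverse the four octets of an IPv4 address held in network byte order.
 * Works on both endiannesses because it only permutes the bytes. */
static uint32_t reverse_octets(uint32_t a)
{
    return ((a & 0xff000000u) >> 24) | ((a & 0x00ff0000u) >> 8) |
           ((a & 0x0000ff00u) << 8)  | ((a & 0x000000ffu) << 24);
}

/* Compare a destination seen in a capture with the configured syncpeer. */
enum peer_match check_syncpeer(const char *configured, const char *observed)
{
    struct in_addr cfg, obs;
    if (inet_pton(AF_INET, configured, &cfg) != 1 ||
        inet_pton(AF_INET, observed, &obs) != 1)
        return PEER_BAD_INPUT;
    if (cfg.s_addr == obs.s_addr)
        return PEER_OK;                 /* updates go to the real peer */
    if (reverse_octets(cfg.s_addr) == obs.s_addr)
        return PEER_REVERSED;           /* the symptom described in the PR */
    return PEER_UNKNOWN;                /* some other misconfiguration */
}

int main(void)
{
    /* Constructed from the PR: configured peer vs. destinations seen by tcpdump. */
    const char *cfg = "172.21.0.101";
    const char *seen[] = { "101.0.21.172", "172.21.0.101", "10.0.0.1" };
    const char *names[] = { "ok", "reversed", "unknown", "bad input" };
    struct in_addr r;
    char buf[INET_ADDRSTRLEN];

    inet_pton(AF_INET, cfg, &r);
    r.s_addr = reverse_octets(r.s_addr);
    printf("syncpeer %s would appear reversed as %s\n", cfg,
           inet_ntop(AF_INET, &r, buf, sizeof buf));
    for (size_t i = 0; i < 3; i++)
        printf("dst %-14s -> %s\n", seen[i], names[check_syncpeer(cfg, seen[i])]);
    return 0;
}
```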