From: Niek Dekker <niekdekker@gmail.com>
Organization: Bureau Digitekst
To: freebsd-pf@freebsd.org
Date: Tue, 28 Oct 2008 16:10:34 +0100
Subject: Pf: packets on lo0 blocked in spite of pass rule
Message-ID: <49072B6A.7010305@gmail.com>

Hi,

I upgraded recently from 6.2 to 7.0 release p5 (i386) and I'm using pf. After the upgrade, connection problems arose on lo0, for java > mysql and apache > tomcat.
The network interfaces are all in the default setup. Here is the output of pfctl -sr, with the network numbers removed:

scrub in all fragment reassemble
block drop in log all
block drop in log quick on fxp0 from to any
block drop out log quick on fxp0 from any to
block drop in log quick on fxp0 from to any
pass in on fxp0 inet proto tcp from any to ext_if port = smtp flags S/SA keep state
pass in on fxp0 inet proto tcp from any to ext_if port = http flags S/SA keep state
pass in on fxp0 inet proto tcp from any to ext_if port = ssh flags S/SA keep state
pass out on fxp0 proto tcp all flags S/SA keep state
pass out on fxp0 proto udp all keep state
pass on lo0 proto tcp all flags S/SA keep state
pass on lo0 proto udp all keep state
block drop in on ! fxp0 inet from ext_network/25 to any
block drop in inet from ext_if to any

Since the upgrade to 7.0, some packets on lo0 are being blocked nevertheless. Apache httpd is connecting to Tomcat AJP on port 8009. Some, but not all, of these packets are blocked. For example (pflog):

627926 rule 0/0(match): block in on lo0: 127.0.0.1.57243 > 127.0.0.1.8009: P 0:719(719) ack 1 win 8960

In some of these lines there is mention of "[bad hdr length 0 - too short, < 20]", BUT NOT IN ALL. The state table isn't full by far (78). There are some 123 'state mismatch' entries in the output of pfctl -s all. I have "set skip on lo0" to prevent the problem, but it seems to me there is an issue to address here. I am likely to submit a PR unless someone comes up with a solution.

Niek
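When triaging a report like this, the first useful step is to pull the pflog lines apart and count what is actually being dropped on lo0, which rule caught it, which service ports are affected, and how many of the drops carry the "[bad hdr length ...]" annotation that tcpdump prints when the TCP header length field is below 20 bytes. The script below is an added example, not code from the poster or from the FreeBSD project; it parses tcpdump-style pflog lines in the format quoted in the post and summarises them. The sample log lines are constructed for the example (only the first one is taken from the post); the rule numbers, source ports and the fxp0 line are made up.

```python
import re
from collections import Counter

# Constructed sample pflog output in the tcpdump-style format quoted in the post.
# Only the first line is the poster's; the others are made up to exercise the parser.
SAMPLE_PFLOG = """\
627926 rule 0/0(match): block in on lo0: 127.0.0.1.57243 > 127.0.0.1.8009: P 0:719(719) ack 1 win 8960
627927 rule 0/0(match): block in on lo0: 127.0.0.1.57244 > 127.0.0.1.8009: [bad hdr length 0 - too short, < 20]
627928 rule 0/0(match): block in on lo0: 127.0.0.1.49152 > 127.0.0.1.3306: P 0:84(84) ack 1 win 8960
627929 rule 2/0(match): block in on fxp0: 10.0.0.5.40000 > 10.0.0.1.22: S 0:0(0) win 65535
627930 rule 0/0(match): block in on lo0: 127.0.0.1.57245 > 127.0.0.1.8009: [bad hdr length 0 - too short, < 20]
"""

# One pflog line: sequence number, matched rule, action, direction, interface,
# "src.sport > dst.dport:" and whatever tcpdump printed about the TCP segment.
LINE_RE = re.compile(
    r"^(?P<seq>\d+) rule (?P<rule>\d+/\d+)\(match\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)


def parse_pflog(text):
    """Parse tcpdump-style pflog lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["seq"] = int(rec["seq"])
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        # tcpdump appends this when the TCP data offset says the header is < 20 bytes.
        rec["bad_hdr"] = "bad hdr length" in rec["rest"]
        records.append(rec)
    return records


def triage_loopback_blocks(records):
    """Summarise drops on lo0: how many, to which destination ports, which rule number
    caught them, and how many carried a malformed TCP header length. In the poster's
    pfctl -sr output the first filter rule is 'block drop in log all', so rule 0/0 here
    means the packet fell through every pass rule, including 'pass on lo0'."""
    lo0 = [r for r in records if r["ifname"] == "lo0" and r["action"] == "block"]
    return {
        "lo0_blocked": len(lo0),
        "lo0_by_dport": dict(Counter(r["dport"] for r in lo0)),
        "lo0_bad_hdr": sum(1 for r in lo0 if r["bad_hdr"]),
        "lo0_rules": sorted({r["rule"] for r in lo0}),
        "other_if_blocked": sum(
            1 for r in records if r["ifname"] != "lo0" and r["action"] == "block"
        ),
    }


if __name__ == "__main__":
    summary = triage_loopback_blocks(parse_pflog(SAMPLE_PFLOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run it against real output with `tcpdump -n -e -ttt -r /var/log/pflog` (or `-i pflog0`) piped into `parse_pflog`; the interesting split is between lo0 drops with and without the bad-header annotation, since a drop of a well-formed loopback segment by the catch-all rule, despite a matching `pass on lo0` rule, is the symptom the post describes, while a zero-length TCP header is a separate malformed-packet case worth counting on its own.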