From: Guido van Rooij
To: freebsd-pf@freebsd.org
Date: Wed, 3 Sep 2008 13:09:43 +0200
Subject: keeping state on outgoing connections fails (?)
Message-ID: <20080903110943.GA25396@gvr.gvr.org>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Setup: FreeBSD 6.3 system with 2 interfaces: ep0 and bge0.

ep0:  1.2.3.4/24
bge0: 10.0.0.1/24

ruleset (made as simple as possible):

pass in quick on ep0 inet from 1.2.3.1 to 10.0.0.2
block drop out log quick on ep0 all
pass out quick on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2 keep state

When I telnet from 1.2.3.1 to 10.0.0.2, the packet comes in via ep0 and
passes because of rule 1. Then the packet goes out via bge0, is passed via
rule 3 and a state entry is created. The return SYN/ACK comes in via bge0
and passes because of the state entry. Then the packet should be sent out
via ep0, but it is blocked, as pflogd shows:

000000 rule 1/0(match): block out on ep0: 10.0.0.2.25 > 1.2.3.1.1040: S 3255603624:3255603624(0) ack 3600825196 win 65535
2. 955997 rule 1/0(match): block out on ep0: 10.0.0.2.25 > 1.2.3.1.1040: S 3255603624:3255603624(0) ack 3600825196 win 65535
2. 999812 rule 1/0(match): block out on ep0: 10.0.0.2.25 > 1.2.3.1.1040: S 3255603624:3255603624(0) ack 3600825196 win 65535
3. 009226 rule 1/0(match): block out on ep0: 10.0.0.2.25 > 1.2.3.1.1040: S 3255603624:3255603624(0) ack 3600825196 win 65535
5. 999234 rule 1/0(match): block out on ep0: 10.0.0.2.25 > 1.2.3.1.1040: S 3255603624:3255603624(0) ack 3600825196 win 65535

A tcpdump of the relevant packets (bad checksum because of checksum offloading):

13:05:39.471200 IP (tos 0x0, ttl 127, id 195, offset 0, flags [DF], proto: TCP (6), length: 48, bad cksum 0 (->ed00)!) 1.2.3.1.1040 > 10.0.0.2.25: S, cksum 0x62e5 (correct), 3600825195:3600825195(0) win 64512
13:05:39.471378 IP (tos 0x0, ttl 64, id 37525, offset 0, flags [DF], proto: TCP (6), length: 48) 10.0.0.2.25 > 1.2.3.1.1040: S, cksum 0x0c21 (correct), 3255603624:3255603624(0) ack 3600825196 win 65535
13:05:42.427163 IP (tos 0x0, ttl 127, id 196, offset 0, flags [DF], proto: TCP (6), length: 48, bad cksum 0 (->ecff)!) 1.2.3.1.1040 > 10.0.0.2.25: S, cksum 0x62e5 (correct), 3600825195:3600825195(0) win 64512
13:05:42.427377 IP (tos 0x0, ttl 64, id 37593, offset 0, flags [none], proto: TCP (6), length: 48) 10.0.0.2.25 > 1.2.3.1.1040: S, cksum 0x0c21 (correct), 3255603624:3255603624(0) ack 3600825196 win 65535
13:05:45.427182 IP (tos 0x0, ttl 64, id 39074, offset 0, flags [none], proto: TCP (6), length: 48) 10.0.0.2.25 > 1.2.3.1.1040: S, cksum 0x0c21 (correct), 3255603624:3255603624(0) ack 3600825196 win 65535
13:05:48.436285 IP (tos 0x0, ttl 127, id 197, offset 0, flags [DF], proto: TCP (6), length: 48, bad cksum 0 (->ecfe)!) 1.2.3.1.1040 > 10.0.0.2.25: S, cksum 0x62e5 (correct), 3600825195:3600825195(0) win 64512
13:05:48.436418 IP (tos 0x0, ttl 64, id 45408, offset 0, flags [none], proto: TCP (6), length: 48) 10.0.0.2.25 > 1.2.3.1.1040: S, cksum 0x0c21 (correct), 3255603624:3255603624(0) ack 3600825196 win 65535
13:05:54.435645 IP (tos 0x0, ttl 64, id 48287, offset 0, flags [none], proto: TCP (6), length: 48) 10.0.0.2.25 > 1.2.3.1.1040: S, cksum 0x0c21 (correct), 3255603624:3255603624(0) ack 3600825196 win 65535

pfctl -si before telnetting:

State Table                          Total             Rate
  current entries                        0
  searches                               0            0.0/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                                  0            0.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

After telnetting:

State Table                          Total             Rate
  current entries                        1
  searches                              44            1.8/s
  inserts                                1            0.0/s
  removals                               0            0.0/s
Counters
  match                                 32            1.3/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

The state entry (pfctl -vvvs state):

self tcp 1.2.3.1:1040 -> 10.0.0.2:25       ESTABLISHED:SYN_SENT
   [3600825196 + 65535]  [3255603625 + 64512]
   age 00:00:22, expires in 00:00:23, 8:5 pkts, 424:240 bytes, rule 2
   id: 48be58f800000009 creatorid: 89adbe9b

pfctl -vvvvs rules before the telnet:

@0 pass in quick on ep0 inet from 1.2.3.1 to 10.0.0.2
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
@1 block drop out log quick on ep0 all
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
@2 pass out quick on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2 keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]

and after:

@0 pass in quick on ep0 inet from 1.2.3.1 to 10.0.0.2
  [ Evaluations: 32        Packets: 3         Bytes: 144         States: 0     ]
@1 block drop out log quick on ep0 all
  [ Evaluations: 5         Packets: 5         Bytes: 240         States: 0     ]
@2 pass out quick on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2 keep state
  [ Evaluations: 24        Packets: 13        Bytes: 664         States: 1     ]

I would expect the packet to match the state entry, but somehow it does not.
Setting the state-policy to if-bound or floating makes no difference.

My question is why the packet does not match the state entry, resulting in
its being blocked.

-Guido
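Added example, not part of the post and not pf's own code: a small Python model of the per-direction state keys (lan/gwy/ext, as assumed here for the pf shipped with FreeBSD 6.x) that walks the four passes the SYN and SYN/ACK make through the router. It shows why the state created by the out rule on bge0 matches the reply arriving on bge0 but not the same reply leaving on ep0, and that a second state from a keep state on the ep0 in rule would cover that pass.

```python
# Simplified model (an assumption of this example, not code from the post) of
# how the pf shipped with FreeBSD 6.x keys TCP states. A state stores three
# endpoints: lan (our side), gwy (lan after NAT; equal to lan without NAT)
# and ext (the far side). A packet is looked up according to its direction:
#     out: (lan=src, ext=dst)        in: (ext=src, gwy=dst)
# The state itself is stored with lan/ext taken from the first packet seen.

CLIENT = ("1.2.3.1", 1040)   # telnet client behind ep0 (from the post)
SERVER = ("10.0.0.2", 25)    # server port 25 behind bge0 (from the post)


def make_state(direction, src, dst):
    """State created when a packet first hits a 'keep state' rule."""
    lan, ext = (src, dst) if direction == "out" else (dst, src)
    return {"lan": lan, "gwy": lan, "ext": ext}   # gwy == lan: no NAT


def lookup(states, direction, src, dst):
    """True if any state matches the packet as pf would key it."""
    for st in states:
        if direction == "out" and (st["lan"], st["ext"]) == (src, dst):
            return True
        if direction == "in" and (st["ext"], st["gwy"]) == (src, dst):
            return True
    return False


# The four passes that the SYN and the SYN/ACK make through the router.
# The interface is ignored here: with floating states (the post says
# if-bound makes no difference) pf does not consult it for the lookup.
FLOW = [
    ("in",  "ep0",  CLIENT, SERVER),  # SYN arrives from the client
    ("out", "bge0", CLIENT, SERVER),  # SYN leaves towards the server
    ("in",  "bge0", SERVER, CLIENT),  # SYN/ACK arrives from the server
    ("out", "ep0",  SERVER, CLIENT),  # SYN/ACK should leave to the client
]


def matches_for(states):
    """For each pass in FLOW: does some state in 'states' match it?"""
    return [lookup(states, d, s, t) for d, _, s, t in FLOW]


# The post's ruleset: only 'pass out quick on bge0 ... keep state'.
OUT_ONLY = [make_state("out", CLIENT, SERVER)]
# Adding 'keep state' to 'pass in quick on ep0 ...' adds a second state
# whose (lan, ext) pair is the reverse of the first one.
BOTH = OUT_ONLY + [make_state("in", CLIENT, SERVER)]

if __name__ == "__main__":
    print(matches_for(OUT_ONLY))   # [False, True, True, False]
    print(matches_for(BOTH))       # [True, True, True, True]
```

The fourth entry of the first list is the blocked SYN/ACK from the pflog output: its (src, dst) keyed as (lan, ext) is the reverse of what the bge0 state stores, so rule @1 is what pf falls through to.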