From owner-freebsd-pf@FreeBSD.ORG Mon Feb 25 00:33:07 2013
From: "wishmaster" <artemrts@ukr.net>
To: "freebsd-pf@FreeBSD.org"
Subject: pf bad cksum on loopback
Date: Mon, 25 Feb 2013 02:11:14 +0200
Message-Id: <51075.1361751074.6390892036295163904@ffe6.ukr.net>

Hello,

In my FreeBSD (9.1-STABLE i386) server there is a jail with nginx/apache + php + etc. stuff... All works fine, but with ftp not so good.
In the jail I have installed an ftp server, listening on IP 10.15.1.1. This IP address (alias) is on the internal interface bridge0. This bridge consists of 3 NICs.
I am unable to connect to this ftp server, neither from the same jail nor from the base host. With PF completely disabled, connections to ftpd are successful.

I have figured out that the problem is in the antispoof rule:

antispoof log quick for {bridge0 lo0} inet
(@4 block drop in log quick on ! bridge0 inet from 10.15.1.0/24 to any)

Below is the tcpdump output:

01:42:27.348025 rule 50..16777216/0(match): pass out on lo0: (tos 0x0, ttl 128, id 8002, offset 0, flags [DF], proto TCP (6), length 60)
    10.15.1.1.63392 > 10.15.1.1.2121: Flags [SEW], cksum 0x0277 (correct), seq 3376923564, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 107831611 ecr 0], length 0
01:42:27.348165 rule 4..16777216/0(match): block in on lo0: (tos 0x0, ttl 128, id 8002, offset 0, flags [DF], proto TCP (6), length 60, bad cksum 0 (->c55a)!)
    10.15.1.1.63392 > 10.15.1.1.2121: Flags [SEW], cksum 0x0277 (correct), seq 3376923564, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 107831611 ecr 0], length 0
01:42:30.347549 rule 4..16777216/0(match): block in on lo0: (tos 0x0, ttl 128, id 60408, offset 0, flags [DF], proto TCP (6), length 60, bad cksum 0 (->f8a3)!)
    10.15.1.1.63392 > 10.15.1.1.2121: Flags [SEW], cksum 0xf6be (correct), seq 3376923564, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 107834611 ecr 0], length 0
01:42:33.547564 rule 4..16777216/0(match): block in on lo0: (tos 0x0, ttl 128, id 12125, offset 0, flags [DF], proto TCP (6), length 60, bad cksum 0 (->b53f)!)
    10.15.1.1.63392 > 10.15.1.1.2121: Flags [S], cksum 0xeafe (correct), seq 3376923564, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 107837811 ecr 0], length 0
01:42:36.747569 rule 4..16777216/0(match): block in on lo0: (tos 0x0, ttl 128, id 25338, offset 0, flags [DF], proto TCP (6), length 48, bad cksum 0 (->81ae)!)
    10.15.1.1.63392 > 10.15.1.1.2121: Flags [S], cksum 0xa6fe (correct), seq 3376923564, win 65535, options [mss 16344,sackOK,eol], length 0

The workaround is something like this rule:

set skip on lo0

but this is unsuitable for me. For security reasons I must use PF to filter traffic from the jail to the base system.

Cheers,
Vitaliy

From owner-freebsd-pf@FreeBSD.ORG Mon Feb 25 05:16:56 2013
From: Jason Hellenthal <jhellenthal@DataIX.net>
To: wishmaster
Cc: "freebsd-pf@FreeBSD.org"
Subject: Re: pf bad cksum on loopback
Date: Mon, 25 Feb 2013 00:16:49 -0500
Message-Id: <00B97EDD-F815-49DE-B045-03A68BD648CD@DataIX.net>
In-Reply-To: <51075.1361751074.6390892036295163904@ffe6.ukr.net>
X-Mailer: iPhone Mail (10B146)

Have you attempted to...

ifconfig lo0 -txcsum -rxcsum

And see if that solves your problem. I've had to do this numerous times with pf on 8.1 -> 8.3.

Check the syntax of the flags, though; it's been a while since I looked at that issue.

-- 
Jason Hellenthal
JJH48-ARIN - (2^(N-1))

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Mon Feb 25 08:37:36 2013
Date: Mon, 25 Feb 2013 08:27:02 +0000
From: "Muhammad Anwar Mohd Kassim via SkillPages Team" <no-reply@skillpagesmail.com>
To: freebsd-pf@freebsd.org
Subject: Your invitation from Muhammad Anwar Mohd Kassim is about to expire

Hi,

Unlock new opportunities for you and your contacts.

Muhammad Anwar Mohd Kassim
Invite sent: 18 February, 2013

Join me on SkillPages

freebsd-pf@freebsd.org was invited to join SkillPages by Muhammad Anwar Mohd Kassim.

To stop receiving emails from SkillPages click here.

© 2013 SkillPages, Blackrock Business Park, Dublin, Ireland and 228 Hamilton Avenue, 3rd Floor, Palo Alto, CA 94301.
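The loopback-block pattern from the "pf bad cksum on loopback" thread above, turned into a small triage script. This is an added example, not code from the thread's participants or from FreeBSD: it parses pflog output in the tcpdump -v form shown in the first message (the sample lines below are copied from that message and embedded so the script runs offline), then reports, per blocking rule and interface, how many blocked packets were self-addressed traffic on lo0 (what an antispoof expansion of the form "block in on ! IFACE from NET" catches; pf.conf(5) notes that antispoof rules interfere with packets sent over loopback to local addresses) and how many carried a bad IPv4 header checksum next to a correct TCP checksum, the combination the thread cleared with ifconfig lo0 -txcsum -rxcsum. The record layout, function names and wording of the findings are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the five pflog records quoted in the thread, laid out the
# way tcpdump -v prints them (pf/IP header line, then the indented TCP line).
SAMPLE_LOG = """\
01:42:27.348025 rule 50..16777216/0(match): pass out on lo0: (tos 0x0, ttl 128, id 8002, offset 0, flags [DF], proto TCP (6), length 60)
    10.15.1.1.63392 > 10.15.1.1.2121: Flags [SEW], cksum 0x0277 (correct), seq 3376923564, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 107831611 ecr 0], length 0
01:42:27.348165 rule 4..16777216/0(match): block in on lo0: (tos 0x0, ttl 128, id 8002, offset 0, flags [DF], proto TCP (6), length 60, bad cksum 0 (->c55a)!)
    10.15.1.1.63392 > 10.15.1.1.2121: Flags [SEW], cksum 0x0277 (correct), seq 3376923564, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 107831611 ecr 0], length 0
01:42:30.347549 rule 4..16777216/0(match): block in on lo0: (tos 0x0, ttl 128, id 60408, offset 0, flags [DF], proto TCP (6), length 60, bad cksum 0 (->f8a3)!)
    10.15.1.1.63392 > 10.15.1.1.2121: Flags [SEW], cksum 0xf6be (correct), seq 3376923564, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 107834611 ecr 0], length 0
01:42:33.547564 rule 4..16777216/0(match): block in on lo0: (tos 0x0, ttl 128, id 12125, offset 0, flags [DF], proto TCP (6), length 60, bad cksum 0 (->b53f)!)
    10.15.1.1.63392 > 10.15.1.1.2121: Flags [S], cksum 0xeafe (correct), seq 3376923564, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 107837811 ecr 0], length 0
01:42:36.747569 rule 4..16777216/0(match): block in on lo0: (tos 0x0, ttl 128, id 25338, offset 0, flags [DF], proto TCP (6), length 48, bad cksum 0 (->81ae)!)
    10.15.1.1.63392 > 10.15.1.1.2121: Flags [S], cksum 0xa6fe (correct), seq 3376923564, win 65535, options [mss 16344,sackOK,eol], length 0
"""

# pf header line: timestamp, "rule N..M/K(match):", action, direction, interface, IP info.
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) rule (?P<rule>\d+)\.\.\d+/\d+\(match\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\S+): \((?P<ipinfo>.*)\)$"
)
# tcpdump marks an IPv4 header checksum it could not verify as "bad cksum X (->Y)!".
BAD_CKSUM_RE = re.compile(r"bad cksum [0-9a-f]+ \(->[0-9a-f]+\)!")
# TCP line: src.port > dst.port, flags, and the TCP checksum verdict.
TCP_RE = re.compile(
    r"^\s*(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\], "
    r"cksum 0x[0-9a-f]+ \((?P<status>[^)]*)\)"
)


@dataclass
class PfLogRecord:
    ts: str
    rule: int
    action: str
    direction: str
    ifname: str
    ip_cksum_bad: bool   # IPv4 header checksum flagged by tcpdump
    src: str             # "host.port" exactly as tcpdump prints it
    dst: str
    flags: str
    tcp_cksum_ok: bool


def host(addr: str) -> str:
    """Strip the trailing ".port" from tcpdump's host.port notation."""
    return addr.rsplit(".", 1)[0]


def parse_pflog(text: str) -> List[PfLogRecord]:
    """Pair every pf header line with the TCP line that follows it."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    records: List[PfLogRecord] = []
    i = 0
    while i < len(lines):
        h = HEADER_RE.match(lines[i])
        t = TCP_RE.match(lines[i + 1]) if h and i + 1 < len(lines) else None
        if not (h and t):
            i += 1            # not a header/TCP pair we understand; move on
            continue
        records.append(PfLogRecord(
            ts=h["ts"], rule=int(h["rule"]), action=h["action"],
            direction=h["dir"], ifname=h["ifname"],
            ip_cksum_bad=BAD_CKSUM_RE.search(h["ipinfo"]) is not None,
            src=t["src"], dst=t["dst"], flags=t["flags"],
            tcp_cksum_ok=(t["status"] == "correct"),
        ))
        i += 2
    return records


def summarize_blocks(records: List[PfLogRecord]) -> Dict[Tuple[int, str], Tuple[int, int, int]]:
    """Per (rule, interface): blocked count, self-addressed count, and the count
    with a bad IP checksum but a correct TCP checksum."""
    blocked, self_addr, offload_like = Counter(), Counter(), Counter()
    for r in records:
        if r.action != "block":
            continue
        key = (r.rule, r.ifname)
        blocked[key] += 1
        if host(r.src) == host(r.dst):
            self_addr[key] += 1
        if r.ip_cksum_bad and r.tcp_cksum_ok:
            offload_like[key] += 1
    return {k: (blocked[k], self_addr[k], offload_like[k]) for k in blocked}


def diagnose(records: List[PfLogRecord]) -> List[str]:
    """One finding per blocking (rule, interface); the two loopback symptoms from
    the thread are called out only when every blocked packet shows them."""
    findings = []
    for (rule, ifname), (n, n_self, n_offload) in sorted(summarize_blocks(records).items()):
        msg = f"rule {rule} blocked {n} packet(s) on {ifname}"
        if ifname == "lo0" and n_self == n:
            msg += ("; all are self-addressed loopback traffic, which an antispoof "
                    "expansion 'block in on ! IFACE from NET' also matches")
        if n_offload == n:
            msg += ("; all have a bad IP cksum with a correct TCP cksum, the pattern of "
                    "checksum offload still enabled (thread fix: ifconfig lo0 -txcsum -rxcsum)")
        findings.append(msg)
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_pflog(SAMPLE_LOG)):
        print(line)
```

Feed it real output with something like tcpdump -n -e -ttt -v -i pflog0 piped into parse_pflog; records whose IP checksum is bad but TCP checksum is correct on lo0 are the ones worth checking against the interface's TXCSUM/RXCSUM flags before touching the ruleset, while self-addressed blocks on lo0 point at the antispoof expansion and are better handled by an explicit pass for loopback than by set skip on lo0, which the original poster rejected for removing jail-to-host filtering.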
From owner-freebsd-pf@FreeBSD.ORG Mon Feb 25 11:06:53 2013
From: FreeBSD bugmaster <owner-bugmaster@FreeBSD.org>
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Date: Mon, 25 Feb 2013 11:06:52 GMT
Message-Id: <201302251106.r1PB6q4x066698@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/176268  pf         [pf] [patch] synproxy not working with route-to
o kern/173659  pf         [pf] PF fatal trap on 9.1 (taskq fatal trap on pf_test
o bin/172888   pf         [patch] authpf(8) feature enhancement
o kern/172648  pf         [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet
o kern/171733  pf         [pf] PF problem with modulate state in [regression]
o kern/169630  pf         [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf         [pf] direction scrub rules don't work
o kern/168190  pf         [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336  pf         [pf] kern.securelevel 3 +pf reload
o kern/165315  pf         [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf         [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf         [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf         [pf] PF state key linking mismatch
o kern/160370  pf         [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/103283  pf         pfsync fails to successfully transfer some sessions
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

49 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Feb 25 17:23:21 2013
From: "wishmaster" <artemrts@ukr.net>
To: "Jason Hellenthal"
Cc: "freebsd-pf@FreeBSD.org"
Subject: Re[2]: pf bad cksum on loopback
Date: Mon, 25 Feb 2013 19:23:17 +0200
Message-Id: <95067.1361812997.6366597394766954496@ffe6.ukr.net>
In-Reply-To: <00B97EDD-F815-49DE-B045-03A68BD648CD@DataIX.net>

Hi, thanks for the advice. Now all works fine!

--- Original message ---
From: "Jason Hellenthal"
To: "wishmaster"
Date: 25 February 2013, 07:16:56
Subject: Re: pf bad cksum on loopback

> Have you attempted to...
>
> ifconfig lo0 -txcsum -rxcsum
>
> And see if that solves your problem. I've had to do this numerous times with pf on 8.1 -> 8.3
>
> Check the syntax of the flags, though; it's been a while since I looked at that issue.

From owner-freebsd-pf@FreeBSD.ORG Sat Mar 2 09:20:45 2013
From: cayla olivier <caylajade.hart@gmail.com>
To: freebsd-pf@freebsd.org
Subject: Drive A New Car from R499 P/M
Date: Sat, 2 Mar 2013 01:20:37 -0800

Hi there, whereabouts are your offices in Johannesburg and Port Elizabeth?