Date:      Sun, 22 Oct 2006 00:57:49 +0400
From:      Попов Игорь Николаевич <igorpopov@newmail.ru>
To:        freebsd-ipfw@FreeBSD.org
Subject:   pf drops packets
Message-ID:  <20061021205749.28316.qmail@flock1.newmail.ru>

 Hi.
My system is 6.2-PRERELEASE with a custom kernel (pf and altq are in the kernel); it works as a gateway between the Internet and my home network. Squid, which lives in a jail, serves http and ftp requests from the internal net.
 
# ifconfig nfe0
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 9000
        options=b<RXCSUM,TXCSUM,VLAN_MTU>
        inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
        inet 192.168.10.2 netmask 0xffffff00 broadcast 192.168.10.255
        inet 192.168.10.3 netmask 0xffffff00 broadcast 192.168.10.255
        inet 192.168.10.4 netmask 0xffffff00 broadcast 192.168.10.255
        inet 192.168.10.5 netmask 0xffffff00 broadcast 192.168.10.255
        ether 00:17:31:13:8d:3f
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active

# jls
   JID  IP Address      Hostname                      Path
     1  192.168.10.4    proxy.my.net                  /var/jail_proxy

# cat /etc/pf.conf
# /etc/pf.conf for a FreeBSD 6.2-PRERELEASE gateway: tun0 faces the
# Internet, nfe0 the home LAN.  The ifconfig output above shows nfe0
# carrying 192.168.10.1-.5 (mtu 9000); the jls output shows a Squid jail
# bound to the alias 192.168.10.4.
ext_if="tun0"
int_if="nfe0"

# Macros in parentheses are evaluated at lookup time, so address changes
# on the interfaces are picked up without reloading the ruleset.
# ext_addr is defined but not referenced by any rule in this file.
int_net="(" $int_if:network ")"
ext_addr="(" $ext_if:0 ")"

# Global options.
# loginterface: collect per-interface packet/byte counters for nfe0.
# block-policy drop: blocked packets are silently discarded; no TCP RST
#   or ICMP unreachable goes back to the sender.
# skip on lo0: loopback traffic is never filtered.
set loginterface nfe0
set optimization normal
set block-policy drop
set fingerprints "/etc/pf.os"
set skip on lo0

# Normalise (reassemble fragments etc.) only traffic arriving from the
# Internet; nothing on nfe0 is scrubbed.
scrub in on $ext_if

# HFSC shaping on the LAN side.  q_std is the default queue; the
# queue(q_std, q_pri) assignments below send bulk data to q_std and
# low-delay packets / empty TCP ACKs to q_pri.
altq on $int_if bandwidth 1000Mb hfsc queue { q_std q_pri q_udp }
#queue  q_root bandwidth 95Mb qlimit 500 { q_std q_pri q_udp }
queue  q_std bandwidth 85% qlimit 500 hfsc( default linkshare 85% red )
queue  q_pri bandwidth 5%  hfsc( linkshare 5% )
queue  q_udp bandwidth 10% hfsc( linkshare 10% )

# Outbound NAT for anything sourced from the LAN prefix (this includes
# the jail's 192.168.10.4 and the gateway's own nfe0 addresses).
# NOTE(review): the "pass" keyword passes translated packets WITHOUT
# evaluating the filter rules, so the "pass out on $ext_if" rules at the
# bottom never apply to translated traffic such as the proxy's fetches.
# As far as the rules here show, no "pass in on $int_if ... to any" rule
# exists either, so LAN hosts cannot reach the Internet directly -- only
# via Squid -- and the only egress control on the proxy is this line.
# Dropping "pass" (plain "nat on ...") would let the filter rules decide.
nat pass on $ext_if from $int_net to ! ($ext_if) -> ($ext_if)
# No rdr rules are defined in this file, so this line currently has no
# effect; it would exempt loopback traffic from any rdr added later.
no rdr on lo0 from any to any

# Default deny, in and out, on every interface.  pf filter rules are
# last-match-wins (only the netbios-dgm rule below uses "quick"), so this
# should be rule 0 of the filter ruleset -- the "rule 0/0(match): block
# out on nfe0" entries in the pflog output.  Anything that no later pass
# rule or existing state matches ends here.  Since there is no "pass in
# on $ext_if" rule at all, this is also what protects the tun0 side,
# including against packets arriving there with a 192.168.10.x source;
# an explicit "antispoof for $int_if" would make that intent visible.
block log all

# LOCALNET
# Services the gateway offers to LAN hosts.  "($int_if)" covers every
# address on nfe0, including the jail alias 192.168.10.4, so this is the
# rule that admits Squid connections on 3128.  "flags S/SA modulate
# state": state is created only by the initial SYN; every later segment
# (data, FIN, RST) is passed only while that state exists, and no
# "pass out on $int_if ... tcp" rule for 3128 exists to catch it otherwise.
# NOTE(review): the pflog output shows FIN/PSH and RST/PSH segments from
# 192.168.10.4:3128 to 192.168.10.6 being dropped and repeating on the
# same client ports ~64 s apart -- consistent with Squid retransmitting
# after pf has already removed the state (e.g. the client closed first
# and the tcp.closed / tcp.finwait timers expired), or with segments
# outside the window tracked by "modulate state".  Check "pfctl -ss" for
# the 3128 state and "pfctl -st" for the timeouts while it happens rather
# than adding a blanket "pass out on $int_if" rule, which would also give
# the jail unrestricted access to LAN hosts.
# Side observation: several dropped segments are 1536-1537 bytes with DF
# set, larger than a 1500-byte MTU; worth checking the clients' MTU
# against nfe0's mtu 9000, though that alone does not explain a pf drop.
pass  in  on $int_if inet proto tcp from $int_net to ($int_if) \
    port { ssh,domain,www,netbios-ssn,microsoft-ds,socks,3128 } \
        flags S/SA modulate state queue(q_std, q_pri)

# DNS over UDP from the LAN to the gateway's own addresses.
pass  in  on $int_if inet proto udp from $int_net to ($int_if) \
    port { domain } keep state queue(q_udp)
# netbios
# NetBIOS name/datagram service between LAN addresses.  The netbios-dgm
# rule is the only "quick" rule in the file: once it matches, no later
# rule is considered for that packet.
pass  in  on $int_if inet proto udp from $int_net port netbios-ns \
    to $int_net  port netbios-ns keep state queue(q_udp)
pass  in  quick on $int_if inet proto udp from $int_net port netbios-dgm \
    to $int_net port netbios-dgm keep state queue(q_udp)

# Traffic the gateway (or the jail) originates towards LAN hosts: only
# SMB/CIFS over TCP, NetBIOS over UDP and ICMP create state here.
pass  out on $int_if inet proto tcp to $int_net \
    port { netbios-ssn,microsoft-ds } flags S/SA modulate state queue(q_std, q_pri)
pass  out on $int_if inet proto udp from ($int_if) port netbios-ns \
    to $int_net port netbios-ns keep state queue(q_udp)
pass  out on $int_if inet proto udp from ($int_if) port netbios-dgm \
    to $int_net port netbios-dgm keep state queue(q_udp)
pass  out on $int_if inet proto icmp to $int_net keep state

# INET
# Non-translated traffic the gateway itself sends to the Internet.
# Translated traffic does not reach these rules because of "nat pass"
# above, and there is no inbound rule on $ext_if: unsolicited Internet
# traffic falls through to "block log all".
pass  out on $ext_if inet proto tcp all flags S/SA modulate state
pass  out on $ext_if inet proto { udp,icmp } all keep state

So I have noticed that Mozilla, running on an internal machine, takes much more time to download a page and often can't download pictures.
And this is what # tcpdump -nvvve -i pflog0 shows:

23:45:31.881696 rule 0/0(match): block out on nfe0: (tos 0x0, ttl  64, id 31092, offset 0, flags [DF], proto: TCP (6), length: 1448) 192.168.10.4.3128 > 192.168.10.6.2023: FP 0:1408(1408) ack 1 win 65535
23:45:32.072675 rule 0/0(match): block out on nfe0: (tos 0x0, ttl  64, id 45399, offset 0, flags [DF], proto: TCP (6), length: 1537) 192.168.10.4.3128 > 192.168.10.6.2022: FP 0:1497(1497) ack 1 win 65535
23:45:40.013688 rule 0/0(match): block out on nfe0: (tos 0x0, ttl  64, id 59261, offset 0, flags [DF], proto: TCP (6), length: 1537) 192.168.10.4.3128 > 192.168.10.6.2024: FP 0:1497(1497) ack 1 win 65535
23:45:54.776676 rule 0/0(match): block out on nfe0: (tos 0x0, ttl  64, id 43279, offset 0, flags [DF], proto: TCP (6), length: 1448) 192.168.10.4.3128 > 192.168.10.6.2017: FP 0:1408(1408) ack 1 win 65535
23:46:01.759672 rule 0/0(match): block out on nfe0: (tos 0x0, ttl  64, id 35653, offset 0, flags [DF], proto: TCP (6), length: 1448) 192.168.10.4.3128 > 192.168.10.6.2026: FP 0:1408(1408) ack 1 win 65535
23:46:07.279661 rule 0/0(match): block out on nfe0: (tos 0x0, ttl  64, id 58941, offset 0, flags [DF], proto: TCP (6), length: 1447) 192.168.10.4.3128 > 192.168.10.6.2011: RP 1:1408(1407) ack 1 win 65535 [!RST+ TTP/1.0 \354]
23:46:25.073649 rule 0/0(match): block out on nfe0: (tos 0x0, ttl  64, id 36688, offset 0, flags [DF], proto: TCP (6), length: 1536) 192.168.10.4.3128 > 192.168.10.6.2021: RP 1:1497(1496) ack 1 win 65535 [!RST+ TTP/1.0 \354]
23:46:35.881639 rule 0/0(match): block out on nfe0: (tos 0x0, ttl  64, id 34578, offset 0, flags [DF], proto: TCP (6), length: 1448) 192.168.10.4.3128 > 192.168.10.6.2023: FP 0:1408(1408) ack 1 win 65535
23:46:36.072617 rule 0/0(match): block out on nfe0: (tos 0x0, ttl  64, id 13340, offset 0, flags [DF], proto: TCP (6), length: 1536) 192.168.10.4.3128 > 192.168.10.6.2022: RP 1:1497(1496) ack 1 win 65535 [!RST+ TTP/1.0 \017]
23:46:44.013629 rule 0/0(match): block out on nfe0: (tos 0x0, ttl  64, id 12812, offset 0, flags [DF], proto: TCP (6), length: 1536) 192.168.10.4.3128 > 192.168.10.6.2024: RP 1:1497(1496) ack 1 win 65535 [!RST+ TTP/1.0 ,]
23:46:58.776605 rule 0/0(match): block out on nfe0: (tos 0x0, ttl  64, id 62804, offset 0, flags [DF], proto: TCP (6), length: 1447) 192.168.10.4.3128 > 192.168.10.6.2017: RP 1:1408(1407) ack 1 win 65535 [!RST+ TTP/1.0 ,]
23:47:05.759610 rule 0/0(match): block out on nfe0: (tos 0x0, ttl  64, id 56174, offset 0, flags [DF], proto: TCP (6), length: 1448) 192.168.10.4.3128 > 192.168.10.6.2026: FP 0:1408(1408) ack 1 win 65535
23:47:39.881578 rule 0/0(match): block out on nfe0: (tos 0x0, ttl  64, id 695, offset 0, flags [DF], proto: TCP (6), length: 1447) 192.168.10.4.3128 > 192.168.10.6.2023: RP 1:1408(1407) ack 1 win 65535 [!RST+ TTP/1.0 ,]
23:48:09.759552 rule 0/0(match): block out on nfe0: (tos 0x0, ttl  64, id 1174, offset 0, flags [DF], proto: TCP (6), length: 1447) 192.168.10.4.3128 > 192.168.10.6.2026: RP 1:1408(1407) ack 1 win 65535 [!RST+ TTP/1.0 ,]
  
What is wrong? I think that the rule
pass  in  on $int_if inet proto tcp from $int_net to ($int_if) \
    port { ...,3128 } \
        flags S/SA modulate state queue(q_std, q_pri)
should be enough.


