From owner-freebsd-bugs@FreeBSD.ORG Thu Mar 23 20:40:19 2006
Message-Id: <20060323203902.9338D2E0AF@strange.daemonsecurity.com>
Date: Thu, 23 Mar 2006 21:39:02 +0100 (CET)
From: Erik Norgaard
To: FreeBSD-gnats-submit@FreeBSD.org
Cc:
Subject: kern/94877: packet filter blocks outgoing traffic after boot

>Number:         94877
>Category:       kern
>Synopsis:       packet filter blocks outgoing traffic after boot
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 23 20:40:17 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Erik Norgaard
>Release:        FreeBSD 6.1-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD charm 6.1-PRERELEASE FreeBSD 6.1-PRERELEASE #0: Thu Mar 23 09:12:55 CET 2006 root@charm:/usr/obj/usr/src/sys/GENERIC i386
>Description:
The pf ruleset is loaded correctly at boot, but outgoing connections are blocked: icmp, tcp and udp. This was verified with ping (operation not permitted), host (timeout) and tcping (operation not permitted). arp traffic is allowed, confirmed with arping. It has been verified with snort that no packets leave the interface; the problem is not that responses are blocked.

Reloading the ruleset with

# pfctl -Fr && pfctl -Rf /etc/pf.conf

solves the problem. The fact that it is the same ruleset seems to prove that the ruleset is ok.

This has been observed on two systems with more or less the same snap of source, on different networks. Also, incoming traffic is accepted.

Both systems have interfaces configured with dhclient, which runs before the ruleset is loaded. In rc.conf, background_dhclient="NO" is set, ensuring that the interface is configured before proceeding. If the interface is not configured, pf will fail to load the ruleset, as the macros interface and interface:network are used in the rulesets.

The problem can be repeated by rebooting.
>How-To-Repeat:
A transcript of the actions done and the produced output is found here:
http://www.locolomo.org/pub/pf/debug.charm

Snort packets captured for the above session:
http://www.locolomo.org/pub/pf/snort.charm

The pf ruleset used is found here:
http://www.locolomo.org/pub/pf/pf.conf

System info here:
http://www.locolomo.org/pub/pf/dmesg.charm
http://www.locolomo.org/pub/pf/sysctl.charm
>Fix:
Workaround: Reload the ruleset after each boot with

# pfctl -Fr && pfctl -Rf
>Release-Note:
>Audit-Trail:
>Unformatted:
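The workaround in the report flushes the filter rules (pfctl -Fr) before the new file has been parsed. If /etc/pf.conf then fails to parse, the host is left with an empty filter ruleset, and pf passes everything when it has no rules. The script below is an added example, not part of Erik Norgaard's report or of FreeBSD's own rc.d/pf script; it assumes pfctl(8) is in PATH and that the ruleset lives at /etc/pf.conf unless another path is given. It dry-runs the file first (-n) and then loads it with -f, which replaces the loaded rules, so no separate flush is needed and a parse error never opens a pass-all window.

```shell
#!/bin/sh
# Added example, not from the bug report or from FreeBSD's rc.d/pf.
# Assumes pfctl(8) is in PATH and the ruleset is /etc/pf.conf
# (override with PF_CONF or a path argument).

PF_CONF="${PF_CONF:-/etc/pf.conf}"

# Dry-run parse only (-n): nothing is loaded into the kernel.
# Returns non-zero if the file does not parse or pfctl is unavailable.
pf_ruleset_parses() {
    pfctl -n -f "$1" >/dev/null 2>&1
}

# Reload the filter rules (-R) from $1, but only after the dry run passed.
# pfctl -f replaces the loaded rules with the new set, so the separate
# "pfctl -Fr" flush from the workaround is unnecessary; skipping it means
# a parse error can never leave the host with an empty (pass-all) ruleset.
pf_reload_rules() {
    conf="${1:-$PF_CONF}"
    if ! pf_ruleset_parses "$conf"; then
        echo "pf: $conf did not parse; current rules left in place" >&2
        return 1
    fi
    pfctl -R -f "$conf"
}

# Number of filter rules currently loaded (0 if pfctl is absent or pf is
# disabled). Checking this after boot catches an empty ruleset.
pf_rule_count() {
    pfctl -s rules 2>/dev/null | wc -l | tr -d ' '
}

# Run as: sh pf_reload.sh [/path/to/pf.conf]
if [ $# -gt 0 ]; then
    pf_reload_rules "$1"
    echo "pf: $(pf_rule_count) filter rules loaded"
fi
```

Calling this from rc.local (or an rc.d script ordered after the interface is configured) gives the same effect as the workaround while keeping the previous rules in place if the file is broken; the rule count printed afterwards is the quick sanity check that something was actually loaded.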