Date:      Tue, 13 Nov 2007 00:50:35 +0100
From:      Johan Ström <johan@stromnet.se>
To:        Johan Ström <johan@stromnet.se>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: Jails and PF states on localhost
Message-ID:  <188F0806-EB84-4044-A572-C9DCA75229F5@stromnet.se>
In-Reply-To: <74777995-192A-4058-ABE5-8BA1676B0654@stromnet.se>
References:  <74777995-192A-4058-ABE5-8BA1676B0654@stromnet.se>

No-one with any clues or recommendations? :/ CCing to -stable too..

Thanks
--
Johan Ström
Stromnet
johan@stromnet.se
http://www.stromnet.se/


On Oct 29, 2007, at 09:37 , Johan Ström wrote:

> Hello
>
> I got a FreeBSD 6.2 box running a few jails, with a pretty strict
> PF ruleset. I got a problem with traffic between two of the jails.
> Both have public IPs (one of them has two using the
> jail-multiple-ip-patch). The problem I have is when they are to talk
> with each other. First let me describe the PF ruleset (somewhat
> stripped down but this should be the relevant stuff)
>
> jail1=xx.xx.xx.131
> jail2a=xx.xx.xx.133
> jail2b=xx.xx.xx.134
> scrub in all
> block drop in log
> # base system talk to itself
> pass in on lo0 inet from 127.0.0.1 to 127.0.0.1
>
> # all can talk out
> pass out on em0 proto tcp flags S/SA modulate state
> pass out on em0 proto udp keep state
>
> # jails talk to them selfs
> pass in on lo0 inet from $jail1 to $jail1
> pass in on lo0 inet from {$jail2a $jail2b} to {$jail2a $jail2b}
>
> # let smtp in on jail1
> pass in on {lo0 em0} inet proto tcp from any to $jail1 port smtp
> flags S/SA modulate state
>
> Okay, so the problem occurs when jail2 shall talk to jail1 on port
> 25 (smtp). From the above rules, when the traffic leaves jail2
> (traffic comes from $jail2b it seems) it should match the last rule
> and create a state. And so it does!
>
> self tcp xx.xx.xx:25 <- xx.xx.xx.134:57557       SYN_SENT:ESTABLISHED
>    [3014249759 + 65536](+2074393365) wscale 1  [4121000179 + 65536]
> (+541973245) wscale 1
>    age 00:01:03, expires in 00:00:01, 7:10 pkts, 384:640 bytes
>
> So the SYN arrives at $jail1, but the SYNACK fails to go back to
> $jail2b (where the state should let the packet back in?), which is
> also seen in the following row from pflog0:
>
> 09:30:34.370402 rule 1/0(match): block in on lo0: (tos 0x0, ttl
> 64, id 35618, offset 0, flags [DF], proto: TCP (6), length: 64)
> xx.xx.xx.131.25 > xx.xx.xx.134.57557: S 793675827:793675827(0) ack
> 4121000179 win 65535 <mss 1460,nop,wscale 1,[|tcp]>
>
> So.. What have I missed? The state is created but it doesn't seem to
> match enough bytes or something? 384:640 matched packets, so it
> matches in both directions?
>
> Any clues are welcome! Thanks
>
> --
> Johan Ström
> Stromnet
> johan@stromnet.se
> http://www.stromnet.se/
>
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
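The state entry and the pflog line quoted above are enough to replay what pf sees on the loopback. The script below is an added example, not part of the thread and not pf's own code: it models pf's direction-aware state lookup (a state created by an inbound packet matches inbound packets carrying the initiator-to-responder tuple and outbound packets carrying the reverse tuple; an inbound packet with the reverse tuple matches nothing), parses the two lines from the post, and walks the SYN/SYN-ACK exchange as pf sees it on lo0, where every packet passes the filter twice, once "out" and once "in". The matching rule is my summary of pf's behaviour and is an assumption of the model; the addresses are the post's anonymised ones with the `xx.xx.xx` prefix filled in from the 192.0.2.0/24 documentation range, and the state line's truncated left-hand address is completed to `.131` for the same reason.

```python
import re
from dataclasses import dataclass, replace

# Constructed sample input, taken from the lines in the post with the
# anonymised xx.xx.xx prefix replaced by 192.0.2 (an assumption).
STATE_LINE = "self tcp 192.0.2.131:25 <- 192.0.2.134:57557       SYN_SENT:ESTABLISHED"
PFLOG_LINE = ("09:30:34.370402 rule 1/0(match): block in on lo0: (tos 0x0, ttl 64, "
              "id 35618, offset 0, flags [DF], proto: TCP (6), length: 64) "
              "192.0.2.131.25 > 192.0.2.134.57557: S 793675827:793675827(0) ack "
              "4121000179 win 65535 <mss 1460,nop,wscale 1,[|tcp]>")


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out", as pf sees it on this interface
    iface: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class State:
    direction: str      # direction of the packet that created the state
    initiator: str      # host that sent the first packet (ext side)
    iport: int
    responder: str      # host that received it (lan side)
    rport: int


def parse_state(line: str) -> State:
    """Parse one `pfctl -ss` line: "lan <- ext" for inbound states,
    "gwy -> ext" for outbound ones."""
    m = re.match(r"\S+ tcp (\S+):(\d+) (<-|->) (\S+):(\d+)", line)
    if not m:
        raise ValueError(f"unrecognised state line: {line!r}")
    left, lport, arrow, right, rport = m.groups()
    if arrow == "<-":   # inbound: the right-hand host initiated
        return State("in", right, int(rport), left, int(lport))
    return State("out", left, int(lport), right, int(rport))


def parse_pflog(line: str) -> Packet:
    """Pull direction, interface and the TCP 4-tuple out of a tcpdump -e -vv
    line read from pflog0."""
    m = re.match(r".*?\b(?:block|pass) (in|out) on (\w+):.*?\) "
                 r"(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):", line)
    if not m:
        raise ValueError(f"unrecognised pflog line: {line!r}")
    direction, iface, src, sport, dst, dport = m.groups()
    return Packet(direction, iface, src, int(sport), dst, int(dport))


def state_matches(state: State, pkt: Packet) -> bool:
    """Modelled direction-aware lookup (assumption, see lead-in): a packet
    travelling in the state's own direction must carry the
    initiator->responder tuple, a packet travelling the other way must carry
    the reverse tuple.  The interface is not part of the key (floating state)."""
    key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
    forward = (state.initiator, state.iport, state.responder, state.rport)
    reverse = (state.responder, state.rport, state.initiator, state.iport)
    return key == forward if pkt.direction == state.direction else key == reverse


def loopback_trace(state: State, syn: Packet) -> dict:
    """On lo0 every packet is filtered twice, once 'out' and once 'in'.
    Report which of those passes the state covers for the SYN and the
    SYN-ACK that answers it."""
    synack_out = Packet("out", syn.iface, syn.dst, syn.dport, syn.src, syn.sport)
    synack_in = replace(synack_out, direction="in")
    return {
        "syn in": state_matches(state, syn),
        "synack out": state_matches(state, synack_out),
        "synack in": state_matches(state, synack_in),
    }


if __name__ == "__main__":
    st = parse_state(STATE_LINE)
    blocked = parse_pflog(PFLOG_LINE)
    print("state:", st)
    print("blocked packet:", blocked, "matched:", state_matches(st, blocked))
    syn = Packet("in", "lo0", st.initiator, st.iport, st.responder, st.rport)
    for step, ok in loopback_trace(st, syn).items():
        print(f"{step:12s} {'matched' if ok else 'NO MATCH -> falls through to rules'}")
```

The trace shows the SYN and the outbound pass of the SYN-ACK matching the state, which is consistent with the non-zero packet counts in both columns of the `7:10 pkts` figure, while the inbound pass of the SYN-ACK on lo0 matches nothing and falls through to the rules, which is where the quoted `rule 1/0(match): block in on lo0` line comes from. Under this model the inbound SYN-ACK needs its own pass rule on lo0 (or lo0 needs to be excluded from filtering altogether), which is worth checking with `pfctl -vvss` and `tcpdump -n -e -ttt -i pflog0` on the actual box before changing the ruleset.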




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?188F0806-EB84-4044-A572-C9DCA75229F5>