Date: Wed, 31 Oct 2007 10:15:39 +0100
From: "Frank Behrens" <frank@pinky.sax.de>
To: freebsd-pf@freebsd.org
Subject: Re: pf eates syn packet?
Message-ID: <200710310915.l9V9Fdld027372@post.frank-behrens.de>
In-Reply-To: <200708021537.l72Fb69k004919@pinky.frank-behrens.de>
References: <200708021715.25167.max@love2party.net>
Although this is an old thread, the problem is still present. Let's remember: As I wrote in http://lists.freebsd.org/pipermail/freebsd-pf/2007-August/003642.html and related mails, I want to do policy based routing with pf. The basic rules are

    nat inet from !tun2-address to any port = http -> tun2-address
    nat on tun0 inet from <intern> to any -> tun0-address
    ....
    pass out quick on tun0 route-to (tun2 tun2-peer) inet from tun2-address to any keep state
    pass out quick on tun2 route-to (tun0 tun0-peer) inet from tun0-address to any keep state

I see the result that the first SYN packet cannot pass the pf firewall, because a state insertion fails.

Now I tried to debug this state handling and inserted some debug print statements in pf.c. A typical session (with associated packets) is

    09:44:29 pfdbg: insert_state TCP 192.168.50.02:1948 84.182.202.81:57560 192.109.108.33:80 [lo=3608055223 high=3608055225 win=32768 modulator=0] [lo=0 high=1 win=1 modulator=0] 2:0 rule: 0 nat_rule: 0
    09:44:29 pfdbg: insert_state TCP 84.182.202.81:57560 84.182.202.81:57560 192.109.108.33:80 [lo=3608055223 high=3608055225 win=32768 modulator=0] [lo=0 high=1 win=1 modulator=0] 2:0 rule: 2
    09:44:29 pf: state insert failed: tree_ext_gwy lan: 84.182.202.81:57560 gwy: 84.182.202.81:57560 ext: 192.109.108.33:80
    09:44:29.475380 IP (tos 0x0, ttl 128, id 51971, offset 0, flags [DF], proto: TCP (6), length: 52) 192.168.50.02.1948 > 192.109.108.33.80: S, cksum 0x010e (correct), 3608055223:3608055223(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK>
    09:44:32.573436 IP (tos 0x0, ttl 128, id 51988, offset 0, flags [DF], proto: TCP (6), length: 52) 192.168.50.02.1948 > 192.109.108.33.80: S, cksum 0x010e (correct), 3608055223:3608055223(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK>

The repeated SYN after 3 seconds passes the firewall and the TCP session continues without any problems.

The debug messages are created on pf.c (v1.45 2007/07/03) with
@@ -892,6 +892,16 @@ int pf_insert_state(struct pfi_kif *kif, struct pf_state *state) { + if (pf_status.debug >= PF_DEBUG_MISC) { + printf("pfdbg: insert_state "); + pf_print_state(state); + if (state->rule.ptr) + printf(" rule: %x", (int)state->rule.ptr->nr); + if (state->nat_rule.ptr) + printf(" nat_rule: %x", (int)state->nat_rule.ptr->nr); + printf("\n"); + } +

Now my questions:

1. Is my setup correct or should I use other rules?
2. Is it right that pf tries to insert an additional state entry with lan and gwy addresses being the same, although a NAT entry is already inserted?

Regards,
Frank

--
Frank Behrens, Osterwieck, Germany
PGP-key 0x5B7C47ED on public servers available.
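Review bot: the two printf calls in the hunk format the rule numbers with `%x` (cast to int), so they are printed in hexadecimal, while `pfctl -vvsr` lists rules in decimal (`@N`); for rule numbers above 9 the debug output and the ruleset will not match, which makes the "rule: 2" / "nat_rule: 0" lines easy to misread. Suggest `printf(" rule: %u", state->rule.ptr->nr);` and `printf(" nat_rule: %u", state->nat_rule.ptr->nr);`, dropping the casts. The `state->rule.ptr` / `state->nat_rule.ptr` NULL checks before the dereferences are present, which is right; note that the block prints on every insert attempt at PF_DEBUG_MISC, so keep the debug level lowered again once the failing insert has been isolated.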