Date:      Thu, 31 Jul 2008 19:38:01 +0200
From:      Tilman Linneweh <arved@arved.at>
To:        Max Laier <max@love2party.net>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: pf dropping packets despite pass all rule
Message-ID:  <20080731173801.GB61317@arved.priv.at>
In-Reply-To: <200807311826.51457.max@love2party.net>
References:  <20080731153506.GA61317@arved.priv.at> <200807311826.51457.max@love2party.net>

* Max Laier [2008-07-31 18:27]:
> > LAN -> Router with PF <- gif tunnel with IPSEC -> Server
> >
> > The router is running FreeBSD 7.0. Protocol is IPv6. ping6 works,
> > but TCPv6 from LAN to Server does not work, unless I disable PF.
> >
> > Excerpt from pf.conf:
> > pass in  quick  on gif0 all keep state
> > pass out quick on gif0 all keep state
> >
> > pflog0 contains some strange packets:
> > http://arved.priv.at/~arved/strangepackets.pcap
> 
> That dump is useless, please cap with "-s0".

Hm indeed, sorry, http://arved.priv.at/~arved/strangepackets2.pcap

> > IPSEC_FILTERTUNNEL does not make a difference.
> >
> > I don't understand why pf is dropping something on gif0. And I can't decode
> > what kind of packets these are, and why they are necessary for TCPv6.
> >
> > Any ideas?
> 
> I'd suspect ip-options.  Try allow-opts and check "pfctl -si".  If you really 
> want to trust gif0 completely, you could simply add "skip on gif0" and pf will 
> not mess with it at all.
>

Ok, allow-opts does not change anything. skip on gif0 works.

pfctl -si confirms that there are packets blocked.
Status: Enabled for 0 days 02:37:07           Debug: Urgent

Interface Stats for gif0              IPv4             IPv6
  Bytes In                               0           261859
  Bytes Out                              0           207299
  Packets In
    Passed                               0             2347
    Blocked                              0               90
  Packets Out
    Passed                               0             2185
    Blocked                              0                0

State Table                          Total             Rate
  current entries                       31
  searches                           44046            4.7/s
  inserts                             2768            0.3/s
  removals                            2737            0.3/s
Counters
  match                              13425            1.4/s
  bad-offset                             0            0.0/s
[...rest is all zeros]

...and later:
Status: Enabled for 0 days 02:37:21           Debug: Urgent

Interface Stats for gif0              IPv4             IPv6
  Bytes In                               0           263327
  Bytes Out                              0           208711
  Packets In
    Passed                               0             2356
    Blocked                              0               96
  Packets Out
    Passed                               0             2197
    Blocked                              0                0

State Table                          Total             Rate
  current entries                       30
  searches                           44128            4.7/s
  inserts                             2772            0.3/s
  removals                            2742            0.3/s
Counters
  match                              13451            1.4/s
  bad-offset                             0            0.0/s

So yeah, thanks for the "skip on" hint, I can do the filtering on the
non-gif interfaces, but I still would like to know what's going on, and
why these packets are blocked.

regards
arved
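The message above compares two "pfctl -si" dumps by eye (90 inbound IPv6 packets blocked on gif0, then 96 fourteen seconds later) to confirm that pf, not something else, is dropping the traffic. The script below is an added example, not code from the thread or from FreeBSD: it pulls the IPv6 "Packets In / Blocked" counter for one interface out of saved "pfctl -si" output and prints the delta between two snapshots. It assumes the two-column "Interface Stats" layout shown in the thread; the two sample dumps are constructed from the numbers quoted above and are written to temporary files so the script runs without a pf host.

```shell
#!/bin/sh
# Added example (not from the thread): extract the IPv6 "Packets In / Blocked"
# counter for one interface from "pfctl -si" output and diff two snapshots,
# which is what the poster did by hand (90 blocked, then 96 a few seconds later).
# Assumption: the two-column "Interface Stats for <if>  IPv4  IPv6" layout.

# blocked_in_v6 IFACE FILE
#   Print the IPv6 inbound "Blocked" count for IFACE from a saved pfctl -si dump.
#   Prints nothing if the interface has no stats block in the dump.
blocked_in_v6() {
    awk -v want="$1" '
        # "Interface Stats for gif0  IPv4  IPv6": start of the block we care about
        /^Interface Stats for/ { in_if = ($4 == want); sect = ""; next }
        in_if && /^ *Packets In/  { sect = "in";  next }
        in_if && /^ *Packets Out/ { sect = "out"; next }
        # inside "Packets In" the columns are: label, IPv4 count, IPv6 count
        in_if && sect == "in" && $1 == "Blocked" { print $3; exit }
    ' "$2"
}

# blocked_delta IFACE OLD_FILE NEW_FILE
#   Print how many more inbound IPv6 packets were blocked between two dumps.
blocked_delta() {
    old=$(blocked_in_v6 "$1" "$2")
    new=$(blocked_in_v6 "$1" "$3")
    if [ -z "$old" ] || [ -z "$new" ]; then
        echo "no inbound IPv6 counter for $1" >&2
        return 1
    fi
    echo $((new - old))
}

# Constructed sample dumps, trimmed to the lines this parser needs; the numbers
# are the ones quoted in the thread.
WORK=$(mktemp -d)
SNAP1="$WORK/si.1"
SNAP2="$WORK/si.2"
cat > "$SNAP1" <<'EOF'
Status: Enabled for 0 days 02:37:07           Debug: Urgent

Interface Stats for gif0              IPv4             IPv6
  Bytes In                               0           261859
  Bytes Out                              0           207299
  Packets In
    Passed                               0             2347
    Blocked                              0               90
  Packets Out
    Passed                               0             2185
    Blocked                              0                0
EOF
cat > "$SNAP2" <<'EOF'
Status: Enabled for 0 days 02:37:21           Debug: Urgent

Interface Stats for gif0              IPv4             IPv6
  Bytes In                               0           263327
  Bytes Out                              0           208711
  Packets In
    Passed                               0             2356
    Blocked                              0               96
  Packets Out
    Passed                               0             2197
    Blocked                              0                0
EOF

# Real use on the router: save pfctl -si twice, a few seconds apart, then diff.
#   pfctl -si > si.1; sleep 15; pfctl -si > si.2
echo "gif0 inbound IPv6 blocked: $(blocked_in_v6 gif0 "$SNAP1") -> $(blocked_in_v6 gif0 "$SNAP2")"
echo "delta: $(blocked_delta gif0 "$SNAP1" "$SNAP2")"
```

A rising "Blocked" counter only tells you that pf is the culprit; to see which rule is doing it, run `tcpdump -n -e -ttt -i pflog0` on the router, where the `-e` flag prints the rule number, action, direction and interface for every logged packet, and capture with `-s 0` if you want to keep the full packet for decoding, as Max asked for above.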


