From: Tilman Linneweh
To: Max Laier
Cc: freebsd-pf@freebsd.org
Date: Thu, 31 Jul 2008 19:38:01 +0200
Subject: Re: pf dropping packets despite pass all rule
Message-ID: <20080731173801.GB61317@arved.priv.at>
In-Reply-To: <200807311826.51457.max@love2party.net>
References: <20080731153506.GA61317@arved.priv.at> <200807311826.51457.max@love2party.net>

* Max Laier [2008-07-31 18:27]:
> > LAN -> Router with PF <- gif tunnel with IPSEC -> Server
> >
> > The router is running FreeBSD 7.0. Protocol is IPv6. ping6 works,
> > but TCPv6 from LAN to Server does not work, unless I disable PF.
> >
> > Excerpt from pf.conf:
> > pass in quick on gif0 all keep state
> > pass out quick on gif0 all keep state
> >
> > pflog0 contains some strange packets:
> > http://arved.priv.at/~arved/strangepackets.pcap
>
> That dump is useless, please cap with "-s0".

Hm indeed, sorry, http://arved.priv.at/~arved/strangepackets2.pcap

> > IPSEC_FILTERTUNNEL does not make a difference.
> >
> > I don't understand why pf is dropping something on gif0. And I can't decode
> > what kind of packets these are, and why they are necessary for TCPv6.
> >
> > Any ideas?
>
> I'd suspect ip-options. Try allow-opts and check "pfctl -si". If you really
> want to trust gif0 completely, you could simply add "skip on gif0" and pf will
> not mess with it at all.
>

Ok, allow-opts does not change anything. skip on gif0 works.
pfctl -si confirms that there are packets blocked.

Status: Enabled for 0 days 02:37:07           Debug: Urgent

Interface Stats for gif0              IPv4             IPv6
  Bytes In                               0           261859
  Bytes Out                              0           207299
  Packets In
    Passed                               0             2347
    Blocked                              0               90
  Packets Out
    Passed                               0             2185
    Blocked                              0                0

State Table                          Total             Rate
  current entries                       31
  searches                           44046            4.7/s
  inserts                             2768            0.3/s
  removals                            2737            0.3/s
Counters
  match                              13425            1.4/s
  bad-offset                             0            0.0/s
  [...rest is all zeros]

...and later:

Status: Enabled for 0 days 02:37:21           Debug: Urgent

Interface Stats for gif0              IPv4             IPv6
  Bytes In                               0           263327
  Bytes Out                              0           208711
  Packets In
    Passed                               0             2356
    Blocked                              0               96
  Packets Out
    Passed                               0             2197
    Blocked                              0                0

State Table                          Total             Rate
  current entries                       30
  searches                           44128            4.7/s
  inserts                             2772            0.3/s
  removals                            2742            0.3/s
Counters
  match                              13451            1.4/s
  bad-offset                             0            0.0/s

So yeah, thanks for the "skip on" hint, I can do the filtering on the
non-gif interfaces, but I still would like to know what's going on, and
why these packets are blocked.

regards
arved
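The comparison arved does by hand above (two "pfctl -si" snapshots, inbound IPv6 Blocked going from 90 to 96) can be automated. The following is an added example, not code from the thread: a POSIX shell function that pulls the per-direction Blocked counter for one address family out of pfctl -si output in the FreeBSD 7.0 layout, plus a helper that reports how many packets were blocked between two snapshots. The two samples are constructed from the counters quoted in the mail; on a live router you would feed it the output of "pfctl -si" directly.

```shell
#!/bin/sh
# Added example: parse "pfctl -si" interface statistics and report how many
# packets pf blocked per direction and address family.  SAMPLE1/SAMPLE2 are
# constructed from the numbers quoted in the thread (not live output).

SAMPLE1='Status: Enabled for 0 days 02:37:07           Debug: Urgent

Interface Stats for gif0              IPv4             IPv6
  Bytes In                               0           261859
  Bytes Out                              0           207299
  Packets In
    Passed                               0             2347
    Blocked                              0               90
  Packets Out
    Passed                               0             2185
    Blocked                              0                0
'
SAMPLE2='Status: Enabled for 0 days 02:37:21           Debug: Urgent

Interface Stats for gif0              IPv4             IPv6
  Bytes In                               0           263327
  Bytes Out                              0           208711
  Packets In
    Passed                               0             2356
    Blocked                              0               96
  Packets Out
    Passed                               0             2197
    Blocked                              0                0
'

# pf_blocked DIRECTION FAMILY  (reads pfctl -si output on stdin)
#   DIRECTION is "In" or "Out", FAMILY is 4 or 6.  Prints the Blocked counter
#   of that section; "Bytes In/Out" lines never match because $1 is "Bytes".
pf_blocked() {
    awk -v dir="Packets $1" -v fam="$2" '
        $1 == "Packets" { section = $1 " " $2; next }
        section == dir && $1 == "Blocked" {
            v = (fam == "4") ? $2 : $3; print v; exit
        }'
}

# pf_blocked_delta SNAP1 SNAP2 DIRECTION FAMILY
#   Prints how many packets were blocked between the two snapshots.
pf_blocked_delta() {
    a=$(printf '%s\n' "$1" | pf_blocked "$3" "$4")
    b=$(printf '%s\n' "$2" | pf_blocked "$3" "$4")
    echo $((b - a))
}

# Flag the inbound IPv6 drops on gif0 that the thread is about.
n=$(pf_blocked_delta "$SAMPLE1" "$SAMPLE2" In 6)
[ "$n" -gt 0 ] && printf 'gif0: %s inbound IPv6 packets blocked; check pflog0\n' "$n"
```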