From owner-freebsd-pf@FreeBSD.ORG Thu Jul 31 18:03:57 2008
From: Max Laier
Organization: FreeBSD
To: Tilman Linneweh
Cc: freebsd-pf@freebsd.org
Date: Thu, 31 Jul 2008 20:03:52 +0200
Subject: Re: pf dropping packets despite pass all rule
Message-Id: <200807312003.53098.max@love2party.net>
In-Reply-To: <20080731173801.GB61317@arved.priv.at>

On Thursday 31 July 2008 19:38:01 Tilman Linneweh wrote:
> * Max Laier [2008-07-31 18:27]:
> > > LAN -> Router with PF <- gif tunnel with IPSEC -> Server
> > >
> > > The router is running FreeBSD 7.0. Protocol is IPv6. ping6 works,
> > > but TCPv6 from LAN to Server does not work, unless I disable PF.
> > >
> > > Excerpt from pf.conf:
> > > pass in quick on gif0 all keep state
> > > pass out quick on gif0 all keep state
> > >
> > > pflog0 contains some strange packets:
> > > http://arved.priv.at/~arved/strangepackets.pcap
> >
> > That dump is useless, please cap with "-s0".
>
> Hm indeed, sorry, http://arved.priv.at/~arved/strangepackets2.pcap

alright ... for some reason we are blocking the ACKs - i.e. they don't seem
to match any state (and the SYN must have gone through somehow). That can
happen for two reasons:
 1) There is no state created
 2) Something's wrong with the state entry or the involved tcp stacks.

To debug this further you could enable pf debug logging (pfctl -xm) and
watch the console for state mismatches ... however ...

> > > IPSEC_FILTERTUNNEL does not make a difference.
> > >
> > > I don't understand why pf is dropping something on gif0. And I can't
> > > decode what kind of packets these are, and why they are necessary for
> > > TCPv6.
> > >
> > > Any ideas?
> >
> > I'd suspect ip-options. Try allow-opts and check "pfctl -si". If you
> > really want to trust gif0 completely, you could simply add "skip on gif0"
> > and pf will not mess with it at all.
>
> Ok, allow-opts does not change anything. skip on gif0 works.
>
> pfctl -si confirms that there are packets blocked.
> Status: Enabled for 0 days 02:37:07           Debug: Urgent
>
> Interface Stats for gif0              IPv4             IPv6
>   Bytes In                               0           261859
>   Bytes Out                              0           207299
>   Packets In
>     Passed                               0             2347
>     Blocked                              0               90
>   Packets Out
>     Passed                               0             2185
>     Blocked                              0                0
>
> State Table                          Total             Rate
>   current entries                       31
>   searches                           44046            4.7/s
>   inserts                             2768            0.3/s
>   removals                            2737            0.3/s
> Counters
>   match                              13425            1.4/s
>   bad-offset                             0            0.0/s
> [...rest is all zeros]
>
> ...and later:
> Status: Enabled for 0 days 02:37:21           Debug: Urgent
>
> Interface Stats for gif0              IPv4             IPv6
>   Bytes In                               0           263327
>   Bytes Out                              0           208711
>   Packets In
>     Passed                               0             2356
>     Blocked                              0               96
>   Packets Out
>     Passed                               0             2197
>     Blocked                              0                0
>
> State Table                          Total             Rate
>   current entries                       30
>   searches                           44128            4.7/s
>   inserts                             2772            0.3/s
>   removals                            2742            0.3/s
> Counters
>   match                              13451            1.4/s
>   bad-offset                             0            0.0/s

... if there is no counter increase on "state-mismatch" (please
double-check), it would suggest that no state is created in the first
place. Could you provide your complete ruleset with rule numbers?
(pfctl -vvvsr)

> So yeah, thanks for the "skip on" hint, I can do the filtering on the
> non-gif interfaces, but I still would like to know what's going on, and
> why these packets are blocked.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
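Added example, not part of the thread: a small Python script that parses two "pfctl -si" snapshots like the ones quoted above, reports which counters moved, and applies the reasoning from the reply (Blocked rising while state-mismatch stays flat points to no state being created at all). The snapshot text is constructed from the numbers quoted in the thread, with a state-mismatch line added for illustration; the function names are my own.

```python
# Constructed from the two "pfctl -si" excerpts quoted in this thread
# (Blocked 90 -> 96); the state-mismatch line is added for illustration.
BEFORE = """\
Interface Stats for gif0              IPv4             IPv6
  Packets In
    Passed                               0             2347
    Blocked                              0               90
Counters
  match                              13425            1.4/s
  state-mismatch                         0            0.0/s
"""
AFTER = """\
Interface Stats for gif0              IPv4             IPv6
  Packets In
    Passed                               0             2356
    Blocked                              0               96
Counters
  match                              13451            1.4/s
  state-mismatch                         0            0.0/s
"""

def parse_pfctl_si(text):
    """Map counter names to their IPv6 (interface) or Total (pf) column."""
    counters, section = {}, ""
    for line in text.splitlines():
        if not line.startswith(" ") or not line.strip():
            section = ""              # section header, Status line or blank
            continue
        tokens = line.split()
        if tokens[-1].endswith("/s"):
            tokens.pop()              # drop the per-second rate column
        nums = [t for t in tokens if t.isdigit()]
        name = " ".join(t for t in tokens if not t.isdigit())
        if not nums:                  # "Packets In" / "Packets Out" sub-headers
            section = name
            continue
        counters[f"{section}/{name}" if section else name] = int(nums[-1])
    return counters

def counter_deltas(before, after):
    """Counters whose value changed between the two snapshots."""
    old, new = parse_pfctl_si(before), parse_pfctl_si(after)
    return {k: v - old.get(k, 0) for k, v in new.items() if v != old.get(k, 0)}

def diagnose(before, after):
    """Blocks rising without state-mismatch rising: no state is being created."""
    d = counter_deltas(before, after)
    if d.get("Packets In/Blocked", 0) + d.get("Packets Out/Blocked", 0) == 0:
        return "no-new-blocks"
    return "state-mismatch" if d.get("state-mismatch", 0) > 0 else "no-state"
```

On a live router, capture the two snapshots with "pfctl -si" a few seconds apart and feed them to diagnose(); "state-mismatch" is the case where "pfctl -xm" console logging will show the mismatching packets.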