Date: Thu, 31 Jul 2008 20:03:52 +0200
From: Max Laier <max@love2party.net>
To: Tilman Linneweh <arved@arved.at>
Cc: freebsd-pf@freebsd.org
Subject: Re: pf dropping packets despite pass all rule
Message-ID: <200807312003.53098.max@love2party.net>
In-Reply-To: <20080731173801.GB61317@arved.priv.at>
References: <20080731153506.GA61317@arved.priv.at> <200807311826.51457.max@love2party.net> <20080731173801.GB61317@arved.priv.at>
On Thursday 31 July 2008 19:38:01 Tilman Linneweh wrote:
> * Max Laier [2008-07-31 18:27]:
> > > LAN -> Router with PF <- gif tunnel with IPSEC -> Server
> > >
> > > The router is running FreeBSD 7.0. Protocol is IPv6. ping6 works,
> > > but TCPv6 from LAN to Server does not work, unless I disable PF.
> > >
> > > Excerpt from pf.conf:
> > > pass in quick on gif0 all keep state
> > > pass out quick on gif0 all keep state
> > >
> > > pflog0 contains some strange packets:
> > > http://arved.priv.at/~arved/strangepackets.pcap
> >
> > That dump is useless, please cap with "-s0".
>
> Hm indeed, sorry, http://arved.priv.at/~arved/strangepackets2.pcap

alright ... for some reason we are blocking the ACKs - i.e. they don't seem
to match any state (and the SYN must have gone through somehow). That can
happen for two reasons:

1) There is no state created
2) Something's wrong with the state entry or the involved tcp stacks.

To debug this further you could enable pf debug logging (pfctl -xm) and
watch the console for state mismatches ... however ...

> > > IPSEC_FILTERTUNNEL does not make a difference.
> > >
> > > I don't understand why pf is dropping something on gif0. And I can't
> > > decode what kind of packets these are, and why they are necessary for
> > > TCPv6.
> > >
> > > Any ideas?
> >
> > I'd suspect ip-options. Try allow-opts and check "pfctl -si". If you
> > really want to trust gif0 completely, you could simply add "skip on gif0"
> > and pf will not mess with it at all.
>
> Ok, allow-opts does not change anything. skip on gif0 works.
>
> pfctl -si confirms that there are packets blocked.
> Status: Enabled for 0 days 02:37:07           Debug: Urgent
>
> Interface Stats for gif0              IPv4             IPv6
>   Bytes In                               0           261859
>   Bytes Out                              0           207299
>   Packets In
>     Passed                               0             2347
>     Blocked                              0               90
>   Packets Out
>     Passed                               0             2185
>     Blocked                              0                0
>
> State Table                          Total             Rate
>   current entries                       31
>   searches                           44046            4.7/s
>   inserts                             2768            0.3/s
>   removals                            2737            0.3/s
> Counters
>   match                              13425            1.4/s
>   bad-offset                             0            0.0/s
> [...rest is all zeros]
>
> ...and later:
>
> Status: Enabled for 0 days 02:37:21           Debug: Urgent
>
> Interface Stats for gif0              IPv4             IPv6
>   Bytes In                               0           263327
>   Bytes Out                              0           208711
>   Packets In
>     Passed                               0             2356
>     Blocked                              0               96
>   Packets Out
>     Passed                               0             2197
>     Blocked                              0                0
>
> State Table                          Total             Rate
>   current entries                       30
>   searches                           44128            4.7/s
>   inserts                             2772            0.3/s
>   removals                            2742            0.3/s
> Counters
>   match                              13451            1.4/s
>   bad-offset                             0            0.0/s

... if there is no counter increase on "state-mismatch" (please double-check),
it would suggest that no state is created in the first place. Could you
provide your complete ruleset with rule numbers? (pfctl -vvvsr)

> So yeah, thanks for the "skip on" hint, I can do the filtering on the
> non-gif interfaces, but I still would like to know what's going on, and
> why these packets are blocked.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
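The "double-check" Max asks for above is a diff of two `pfctl -si` dumps: did "Blocked" under "Packets In" grow, and did "state-mismatch" grow with it? The script below is an added example, not code from the thread or from pf; it does the comparison with awk so it runs without pf. The two snapshots embedded in it are constructed from the numbers quoted in the thread (with the Bytes lines and some State Table rows left out for brevity); the `state-mismatch` line is an assumption consistent with "[...rest is all zeros]". The key names (`if/Packets_In/Blocked`, `counters/state-mismatch`) are the script's own invention.

```shell
#!/bin/sh
# Added example (not from the thread): compare two "pfctl -si" snapshots and
# apply the rule of thumb from the reply above.  Snapshots are constructed
# from the quoted numbers; the state-mismatch rows are assumed to be zero.

PF_BEFORE=$(cat <<'EOF'
Status: Enabled for 0 days 02:37:07           Debug: Urgent

Interface Stats for gif0              IPv4             IPv6
  Packets In
    Passed                               0             2347
    Blocked                              0               90
  Packets Out
    Passed                               0             2185
    Blocked                              0                0

State Table                          Total             Rate
  current entries                       31
  searches                           44046            4.7/s
Counters
  match                              13425            1.4/s
  state-mismatch                         0            0.0/s
EOF
)

PF_AFTER=$(cat <<'EOF'
Status: Enabled for 0 days 02:37:21           Debug: Urgent

Interface Stats for gif0              IPv4             IPv6
  Packets In
    Passed                               0             2356
    Blocked                              0               96
  Packets Out
    Passed                               0             2197
    Blocked                              0                0

State Table                          Total             Rate
  current entries                       30
  searches                           44128            4.7/s
Counters
  match                              13451            1.4/s
  state-mismatch                         0            0.0/s
EOF
)

# Flatten a pfctl -si dump (stdin) to "key value" lines.  Interface stats keep
# the IPv6 column (the thread is IPv6 only); State Table and Counters keep the
# Total column.  Keys: if/Packets_In/Blocked, state/current_entries, ...
pf_flatten() {
    awk '
        /^Interface Stats/    { section = "if"; subsec = ""; next }
        /^State Table/        { section = "state"; next }
        /^Counters/           { section = "counters"; next }
        /^Status:/ || NF == 0 { next }
        section == "if" {
            if ($NF ~ /^[0-9]+$/) {
                # "Bytes In 0 261859" / "Blocked 0 90": name..., IPv4, IPv6
                name = $1
                for (i = 2; i < NF - 1; i++) name = name "_" $i
                print section (subsec != "" ? "/" subsec : "") "/" name, $NF
            } else {
                subsec = $1 "_" $2          # "Packets In" / "Packets Out"
            }
            next
        }
        section != "" {
            # "searches 44046 4.7/s": name fields, then Total, then Rate
            name = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^[0-9]+$/) { print section "/" name, $i; break }
                name = (name == "") ? $i : (name "_" $i)
            }
        }'
}

# Print "key before after delta" for every counter present in both dumps.
pf_counter_deltas() {
    {
        printf '%s\n' "$1" | pf_flatten | sed 's/^/A /'
        printf '%s\n' "$2" | pf_flatten | sed 's/^/B /'
    } | awk '
        $1 == "A"                   { before[$2] = $3; next }
        $1 == "B" && ($2 in before) { print $2, before[$2], $3, $3 - before[$2] }'
}

# Delta of one counter selected by key.
pf_counter_delta() {
    pf_counter_deltas "$1" "$2" | awk -v k="$3" '$1 == k { print $4 }'
}

# Inbound blocks rising with state-mismatch flat: packets match no state at
# all (case 1).  state-mismatch rising: a state exists but the packet does
# not fit it (case 2).
pf_diagnose() {
    blocked=$(pf_counter_delta "$1" "$2" "if/Packets_In/Blocked")
    mismatch=$(pf_counter_delta "$1" "$2" "counters/state-mismatch")
    if [ "${blocked:-0}" -eq 0 ]; then
        echo "no-new-blocks"
    elif [ "${mismatch:-0}" -eq 0 ]; then
        echo "no-state"
    else
        echo "state-mismatch"
    fi
}

pf_counter_deltas "$PF_BEFORE" "$PF_AFTER"
pf_diagnose "$PF_BEFORE" "$PF_AFTER"
```

On a live router the two inputs would be `pfctl -si` captured some seconds apart while the failing TCP connection is retried; "no-state" on the constructed data corresponds to Max's reading that no state is created for the ACKs, which is what `pfctl -vvvsr` (rule numbers and per-rule counters) and `pfctl -xm` are then meant to explain.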
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200807312003.53098.max>