On Jul 31, 2008, at 20:03, Max Laier wrote:
LAN -> Router with PF <- gif tunnel with IPSEC -> Server

The router is running FreeBSD 7.0. Protocol is IPv6. ping6 works,
but TCPv6 from LAN to Server does not work, unless I disable PF.

Excerpt from pf.conf:
pass in  quick  on gif0 all keep state
pass out quick on gif0 all keep state

Hm indeed, sorry, http://arved.priv.at/~arved/strangepackets2.pcap

alright ... for some reason we are blocking the ACKs - i.e. they don't seem to match any state (and the SYN must have gone through somehow). That can happen for two reasons: 1) there is no state created, 2) something's wrong with the state entry or the involved TCP stacks.

To debug this further you could enable pf debug logging (pfctl -xm) and watch
the console for state mismatches ... however ...

pfctl -si confirms that there are packets blocked.
Status: Enabled for 0 days 02:37:07           Debug: Urgent

Interface Stats for gif0              IPv4             IPv6
  Bytes In                               0           261859
  Bytes Out                              0           207299
  Packets In
    Passed                               0             2347
    Blocked                              0               90
  Packets Out
    Passed                               0             2185
    Blocked                              0                0

State Table                          Total             Rate
  current entries                       31
  searches                           44046            4.7/s
  inserts                             2768            0.3/s
  removals                            2737            0.3/s
Counters
  match                              13425            1.4/s
  bad-offset                             0            0.0/s
[...rest is all zeros]

...and later:
Status: Enabled for 0 days 02:37:21           Debug: Urgent

Interface Stats for gif0              IPv4             IPv6
  Bytes In                               0           263327
  Bytes Out                              0           208711
  Packets In
    Passed                               0             2356
    Blocked                              0               96
  Packets Out
    Passed                               0             2197
    Blocked                              0                0

State Table                          Total             Rate
  current entries                       30
  searches                           44128            4.7/s
  inserts                             2772            0.3/s
  removals                            2742            0.3/s
Counters
  match                              13451            1.4/s
  bad-offset                             0            0.0/s

... if there is no counter increase on "state-mismatch" (please double-check), it would suggest that no state is created in the first place. Could you
provide your complete ruleset with rule numbers? (pfctl -vvvsr)

There is now a single state-mismatch. But that could be something else. The debug-logging shows nothing about state mismatch.

@0 scrub in all fragment reassemble
  [ Evaluations: 3890 Packets: 2146 Bytes: 255350 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@0 pass in all flags S/SA keep state
  [ Evaluations: 75 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@1 pass out all flags S/SA keep state
  [ Evaluations: 75 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@2 block return log all
  [ Evaluations: 75 Packets: 23 Bytes: 7440 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@3 pass in quick on sis0 proto tcp from any to any port = ssh flags S/SA keep state
  [ Evaluations: 75 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@4 pass in quick on sis0 proto tcp from any to any port = domain flags S/SA keep state
  [ Evaluations: 2 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@5 pass in quick on sis0 proto tcp from any to any port = smtp flags S/SA keep state
  [ Evaluations: 2 Packets: 30 Bytes: 2340 States: 2 ]
  [ Inserted: uid 0 pid 2258 ]
@6 pass in quick on sis0 proto udp from any to any port = ssh keep state
  [ Evaluations: 22 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@7 pass in quick on sis0 proto udp from any to any port = domain keep state
  [ Evaluations: 22 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@8 pass in quick on sis0 proto udp from any to any port = smtp keep state
  [ Evaluations: 22 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@9 block return out quick on sis0 inet proto udp from 62.178.208.15 to any port = who
  [ Evaluations: 43 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@10 pass in on sis1 inet from 192.168.1.0/24 to any flags S/SA keep state allow-opts
  [ Evaluations: 73 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@11 pass in on sis1 inet6 from 2001:6f8:13fb:3::/64 to any flags S/SA keep state allow-opts
  [ Evaluations: 23 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@12 pass out on sis1 inet from any to 192.168.1.0/24 flags S/SA keep state allow-opts
  [ Evaluations: 25 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@13 pass out on sis1 inet6 from any to 2001:6f8:13fb:3::/64 flags S/SA keep state allow-opts
  [ Evaluations: 2 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@14 pass in on sis1 inet6 all flags S/SA keep state
  [ Evaluations: 25 Packets: 2 Bytes: 144 States: 2 ]
  [ Inserted: uid 0 pid 2258 ]
@15 pass out on sis1 inet6 all flags S/SA keep state
  [ Evaluations: 4 Packets: 2 Bytes: 136 States: 2 ]
  [ Inserted: uid 0 pid 2258 ]
@16 pass in on sis1 inet from 192.168.0.0/16 to any flags S/SA keep state
  [ Evaluations: 25 Packets: 180 Bytes: 51414 States: 21 ]
  [ Inserted: uid 0 pid 2258 ]
@17 pass out on sis1 inet from any to 192.168.0.0/16 flags S/SA keep state
  [ Evaluations: 23 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@18 pass in inet proto icmp all icmp-type echoreq keep state
  [ Evaluations: 69 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@19 pass out inet proto icmp all keep state
  [ Evaluations: 24 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@20 pass out on sis0 proto tcp all flags S/SA keep state
  [ Evaluations: 73 Packets: 160 Bytes: 49118 States: 11 ]
  [ Inserted: uid 0 pid 2258 ]
@21 pass out on sis0 proto udp all keep state
  [ Evaluations: 21 Packets: 21 Bytes: 2100 States: 10 ]
  [ Inserted: uid 0 pid 2258 ]
@22 pass in quick on gif0 all flags S/SA keep state allow-opts
  [ Evaluations: 73 Packets: 382 Bytes: 27496 States: 2 ]
  [ Inserted: uid 0 pid 2258 ]
@23 pass out quick on gif0 all flags S/SA keep state allow-opts
  [ Evaluations: 2 Packets: 3 Bytes: 288 States: 2 ]
  [ Inserted: uid 0 pid 2258 ]
@24 pass in quick on sis0 inet proto ipv6 from any to 62.178.208.15 keep state
  [ Evaluations: 69 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@25 pass out quick on sis0 inet proto ipv6 from 62.178.208.15 to any keep state
  [ Evaluations: 21 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@26 pass in quick proto esp all keep state
  [ Evaluations: 69 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@27 pass in quick proto ipencap all keep state
  [ Evaluations: 45 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@28 pass in quick proto udp from any port = isakmp to any port = isakmp keep state
  [ Evaluations: 45 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@29 pass in quick proto tcp from any port = isakmp to any port = isakmp flags S/SA keep state
  [ Evaluations: 11 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@30 pass out quick proto esp all keep state
  [ Evaluations: 69 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@31 pass out quick proto ipencap all keep state
  [ Evaluations: 24 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@32 pass out quick proto udp from any port = isakmp to any port = isakmp keep state
  [ Evaluations: 24 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@33 pass out quick proto tcp from any port = isakmp to any port = isakmp flags S/SA keep state
  [ Evaluations: 13 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@34 anchor "ftp-proxy/*" all
  [ Evaluations: 69 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@35 pass out inet6 proto tcp from ::1 to any port = ftp flags S/SA keep state
  [ Evaluations: 69 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
@36 pass out inet proto tcp from 127.0.0.1 to any port = ftp flags S/SA keep state
  [ Evaluations: 21 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 2258 ]
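As an added example that is not part of this thread (not Max's code and not anything shipped with pf): a small sh/awk helper that diffs two pfctl -si snapshots and prints only the counters that changed, so the "did state-mismatch increase between the two dumps" question above is answered mechanically instead of by eye. The snapshot it embeds is constructed from the numbers posted above with a state-mismatch line added, and the function name pf_counter_diff is my own.

```shell
#!/bin/sh
# Added example, not from the thread: diff two `pfctl -si` snapshots and
# print every counter that changed, so a one-off "state-mismatch" increase
# is not missed. The snapshot below is constructed from the numbers posted
# above; on the router you would capture real ones with
#   pfctl -si > before.txt; sleep 60; pfctl -si > after.txt
BEFORE=$(mktemp); AFTER=$(mktemp)
cat > "$BEFORE" <<'EOF'
Status: Enabled for 0 days 02:37:07           Debug: Urgent
Interface Stats for gif0              IPv4             IPv6
  Packets In
    Passed                               0             2347
    Blocked                              0               90
  Packets Out
    Blocked                              0                0
State Table                          Total             Rate
  searches                           44046            4.7/s
Counters
  match                              13425            1.4/s
  state-mismatch                         0            0.0/s
EOF
# Second snapshot: the first one with the deltas seen 14 seconds later
# in the thread, plus the single state-mismatch reported afterwards.
sed -e 's/2347/2356/; s/ 90$/ 96/; s/44046/44128/; s/13425/13451/' \
    -e 's/mismatch  *0 /mismatch 1 /' "$BEFORE" > "$AFTER"

# pf_counter_diff BEFORE AFTER: one line per changed counter, keyed as
# "<section>/<name>" because Passed/Blocked occur under both Packets In
# and Packets Out. Per-second rates and the uptime line are ignored.
pf_counter_diff() {
    awk '
    NF == 0 || /^[Ss]tatus:/ { next }
    {
        key = ""; val = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^[0-9]+$/)   val = val (val == "" ? "" : " ") $i
            else if ($i ~ /\/s$/)  continue
            else if (val == "")    key = key (key == "" ? "" : " ") $i
        }
        if (val == "") { section = $1 (NF > 1 ? " " $2 : ""); next }
        id = section "/" key
        if (NR == FNR) before[id] = val
        else if (before[id] != val) printf "%s: %s -> %s\n", id, before[id], val
    }' "$1" "$2"
}

pf_counter_diff "$BEFORE" "$AFTER"
```

Run against two real snapshots taken a minute apart, any line starting with "Counters/state-mismatch" is the signal Max asked about; "Packets In/Blocked" moving without it points at no state being created at all.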


freebsd-pf mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf