Hi,
 thanks for the advice. Now all works fine!

  --- Original message ---
 From: "Jason Hellenthal" <[email protected]>
 To: "wishmaster" <[email protected]>
 Date: 25 February 2013, 07:16:56
 Subject: Re: pf bad cksum on loopback
 
 


> Have you attempted to...
> 
> ifconfig lo0 -txcsum -rxcsum 
> 
> And see if that solves your problem. I've had to do this numerous times with 
> pf on 8.1 -> 8.3 
> 
> Check the syntax of the flags, though; it's been a while since I looked at that issue.
> 
> 
> -- 
> 
> Jason Hellenthal
> JJH48-ARIN
> - (2^(N-1))
> 
> 
> On Feb 24, 2013, at 19:11, "wishmaster" <[email protected]> wrote:
> 
> Hello,
> 
> On my FreeBSD (9.1-STABLE i386) server there is a jail with nginx/apache + php 
> + other stuff... All works fine, but with ftp not so good.
> In the jail I have installed an ftp server, listening on ip 10.15.1.1. This ip 
> address (alias) is on the internal interface bridge0. This bridge consists of 3 
> NICs.
> I am unable to connect to this ftp server, neither from the same jail nor from the 
> base host. With PF completely disabled, connections to ftpd are successful.
> 
> I have figured out that the problem is in the antispoof rule:
> 
> antispoof log quick for {bridge0 lo0} inet
> (@4 block drop in log quick on ! bridge0 inet from 10.15.1.0/24 to any)
> 
> Below is the tcpdump output:
> 
> 01:42:27.348025 rule 50..16777216/0(match): pass out on lo0: (tos 0x0, ttl 128, id 8002, offset 0, flags [DF], proto TCP (6), length 60)
> 10.15.1.1.63392 > 10.15.1.1.2121: Flags [SEW], cksum 0x0277 (correct), seq 3376923564, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 107831611 ecr 0], length 0
> 01:42:27.348165 rule 4..16777216/0(match): block in on lo0: (tos 0x0, ttl 128, id 8002, offset 0, flags [DF], proto TCP (6), length 60, bad cksum 0 (->c55a)!)
> 10.15.1.1.63392 > 10.15.1.1.2121: Flags [SEW], cksum 0x0277 (correct), seq 3376923564, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 107831611 ecr 0], length 0
> 01:42:30.347549 rule 4..16777216/0(match): block in on lo0: (tos 0x0, ttl 128, id 60408, offset 0, flags [DF], proto TCP (6), length 60, bad cksum 0 (->f8a3)!)
> 10.15.1.1.63392 > 10.15.1.1.2121: Flags [SEW], cksum 0xf6be (correct), seq 3376923564, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 107834611 ecr 0], length 0
> 01:42:33.547564 rule 4..16777216/0(match): block in on lo0: (tos 0x0, ttl 128, id 12125, offset 0, flags [DF], proto TCP (6), length 60, bad cksum 0 (->b53f)!)
> 10.15.1.1.63392 > 10.15.1.1.2121: Flags [S], cksum 0xeafe (correct), seq 3376923564, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 107837811 ecr 0], length 0
> 01:42:36.747569 rule 4..16777216/0(match): block in on lo0: (tos 0x0, ttl 128, id 25338, offset 0, flags [DF], proto TCP (6), length 48, bad cksum 0 (->81ae)!)
> 10.15.1.1.63392 > 10.15.1.1.2121: Flags [S], cksum 0xa6fe (correct), seq 3376923564, win 65535, options [mss 16344,sackOK,eol], length 0
> 
> The workaround is something like this rule:
> set skip on lo0
> 
> but this is unsuitable for me. For security reasons I must use PF to filter 
> traffic from the jail to the base system.
> 
> Cheers,
> Vitaliy
> 
> _______________________________________________
> [email protected] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "[email protected]"
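Added example, not from the thread or from either poster: a pf.conf fragment showing the rule ordering pf.conf(5) recommends for this situation. The manual notes that rules created by antispoof interfere with packets sent over loopback interfaces to local addresses and that such packets should be passed explicitly; a pass rule with quick placed before the antispoof line does that for the one flow that is needed, without giving up filtering on lo0 the way set skip on lo0 would. The interface, network, address and port are taken from the post; the macro names are introduced here. This does not replace the checksum-offload change Jason suggested, which is what the thread reports as resolving the problem.

```pf
# Added example (not from the thread). Names bridge0, 10.15.1.1, 10.15.1.0/24
# and port 2121 come from the post; the macro names are introduced here.

jail_net = "10.15.1.0/24"
ftp_ip   = "10.15.1.1"
ftp_port = "2121"

# Problematic form, as in the post. antispoof for bridge0 expands to roughly
#   block drop in quick on ! bridge0 inet from 10.15.1.0/24 to any
# A connection from 10.15.1.1 to 10.15.1.1 is delivered over lo0, i.e. it
# arrives "on ! bridge0" with a 10.15.1.0/24 source, and is dropped.
#
#   antispoof log quick for { bridge0 lo0 } inet

# Corrected ordering: pass exactly the loopback traffic that is wanted,
# with quick, before the antispoof line, so it never reaches the block.
pass in  quick on lo0 inet proto tcp from $jail_net to $ftp_ip port $ftp_port keep state
pass out quick on lo0 inet proto tcp from $jail_net to $ftp_ip port $ftp_port keep state

# Everything else from the jail network on lo0 still hits the antispoof
# rule and the rest of the ruleset, so jail-to-host filtering is preserved.
antispoof log quick for { bridge0 lo0 } inet

# What the thread reports as the actual fix is not a pf.conf setting but
# an interface change, run once (Jason's suggestion, syntax as he gave it):
#   ifconfig lo0 -txcsum -rxcsum
```

Load with pfctl -nf /etc/pf.conf first to check the syntax, then pfctl -vsr to confirm that the two pass rules are numbered below the expanded antispoof block rule.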