Hello!

I am observing a seemingly perplexing problem on an OpenBSD 4.1 firewall.
Some DNS queries work from behind the firewall towards the internet and others
don't. For example, a query which has a big response of TXT data doesn't work.

The firewall has an internal interface em1 attached to subnet 10.0.1 (the
actual numbers are public but are substituted here) and an outer interface
em3, and the working rules are (among many others):

pass in log (all, to pflog1) quick on em1 inet from 10.0.1.89 to
192.168.1.241 flags S/SA keep state
pass out log (all, to pflog1) quick on em3 inet from 10.0.1.89 to
192.168.1.241 flags S/SA keep state
...
scrub in on em3 all fragment reassemble
scrub out on em3 all random-id fragment reassemble

# pfctl -sa | grep frag | grep -v scrub
  fragment                           25318            0.0/s
frag                         30s
frags         hard limit     5000

Since I can see my packets all right in the pflog1 log, I am sure the right
rules are working, for example on the inner interface (appropriate entries
exist for the outer interface also):

Dec 04 09:48:20.152350 rule 8/(match) pass in on em1:  10.0.1.89.32817 > 192.168.1.241.53:[|domain] (DF)
Dec 04 09:48:20.153173 rule 8/(match) pass out on em1:  192.168.1.241.53 > 10.0.1.89.32817:[|domain]
Dec 04 09:48:24.170777 rule 8/(match) pass in on em1:   10.0.1.89.32817 > 192.168.1.241.53:[|domain] (DF)
Dec 04 09:48:24.171379 rule 8/(match) pass out on em1:  192.168.1.241.53 > 10.0.1.89.32817:[|domain]
Dec 04 09:48:26.186794 rule 8/(match) pass in on em1:   10.0.1.89.32817 > 192.168.1.241.53:[|domain] (DF)
Dec 04 09:48:26.187317 rule 8/(match) pass out on em1:  192.168.1.241.53 > 10.0.1.89.32817:[|domain]

On the other hand, listening on the outer interface with tcpdump I see
queries and replies, but on the inner interface I do not see the replies anymore:

09:48:20.152335 10.0.1.89.32817 > 192.168.1.241.53: 21147+% [1au] TXT? domeen.ee. (54) (DF)
09:48:24.170758 10.0.1.89.32817 > 192.168.1.241.53: 10788+% [1au] TXT? domeen.ee. (54) (DF)
09:48:26.186778 10.0.1.89.32817 > 192.168.1.241.53: 25954+% [1au] KEY? domeen.ee. (54) (DF)
09:48:26.187321 192.168.1.241.53 > 10.0.1.89.32817: 25954* 0/4/2 (645)  (DF)

If someone could explain to me where to look or what to tune to regain
those packets which seem to be lost somewhere between pf and the
interface.


Best regards, Imre
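As an added diagnostic example (not part of the original post, and not an OpenBSD or pf tool): the tcpdump lines quoted above can be correlated mechanically, pairing each query with its reply by client address, client port and DNS transaction id, and then comparing a capture taken on the outer interface with one taken on the inner interface. A transaction that is answered on the outer side but never on the inner side is one the firewall lost, and reporting the reply size next to it shows whether the lost replies are exactly the ones larger than the classic 512-byte UDP DNS payload limit (the limit that applies without EDNS0), which is the first thing to check when only large TXT answers go missing. The outer capture is copied in shape from the post; the inner capture is constructed to represent the situation the post describes (queries present, reply absent).

```python
import re

# Classic maximum UDP DNS payload without EDNS0 (RFC 1035). Replies above this
# only travel over UDP when the client advertised a larger EDNS0 buffer.
UDP_DNS_MAX = 512

# Constructed sample: the same four lines as the post's outer-interface capture.
OUTER_CAPTURE = """\
09:48:20.152335 10.0.1.89.32817 > 192.168.1.241.53: 21147+% [1au] TXT? domeen.ee. (54) (DF)
09:48:24.170758 10.0.1.89.32817 > 192.168.1.241.53: 10788+% [1au] TXT? domeen.ee. (54) (DF)
09:48:26.186778 10.0.1.89.32817 > 192.168.1.241.53: 25954+% [1au] KEY? domeen.ee. (54) (DF)
09:48:26.187321 192.168.1.241.53 > 10.0.1.89.32817: 25954* 0/4/2 (645)  (DF)
"""

# Constructed sample: what the inner interface shows in the scenario described,
# i.e. the queries leave but the 645-byte reply never arrives.
INNER_CAPTURE = """\
09:48:20.152335 10.0.1.89.32817 > 192.168.1.241.53: 21147+% [1au] TXT? domeen.ee. (54) (DF)
09:48:24.170758 10.0.1.89.32817 > 192.168.1.241.53: 10788+% [1au] TXT? domeen.ee. (54) (DF)
09:48:26.186778 10.0.1.89.32817 > 192.168.1.241.53: 25954+% [1au] KEY? domeen.ee. (54) (DF)
"""

# "ts src.port > dst.port: id<flags> rest"; flags are tcpdump's +, *, %, |, $, -.
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+'
    r'(?P<id>\d+)(?P<flags>[+*%|$-]*)\s+(?P<rest>.*)$'
)
# Query: "[1au] TXT? domeen.ee. (54)" -> qtype, qname, payload length.
QUERY_RE = re.compile(r'(?P<qtype>[A-Z0-9]+)\?\s+(?P<qname>\S+)\s+\((?P<len>\d+)\)')
# Reply: "[rcode] an/ns/ar (len)", e.g. "0/4/2 (645)" or "ServFail 0/0/0 (54)".
REPLY_RE = re.compile(
    r'(?:(?P<rcode>[A-Za-z]+)\s+)?(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)\s+\((?P<len>\d+)\)'
)


def parse_dns_line(line):
    """Return a dict describing one tcpdump DNS line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "src", "sport", "dst", "dport")}
    rec["id"] = int(m.group("id"))
    rec["truncated"] = "|" in m.group("flags")   # TC bit set on this message
    rest = m.group("rest")
    q, r = QUERY_RE.search(rest), REPLY_RE.search(rest)
    if q:
        rec.update(kind="query", qtype=q.group("qtype"), qname=q.group("qname"),
                   size=int(q.group("len")))
        rec["key"] = (rec["src"], rec["sport"], rec["id"])        # client side is the source
    elif r:
        rec.update(kind="reply", rcode=r.group("rcode") or "NoError",
                   answers=int(r.group("an")), size=int(r.group("len")))
        rec["key"] = (rec["dst"], rec["dport"], rec["id"])        # client side is the destination
    else:
        return None
    return rec


def correlate(text):
    """Pair queries with replies by (client address, client port, transaction id)."""
    tx = {}
    for line in text.splitlines():
        rec = parse_dns_line(line)
        if rec is not None:
            tx.setdefault(rec["key"], {"query": None, "reply": None})[rec["kind"]] = rec
    return tx


def unanswered(text):
    """Transaction ids that were queried but never answered within one capture."""
    return sorted(k[2] for k, s in correlate(text).items() if s["query"] and not s["reply"])


def find_lost_replies(outer_text, inner_text):
    """Replies present in the outer capture whose transaction got no reply in the inner one."""
    outer, inner = correlate(outer_text), correlate(inner_text)
    lost = []
    for key, slot in outer.items():
        reply = slot["reply"]
        if reply is None or inner.get(key, {}).get("reply") is not None:
            continue
        lost.append({
            "client": f"{key[0]}:{key[1]}", "id": key[2],
            "qtype": slot["query"]["qtype"] if slot["query"] else "?",
            "size": reply["size"], "rcode": reply["rcode"],
            "exceeds_512": reply["size"] > UDP_DNS_MAX,
        })
    return lost


if __name__ == "__main__":
    print("unanswered on outer:", unanswered(OUTER_CAPTURE))
    print("unanswered on inner:", unanswered(INNER_CAPTURE))
    for entry in find_lost_replies(OUTER_CAPTURE, INNER_CAPTURE):
        print("lost between outer and inner:", entry)
```

Run it against two real captures by replacing the constructed strings with `open(path).read()` of `tcpdump -n -i em3 port 53` and `tcpdump -n -i em1 port 53` output taken at the same time; `-n` keeps the address.port form the regex expects. A `|` in a reply's flags means the server already truncated it, in which case the client should retry over TCP rather than anything being lost in pf.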
