On Wed, May 07, 2008 at 04:09:43PM -0400, Steve Johnson wrote:
> I have a new setup with a 4.3 PF firewall that includes CARP addresses,
> trunked VLANs and HA. We've migrated from a different architecture, so the
> rules have never been tested on a different version before. I've tried to
> set up the first unit with my ruleset, but all forwarded packets seem to
> have problems with state. The packets come through, a state table entry is
> created, they reach the system, but when they come back, they are blocked
> by PF.
>
> I have keep state entries for all of my rules, so I don't know where the
> problem could be. The ruleset is available here:
> http://www.sjohnson.info/other/pf.conf
>
> The only thing I've removed from the ruleset are aliases and table
> definitions.
>
> When I check for specific entries in the state table, I see them as
> "CLOSED:SYN_SENT". If I disable PF, the packets make it through properly,
> so it should not be any routing or IP forwarding issue. I also tried
> conservative instead of aggressive optimization, but it didn't change
> anything, as I expected.
>
> Here are the sysctl settings that I have changed:
> net.inet.ip.forwarding=1
> net.inet.tcp.recvspace=65536
> net.inet.tcp.sendspace=65536
> net.inet.carp.preempt=1
>
> Any clue as to what could be the problem?
Not really, I'm afraid, but some ideas:

- I see you've marked everything as "block log" - is there anything on
  pflog0 (pflog(4), tcpdump(8))? If so, which rule is triggered?
- If pf is enabled, can the firewall access and be accessed by all hosts
  involved in the testing? (That is, are you sure that routing is the only
  thing that fails?)
- Does this happen for all protocols (TCP/UDP/ICMP etc.)?
- If nobody else has a good idea, could you create a dump with tcpdump and
  post it (ASCII output should do, I believe)? On all involved interfaces,
  please.
- Your ruleset could be a lot more compact if you used "{ a, b, c }"
  everywhere (antispoof!), and omitted anything unnecessary ("keep state
  flags S/SA" has been the default for several releases, and "port = http"
  can be written as just "port http"). You might also wish to reconsider
  using "quick" for every rule. But this is purely stylistic.

Joachim

--
TFMotD: pod2latex (1) - convert pod documentation to latex format
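As an added illustration of the compaction Joachim describes (this is not Steve's ruleset, which is only available at the URL above, and not part of the original thread): the same small policy written in the verbose style and then in the compact style that pf.conf(5) on OpenBSD 4.3 accepts. The interface names, the web server address and the policy itself are assumptions made up for the example.

```pf
# Added example, not from the original thread. Interface names and the
# server address are assumptions.
ext_if  = "em0"
int_if  = "em1"
web_srv = "192.0.2.10"

# Verbose form: every option spelled out, one rule per port, one
# antispoof rule per interface, "quick" on everything.
#
#   block log all
#   antispoof log quick for $ext_if
#   antispoof log quick for $int_if
#   pass in quick on $ext_if proto tcp from any to $web_srv \
#       port = http  flags S/SA keep state
#   pass in quick on $ext_if proto tcp from any to $web_srv \
#       port = https flags S/SA keep state
#   pass out quick on $int_if proto tcp from any to $web_srv \
#       port = http  flags S/SA keep state
#   pass out quick on $int_if proto tcp from any to $web_srv \
#       port = https flags S/SA keep state

# Compact equivalent. On 4.3 a "pass" rule already means
# "flags S/SA keep state", "port = http" is just "port http", "from any"
# can be dropped, and a brace list expands to one rule per element
# (check with "pfctl -nvf /etc/pf.conf" to see the expansion).
# "quick" is kept only on the antispoof rules, where a short-circuit
# is actually wanted; the pass rules rely on last-match.
set skip on lo0
block log all
antispoof log quick for { $ext_if, $int_if }
pass in  on $ext_if proto tcp to $web_srv port { http, https }
pass out on $int_if proto tcp to $web_srv port { http, https }
```

To follow the first suggestion in the reply, `pfctl -nvf /etc/pf.conf` parses the file without loading it and prints the expanded rules; `pfctl -vvsr` lists the loaded rules with their `@N` numbers; and `tcpdump -n -e -ttt -i pflog0` prints each logged packet together with the number of the rule that blocked it, which is what makes the `block log all` catch-all useful for this kind of debugging. `pfctl -ss` shows the state entries, so a forwarded connection that stays at CLOSED:SYN_SENT can be matched against what pflog0 shows for its return traffic.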