Steve Johnson wrote:
> 
> Hi,
> 
> I have a new setup with a 4.3 PF firewall that includes CARP addresses,
> trunked VLANs and HA. We've migrated from a different architecture, so
> the rules have never been tested on a different version before. I've
> tried to setup the first unit with my ruleset, but all forwarded packets
> seem to have problems with state. The packets come through, a state
> table entry is created, they reach the system, but when they come back,
> they are blocked by PF.
> 
> I have keep state entries for all of my rules, so I don't know where the
> problem could be. The ruleset is available here:
> http://www.sjohnson.info/other/pf.conf
> 
> The only thing I've removed from the ruleset are aliases and table
> definitions.
> 
> When I check for specific entries in the state table, I see them as
> "CLOSED:SYN_SENT".  If I disable PF, the packets make it through
> properly, so it should not be any routing or IP forwarding issue. I also
> tried conservative instead of aggressive optimization, but it didn't
> change anything, as I expected.
> 
> Here are the sysctl settings that I have changed:
> net.inet.ip.forwarding=1
> net.inet.tcp.recvspace=65536
> net.inet.tcp.sendspace=65536
> net.inet.carp.preempt=1
> 
> Any clue as to what could be the problem?
> 
> Thanks a lot,
> Steve Johnson
> 

You appear to be making use of the default pass rule for all your outbound
traffic, as I didn't notice a single rule that applied to outbound
traffic (other than your block port 0, CARP, PFSync, and ping rules).  I
don't believe that can be counted on to establish state.

So a packet arrives on an interface, is allowed in with a "pass in quick
on XX" and state is established.  The packet is then routed out YY,
which is allowed since there is no rule to block it.  There is, however,
no state established on interface YY, so the return packet is dropped
unless you have a rule explicitly allowing that packet in.

Try dropping a

pass out all

into the rule set to see if things get better.  (As a test, think about
the implications before you put that into production.)

--Jon Radel
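The two rule shapes Jon contrasts, written out as an added pf.conf fragment. This is not Steve's ruleset from the linked pf.conf and not Jon's text; the interface names, the macro names and the 192.0.2.0/24 network are placeholders standing in for Jon's XX and YY and for whatever the real site uses.

```pf
# Added example, not the ruleset from the thread.
# $int_if stands for Jon's "XX" (where forwarded traffic arrives),
# $ext_if for "YY" (where it is routed out). All values are assumed.
int_if = "vlan10"
ext_if = "em0"
lan    = "192.0.2.0/24"        # placeholder documentation range

set skip on lo0
# floating is the default: a state can match on any interface.
# With if-bound, a state created on $int_if is never consulted on $ext_if,
# so an explicit stateful outbound rule becomes indispensable.
set state-policy floating

# --- Shape 1: what Jon describes in the message above --------------------
# Only inbound traffic is matched by an explicit rule; outbound traffic is
# left to the implicit default pass, which creates no state.
#
#   block in log all
#   pass in quick on $int_if proto tcp from $lan to any flags S/SA keep state
#
# The SYN is accepted on $int_if (state created), leaves $ext_if under the
# default pass, and nothing on $ext_if is prepared to accept the SYN-ACK.

# --- Shape 2: explicit stateful outbound rule -----------------------------
# Jon's quick test is "pass out all". The rule below is the same idea limited
# to the forwarded traffic, so the firewall host itself gains no new outbound
# rights. The site's own CARP, pfsync and ping rules would still be needed
# above this block, since "block log all" now covers both directions.
block log all

pass in  quick on $int_if proto tcp from $lan to any flags S/SA keep state
pass out quick on $ext_if proto tcp from $lan to any flags S/SA keep state
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`. `pfctl -ss` should now show the state progress from `CLOSED:SYN_SENT` to `ESTABLISHED:ESTABLISHED` once the reply has been matched, and `pfctl -vvsr` prints per-rule evaluation, packet and state counters, which confirms whether the outbound rule is actually being hit rather than the implicit default pass.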
