Hello,

Thank you very much for your answers.
Attached is the output of the commands "pfctl -vsr" and "pfctl -si" from the primary and the secondary server.

Thank you in advance,
Sébastien Maerker

-- 
Sébastien Maerker
Continum AG
Bismarckallee 7b-d
79098 Freiburg i. Br.
Tel. +49 761 217 111-77
Fax. +49 761 217 111-99
http://www.continum.net

Registered office: Freiburg im Breisgau
Register court: Amtsgericht Freiburg, HRB 6866
Management board: Rolf Mathis, Volker T. Mueller
Chairman of the supervisory board: Prof. Dr. Karl-F. Fischbach

----- Original message -----
From: "Steven Chamberlain" <[email protected]>
To: "Sebastien Maerker, Continum" <[email protected]>
CC: "Stuart Henderson" <[email protected]>, [email protected]
Sent: Tuesday, 6 December 2011 17:05:38
Subject: Re: Problems with OpenBSD 5.0 and PF

On 06/12/11 15:45, Sebastien Maerker, Continum wrote:
> We have already tested the "block log all" and "tcpdump -nnei pflog0" with
> activated PF on the primary, but we saw nothing/nothing was logged.

Hi,

Do you really mean that *nothing* was being logged at all? With 'block log all' at the start of your ruleset, I'd expect pretty much *everything* to be logged (because the 'log' flag also applies to packets that are later matched by a pass rule).

Otherwise maybe you need to flush the state table with 'pfctl -F states' after starting tcpdump, before you see any new traffic logged. But be careful -- if you're controlling the server via ssh I imagine it would close the connection, so you'd better check first that your firewall ruleset accepts new connections to the ssh port.

Perhaps share with us the output of 'pfctl -vsr' to show the active ruleset and the 'pfctl -si' counters, after enabling PF on the machine.
Regards,
-- 
Steven Chamberlain
[email protected]


Primary, pfctl -vsr:

block return log all
  [ Evaluations: 22976373  Packets: 1612  Bytes: 163183  States: 0 ]
  [ Inserted: uid 0 pid 23494 State Creations: 0 ]
pass in on em0 inet proto tcp from LOCAL to PRIMARY port = ssh flags S/SA
  [ Evaluations: 22976373  Packets: 0  Bytes: 0  States: 0 ]
  [ Inserted: uid 0 pid 23494 State Creations: 0 ]
pass in on em0 inet proto tcp from LOCAL to PRIMARY port = ssh flags S/SA
  [ Evaluations: 162859  Packets: 11545  Bytes: 1366076  States: 3 ]
  [ Inserted: uid 0 pid 23494 State Creations: 3 ]
pass in on em0 inet proto tcp from LOCAL to PRIMARY port = ssh flags S/SA
  [ Evaluations: 162859  Packets: 0  Bytes: 0  States: 0 ]
  [ Inserted: uid 0 pid 23494 State Creations: 0 ]
pass in on em0 inet proto tcp from LOCAL to PRIMARY port = ssh flags S/SA
  [ Evaluations: 162859  Packets: 0  Bytes: 0  States: 0 ]
  [ Inserted: uid 0 pid 23494 State Creations: 0 ]
pass in on em0 inet proto tcp from any to PRIMARY port = domain flags S/SA
  [ Evaluations: 162859  Packets: 1952486  Bytes: 156996419  States: 39 ]
  [ Inserted: uid 0 pid 23494 State Creations: 149175 ]
pass out on em0 inet proto tcp from PRIMARY to LOCAL port = smtp flags S/SA
  [ Evaluations: 165390  Packets: 0  Bytes: 0  States: 0 ]
  [ Inserted: uid 0 pid 23494 State Creations: 0 ]
pass out on em0 inet proto tcp from PRIMARY to LOCAL port = smtp flags S/SA
  [ Evaluations: 5  Packets: 0  Bytes: 0  States: 0 ]
  [ Inserted: uid 0 pid 23494 State Creations: 0 ]
pass out on em0 inet proto tcp from PRIMARY to any port = ssh flags S/SA
  [ Evaluations: 5  Packets: 0  Bytes: 0  States: 0 ]
  [ Inserted: uid 0 pid 23494 State Creations: 0 ]
pass out on em0 inet proto tcp from PRIMARY to any port = domain flags S/SA
  [ Evaluations: 5  Packets: 0  Bytes: 0  States: 0 ]
  [ Inserted: uid 0 pid 23494 State Creations: 0 ]
pass out on em0 inet proto tcp from PRIMARY to OPENBSDMIRROR port = www flags S/SA
  [ Evaluations: 5  Packets: 0  Bytes: 0  States: 0 ]
  [ Inserted: uid 0 pid 23494 State Creations: 0 ]
pass out on em0 inet proto udp from PRIMARY to any port = domain
  [ Evaluations: 22813514  Packets: 1758  Bytes: 108460  States: 0 ]
  [ Inserted: uid 0 pid 23494 State Creations: 877 ]
pass out on em0 inet proto udp from PRIMARY to TIMESERVER port = ntp
  [ Evaluations: 2525  Packets: 4956  Bytes: 376656  States: 1 ]
  [ Inserted: uid 0 pid 23494 State Creations: 1166 ]
pass out on em0 inet proto icmp all icmp-type echoreq code 0
  [ Evaluations: 2531  Packets: 133450  Bytes: 11209800  States: 1 ]
  [ Inserted: uid 0 pid 23494 State Creations: 1 ]
pass in on em0 inet proto udp from any to PRIMARY port = domain
  [ Evaluations: 22976373  Packets: 53894775  Bytes: 6413293719  States: 8861 ]
  [ Inserted: uid 0 pid 23494 State Creations: 22803973 ]
pass in on em0 inet proto icmp all icmp-type echoreq code 0
  [ Evaluations: 22973842  Packets: 466  Bytes: 39012  States: 0 ]
  [ Inserted: uid 0 pid 23494 State Creations: 227 ]

Primary, pfctl -si:

Status: Enabled for 0 days 18:50:28              Debug: err

Interface Stats for em0               IPv4             IPv6
  Bytes In                      12503041499                0
  Bytes Out                     28691622514               64
  Packets In
    Passed                        175648715                0
    Blocked                          128572                0
  Packets Out
    Passed                        174795842                1
    Blocked                            1966                0

State Table                          Total             Rate
  current entries                     9142
  searches                        56005712          825.7/s
  inserts                         22949290          338.3/s
  removals                        22940152          338.2/s
Counters
  match                           22970249          338.7/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                              11022            0.2/s
  normalize                              0            0.0/s
  memory                             19339            0.3/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s


Secondary, pfctl -vsr:

block return log all
  [ Evaluations: 150044  Packets: 240  Bytes: 13567  States: 0 ]
  [ Inserted: uid 0 pid 23716 State Creations: 0 ]
pass in on bge0 inet proto tcp from LOCAL to SECONDARY port = ssh flags S/SA keep state
  [ Evaluations: 150044  Packets: 0  Bytes: 0  States: 0 ]
  [ Inserted: uid 0 pid 23716 State Creations: 0 ]
pass in on bge0 inet proto tcp from LOCAL to SECONDARY port = ssh flags S/SA keep state
  [ Evaluations: 236  Packets: 4332  Bytes: 459888  States: 2 ]
  [ Inserted: uid 0 pid 23716 State Creations: 2 ]
pass in on bge0 inet proto tcp from LOCAL to SECONDARY port = ssh flags S/SA keep state
  [ Evaluations: 236  Packets: 0  Bytes: 0  States: 0 ]
  [ Inserted: uid 0 pid 23716 State Creations: 0 ]
pass in on bge0 inet proto tcp from LOCAL to SECONDARY port = ssh flags S/SA keep state
  [ Evaluations: 236  Packets: 0  Bytes: 0  States: 0 ]
  [ Inserted: uid 0 pid 23716 State Creations: 0 ]
pass in on bge0 inet proto tcp from any to SECONDARY port = domain flags S/SA keep state
  [ Evaluations: 236  Packets: 0  Bytes: 0  States: 0 ]
  [ Inserted: uid 0 pid 23716 State Creations: 0 ]
pass out on bge0 inet proto tcp from SECONDARY to LOCAL port = smtp flags S/SA keep state
  [ Evaluations: 149470  Packets: 0  Bytes: 0  States: 0 ]
  [ Inserted: uid 0 pid 23716 State Creations: 0 ]
pass out on bge0 inet proto tcp from SECONDARY to LOCAL port = smtp flags S/SA keep state
  [ Evaluations: 149017  Packets: 0  Bytes: 0  States: 0 ]
  [ Inserted: uid 0 pid 23716 State Creations: 0 ]
pass out on bge0 inet proto tcp from SECONDARY to any port = ssh flags S/SA keep state
  [ Evaluations: 149017  Packets: 0  Bytes: 0  States: 0 ]
  [ Inserted: uid 0 pid 23716 State Creations: 0 ]
pass out on bge0 inet proto tcp from SECONDARY to any port = domain flags S/SA keep state
  [ Evaluations: 149017  Packets: 1962846  Bytes: 157462919  States: 63 ]
  [ Inserted: uid 0 pid 23716 State Creations: 149015 ]
pass out on bge0 inet proto tcp from SECONDARY to OPENBSDMIRROR port = www flags S/SA keep state
  [ Evaluations: 149017  Packets: 0  Bytes: 0  States: 0 ]
  [ Inserted: uid 0 pid 23716 State Creations: 0 ]
pass out on bge0 inet proto udp from SECONDARY to any port = domain keep state
  [ Evaluations: 149808  Packets: 320  Bytes: 26296  States: 0 ]
  [ Inserted: uid 0 pid 23716 State Creations: 160 ]
pass out on bge0 inet proto udp from SECONDARY to TIMESERVER port = ntp keep state
  [ Evaluations: 217  Packets: 111  Bytes: 8436  States: 0 ]
  [ Inserted: uid 0 pid 23716 State Creations: 57 ]
pass out on bge0 inet proto icmp all icmp-type echoreq code 0 keep state
  [ Evaluations: 149234  Packets: 0  Bytes: 0  States: 0 ]
  [ Inserted: uid 0 pid 23716 State Creations: 0 ]
pass in on bge0 inet proto udp from any to SECONDARY port = domain keep state
  [ Evaluations: 150044  Packets: 1132  Bytes: 69162  States: 0 ]
  [ Inserted: uid 0 pid 23716 State Creations: 564 ]
pass in on bge0 inet proto icmp all icmp-type echoreq code 0 keep state
  [ Evaluations: 810  Packets: 135186  Bytes: 11355400  States: 1 ]
  [ Inserted: uid 0 pid 23716 State Creations: 6 ]

Secondary, pfctl -si:

Status: Enabled for 0 days 19:00:08              Debug: err

Interface Stats for bge0              IPv4             IPv6
  Bytes In                       3534472098                0
  Bytes Out                      5672369615               64
  Packets In
    Passed                         45292784                0
    Blocked                            6675                0
  Packets Out
    Passed                         46795234                1
    Blocked                             216                0

State Table                          Total             Rate
  current entries                       60
  searches                         2104339           30.8/s
  inserts                           149810            2.2/s
  removals                          149752            2.2/s
Counters
  match                             150053            2.2/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  4            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         2            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
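Editor's note and added example; this is not part of either message in the thread. Two figures in the primary's `pfctl -si` output stand out: the state table holds 9142 entries, and the `memory` counter is at 19339 and still rising (0.3/s), while the secondary shows 60 entries and a `memory` count of 0. In OpenBSD pf the `memory` counter is incremented when a packet is dropped because a memory allocation failed, and the global `set limit states` is enforced as a hard limit on the state pool, so exhausting it is reported there rather than under `state-limit` (which is the per-rule `max-states`). The configured limit is not in the thread; 10000 is assumed below as the pf.conf(5) default of the OpenBSD 5.0 era, and on a real system you would take the "states hard limit" value from `pfctl -sm`. One further caveat on the logging discussion above: for block and pass rules pf applies the last matching rule, and that rule's `log` option is the one that counts, so a leading `block log all` only logs packets that no later pass rule matches; a `match log` rule is what logs regardless of the final decision. The helper below (POSIX sh and awk, with `PF_SI_SAMPLE` and all function names being mine) parses a saved `pfctl -si` output and reports the non-zero drop counters and the state-table occupancy; the embedded sample is the primary's output as posted above.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): read a saved "pfctl -si"
# output and report what the per-rule counters of "pfctl -vsr" do not show:
# non-zero drop counters and how full the state table is.

# Sample input: the primary's "pfctl -si" output as posted in the thread,
# embedded so the script runs offline. On a live box use: pfctl -si
PF_SI_SAMPLE='Status: Enabled for 0 days 18:50:28              Debug: err

Interface Stats for em0               IPv4             IPv6
  Bytes In                      12503041499                0
  Bytes Out                     28691622514               64
  Packets In
    Passed                        175648715                0
    Blocked                          128572                0
  Packets Out
    Passed                        174795842                1
    Blocked                            1966                0

State Table                          Total             Rate
  current entries                     9142
  searches                        56005712          825.7/s
  inserts                         22949290          338.3/s
  removals                        22940152          338.2/s
Counters
  match                           22970249          338.7/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                              11022            0.2/s
  normalize                              0            0.0/s
  memory                             19339            0.3/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s'

# Print "name total" for every entry under "Counters" whose total is
# non-zero. "match" is skipped: it counts rule matches, not drops.
pf_nonzero_drop_counters() {
    printf '%s\n' "$1" | awk '
        /^Counters/ { in_counters = 1; next }
        in_counters && NF >= 2 && $1 != "match" && ($2 + 0) > 0 {
            print $1, $2
        }'
}

# Print "entries/limit (percent)". The limit is not part of "pfctl -si";
# pass the "states hard limit" from "pfctl -sm". 10000 is assumed here as
# the pf.conf(5) default of the OpenBSD 5.0 era.
pf_state_table_usage() {
    limit=${2:-10000}
    printf '%s\n' "$1" | awk -v limit="$limit" '
        /^ *current entries/ {
            printf "%d/%d (%d%%)\n", $3, limit, (100 * $3) / limit
        }'
}

# Succeed (exit 0) when the state table is at or above the given percentage
# of its limit, so this can drive a cron or monitoring check. Args:
# si-output, limit, threshold percent (default 90).
pf_state_table_near_limit() {
    pct=$(pf_state_table_usage "$1" "$2" | sed 's/.*(\([0-9]*\)%).*/\1/')
    [ "$pct" -ge "${3:-90}" ]
}

echo "non-zero drop counters:"
pf_nonzero_drop_counters "$PF_SI_SAMPLE"
echo "state table: $(pf_state_table_usage "$PF_SI_SAMPLE" 10000)"
if pf_state_table_near_limit "$PF_SI_SAMPLE" 10000 90; then
    echo "WARNING: state table near its hard limit;" \
         "failed state creations are counted under 'memory'"
fi
```

On the sample this reports `short 11022` and `memory 19339` as the only non-zero drop counters and a state table at 9142/10000 (91%), which is the combination that points at the state limit rather than at the ruleset. Raising `set limit states` (and checking `pfctl -sm` afterwards) or shortening UDP timeouts for the DNS rule are the knobs to look at in that situation; the checks here only make the condition visible.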
