Re: Strange PF behaviour after 6.0 -> 6.1 upgrade

Edgar Pettijohn Thu, 20 Apr 2017 09:39:04 -0700

The answer may be in an irrelevant section of pf.conf. why not post it's 
entirety.



⁣Sent from BlueMail 

On Apr 20, 2017, 10:15 AM, at 10:15 AM, "Sjöholm Per-Olov" <p...@incedo.org> 
wrote:
>
>> On 20 Apr 2017, at 13:00, Sjöholm Per-Olov <p...@incedo.org> wrote:
>>
>>
>>> On 20 Apr 2017, at 01:18, Sjöholm Per-Olov <p...@incedo.org> wrote:
>>>
>>>
>>>> On 20 Apr 2017, at 00:39, Fred <open...@crowsons.com> wrote:
>>>>
>>>> On 04/19/17 23:30, Sjöholm Per-Olov wrote:
>>>>> Anyone with a clue would be _very_ much appreciated….
>>>>> I upgraded from 6.0 to 6.1 two days ago and **did not change
>anything to the network** stuff at all. After that clients have random
>problems reaching my dmz web server (centos + nginx). I have checked
>the release notes, but could not see any clue there. Se logs below
>>>>> # Relevant rules from PF
>>>>> LAN_INT="vlan2"
>>>>> DMZ1_INT="vlan3"
>>>>> DMZ2_INT="vlan4"
>>>>> GUEST_INT="vlan1003"
>>>>> INTERNET_INT="em3
>>>>> ALL_INTERFACES="{" $LAN_INT $GUEST_INT $DMZ1_INT $DMZ2_INT
>$INTERNET_INT "}"
>>>>> pass out on $ALL_INTERFACES inet proto {tcp gre esp udp icmp ipv6}
>all keep state
>>>>> pass out on $ALL_INTERFACES inet6  proto {tcp gre esp udp icmp6}
>all keep state
>>>>> pass out on $IPV6_TUNNEL_INT inet6 all keep state
>>>>> pass in log quick on $INTERNET_INT inet proto tcp  from any  to
>$DMZ1_DAEDALUS port  { 80 443 } label "webstats:$dstport" flags S/SAFR
>keep state (max-src-nodes 90, max-src-states 150, max-src-conn 150,
>max-src-conn-rate 250/30,  overload <bad_hosts> flush global)
>>>>> # Log that after upgrade shows problems in the logs related to
>this directly after the upgrade
>>>>> root@xanadu:/var/log#tcpdump -e -n -ttt -r /var/log/pflog.6|grep
>block|grep 155.4|grep out |grep ': R'
>>>>> tcpdump: WARNING: snaplen raised from 116 to 160
>>>>> root@xanadu:/var/log#tcpdump -e -n -ttt -r /var/log/pflog.5|grep
>block|grep 155.4|grep out |grep ': R'
>>>>> tcpdump: WARNING: snaplen raised from 116 to 160
>>>>> root@xanadu:/var/log#tcpdump -e -n -ttt -r /var/log/pflog.4|grep
>block|grep 155.4|grep out |grep ': R'
>>>>> tcpdump: WARNING: snaplen raised from 116 to 160
>>>>> root@xanadu:/var/log#tcpdump -e -n -ttt -r /var/log/pflog.3|grep
>block|grep 155.4|grep out |grep ': R'
>>>>> tcpdump: WARNING: snaplen raised from 116 to 160
>>>>> root@xanadu:/var/log#tcpdump -e -n -ttt -r /var/log/pflog.2|grep
>block|grep 155.4|grep out |grep ': R'
>>>>> tcpdump: WARNING: snaplen raised from 116 to 160
>>>>> Apr 17 05:43:36.359067 rule 63/(match) block out on em3:
>155.4.8.28.80 > 164.132.161.92.46942: R 0:0(0) ack 2697518940 win 0
>(DF)
>>>>> Apr 17 05:43:37.358688 rule 63/(match) block out on em3:
>155.4.8.28.80 > 164.132.161.92.46942: R 0:0(0) ack 1 win 0 (DF)
>>>>> Apr 17 05:43:39.362671 rule 63/(match) block out on em3:
>155.4.8.28.80 > 164.132.161.92.46942: R 0:0(0) ack 1 win 0 (DF)
>>>>> Apr 17 06:10:24.490412 rule 63/(match) block out on em3:
>155.4.8.28.80 > 139.162.111.147.33930: R 0:0(0) ack 1409896759 win 0
>(DF)
>>>>> Apr 17 06:32:45.198754 rule 63/(match) block out on em3:
>155.4.8.28.80 > 180.76.15.26.42835: R 0:0(0) ack 3718886589 win 0 (DF)
>>>>> Apr 17 06:32:46.198338 rule 63/(match) block out on em3:
>155.4.8.28.80 > 180.76.15.26.42835: R 0:0(0) ack 1 win 0 (DF)
>>>>> Apr 17 06:41:29.366359 rule 63/(match) block out on em3:
>155.4.8.28.80 > 51.255.65.91.42819: R 0:0(0) ack 4294673273 win 0 (DF)
>>>>> Apr 17 06:41:30.365396 rule 63/(match) block out on em3:
>155.4.8.28.80 > 51.255.65.91.42819: R 0:0(0) ack 1 win 0 (DF)
>>>>> Apr 17 06:41:32.369399 rule 63/(match) block out on em3:
>155.4.8.28.80 > 51.255.65.91.42819: R 0:0(0) ack 1 win 0 (DF)
>>>>> — cut the rest —
>>>>> What have I missed?
>>>>> Tnx in advance
>>>>> Peo
>>>>> Thanks
>>>>> Peo
>>>>
>>>> You might get some clues from:
>>>>
>>>> pfctl -sr -R 63
>>>>
>>>> Cheers
>>>>
>>>> Fred
>>>>
>>>
>>> I know that that rule is my default block…
>>>
>>> root@xanadu:/etc#pfctl -g -sr|grep "@63"
>>> @63 block drop log all
>>> root@xanadu:/etc#
>>>
>>> But why is this happening after upgrade. I have netiher touched
>pf.conf, sysctl.conf  or /etc/hostname* nor found any changes in
>release notes related to this. So I see no reason for the packet to get
>stuck on that rule. But I am probably missing something obvious :)
>>>
>>>
>>> Peo
>>>
>>
>>
>> This is a tricky one…. I would very much appreciate “pro” help :)
>>
>> It seems a reload with pfctl -f /etc/pf.conf make these blocked
>packages go away for two hours or so (and everything is working). After
>that the problem comes back and I again see frequent intermittent block
>out on the internet interface.
>>
>> root@xanadu:/etc#tcpdump -e -n -ttt -r /var/log/pflog|grep block|grep
>155.4|grep out |grep ': R'|tail -20
>> tcpdump: WARNING: snaplen raised from 116 to 160
>> Apr 20 12:34:18.052265 rule 63/(match) block out on em3:
>155.4.8.28.25 > 194.71.64.14.5910: R 0:0(0) ack 1 win 0 (DF)
>> Apr 20 12:34:21.249292 rule 63/(match) block out on em3:
>155.4.8.28.25 > 194.71.64.14.5910: R 0:0(0) ack 1 win 0 (DF)
>> Apr 20 12:34:24.449235 rule 63/(match) block out on em3:
>155.4.8.28.25 > 194.71.64.14.5910: R 0:0(0) ack 1 win 0 (DF)
>> Apr 20 12:34:27.649446 rule 63/(match) block out on em3:
>155.4.8.28.25 > 194.71.64.14.5910: R 0:0(0) ack 1 win 0 (DF)
>> Apr 20 12:34:30.849380 rule 63/(match) block out on em3:
>155.4.8.28.25 > 194.71.64.14.5910: R 0:0(0) ack 1 win 0 (DF)
>> Apr 20 12:34:37.049703 rule 63/(match) block out on em3:
>155.4.8.28.25 > 194.71.64.14.5910: R 0:0(0) ack 1 win 0 (DF)
>> Apr 20 12:34:49.253624 rule 63/(match) block out on em3:
>155.4.8.28.25 > 194.71.64.14.5910: R 0:0(0) ack 1 win 0 (DF)
>> Apr 20 12:35:13.449340 rule 63/(match) block out on em3:
>155.4.8.28.25 > 194.71.64.14.5910: R 0:0(0) ack 1 win 0 (DF)
>> Apr 20 12:35:19.053693 rule 63/(match) block out on em3:
>155.4.8.28.25 > 41.78.84.231.50310: R 0:0(0) ack 3874760854 win 0 (DF)
>> Apr 20 12:35:22.048103 rule 63/(match) block out on em3:
>155.4.8.28.25 > 41.78.84.231.50310: R 0:0(0) ack 1 win 0 (DF)
>> Apr 20 12:35:28.045309 rule 63/(match) block out on em3:
>155.4.8.28.25 > 41.78.84.231.50310: R 0:0(0) ack 1 win 0 (DF)
>> Apr 20 12:37:15.284115 rule 63/(match) block out on em3:
>155.4.8.28.25 > 112.215.201.32.20948: R 0:0(0) ack 533408652 win 0 (DF)
>> Apr 20 12:37:18.302353 rule 63/(match) block out on em3:
>155.4.8.28.25 > 112.215.201.32.20948: R 0:0(0) ack 1 win 0 (DF)
>> Apr 20 12:37:24.294055 rule 63/(match) block out on em3:
>155.4.8.28.25 > 112.215.201.32.20948: R 0:0(0) ack 1 win 0 (DF)
>> Apr 20 12:38:24.998973 rule 63/(match) block out on em3:
>155.4.8.28.25 > 209.85.218.51.33714: R 0:0(0) ack 3754971547 win 0 (DF)
>> Apr 20 12:38:25.999057 rule 63/(match) block out on em3:
>155.4.8.28.25 > 209.85.218.51.33714: R 0:0(0) ack 1 win 0 (DF)
>> Apr 20 12:38:27.999024 rule 63/(match) block out on em3:
>155.4.8.28.25 > 209.85.218.51.33714: R 0:0(0) ack 1 win 0 (DF)
>> Apr 20 12:38:31.998695 rule 63/(match) block out on em3:
>155.4.8.28.25 > 209.85.218.51.33714: R 0:0(0) ack 1 win 0 (DF)
>> Apr 20 12:38:39.998591 rule 63/(match) block out on em3:
>155.4.8.28.25 > 209.85.218.51.33714: R 0:0(0) ack 1 win 0 (DF)
>> Apr 20 12:38:55.998538 rule 63/(match) block out on em3:
>155.4.8.28.25 > 209.85.218.51.33714: R 0:0(0) ack 1 win 0 (DF)
>> root@xanadu:/etc#
>>
>>
>> Could it be any buffers that is causing this in 6.1 but not in 6.0 ?
>>
>>
>>
>> Peo
>>
>>
>
>
>
>Now it has worked from 12:38, but started to cause problems again at
>16:15. Have not done anything during this time frame. Here is a snippet
>from the command:
>tcpdump -e -n -ttt -r /var/log/pflog|grep block|grep 155.4|grep out
>|grep ': R'
>where we can see that I had approximately 3 hours and 36 minutes
>without a problem between  12:38 and 16:15. This drives me crazy!
>
>
>Why did these errors come after several hours? This happens to both
>smtp as well as webb traffic.
>
>Any suggestions what to look for would be very much appreciated...
>
>
>—snip--
>Apr 20 12:34:37.049703 rule 63/(match) block out on em3: 155.4.8.28.25
>> 194.71.64.14.5910: R 0:0(0) ack 1 win 0 (DF)
>Apr 20 12:34:49.253624 rule 63/(match) block out on em3: 155.4.8.28.25
>> 194.71.64.14.5910: R 0:0(0) ack 1 win 0 (DF)
>Apr 20 12:35:13.449340 rule 63/(match) block out on em3: 155.4.8.28.25
>> 194.71.64.14.5910: R 0:0(0) ack 1 win 0 (DF)
>Apr 20 12:35:19.053693 rule 63/(match) block out on em3: 155.4.8.28.25
>> 41.78.84.231.50310: R 0:0(0) ack 3874760854 win 0 (DF)
>Apr 20 12:35:22.048103 rule 63/(match) block out on em3: 155.4.8.28.25
>> 41.78.84.231.50310: R 0:0(0) ack 1 win 0 (DF)
>Apr 20 12:35:28.045309 rule 63/(match) block out on em3: 155.4.8.28.25
>> 41.78.84.231.50310: R 0:0(0) ack 1 win 0 (DF)
>Apr 20 12:37:15.284115 rule 63/(match) block out on em3: 155.4.8.28.25
>> 112.215.201.32.20948: R 0:0(0) ack 533408652 win 0 (DF)
>Apr 20 12:37:18.302353 rule 63/(match) block out on em3: 155.4.8.28.25
>> 112.215.201.32.20948: R 0:0(0) ack 1 win 0 (DF)
>Apr 20 12:37:24.294055 rule 63/(match) block out on em3: 155.4.8.28.25
>> 112.215.201.32.20948: R 0:0(0) ack 1 win 0 (DF)
>Apr 20 12:38:24.998973 rule 63/(match) block out on em3: 155.4.8.28.25
>> 209.85.218.51.33714: R 0:0(0) ack 3754971547 win 0 (DF)
>Apr 20 12:38:25.999057 rule 63/(match) block out on em3: 155.4.8.28.25
>> 209.85.218.51.33714: R 0:0(0) ack 1 win 0 (DF)
>Apr 20 12:38:27.999024 rule 63/(match) block out on em3: 155.4.8.28.25
>> 209.85.218.51.33714: R 0:0(0) ack 1 win 0 (DF)
>Apr 20 12:38:31.998695 rule 63/(match) block out on em3: 155.4.8.28.25
>> 209.85.218.51.33714: R 0:0(0) ack 1 win 0 (DF)
>Apr 20 12:38:39.998591 rule 63/(match) block out on em3: 155.4.8.28.25
>> 209.85.218.51.33714: R 0:0(0) ack 1 win 0 (DF)
>Apr 20 12:38:55.998538 rule 63/(match) block out on em3: 155.4.8.28.25
>> 209.85.218.51.33714: R 0:0(0) ack 1 win 0 (DF)
>Apr 20 16:15:09.279725 rule 63/(match) block out on em3: 155.4.8.28.25
>> 181.234.142.153.1954: R 0:0(0) ack 2524568547 win 0 (DF)
>Apr 20 16:15:10.278863 rule 63/(match) block out on em3: 155.4.8.28.25
>> 190.43.107.62.50622: R 0:0(0) ack 892069347 win 0 (DF)
>Apr 20 16:15:12.330771 rule 63/(match) block out on em3: 155.4.8.28.25
>> 181.234.142.153.1954: R 0:0(0) ack 1 win 0 (DF)
>Apr 20 16:15:13.276805 rule 63/(match) block out on em3: 155.4.8.28.25
>> 190.43.107.62.50622: R 0:0(0) ack 1 win 0 (DF)
>Apr 20 16:15:18.235835 rule 63/(match) block out on em3: 155.4.8.28.25
>> 181.234.142.153.1954: R 0:0(0) ack 1 win 0 (DF)
>Apr 20 16:15:19.284027 rule 63/(match) block out on em3: 155.4.8.28.25
>> 190.43.107.62.50622: R 0:0(0) ack 1 win 0 (DF)
>Apr 20 16:17:54.217582 rule 63/(match) block out on em3: 155.4.8.28.25
>> 119.30.45.76.2544: R 0:0(0) ack 3955486675 win 0 (DF)
>Apr 20 16:17:57.197196 rule 63/(match) block out on em3: 155.4.8.28.25
>> 119.30.45.76.2544: R 0:0(0) ack 1 win 0 (DF)
>Apr 20 16:18:03.227666 rule 63/(match) block out on em3: 155.4.8.28.25
>> 119.30.45.76.2545: R 0:0(0) ack 3955486675 win 0 (DF)
>Apr 20 16:24:07.843355 rule 63/(match) block out on em3: 155.4.8.28.25
>> 14.229.78.164.52657: R 0:0(0) ack 1524071302 win 0 (DF)
>Apr 20 16:24:10.843120 rule 63/(match) block out on em3: 155.4.8.28.25
>> 14.229.78.164.52657: R 0:0(0) ack 1 win 0 (DF)
>Apr 20 16:24:16.843130 rule 63/(match) block out on em3: 155.4.8.28.25
>> 14.229.78.164.52657: R 0:0(0) ack 1 win 0 (DF)
>—snip--

Re: Strange PF behaviour after 6.0 -> 6.1 upgrade

Reply via email to