Andy,

Sorry for the delay in responding; it has been a tough couple of days. I have spent limited time on your problem, I apologize, but in looking at it and reading as much as I could about this situation, I don't see what the problem is. It is probably something simple that I just can't see, but I hope someone on this list is able to offer their suggestions.

There is obviously something wrong with vlan15 and modulate state. What it is I am not able to tell.

One quick thing I would recommend, however, is to name your interfaces in the 'Macros' section of pf.conf. This makes it easy to apply changes to interface names or devices later if it is at all necessary. I know it has absolutely nothing to do with your problem.

Sorry I am not able to assist with this.

-a

On Friday, Sep 12, 2003, at 16:45 US/East-Indiana, Eaton, Andy wrote:

Sorry for the delayed response, I just needed to do some more work on this myself before I went in depth on this. I figured out today why the packets were not matching the right rules and it had to do with state. However, I am still unable to get state modulation to work properly. Here is everything I know:

I made a mock rule set to make this easy. The following is my ruleset:

pass in quick log-all on { vlan1, vlan3, vlan5, vlan7, vlan9, vlan11, vlan13, vlan15, vlan17, vlan19}
pass out quick log-all all keep state
pass in quick log-all on vlan6 inet proto tcp from 172.16.8.71 to 128.252.21.6 port 135 keep state
pass in quick log all

These rules work perfectly.

tcpdump -n -e -ttt -i pflog0 net 128.252.21.6 and port 135 gives the following:

Sep 12 16:30:24.566762 rule 7/0(match): pass in on vlan15: 172.16.8.71.1372 > 128.252.21.6.135: S 1955247657:1955247657(0) win 65520 <mss 1260,nop,nop,sackOK> (DF)
Sep 12 16:30:24.566767 rule 10/0(match): pass out on vlan14: 172.16.8.71.1372 > 128.252.21.6.135: S 1955247657:1955247657(0) win 65520 <mss 1260,nop,nop,sackOK> (DF)
Sep 12 16:30:24.566964 rule 11/0(match): pass in on vlan6: 172.16.8.71.1372 > 128.252.21.6.135: S 1955247657:1955247657(0) win 65520 <mss 1260,nop,nop,sackOK> (DF)
Sep 12 16:30:24.566969 rule 10/0(match): pass out on vlan7: 172.16.8.71.1372 > 128.252.21.6.135: S 1955247657:1955247657(0) win 65520 <mss 1260,nop,nop,sackOK> (DF)
Sep 12 16:30:24.567368 rule 10/0(match): pass in on vlan7: 128.252.21.6.135 > 172.16.8.71.1372: S 660857943:660857943(0) ack 1955247658 win 65535 <mss 1460,nop,nop,sackOK> (DF)
Sep 12 16:30:24.567370 rule 11/0(match): pass out on vlan6: 128.252.21.6.135 > 172.16.8.71.1372: S 660857943:660857943(0) ack 1955247658 win 65535 <mss 1460,nop,nop,sackOK> (DF)
Sep 12 16:30:24.567573 rule 10/0(match): pass in on vlan14: 128.252.21.6.135 > 172.16.8.71.1372: S 660857943:660857943(0) ack 1955247658 win 65535 <mss 1460,nop,nop,sackOK> (DF)
Sep 12 16:30:24.567575 rule 11/0(match): pass out on vlan15: 128.252.21.6.135 > 172.16.8.71.1372: S 660857943:660857943(0) ack 1955247658 win 65535 <mss 1460,nop,nop,sackOK> (DF)
Sep 12 16:30:24.567978 rule 11/0(match): pass in on vlan15: 172.16.8.71.1372 > 128.252.21.6.135: . ack 1 win 65520 (DF)
Sep 12 16:30:24.567980 rule 10/0(match): pass out on vlan14: 172.16.8.71.1372 > 128.252.21.6.135: . ack 1 win 65520 (DF)
Sep 12 16:30:24.568183 rule 11/0(match): pass in on vlan6: 172.16.8.71.1372 > 128.252.21.6.135: . ack 1 win 65520 (DF)
Sep 12 16:30:24.568185 rule 10/0(match): pass out on vlan7: 172.16.8.71.1372 > 128.252.21.6.135: . ack 1 win 65520 (DF)
etc.

If I change the above from keep state to modulate state, I get the following tcpdump.

Sep 12 16:29:51.020110 rule 7/0(match): pass in on vlan15: 172.16.8.71.1371 > 128.252.21.6.135: S 1946850554:1946850554(0) win 65520 <mss 1260,nop,nop,sackOK> (DF)
Sep 12 16:29:51.020114 rule 10/0(match): pass out on vlan14: 172.16.8.71.1371 > 128.252.21.6.135: S 1946850554:1946850554(0) win 65520 <mss 1260,nop,nop,sackOK> (DF)
Sep 12 16:29:51.020313 rule 11/0(match): pass in on vlan6: 172.16.8.71.1371 > 128.252.21.6.135: S 1946850554:1946850554(0) win 65520 <mss 1260,nop,nop,sackOK> (DF)
Sep 12 16:29:54.008437 rule 11/0(match): pass in on vlan15: 172.16.8.71.1371 > 128.252.21.6.135: S 1896601042:1896601042(0) win 65520 <mss 1260,nop,nop,sackOK> (DF)
^C

Where it just hangs, and I am not sure why.

Thank you,

Andrew Eaton

-----Original Message-----
From: Asenchi [mailto:[EMAIL PROTECTED]
Sent: Friday, September 12, 2003 1:19 AM
To: Eaton, Andy
Cc: [EMAIL PROTECTED]
Subject: Re: tcpdump and rule -1/0

Really the only way anyone on this list can help is by providing your
entire ruleset.  Until then, most of us will be left in the dark.

-a

On Thursday, Sep 11, 2003, at 17:37 US/East-Indiana, Eaton, Andy wrote:

Hello all,

I am having a problem with filtering on a vlan-aware bridge. I am wondering if anyone has seen a tcpdump that looks like the following and what it means. Particularly the part about the rule -1/0(match).

Sep 11 17:35:33.988497 rule -1/0(match): pass in on vlan16: 64.236.34.72.80 > 172.16.0.36.3114: . 63809:64321(512) ack 1 win 4096
Sep 11 17:35:33.988501 rule -1/0(match): pass out on vlan17: 64.236.34.72.80 > 172.16.0.36.3114: . 63809:64321(512) ack 1 win 4096
Sep 11 17:35:33.989717 rule -1/0(match): pass in on vlan17: 172.16.0.36.3114 > 64.236.34.72.80: . ack 64321 win 0 (DF)
Sep 11 17:35:33.989720 rule -1/0(match): pass out on vlan16: 172.16.0.36.3114 > 64.236.34.72.80: . ack 64321 win 0 (DF)

I have spent a lot of time debugging this and the rules are not being parsed right. I thought I might start here.

Thanks in advance,

Andrew Eaton
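The comparison Andy did by eye between the keep-state and modulate-state traces above can be scripted. The following is an added example, not code from anyone in this thread: it expands the posted ruleset into individual rules the way pfctl expands a { ... } list, parses the pflog tcpdump lines copied from Andy's messages, and for each initial SYN lists the (direction, interface) hops pf logged and every distinct sequence number seen. The one assumption is that the `rule N` in pflog output is the 0-based index into that expanded list, which is what makes vlan15, the eighth member of the list, show up as rule 7 in the trace; the `rule -1/0` lines from the first message are parsed but left without rule text, since the ruleset has no entry for them.

```python
"""Added example (not from the thread): number the posted pf ruleset as pfctl
does, parse pflog tcpdump lines, and compare each SYN's hop path and ISNs."""
import re

# Ruleset exactly as posted in the thread.
RULESET = """\
pass in quick log-all on { vlan1, vlan3, vlan5, vlan7, vlan9, vlan11, vlan13, vlan15, vlan17, vlan19}
pass out quick log-all all keep state
pass in quick log-all on vlan6 inet proto tcp from 172.16.8.71 to 128.252.21.6 port 135 keep state
pass in quick log all
"""

# tcpdump -n -e -ttt -i pflog0 lines copied from the thread: the four hops of the
# keep-state SYN plus the returning SYN/ACK, then the whole modulate-state trace.
KEEP_STATE_LOG = """\
Sep 12 16:30:24.566762 rule 7/0(match): pass in on vlan15: 172.16.8.71.1372 > 128.252.21.6.135: S 1955247657:1955247657(0) win 65520 <mss 1260,nop,nop,sackOK> (DF)
Sep 12 16:30:24.566767 rule 10/0(match): pass out on vlan14: 172.16.8.71.1372 > 128.252.21.6.135: S 1955247657:1955247657(0) win 65520 <mss 1260,nop,nop,sackOK> (DF)
Sep 12 16:30:24.566964 rule 11/0(match): pass in on vlan6: 172.16.8.71.1372 > 128.252.21.6.135: S 1955247657:1955247657(0) win 65520 <mss 1260,nop,nop,sackOK> (DF)
Sep 12 16:30:24.566969 rule 10/0(match): pass out on vlan7: 172.16.8.71.1372 > 128.252.21.6.135: S 1955247657:1955247657(0) win 65520 <mss 1260,nop,nop,sackOK> (DF)
Sep 12 16:30:24.567368 rule 10/0(match): pass in on vlan7: 128.252.21.6.135 > 172.16.8.71.1372: S 660857943:660857943(0) ack 1955247658 win 65535 <mss 1460,nop,nop,sackOK> (DF)
"""
MODULATE_STATE_LOG = """\
Sep 12 16:29:51.020110 rule 7/0(match): pass in on vlan15: 172.16.8.71.1371 > 128.252.21.6.135: S 1946850554:1946850554(0) win 65520 <mss 1260,nop,nop,sackOK> (DF)
Sep 12 16:29:51.020114 rule 10/0(match): pass out on vlan14: 172.16.8.71.1371 > 128.252.21.6.135: S 1946850554:1946850554(0) win 65520 <mss 1260,nop,nop,sackOK> (DF)
Sep 12 16:29:51.020313 rule 11/0(match): pass in on vlan6: 172.16.8.71.1371 > 128.252.21.6.135: S 1946850554:1946850554(0) win 65520 <mss 1260,nop,nop,sackOK> (DF)
Sep 12 16:29:54.008437 rule 11/0(match): pass in on vlan15: 172.16.8.71.1371 > 128.252.21.6.135: S 1896601042:1896601042(0) win 65520 <mss 1260,nop,nop,sackOK> (DF)
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>-?\d+)/\d+\(\w+\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>[^:]+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+)(?: (?P<seq>\d+):\d+\(\d+\))?"
)
LIST_RE = re.compile(r"\{([^}]*)\}")

def expand_rules(text):
    """Expand { a, b } lists as pfctl does (one rule per member, nested lists as
    the cross product). Assumed: pflog's 'rule N' is the 0-based index here."""
    def expand(line):
        m = LIST_RE.search(line)
        if not m:
            return [line]
        out = []
        for item in m.group(1).split(","):
            if item.strip():
                out.extend(expand(line[:m.start()] + item.strip() + line[m.end():]))
        return out
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rules.extend(expand(line))
    return rules

def parse_pflog(text, rules):
    """Parse pflog lines into dicts and attach the matched rule's text;
    a rule number with no ruleset entry (e.g. -1) gets rule_text None."""
    packets = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a pflog line; skip it
        p = m.groupdict()
        p["rule"] = int(p["rule"])
        p["seq"] = int(p["seq"]) if p["seq"] else None
        p["is_syn"] = p["flags"] == "S" and " ack " not in line  # initial SYN only
        p["rule_text"] = rules[p["rule"]] if 0 <= p["rule"] < len(rules) else None
        packets.append(p)
    return packets

def syn_paths(packets):
    """Group initial SYNs by 4-tuple: the (direction, interface) hops pf logged
    for that SYN and every distinct ISN seen on those hops."""
    paths = {}
    for p in packets:
        if p["is_syn"]:
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            entry = paths.setdefault(key, {"hops": [], "isns": []})
            entry["hops"].append((p["dir"], p["ifname"]))
            if p["seq"] not in entry["isns"]:
                entry["isns"].append(p["seq"])
    return paths

def diagnose(paths):
    """Flag a SYN whose ISN differs between logged copies, and a SYN logged
    coming in more often than going out (it never left the bridge)."""
    findings = {}
    for key, p in paths.items():
        ins = sum(1 for d, _ in p["hops"] if d == "in")
        outs = len(p["hops"]) - ins
        notes = []
        if len(p["isns"]) > 1:
            notes.append("isn-differs")
        if ins > outs:
            notes.append("not-forwarded")
        findings[key] = notes
    return findings

def analyze(log_text, ruleset_text=RULESET):
    """Run the whole pipeline on one tcpdump capture."""
    rules = expand_rules(ruleset_text)
    packets = parse_pflog(log_text, rules)
    paths = syn_paths(packets)
    return packets, paths, diagnose(paths)
```

Run over the keep-state capture, the client's SYN shows four hops (in vlan15, out vlan14, in vlan6, out vlan7) and a single ISN, so `diagnose` reports nothing. Over the modulate-state capture the same SYN is logged on three "in" hops but only one "out" hop and with two different sequence numbers, which is exactly the pair of facts Andy describes as "it just hangs"; the script only surfaces them, it does not explain why modulation interacts this way with a bridge that sees each packet on several interfaces.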