You haven't said which version of FreeBSD you are running. Are you aware that hardware VLAN tagging and promiscuous mode conflict, i.e. you will get packet loss? Have seen this documented for bridges, but it wasn't initially for tcpdump. The 5.4 default is hardware tags off; the 5.3 default is hardware tags on. If you want to monitor on the interface on the firewall (rather than on your switch), hardware tagging must be turned off using ifconfig. We have a similar config that we are testing.
Jason Dixon wrote:

I'm taking a stab in the dark here that someone can think of something silly that I've overlooked. I've been working on a fairly complex ruleset for a network of 10 vlans, all with CARP interfaces. I finally realized, after much chagrin, that the old adage of "always filter on the physical interface" doesn't necessarily apply when you've got vlan(4) and carp(4) involved. After changing all of my nat/binat translations to act on vlan0 (external) and my filter rules to also filter on the vlan interfaces, almost everything is working.

For some reason, I have one vlan that simply refuses to pass traffic *correctly*. I can confirm that the packets are being filtered by the correct rules both inbound on the internal interface and outbound on the external (pass in/out log ... keep state). I can also vouch that the states are being created. However, for some reason, it seems as though the system refuses to "honor" the returning packets. For ping, it sees a few echo replies before issuing a "host unreachable". For tcp, it acts as though the packets were lost and simply retransmits. The only thing I can think of right now is that perhaps it's because I'm filtering in all directions on all interfaces, even though the state policy is left as floating. I don't think this is relevant, however, since this behavior only happens on a single network.

For the time being, I'm going to avoid posting the pf.conf. I know this is a faux pas, but I'm terribly embarrassed to let anyone see it at this point. Once I've re-introduced the anchors, perhaps. :)

Thanks,

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net

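The reply above says hardware VLAN tagging on the parent interface must be off before sniffing (or bridging) on it, and that the FreeBSD 5.3 and 5.4 defaults differ. The following shell snippet is an added example, not from either poster: it checks whether an interface's ifconfig output still lists VLAN_HWTAGGING in its options and prints the ifconfig command that turns it off. The interface name em0, the addresses, and the sample ifconfig output are constructed for illustration; only the `-vlanhwtag` option is the real ifconfig(8) flag.

```shell
#!/bin/sh
# Added example: detect hardware VLAN tagging on a FreeBSD parent interface
# from its ifconfig output, and show the command that disables it.

# hwtag_enabled OUTPUT
# Returns 0 (true) if the ifconfig output in $1 shows VLAN_HWTAGGING among
# the interface options, 1 otherwise.
hwtag_enabled() {
    printf '%s\n' "$1" | grep -q 'options=.*VLAN_HWTAGGING'
}

# disable_hwtag_cmd IFACE
# Prints the ifconfig command that turns hardware tagging off on IFACE,
# so that tcpdump on the parent interface or on its vlan children does not
# drop tagged frames.  Re-enable later with "ifconfig IFACE vlanhwtag".
disable_hwtag_cmd() {
    printf 'ifconfig %s -vlanhwtag\n' "$1"
}

# Constructed sample output (placeholder interface em0, documentation
# addresses); shaped like FreeBSD 5.x ifconfig output, not a real capture.
SAMPLE_EM0_ON='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
        ether 00:00:5e:00:53:01'

# Same interface after "ifconfig em0 -vlanhwtag" (also constructed).
SAMPLE_EM0_OFF='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=3<RXCSUM,TXCSUM,VLAN_MTU>
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
        ether 00:00:5e:00:53:01'

# On a live box you would feed "$(ifconfig em0)" instead of the sample.
if hwtag_enabled "$SAMPLE_EM0_ON"; then
    echo "em0: hardware VLAN tagging is ON; before sniffing run:"
    disable_hwtag_cmd em0
else
    echo "em0: hardware VLAN tagging is already off"
fi
```

Run it as a script to see the check against the constructed sample; on the firewall itself, replace the sample with the real `ifconfig em0` output before deciding whether to run the printed command.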