On 23 Jul 2012, at 01:49, jmat...@clanspum.net wrote:

> A few weeks ago (I've been trying to debug it myself since then) my pf
> firewall stopped working fully correctly. The symptom is that I can no longer
> access a variety of websites when I'm behind the firewall. I have verified
> that I can access all of the affected websites from outside my firewall. I
> have since stripped down my firewall (and general home server) so that it is
> no longer running named, sshguard or any useful firewalling rules in an
> attempt to figure out what was broken, but have been unable to do so.
>
> Attached are my current /etc/pf.conf and /etc/rc.conf; to ensure that these
> are the configurations being used as of my last test, I restarted the system
> and am still getting the same behavior. This behavior started sometime around
> a storm at my house, but since the firewall can see the websites that the
> computers behind it can't, I don't believe the hardware is an issue.
>
> Also, some websites (like anything Google hosts) are just fine.
>
> Also, so people can see what my kernel thinks, I've attached the output of a
> couple of commands below.
>
> [root@ ~]# pfctl -s rules
> No ALTQ support in kernel
> ALTQ related functions disabled
> pass in quick all flags S/SA keep state
> pass out quick all flags S/SA keep state
> [root@ ~]# pfctl -s nat
> No ALTQ support in kernel
> ALTQ related functions disabled
> nat on xl0 inet from 10.11.10.0/24 to any -> 192.168.0.200
> [root@stilgar ~]# ifconfig
> re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
>         ether 90:e6:ba:60:9a:33
>         inet 10.11.10.1 netmask 0xffffff00 broadcast 10.11.10.255
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
> xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=82009<RXCSUM,VLAN_MTU,WOL_MAGIC,LINKSTATE>
>         ether 00:01:03:d1:fa:90
>         inet 192.168.0.200 netmask 0xffffff00 broadcast 192.168.0.255
>         media: Ethernet autoselect (100baseTX <full-duplex,flowcontrol,rxpause,txpause>)
>         status: active
> plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
> ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>         options=3<RXCSUM,TXCSUM>
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
>         inet6 ::1 prefixlen 128
>         inet 127.0.0.1 netmask 0xff000000
>         nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
> pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33152
>
> I would be very appreciative of any suggestions anyone can offer.
>
> Jason Mattax
>
1/ OS version? We can't tell from the current info.

2/ When the problem appears, have you tried disabling PF (pfctl -d)? Does it help?

3/ The websites wouldn't be using connection recycling perchance? (Linux)
We've had a lot of problems with Linux-enabled hosts using recycling; having them turn it off solved the problems. There was not a thing we found on our side to fix it. Disabling scrubbing wouldn't help either.

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"