On 2019-03-29, Rachel Roch <rr...@tutanota.de> wrote:
> Hi,
>
> Has anyone encountered this before ?
>
> Neighbor      AS     MsgRcvd MsgSent OutQ Up/Down  State/PrfRcvd
> EXT-V6-R2     65515       50      40    0 00:02:55 Active
> EXT-V4-R2     65515       38      37    0 00:27:42 1
>
> After approx just over 2 minutes, the V6 flaps, but the V4 remains rock solid.
>
> The boxes are sitting right next to each other, connected over an OpenBSD
> LACP trunk.
>
> I have made the pf rules as simple as possible:
>
> table <my_router_interfaces> counters {self}
> table <bsd_friends> counters {192.0.2.1,2001:DB8::1}
> pass in quick proto {tcp,udp,icmp} from <bsd_friends> to <my_router_interfaces> modulate state
> pass out quick proto {tcp,udp,icmp} from <my_router_interfaces> to <bsd_friends> modulate state
A few tips:

Start with an explicit "block any" rule so you don't have any traffic caught by the implicit "pass flags any no state" default. (If you want some "stateless" traffic, as may often be the case on a BGP router, make it explicit in the ruleset.) Otherwise you risk state being created on something other than a SYN, so PF doesn't know the TCP window scaling value (which is *only* sent on SYN packets), which can result in the connection being killed after some traffic passes (state tracking gets out of sync).

You don't have a rule for icmp6. IPv6's equivalent to ARP runs over icmp6 and you do need a rule for that. It will currently be passed by the implicit default rule, but that will stop when you add "block any".

"modulate state" really isn't as simple as possible ;)
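A ruleset along the lines the reply suggests, added here as an example and not the poster's or the replier's own config; it assumes OpenBSD pf.conf syntax and reuses the table names and peer addresses from the original post:

```pf
# Explicit default deny. Without it, anything the pass rules miss falls
# through to the implicit "pass flags any no state" rule, so a TCP state
# can be created mid-stream without the window-scale option (sent only on
# the SYN) and PF later drops the session once its tracking drifts.
block all

table <my_router_interfaces> counters { self }
table <bsd_friends> counters { 192.0.2.1, 2001:DB8::1 }

# IPv6 neighbor discovery is the ARP equivalent and runs over icmp6 from
# link-local source addresses, so it needs its own rule rather than being
# covered by the tcp/udp/icmp rules that match on the peer tables.
pass quick inet6 proto icmp6 all icmp6-type { neighbrsol, neighbradv, routersol, routeradv }

# BGP session to the peer. A plain "pass" already keeps state on OpenBSD;
# "modulate state" is dropped because it adds ISN rewriting the session
# does not need.
pass in  quick proto tcp from <bsd_friends> to <my_router_interfaces> port bgp
pass out quick proto tcp from <my_router_interfaces> to <bsd_friends> port bgp

# Remaining peer-to-peer traffic (pings in both address families, udp),
# also stateful.
pass in  quick proto { udp, icmp, icmp6 } from <bsd_friends> to <my_router_interfaces>
pass out quick proto { udp, icmp, icmp6 } from <my_router_interfaces> to <bsd_friends>
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `pfctl -ss` for the BGP state entry after the session comes up.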