Hi,
I've been using ipfw(8) for years and have just started with pf(4), but I've hit a pretty simple issue with pf(4) - it just doesn't want to process a straight forward ruleset. What am I missing here?
The server in question is 10.2-STABLE on a HP Proliant server - which gives it dual gbe network interfaces. bge0 is directly connected to my ISP, bge1 is unused (although shared with iLo/IPMI). Everything happens over bge0, it has a primary IPv4 and 1x alias IPv4, both from the same /29 network. All the following tests are to the primary IP.
pf(4) is loaded as modules:
Code:
# kldstat | grep pf
15 2 0xffffffff81428000 2d1ef pf.ko
16 1 0xffffffff81456000 946 pflog.ko
rc.conf is done:
Code:
# grep pf /etc/rc.conf
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
I brought the service up with:
Code:
# service pf start
# service pflog start
I put together a long, detailed config... but that didn't work, so I've gone back to basics. This config works:
Code:
# cat /etc/pf.conf.pass.all.log
pass in log
pass out log
The log shows a successful inbound SMTP test:
Code:
00:00:00.000000 rule 0..16777216/0(match): pass in on bge0: 121.211.w.x.6054 > 103.60.y.z.25: Flags [ S ], seq 3725767078, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2849393702 ecr 0,sackOK,eol], length 0
When I switch to this config:
Code:
# cat /etc/pf.conf.simple
set skip on lo0
pass in log on bge0 proto tcp from any to 103.60.y.z port 25
block in log on bge0 all
pass out on bge0
It results in the SMTP test being dropped, from the log:
Code:
00:00:00.000000 rule 1..16777216/0(match): block in on bge0: 121.211.w.x.56475 > 103.60.y.z.25: Flags [ S ], seq 897074830, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 2849823236 ecr 0,sackOK,eol], length 0
Why is that? Here's how the rule looks:
Code:
# pfctl -Psr
pass in log on bge0 inet proto tcp from any to 103.60.y.z port = 25 flags S/SA keep state
block drop in log on bge0 all
pass out on bge0 all flags S/SA keep state
Maybe I've been looking at this for too long... I can't see the issue. Sorry if it's obvious. I'd appreciate if someone could point it out.
Thanks.
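The difference between the two rulesets comes down to pf's evaluation order, which the toy model below reproduces (added here as an illustration; it is not code from the post or from pf itself): pf evaluates the whole ruleset and the last matching rule wins unless a matching rule carries the `quick` keyword, whereas ipfw stops at the first match. It assumes only the rule subset used in the post, treats the poster's masked address 103.60.y.z as a literal string, and ignores `set skip`, `log` and `flags`.

```python
# Toy model of pf's documented rule evaluation, added here as an illustration
# (not code from the post or from pf): every rule is evaluated, the LAST match
# wins, and a matching rule marked 'quick' stops evaluation; ipfw stops at the
# first match. Rules and the SMTP SYN are the post's; log/flags are ignored.
from collections import namedtuple

Packet = namedtuple("Packet", "direction iface proto dst dport")
def parse_rule(line):
    """Parse the pf subset used in the post into a dict of match criteria."""
    tok = line.split()
    rule = {"action": tok[0], "direction": tok[1], "quick": "quick" in tok,
            "iface": None, "proto": None, "dst": None, "dport": None}
    for i, word in enumerate(tok[:-1]):
        if word == "on":
            rule["iface"] = tok[i + 1]
        elif word == "proto":
            rule["proto"] = tok[i + 1]
        elif word == "to":
            rule["dst"] = tok[i + 1]
        elif word == "port":
            rule["dport"] = int(tok[i + 1])
    return rule

def matches(rule, pkt):
    """True when every criterion the rule specifies agrees with the packet."""
    return (rule["direction"] == pkt.direction
            and rule["iface"] in (None, pkt.iface)
            and rule["proto"] in (None, pkt.proto)
            and rule["dst"] in (None, "any", pkt.dst)
            and rule["dport"] in (None, pkt.dport))

def evaluate(ruleset, pkt):
    """Return (rule number, action) the way pf decides it for pkt."""
    winner = (None, "pass")  # pf's implicit default when nothing matches
    for n, line in enumerate(ruleset):
        rule = parse_rule(line)
        if matches(rule, pkt):
            winner = (n, rule["action"])  # later matches override earlier ones
            if rule["quick"]:
                break                     # 'quick' makes this match final
    return winner

# The inbound SMTP SYN from the post's pflog output (addresses as masked there)
SMTP_SYN = Packet("in", "bge0", "tcp", "103.60.y.z", 25)
PASS_RULE = "pass in log on bge0 proto tcp from any to 103.60.y.z port 25"
POSTED = [PASS_RULE, "block in log on bge0 all", "pass out on bge0"]
# Two ways to make the pass rule win: put the catch-all block first, or add quick
BLOCK_FIRST = ["block in log on bge0 all", PASS_RULE, "pass out on bge0"]
QUICK = [PASS_RULE.replace("log", "log quick")] + POSTED[1:]
```

Running `evaluate(POSTED, SMTP_SYN)` yields rule 1 (block), matching the `rule 1..16777216/0(match): block in` line in the pflog output, while the reordered and `quick` variants both let the SMTP rule win.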