Hello.
Recently I upgraded from 9.1 to 10 and got a lot of problems. I hoped all of them were fixed now, but this one looks tricky.
I found that several times I hit the state limit of pf and rewrote the jail rules as no state. I turned on logging of all blocked packets to see if everything was running smoothly and forgot to disable it.
Recently I found the log file was rather huge.
Most of its entries referenced blocked external https transmissions (in and out). That was very strange, as outgoing https access is open on the external interface.
Code:
block in on re0: xxx.xxx.xxx.xxx.443 > xxx.xxx.xxx.xxx.62063: Flags [P.], seq 1460:2423, ack 1, win 32768, length 963
I looked at the application logs and found strange connectivity problems accessing https ports. I can describe them as random failures, sometimes in the middle of the session.
I'm not sure this is a FreeBSD 10 feature, but the application logs say connectivity was OK before. I suspect wrong NATing.
1. The external interface uses 2 aliases.
2. The ftp/curl library with keep-alive is used.
Here are parts of my pf config
Code:
tcp_out = "{ 22, 23, 80, 443, 9090, spamd, spamd-cfg }" #Allowed outgoing ports
#NAT Jail traffic
nat pass on $ext from $jail:network to any -> $ext
pass out quick on $ext inet proto tcp from $ext:network to any port $tcp_out keep state #TCP POLICY
I suspect that my problem lies in
-> $ext
of the NAT rule. If I understand correctly, pf will use a random alias of the $ext interface every time it NATs traffic, and sometimes the IP is not in the state table. The pf log above shows it: the connection was established with port 443, but the reply hit another IP and triggered the block log all rule. Am I guessing correctly?
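The log line quoted in the post can be checked in bulk rather than by eye. The Python script below is an added diagnostic example, not part of the original post: it parses pflog lines in the tcpdump format shown above, keeps only blocked inbound packets whose source port is a service port such as 443 (that is, replies from remote servers), and counts them per local destination address. If the drops are spread over more than one address of re0, replies are arriving on an address that holds no state for their session. The interface name re0 comes from the post; the sample lines and all addresses in them are constructed.

```python
"""Group blocked HTTPS replies in a pflog dump by the local address they hit.

Added diagnostic example; it is not part of the original post. It reads lines
in the format produced by `tcpdump -n -e -ttt -r /var/log/pflog` (the same
format as the line quoted in the post). All addresses below are constructed.
"""
import re
from collections import Counter

# Matches the TCP part of a pflog line. `search` (not `match`) is used so the
# "rule N/0(match): " prefix that tcpdump -e prints in front of "block in"
# does not matter.
PFLOG_RE = re.compile(
    r"(?P<action>block|pass) (?P<direction>in|out) on (?P<iface>\w+): "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample: three dropped replies from port 443 (one of them to an
# alias address), plus lines that must be ignored (a blocked SYN towards sshd,
# a passed outbound packet, and a line that is not a TCP record at all).
SAMPLE_LOG = [
    "block in on re0: 203.0.113.10.443 > 198.51.100.5.62063: Flags [P.], seq 1460:2423, ack 1, win 32768, length 963",
    "rule 3/0(match): block in on re0: 203.0.113.10.443 > 198.51.100.6.62064: Flags [.], ack 2423, win 32768, length 0",
    "block in on re0: 203.0.113.20.443 > 198.51.100.5.50112: Flags [F.], seq 1, ack 1, win 1024, length 0",
    "block in on re0: 192.0.2.77.51000 > 198.51.100.5.22: Flags [S], seq 0, win 65535, length 0",
    "pass out on re0: 198.51.100.5.62063 > 203.0.113.10.443: Flags [S], seq 0, win 65535, length 0",
    "this line is not a TCP pflog record",
]


def parse_pflog_line(line):
    """Return the fields of one TCP pflog line as a dict, or None if the line
    does not look like one (non-TCP records, truncated lines, noise)."""
    m = PFLOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def blocked_replies_by_local_addr(lines, iface="re0", service_ports=(443,)):
    """Count blocked inbound packets whose *source* port is a service port,
    i.e. replies from a remote server, keyed by the local address they were
    sent to. Other interfaces, passed packets and blocked connection attempts
    towards local services are ignored."""
    counts = Counter()
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is None:
            continue
        if rec["action"] != "block" or rec["direction"] != "in":
            continue
        if rec["iface"] != iface or rec["sport"] not in service_ports:
            continue
        counts[rec["dst"]] += 1
    return dict(counts)


def translation_looks_unstable(counts):
    """True when dropped replies are spread over more than one local address:
    sessions were opened from one address and answered to another."""
    return len(counts) > 1


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG
    by_addr = blocked_replies_by_local_addr(lines)
    for addr, n in sorted(by_addr.items(), key=lambda kv: -kv[1]):
        print(f"{addr:16s} {n:6d} dropped replies")
    if translation_looks_unstable(by_addr):
        print("replies land on several local addresses: check the NAT translation address")
```

Run it as `python3 pflog_replies.py <(tcpdump -n -e -ttt -r /var/log/pflog)` to feed it the real pflog; with no argument it runs over the constructed sample. Filtering on the source port rather than the destination port is what separates server replies from blocked inbound connection attempts, which would otherwise dominate the count on a logging-all-blocks firewall.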
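On the NAT rule itself, the pf.conf fragment below is an added example, not the poster's configuration, showing the rule as posted next to two ways of keeping the translation address stable. Using a bare interface name as the translation address expands to every address on that interface; with more than one address pf treats the result as an address pool and distributes new states across it (round-robin unless another pool option is given), so different states from the same jail can leave with different source addresses. A state created from one address matches nothing when a reply is addressed to another, and that reply falls through to whatever `block log all` rule follows. The `:0` modifier (exclude aliases), the parenthesised dynamic-address form and the `sticky-address` pool option are all documented in pf.conf(5). The example assumes re0 is the external interface with one primary address and one alias and that $jail names the jail interface; the addresses mentioned in comments are constructed.

```pf
# Added example; not the configuration from the post. Assumes re0 is the
# external interface carrying 198.51.100.5 (primary) and 198.51.100.6
# (alias), both constructed, and that jails live on lo1.
ext  = "re0"
jail = "lo1"

# As posted. "$ext" expands to every address on re0; with two addresses pf
# uses them as a pool and hands out the translation address round-robin per
# new state unless another pool option is given.
# nat pass on $ext from $jail:network to any -> $ext

# Option 1: always translate to the primary address. ":0" leaves the aliases
# out, and the parentheses make pf track the address at run time instead of
# fixing it when the ruleset is loaded.
nat pass on $ext from $jail:network to any -> ($ext:0)

# Option 2: keep both addresses in the pool but pin every source address to
# the translation address it was first given, for as long as it has states.
# A keep-alive client then never changes source address mid-session.
# nat pass on $ext from $jail:network to any -> $ext round-robin sticky-address
```

After changing the rule, `pfctl -f /etc/pf.conf` reloads it and `pfctl -s state | grep ':443'` shows which local address each outgoing HTTPS state is now bound to; every state for a given jail source should show the same translated address. With option 1 the count of dropped port-443 replies in the pflog should stop growing on the alias address entirely.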