Solved PF not working after upgrading to 12-STABLE

Hello,

I have multiple FreeBSD machines as firewall/gateway in many locations. All were using 11.2-STABLE and working fine since first installation. Yesterday I upgraded them all to 12-STABLE (344664); the upgrade succeeded and everything works fine.

After reboot, PF is not working at all; it's like it's been disabled somehow, and it's not capturing any packets now.

pfctl -si
State Table                          Total             Rate
  current entries                        0
  searches                               0            0.0/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                                  0            0.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s

I tried to disable/enable, restart, etc... dead end. Is there anything I missed here? I didn't change any configuration; the upgrade was fresh.

Thanks guys.
 
These are the rules. May I remind you that these rules worked fine on the previous installation, and also, there are no PF errors when parsing.

Code:
# #############################
# ##### Section 1: MACROS #####
# #############################
#
wan_if = "vlan420 vlan421 vlan901 vlan902 vlan903 vlan904"
skip_if = "lo tap tun vlan210"
TCP_DROP = "0, 7, 9, 13, 17, 19, 69, 111, 135:139, 389, 445, 547, 1433, 1444, 1900"
UDP_DROP = "0:52, 38:52, 54:67, 69:112, 114:122, 124:160, 162:442, 389, 444:449, 501:1024"
WIN_DROP = "135, 137, 138, 139, 411, 445, 552, 800, 1080, 1214, 1433, 2283, 2535, 2745, 3127, 3128, 3410, 4662, 4672, 5554, 6158, 6881:6889, 8787, 9898, 10080, 12345, 12346, 15118, 17300, 20034, 31337, 31338, 54320, 53321"

# #############################
# ##### Section 2: TABLES #####
# #############################
table <ext_block> persist
table <RFC6890> persist file "/etc/pf/rfc6890.txt"
table <attacks> persist file "/etc/pf/attacks.netset"
table <malware> persist file "/etc/pf/malware.netset"
table <ext_blacklist> persist file "/etc/pf/ext_blacklist.txt"
table <ext_whitelist> persist file "/etc/pf/ext_whitelist.txt"
table <sshguard> persist
table <idps_in> persist
table <idps_out> persist
table <ext_lan> persist file "/etc/pf/ext_lan.txt"
table <ext_bgp> const { 111.111.111.111, 2001:2001:2001::1 }

# #####################################
# ##### Section 3: GLOBAL OPTIONS #####
# #####################################
#
set block-policy drop
set fingerprints "/etc/pf.os"
set limit { frags 10000, src-nodes 100000, states 1250000, table-entries 500000 }
set loginterface vlan
set optimization aggressive
set ruleset-optimization basic
set skip on { $skip_if }
set state-policy floating
set timeout { interval 10, frag 10 }
set timeout { tcp.first 15, tcp.opening 10, tcp.established 3600, tcp.closing 10, tcp.finwait 15, tcp.closed 15 }
set timeout { udp.first 60, udp.single 15, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }

# ############################################
# ##### Section 4: TRAFFIC NORMALIZATION #####
# ############################################
#
scrub all fragment reassemble random-id no-df

# #####################################
# ##### Section 5: QUEUEING RULES #####
# #####################################

# ##############################################
# ##### Section 6: TRANSLATION RULES (NAT) #####
# ##############################################

# ###################################
# ##### Section 7: FILTER RULES #####
# ###################################
#
antispoof log quick for { $wan_if }
block in log quick from { urpf-failed no-route } to any
pass in  log quick inet6 proto ipv6-icmp from {any} to {any} icmp6-type {1,2,135,136} keep state label "IPv6 requirements (ICMP)"
pass out log quick inet6 proto ipv6-icmp from {fe80::/10} to {fe80::/10,ff02::/16} icmp6-type {129,133,134,135,136} keep state label "IPv6 requirements (ICMP)"
pass in  log quick inet6 proto ipv6-icmp from {fe80::/10} to {fe80::/10,ff02::/16} icmp6-type {128,133,134,135,136} keep state label "IPv6 requirements (ICMP)"
pass in  log quick inet6 proto ipv6-icmp from {ff02::/16} to {fe80::/10} icmp6-type {128,133,134,135,136} keep state label "IPv6 requirements (ICMP)"
block in  log quick on { $wan_if } from { <ext_block> } to { any } label "Temporary external blacklist"
block out log quick on { $wan_if } from { any } to { <ext_block> } label "Temporary external blacklist"
pass in  log quick on { $wan_if } from { <ext_lan> } to { any } keep state label "Trusted network"
pass out log quick on { $wan_if } from { any } to { <ext_lan> } keep state label "Trusted network"
block in  log quick on { $wan_if } from { <RFC6890> } to { any } label "DROP: RFC6890 Special-Purpose IP Address Registries"
block out log quick on { $wan_if } from { any } to { <RFC6890> } label "DROP: RFC6890 Special-Purpose IP Address Registries"
pass  in quick on { $wan_if } inet proto { udp } from { 164.67.62.194 } to { any } port { 123 }
block in quick on { $wan_if } inet proto { udp } from { any } port { 123 } to { any }
block in quick on { $wan_if } inet proto { udp } from { any } to { any } port { 123 }
pass in  log quick on { $wan_if } from { <ext_whitelist> } to any keep state label "Permanent whitelist"
pass out log quick on { $wan_if } from any to { <ext_whitelist> } keep state label "Permanent whitelist"
block in  log quick on { $wan_if } from { <attacks>, <malware> } to { any } label "FireHOL Threats Database"
block out log quick on { $wan_if } from { any } to { <attacks>, <malware> } label "FireHOL Threats Database"
block in  log quick on { $wan_if } proto { tcp } from { !<ext_bgp> } to any port { 179 } label "DROP: Incoming BGP"
block in  log quick on { $wan_if } from { <ext_blacklist> } to any label "DROP: Dynamic Block List"
block out log quick on { $wan_if } from any to { <ext_blacklist> } label "DROP: Dynamic Block List"
block in  log quick on { $wan_if } from { <sshguard> } to any label "DROP: SSH bruteforce"
block in  log quick on { $wan_if } from { <idps_in> } to { any }  label "IDPS captured incoming packet"
block out log quick on { $wan_if } from { any } to { <idps_out> } label "IDPS captured outgoing packet"
block log quick on { $wan_if } proto { tcp } from any port { $TCP_DROP } to any label "TCP $srcport"
block log quick on { $wan_if } proto { tcp } from any to any port { $TCP_DROP } label "TCP $dstport"
block log quick on { $wan_if } proto { udp } from any port { $UDP_DROP } to any label "UDP $srcport"
block log quick on { $wan_if } proto { udp } from any to any port { $UDP_DROP } label "UDP $dstport"
block log quick proto { tcp, udp } from any os "Windows" to any port { $WIN_DROP } label "DROP: Windows"
pass quick all
 
Do pfctl -sr and pfctl -ss give you predictable output? Add -vv as well.

Every line shows this:
Code:
[ Evaluations: 0         Packets: 0         Bytes: 0           States: 0  ]

And also check what tcpdump -s0 -pnli pflog0 gives you, if anything.

You are certain that the pf service hasn't only started but also actually activated the pf.conf?

tcpdump -s0 -pnli pflog0 gives nothing; it just gets stuck there. And yes, pf is started; I tried pfctl -e and it says it is already enabled.

I'm pretty sure you're running into an issue introduced by r343287 in CURRENT, and recently MFCd (in r344026). I've MFCd the missing fix for that in r344712.

You can update, or avoid using interface groups in 'set skip'.
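As an added example (not code from the thread or from the FreeBSD project), a small POSIX sh script that makes the two checks discussed above repeatable: it counts the rules in `pfctl -sr -vv` output whose Evaluations counter is non-zero (all zeros after traffic has flowed is the "enabled but dead" symptom the poster reported), and it flags names in a `set skip on` line that are interface groups rather than interfaces, which is what the suggested workaround removes. In the poster's ruleset, `lo`, `tap` and `tun` in `skip_if` are group names (every FreeBSD interface belongs to the group named after its driver), while `vlan210` is an interface. The sample `pfctl` outputs are constructed, and the interface-versus-group rule is a heuristic assumption documented in the code.

```sh
#!/bin/sh
# Added example, not from the thread: offline checks for the "pf enabled but
# nothing filtered" symptom. Replace the sample variables with real
# `pfctl -sr -vv` output / a pf.conf 'set skip' line to use them live.

# Constructed sample: the all-zero rule counters seen right after the upgrade.
DEAD_RULES='pass in quick all
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1234 State Creations: 0     ]'

# Constructed sample: counters after the fix (first rule evaluated, second not).
LIVE_RULES='block drop log quick proto tcp from any os "Windows" to any port = amanda label "DROP: Windows"
  [ Evaluations: 49414     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 20698 State Creations: 0     ]
pass quick all
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 20698 State Creations: 0     ]'

# Print how many rules in `pfctl -sr -vv` output have Evaluations > 0.
# If every rule reports 0 after traffic has crossed the box, pf is not seeing
# packets at all, whatever `pfctl -e` says about being enabled.
count_evaluated_rules() {
  printf '%s\n' "$1" |
    awk '$1 == "[" && $2 == "Evaluations:" && $3 + 0 > 0 { n++ } END { print n + 0 }'
}

# Print the tokens of a 'set skip on { ... }' line that look like interface
# groups. Heuristic (an assumption, not a pf rule): a FreeBSD interface name
# ends in its unit number (lo0, vlan210); a group name does not (lo, tap, tun).
# Macros are not expanded, so pass the literal list. Confirm a suspected group
# with `ifconfig -g <name>`, which lists the group's member interfaces.
skip_groups() {
  printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*set[[:space:]]*skip[[:space:]]*on[[:space:]]*//p' |
    tr -d '{}' |
    tr ' ' '\n' |
    grep -v '^$' |
    grep -v '[0-9]$' |
    tr '\n' ' ' |
    sed 's/ $//'
}

# Demonstration on the constructed samples.
printf 'rules evaluated (broken box): %s\n' "$(count_evaluated_rules "$DEAD_RULES")"
printf 'rules evaluated (fixed box):  %s\n' "$(count_evaluated_rules "$LIVE_RULES")"
printf 'interface groups in set skip: %s\n' "$(skip_groups 'set skip on { lo tap tun vlan210 }')"
```

Zero evaluated rules combined with a `pfctl -si` state table that never grows is the signature from this thread; a non-empty `skip_groups` result points at the `set skip` workaround until the fixed kernel and pfctl are installed.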

Many thanks, I just finished updating the source tree, it gives me r344715 now.

I see new files that seem related to pf:
Code:
U    /usr/src/sbin/pfctl/pfctl_parser.c
U    /usr/src/sys/netpfil/pf/pf_norm.c

I'll update and let you guys know later.

Thanks guys!!
 
Kudos guys! It's working now after updating to r344715 and make install in /usr/src/sbin. Everything went back to normal... thank you all for your help!

Code:
block drop log quick proto tcp from any os "Windows" to any port = amanda label "DROP: Windows"
  [ Evaluations: 49414     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 20698 State Creations: 0     ]
Code:
State Table                          Total             Rate
  current entries                      673              
  searches                         2323357         2676.7/s
  inserts                            38206           44.0/s
  removals                           37531           43.2/s
 
Do you have any "solid" reasons to run FreeBSD Stable instead of FreeBSD Release?
Please don't be misled by the name "FreeBSD Stable".

FreeBSD stable doesn't mean it is stable or more stable than the FreeBSD release.
"STABLE" is the opposite of "CURRENT". In CURRENT nothing is frozen. New components can be added for experiment, but this doesn't mean the component will be integrated in future releases. Components can be removed without notice.

"STABLE" means that world has been frozen to maintain interoperability with the FreeBSD release, so binaries are compatible.
In short, FreeBSD stable is a development branch for the future release branches....
So FreeBSD stable is probably today an alpha/beta development of the upcoming FreeBSD 12.1, the FreeBSD releases being 12.0 and 11.2, and FreeBSD CURRENT being 13.

So this doesn't mean at all that it is "stable" in the common meaning, and you must keep that in mind.
Other issues may occur in the future; it is pretty dangerous to use such a version in production (but less dangerous than using CURRENT).
Let's say that "STABLE" may be acceptable when development reaches the "Beta" status.

If you have been mistaken by the name, I would advise you to switch to the "real" FreeBSD stable, i.e. FreeBSD release 12.0.
One can sometimes choose the stable branch to take advantage of very new drivers.... but FreeBSD Stable will never add major functionalities.

If you knew that... sorry, but this is a very common mistake, so it is important to remind people of it from time to time.
As you are a new member of this forum... we can wonder if you really understood that before you switched.
 
Yes, I understand about the branches, and in -STABLE there will be bugs and improvements along the way. I have my own reasons for using the -STABLE branch. I've been using this branch since FreeBSD 6 or 7, as far as I can remember. I've found issues that put me in a hard way many times, especially with hardware drivers, though this is the first time with PF.

And yes, I'm sorry I never registered in the forum before; I've been a FreeBSD user since 2001.

Thank you for your concern and reminder though.
 