PF synproxy broken in 11-STABLE

gustopn (Member)

#1
So, while updating lately to FreeBSD 11.2-STABLE #8 r336299: Sun Jul 15 03:39:01 CEST 2018, I noticed that I can reproduce the synproxy failure. I see that they have been fiddling around with this in 12 and that they seemed to fix it (MAYBE, I have not tested that yet).
Connections get stuck in PROXY:DST until they time out.
However, it luckily works some of the time, so that I could SSH into my server. And now I am first going to change that to keep state.

Looks like there was a bug report before:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229477
and of course the commit log:
https://freshbsd.org/commit/freebsd/r336275

gustopn (OP, Member)

#2
OK, I tested the latest 12, and synproxy seems to work now there; it would be nice to move these changes to 11-stable.

gustopn (OP, Member)

#6
FreeBSD 11.2-STABLE #9 r336597 here, and I can NOT confirm working synproxy. It seems to be still broken.
Furthermore, set skip on lo does not work; it needs set skip on lo0 for pf not to firewall on localhost.

mickey (Well-Known Member)

#7
> Furthermore, set skip on lo does not work; it needs set skip on lo0 for pf not to firewall on localhost.

I stumbled upon that one too. I had set skip on lo in my pf.conf for quite some time. Then, after upgrading to releng 11.2 and rebooting the machine, I noticed there were packets dropped on the lo0 interface. This stopped when I manually reloaded pf.conf, well, at least until the next reboot. Ultimately I had to change set skip on lo to set skip on lo0.

gustopn (OP, Member)

#8
> I stumbled upon that one too. I had set skip on lo in my pf.conf for quite some time. Then, after upgrading to releng 11.2 and rebooting the machine, I noticed there were packets dropped on the lo0 interface. This stopped when I manually reloaded pf.conf, well, at least until the next reboot. Ultimately I had to change set skip on lo to set skip on lo0.

see

gustopn (OP, Member)

#9
Actually it is worse, because on 11-stable I can safely test it by turning set skip on lo0 and lo on and off: it drops on lo and doesn't filter on lo0.

mickey (Well-Known Member)

#10
> Actually it is worse, because on 11-stable I can safely test it by turning set skip on lo0 and lo on and off: it drops on lo and doesn't filter on lo0.

With set skip on lo, which is the interface group, it is not supposed to perform filtering on any lo[0-9]+ interface.
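As an added example (not code from this thread or from pf itself), the script below parses a constructed `pfctl -ss` dump and surfaces the two symptoms the posts describe: TCP states stuck in the synproxy PROXY:DST stage, and states bound to lo0 even though the ruleset said `set skip on lo`, which, as the interface group, should have covered every lo[0-9]+ interface. The sample state lines and the skip lists are constructed for the example.

```python
import re

# Constructed sample of `pfctl -ss` output (not taken from the thread); columns are
# <if> <proto> <dst>:<port> <- <src>:<port> <state>:<state>.
SAMPLE_STATES = """\
all tcp 192.0.2.10:22 <- 198.51.100.7:51234       PROXY:DST
all tcp 192.0.2.10:22 <- 198.51.100.8:51300       PROXY:DST
all tcp 192.0.2.10:22 <- 198.51.100.9:40011       ESTABLISHED:ESTABLISHED
lo0 tcp 127.0.0.1:8080 <- 127.0.0.1:60222         ESTABLISHED:ESTABLISHED
em0 udp 192.0.2.10:53 <- 198.51.100.5:5353        MULTIPLE:MULTIPLE
"""

def parse_states(text):
    """Return (iface, proto, endpoints, state) tuples from pfctl -ss output."""
    states = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or ":" not in tok[-1]:
            continue  # blank, header or otherwise unexpected line
        states.append((tok[0], tok[1], " ".join(tok[2:-1]), tok[-1]))
    return states

def pending_synproxy(states):
    """States still inside the synproxy handshake (PROXY:SRC or PROXY:DST).
    PROXY:DST is the stage the thread reports connections getting stuck in."""
    return [s for s in states if s[3].startswith("PROXY:")]

def skip_matches(skip_entry, iface):
    """'lo0' names one interface; 'lo' (no unit number) is the interface
    group and is meant to cover every lo[0-9]+, as the last post explains."""
    if skip_entry[-1].isdigit():
        return iface == skip_entry
    return re.fullmatch(re.escape(skip_entry) + r"\d+", iface) is not None

def states_on_skipped_ifaces(states, skip_list):
    """pf creates no state on a skipped interface, so a state bound to one
    means the skip did not take effect (floating 'all' states are ignored)."""
    return [s for s in states
            if s[0] != "all" and any(skip_matches(e, s[0]) for e in skip_list)]

if __name__ == "__main__":
    st = parse_states(SAMPLE_STATES)
    for s in pending_synproxy(st):
        print("pending synproxy handshake:", *s)
    for s in states_on_skipped_ifaces(st, ["lo"]):
        print("state on an interface 'set skip on lo' should cover:", *s)
```

On a live box, feed it `pfctl -ss` output and the `set skip on` list from pf.conf; an empty second list after a reboot is what a working interface-group skip looks like.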
 