PF unbound can’t forward requests from localhost to public DNS servers after PF reload


shinx

#27
Code:
$ sudo pfctl -sr
block drop in log all
block drop in quick inet6 all
pass out quick all flags S/SA keep state
block drop in on lagg1 all
block drop in on ix0 all
block drop in on lagg0 all
pass in on egress inet proto tcp from <__automatic_8698683c_0> to (egress) port = ssh flags S/SA keep state
pass in on egress inet proto tcp from <__automatic_8698683c_1> to (egress) port = 8080 flags S/SA keep state
pass in on lagg0 inet proto tcp from <__automatic_8698683c_6> to any port = ssh flags S/SA keep state
pass in on lagg0 inet proto tcp from <__automatic_8698683c_7> to any port = 8080 flags S/SA keep state
pass in on lagg0 inet proto tcp from any to any port = http flags S/SA keep state
pass in on lagg0 inet proto tcp from any to any port = https flags S/SA keep state
pass in on lagg0 inet proto tcp from <censored_public_ip> to any port = bgp flags S/SA keep state
pass in on lagg0 inet proto tcp from 172.16.55.10 to any flags S/SA keep state
pass in on lagg1 inet proto tcp from <__automatic_8698683c_2> to any port = ssh flags S/SA keep state
pass in on lagg1 inet proto tcp from <__automatic_8698683c_3> to any port = 8080 flags S/SA keep state
pass in on lagg1 inet proto tcp from any to any port = http flags S/SA keep state
pass in on lagg1 inet proto tcp from any to any port = https flags S/SA keep state
pass in on ix0 inet proto tcp from <__automatic_8698683c_4> to any port = ssh flags S/SA keep state
pass in on ix0 inet proto tcp from <__automatic_8698683c_5> to any port = 8080 flags S/SA keep state
pass in on ix0 inet proto tcp from any to any port = http flags S/SA keep state
pass in on ix0 inet proto tcp from any to any port = https flags S/SA keep state
pass in on lagg0 inet proto udp from 172.16.55.10 to any keep state
pass in inet proto icmp all icmp-type echoreq keep state
 

shinx

#31
Do I still have to add pass quick on lo0 all if I have set skip on lo in place?

I will try that out and revert back here. Thanks.
 

VladiBG

#32
It's the same: set skip on lo0 will actually add pass quick on lo0 all to your rules.

You have to add the interface number, for example lo0, lo1, etc.

You can check the output of ifconfig.
 

shinx

#34
It's the same: set skip on lo0 will actually add pass quick on lo0 all to your rules.

You have to add the interface number, for example lo0, lo1, etc.

You can check the output of ifconfig.
I tried specifying lo0 previously, and I got a segmentation fault.

Code:
$ sudo pfctl -f /etc/pf.conf
Segmentation fault
Also, the output of pfctl -sr does not show pass quick on lo0 all after specifying lo0 in /etc/pf.conf:
Code:
$ sudo pfctl -sr
block drop in log all
block drop in quick inet6 all
pass out quick all flags S/SA keep state
block drop in on lagg1 all
block drop in on ix0 all
block drop in on lagg0 all
pass in on egress inet proto tcp from <__automatic_8ac0178_0> to (egress) port = ssh flags S/SA keep state
pass in on egress inet proto tcp from <__automatic_8ac0178_1> to (egress) port = 8080 flags S/SA keep state
pass in on lagg0 inet proto tcp from <__automatic_8ac0178_6> to any port = ssh flags S/SA keep state
pass in on lagg0 inet proto tcp from <__automatic_8ac0178_7> to any port = 8080 flags S/SA keep state
pass in on lagg0 inet proto tcp from any to any port = http flags S/SA keep state
pass in on lagg0 inet proto tcp from any to any port = https flags S/SA keep state
pass in on lagg0 inet proto tcp from <censored_public_ip> to any port = bgp flags S/SA keep state
pass in on lagg0 inet proto tcp from 172.16.55.10 to any flags S/SA keep state
pass in on lagg1 inet proto tcp from <__automatic_8ac0178_2> to any port = ssh flags S/SA keep state
pass in on lagg1 inet proto tcp from <__automatic_8ac0178_3> to any port = 8080 flags S/SA keep state
pass in on lagg1 inet proto tcp from any to any port = http flags S/SA keep state
pass in on lagg1 inet proto tcp from any to any port = https flags S/SA keep state
pass in on ix0 inet proto tcp from <__automatic_8ac0178_4> to any port = ssh flags S/SA keep state
pass in on ix0 inet proto tcp from <__automatic_8ac0178_5> to any port = 8080 flags S/SA keep state
pass in on ix0 inet proto tcp from any to any port = http flags S/SA keep state
pass in on ix0 inet proto tcp from any to any port = https flags S/SA keep state
pass in on lagg0 inet proto udp from 172.16.55.10 to any keep state
pass in inet proto icmp all icmp-type echoreq keep state
However, I tried adding pass quick on lo0 all to /etc/pf.conf, and I was able to verify it is in the ruleset by running pfctl -sr.

Code:
block drop in log all
block drop in quick inet6 all
pass out quick all flags S/SA keep state
pass quick on lo0 all flags S/SA keep state
block drop in on lagg1 all
block drop in on ix0 all
block drop in on lagg0 all
---- codes removed for brevity purposes
And the issue seems to go away.
Code:
$ sudo pfctl -f /etc/pf.conf
$ drill @127.0.0.1 google.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 35942
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; google.com.    IN    A

;; ANSWER SECTION:
google.com.    260    IN    A    172.217.27.238

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 127.0.0.1
;; WHEN: Wed Oct 31 16:07:49 2018
;; MSG SIZE  rcvd: 44
Next question: do I still have to keep set skip on lo? Both rules seem to serve the same purpose, except that set skip on lo is causing the DNS problem and pass quick on lo0 all is not.
 

shinx

#36
What is the name of your loopback interface? Post the output of ifconfig | grep lo
It is lo0...

Code:
$ ifconfig | grep lo
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5 
    groups: lo 
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
    groups: pflog
 

VladiBG

#37
The segmentation fault can be caused by sudo or by pfctl. Can you try the same config, but instead of using sudo, use su first to log in as root and then restart pf with /etc/rc.d/pf? If you get a segfault again, then you may want to rebuild your 11.2-STABLE or switch to 11.2-RELEASE.
 

shinx

#38
The segmentation fault can be caused by sudo or by pfctl. Can you try the same config, but instead of using sudo, use su first to log in as root and then restart pf with /etc/rc.d/pf? If you get a segfault again, then you may want to rebuild your 11.2-STABLE or switch to 11.2-RELEASE.
Tried using su, but to no avail.

Tested on another test machine freshly installed with 11.2-STABLE; it's having the same problem too.

The only way that seems to work is adding pass quick on lo0 all, but that would keep states and maybe use up more resources, I guess?
 

shinx

#39
I'm running 11.2-STABLE:
Sir, can you do the following steps as I did and see whether you are able to reproduce the same errors on your side, please?

Code:
## make sure local_unbound dns is forwarding requests without errors
$ drill @127.0.0.1 google.com

## add/change config in /etc/pf.conf and save it
set skip on lo

## reload pf config
$ sudo pfctl -f /etc/pf.conf

## testing on local_unbound dns again
$ drill @127.0.0.1 google.com

## change config in /etc/pf.conf and save it
set skip on lo0

## issue usually happens on the first time (segfault)
## reload pf config
$ sudo pfctl -f /etc/pf.conf

## run test on local_unbound DNS
$ drill @127.0.0.1 google.com

## if the DNS test failed, reload the pf.conf once more
$ sudo pfctl -f /etc/pf.conf

## run test on local_unbound DNS (it should work now)
$ drill @127.0.0.1 google.com
 

VladiBG

#40
OK, I can confirm that changing the skip interface from
set skip on lo
to
set skip on lo0
and reloading pf using /etc/rc.d/pf reload causes a segmentation fault on 11.2-STABLE #0 r33973.

If you stop and start pf again, it will load without problem. In addition, you can check which interfaces are skipped using the following command:

pfctl -vv -sI

The right way to reload the rules is:
pfctl -F all -f /etc/pf.conf
 

ShelLuser

#41
Also, I have tried set skip on lo0 previously as suggested by ShelLuser, and the problem still persists.
That's not what you said earlier:

Code:
set skip on lo0
This works perfectly; it seems my unbound is able to forward requests from localhost to public DNS servers even after I reload the PF config. Thank you so much!
... which is also why I gave up on this thread. You have a working solution to the problem (not the segmentation fault of course, that's a different beast), yet you still insist on using lo while knowing that it doesn't work. I don't get that.
 

shinx

#42
I did mention I have reverted back to set skip on lo so that it does not produce a segmentation fault, and all I have to do is reload the config twice for the DNS to work as it used to.
Looks like the problem is not caused by the code...
I have reverted the changes to
Code:
set skip on lo
and reloading the PF config twice makes it work perfectly as it used to.
Anyway, I am still learning and trying to figure out the best solution that works for me. And I have come to the solution that set skip on lo0 works best for me.

Appreciate your inputs too. Cheers!
 

shinx

#43
OK, I can confirm that changing the skip interface from
set skip on lo
to
set skip on lo0
and reloading pf using /etc/rc.d/pf reload causes a segmentation fault on 11.2-STABLE #0 r33973.
If you stop and start pf again, it will load without problem. In addition, you can check which interfaces are skipped using the following command:
pfctl -vv -sI
The right way to reload the rules is:
pfctl -F all -f /etc/pf.conf
Thank you. But I would prefer not to use pfctl -F all -f /etc/pf.conf if possible, as it would flush all the existing states, causing those who are connected to my server to lose their connections and have to re-establish them.

Anyway, I would stick to set skip on lo0 although it throws a segfault error, but it only happens the very first time. Thank you everyone for your inputs.
 

shinx

#44
Found something interesting to share here...

### FreeBSD 10.3-STABLE
Code:
$ uname -mrs
FreeBSD 10.3-STABLE amd64
$ pfctl -v -sI | grep ^lo
No ALTQ support in kernel
ALTQ related functions disabled
lo (skip)
lo0 (skip)
$ pfctl -f /etc/pf.conf 
$ pfctl -v -sI | grep ^lo
No ALTQ support in kernel
ALTQ related functions disabled
lo (skip)
lo0 (skip)
Using set skip on lo will skip all loopback interfaces, including lo and lo0.


### FreeBSD 11.2-STABLE
Code:
$ uname -mrs
FreeBSD 11.2-STABLE amd64
$ pfctl -v -sI | grep ^lo
No ALTQ support in kernel
ALTQ related functions disabled
lo (skip)
lo0 (skip)
Using set skip on lo will skip all loopback interfaces, including lo and lo0, here too. However....

Code:
$ pfctl -f /etc/pf.conf
$ pfctl -v -sI | grep ^lo
No ALTQ support in kernel
ALTQ related functions disabled
lo (skip)
lo0
$ pfctl -f /etc/pf.conf
$ pfctl -v -sI | grep ^lo
No ALTQ support in kernel
ALTQ related functions disabled
lo (skip)
lo0 (skip)
$ pfctl -f /etc/pf.conf
$ pfctl -v -sI | grep ^lo
No ALTQ support in kernel
ALTQ related functions disabled
lo (skip)
lo0
Reloading /etc/pf.conf alternates skipping on the interface lo0. I do not know what the standard is for skipping an interface, but I remember reading somewhere that set skip on lo will skip all loopback interfaces.
Anyhow, I have to specify the interface in order to have consistent results, at least when using FreeBSD 11.2-STABLE. Cheers all!
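The alternating skip state shown in the post above is easy to miss by eye, so here is a small POSIX shell check, added as an example and not taken from this thread, that parses pfctl -v -sI output and reports whether a given interface (lo0 in the thread) is currently skipped, so a reload can be verified before trusting local DNS. The sample outputs are constructed to mirror the 11.2-STABLE observation; the check_live wrapper assumes it runs as root on the FreeBSD host.

```shell
#!/bin/sh
# Added example (not from the thread): verify whether pf is really skipping
# an interface after a reload, by parsing `pfctl -v -sI` output.

# iface_skipped OUTPUT IFACE
# Prints "yes" if IFACE is listed with a "(skip)" marker, "no" otherwise.
# Interface lines look like "lo0 (skip)" or just "lo0"; the space after the
# name keeps "lo" from matching "lo0", and the ALTQ warning lines that
# pfctl prints first never match.
iface_skipped() {
    _out="$1"; _if="$2"
    if printf '%s\n' "$_out" | grep -q "^${_if} (skip)"; then
        echo yes
    else
        echo no
    fi
}

# check_live IFACE: run the real pfctl (assumed: root on the FreeBSD host)
# and exit non-zero if the interface is not skipped, so a reload script can
# stop, or log, when the live state disagrees with /etc/pf.conf.
check_live() {
    _state=$(iface_skipped "$(pfctl -v -sI 2>/dev/null)" "$1")
    echo "$1 skip=$_state"
    [ "$_state" = yes ]
}

# Constructed sample outputs modelled on the thread's 11.2-STABLE posts:
# both loopback entries skipped, and lo0 having lost its skip flag after a
# reload.
SAMPLE_SKIPPED='No ALTQ support in kernel
ALTQ related functions disabled
lo (skip)
lo0 (skip)'
SAMPLE_LOST='No ALTQ support in kernel
ALTQ related functions disabled
lo (skip)
lo0'
```

Run check_live lo0 right after pfctl -f /etc/pf.conf; a "no" is the state in which the thread's local unbound forwarding stopped working.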
 