- Thread Starter
- #26
I have the following line in the PF config. Use states and allow the returning traffic via external interface.
Code:
set skip on lo
Also, it should be keeping the states by default according to the pfctl -sr.
Code:
$ sudo pfctl -sr
block drop in log all
block drop in quick inet6 all
pass out quick all flags S/SA keep state
block drop in on lagg1 all
block drop in on ix0 all
block drop in on lagg0 all
pass in on egress inet proto tcp from <__automatic_8698683c_0> to (egress) port = ssh flags S/SA keep state
pass in on egress inet proto tcp from <__automatic_8698683c_1> to (egress) port = 8080 flags S/SA keep state
pass in on lagg0 inet proto tcp from <__automatic_8698683c_6> to any port = ssh flags S/SA keep state
pass in on lagg0 inet proto tcp from <__automatic_8698683c_7> to any port = 8080 flags S/SA keep state
pass in on lagg0 inet proto tcp from any to any port = http flags S/SA keep state
pass in on lagg0 inet proto tcp from any to any port = https flags S/SA keep state
pass in on lagg0 inet proto tcp from <censored_public_ip> to any port = bgp flags S/SA keep state
pass in on lagg0 inet proto tcp from 172.16.55.10 to any flags S/SA keep state
pass in on lagg1 inet proto tcp from <__automatic_8698683c_2> to any port = ssh flags S/SA keep state
pass in on lagg1 inet proto tcp from <__automatic_8698683c_3> to any port = 8080 flags S/SA keep state
pass in on lagg1 inet proto tcp from any to any port = http flags S/SA keep state
pass in on lagg1 inet proto tcp from any to any port = https flags S/SA keep state
pass in on ix0 inet proto tcp from <__automatic_8698683c_4> to any port = ssh flags S/SA keep state
pass in on ix0 inet proto tcp from <__automatic_8698683c_5> to any port = 8080 flags S/SA keep state
pass in on ix0 inet proto tcp from any to any port = http flags S/SA keep state
pass in on ix0 inet proto tcp from any to any port = https flags S/SA keep state
pass in on lagg0 inet proto udp from 172.16.55.10 to any keep state
pass in inet proto icmp all icmp-type echoreq keep state

use
Code:
pass quick on lo0 all
or
Code:
set skip on lo0

Code:
set skip on lo
in my /etc/pf.conf. Also, I have tried
Code:
set skip on lo0
previously as suggested by ShelLuser, and the problem still persists.

Ok, that's good. I was just trying to rule out any weird compiler optimization issues.

I can't find any /etc/make.conf in my system here.

it's the same
Code:
set skip on lo0
will actually add
Code:
pass quick on lo0 all
in your rules.
You have to add the interface number, for example lo0, lo1 and etc.
You can check the output of
Code:
ifconfig

Code:
$ sudo pfctl -f /etc/pf.conf
Segmentation fault
pfctl -sr does not show pass quick on lo0 all after specifying lo0 in the /etc/pf.conf.
Code:
$ sudo pfctl -sr
block drop in log all
block drop in quick inet6 all
pass out quick all flags S/SA keep state
block drop in on lagg1 all
block drop in on ix0 all
block drop in on lagg0 all
pass in on egress inet proto tcp from <__automatic_8ac0178_0> to (egress) port = ssh flags S/SA keep state
pass in on egress inet proto tcp from <__automatic_8ac0178_1> to (egress) port = 8080 flags S/SA keep state
pass in on lagg0 inet proto tcp from <__automatic_8ac0178_6> to any port = ssh flags S/SA keep state
pass in on lagg0 inet proto tcp from <__automatic_8ac0178_7> to any port = 8080 flags S/SA keep state
pass in on lagg0 inet proto tcp from any to any port = http flags S/SA keep state
pass in on lagg0 inet proto tcp from any to any port = https flags S/SA keep state
pass in on lagg0 inet proto tcp from <censored_public_ip> to any port = bgp flags S/SA keep state
pass in on lagg0 inet proto tcp from 172.16.55.10 to any flags S/SA keep state
pass in on lagg1 inet proto tcp from <__automatic_8ac0178_2> to any port = ssh flags S/SA keep state
pass in on lagg1 inet proto tcp from <__automatic_8ac0178_3> to any port = 8080 flags S/SA keep state
pass in on lagg1 inet proto tcp from any to any port = http flags S/SA keep state
pass in on lagg1 inet proto tcp from any to any port = https flags S/SA keep state
pass in on ix0 inet proto tcp from <__automatic_8ac0178_4> to any port = ssh flags S/SA keep state
pass in on ix0 inet proto tcp from <__automatic_8ac0178_5> to any port = 8080 flags S/SA keep state
pass in on ix0 inet proto tcp from any to any port = http flags S/SA keep state
pass in on ix0 inet proto tcp from any to any port = https flags S/SA keep state
pass in on lagg0 inet proto udp from 172.16.55.10 to any keep state
pass in inet proto icmp all icmp-type echoreq keep state

Code:
pass quick on lo0 all
in the /etc/pf.conf. And I am able to verify it is in the ruleset by running pfctl -sr.
Code:
block drop in log all
block drop in quick inet6 all
pass out quick all flags S/SA keep state
pass quick on lo0 all flags S/SA keep state
block drop in on lagg1 all
block drop in on ix0 all
block drop in on lagg0 all
---- codes removed for brevity purposes
$ sudo pfctl -f /etc/pf.conf
$ drill @127.0.0.1 google.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 35942
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; google.com. IN A
;; ANSWER SECTION:
google.com. 260 IN A 172.217.27.238
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 0 msec
;; SERVER: 127.0.0.1
;; WHEN: Wed Oct 31 16:07:49 2018
;; MSG SIZE rcvd: 44

Code:
set skip on lo
? Because both rules seem to serve the same purposes, except set skip on lo is causing a DNS problem but pass quick on lo0 all is not.

It is lo0... what is the name of your loopback interface? Post the output of
Code:
ifconfig | grep lo

Code:
$ ifconfig | grep lo
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
groups: lo
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
groups: pflog

Segmentation fault can be caused by sudo or by pfctl. Can you try the same config but, instead of using sudo, use su first to login as root and then restart the pf (/etc/rc.d/pf)? If you get segfault again then you may want to rebuild your 11.2-STABLE or switch to 11.2-RELEASE.

Code:
su
but to no avail.
Code:
pass quick on lo0 all
, but that would keep the states and maybe will use up more resources I guess?

I'm running 11.2-STABLE:
Code:
## make sure local_unbound dns is forwarding requests without errors
$ drill @127.0.0.1 google.com
## add/change config in /etc/pf.conf and save it
set skip on lo
## reload pf config
$ sudo pfctl -f /etc/pf.conf
## testing on local_unbound dns again
$ drill @127.0.0.1 google.com
## change config in/etc/pf.conf and save it
set skip on lo0
## issue usually happens on the first time (segfault)
## reload pf config
$ sudo pfctl -f /etc/pf.conf
## run test on local_unbound DNS
$ drill @127.0.0.1 google.com
## if the DNS test failed, reload the pf.conf once more
$ sudo pfctl -f /etc/pf.conf
## run test on local_unbound DNS (it should works now)
$ drill @127.0.0.1 google.com

That's not what you said earlier: "Also, I have tried set skip on lo0 previously as suggested by ShelLuser, and the problem still persists."
... which is also why I gave up on this thread. You have a working solution to the problem (not the segmentation fault of course, that's a different beast) yet you still insist on using lo while knowing that it doesn't work. I don't get that.

Code:
set skip on lo0
This works perfectly, it seems my unbound is able to forward requests from localhost to public DNS servers even after I reload the PF config. Thank you so much!

Code:
set skip on lo
so that it does not produce segmentation fault, and all I have to do is reload the config twice for the DNS to work as it used to be.

Looks like the problem is not caused by the code...
I have reverted back the changes to
Code:
set skip on lo
and reloading the PF config twice makes it work perfectly as it used to be.

Code:
set skip on lo0
works best for me.

Ok I can confirm that changing the skip interface from
Code:
set skip on lo
to
Code:
set skip on lo0
and reloading the pf using
Code:
/etc/rc.d/pf reload
causes Segmentation fault on 11.2-STABLE #0 r33973
If you stop and start the pf again it will load without problem. In addition you can check the interfaces that are skipped using the following command
Code:
pfctl -vv -sI
The right way to reload the rules is:
Code:
pfctl -F all -f /etc/pf.conf

Code:
pfctl -F all -f /etc/pf.conf
if possible, as it would flush all the existing states and cause those who are connecting to my server to lose their connection, but to re-establish once again.
Code:
set skip on lo0
although it throws a segfault error, but it only happens on the very first time. Thank you everyone for your inputs.

Code:
$ uname -mrs
FreeBSD 10.3-STABLE amd64
$ pfctl -v -sI | grep ^lo
No ALTQ support in kernel
ALTQ related functions disabled
lo (skip)
lo0 (skip)
$ pfctl -f /etc/pf.conf
$ pfctl -v -sI | grep ^lo
No ALTQ support in kernel
ALTQ related functions disabled
lo (skip)
lo0 (skip)

set skip on lo
will skip on all loopback interfaces including lo and lo0.

Code:
$ uname -mrs
FreeBSD 11.2-STABLE amd64
$ pfctl -v -sI | grep ^lo
No ALTQ support in kernel
ALTQ related functions disabled
lo (skip)
lo0 (skip)

set skip on lo
will skip on all loopback interfaces including lo and lo0 too. However....
Code:
$ pfctl -f /etc/pf.conf
$ pfctl -v -sI | grep ^lo
No ALTQ support in kernel
ALTQ related functions disabled
lo (skip)
lo0
$ pfctl -f /etc/pf.conf
$ pfctl -v -sI | grep ^lo
No ALTQ support in kernel
ALTQ related functions disabled
lo (skip)
lo0 (skip)
$ pfctl -f /etc/pf.conf
$ pfctl -v -sI | grep ^lo
No ALTQ support in kernel
ALTQ related functions disabled
lo (skip)
lo0

set skip on lo
will skip on all loopback interfaces.
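A small check for the behaviour shown in the listings above, as an added example that is not code from anyone in the thread: it parses `pfctl -v -sI` output to confirm that every loopback interface is still marked "(skip)" after a reload, and wraps the two-reload workaround the thread describes. The function names and the sample listings are constructed here.

```shell
#!/bin/sh
# Added example (not code from the thread): after a ruleset reload, check that
# every loopback interface pf is supposed to skip is really listed as "(skip)",
# which is the state the outputs above show lo0 intermittently losing.

# skip_missing IFACE...: reads "pfctl -v -sI" output on stdin and prints each
# named interface that is not marked "(skip)". Returns 0 if all are skipped.
skip_missing() {
    listing=$(cat)
    rc=0
    for ifn in "$@"; do
        # a line "lo0 (skip)" is good; a bare "lo0" means the flag was lost
        if ! printf '%s\n' "$listing" | grep -q "^${ifn} (skip)"; then
            echo "$ifn"
            rc=1
        fi
    done
    return $rc
}

# check_sample TEXT: run skip_missing over a listing held in a string,
# used to exercise the check against the constructed samples below.
check_sample() {
    printf '%s\n' "$1" | skip_missing lo lo0
}

# Constructed samples, shaped like the 11.2-STABLE output above: in SAMPLE_BAD
# lo is skipped but lo0 has dropped out of the skip list.
SAMPLE_BAD='No ALTQ support in kernel
ALTQ related functions disabled
lo (skip)
lo0'
SAMPLE_GOOD='lo (skip)
lo0 (skip)'

# reload_and_verify: reload without -F all (existing states survive), then
# re-check; reload once more if lo0 lost its skip flag, which is the
# two-reload workaround described in the thread. Run as root.
reload_and_verify() {
    pfctl -f /etc/pf.conf || return 1
    if ! pfctl -v -sI | skip_missing lo lo0 >/dev/null; then
        echo "lo0 not skipped after reload, reloading once more" >&2
        pfctl -f /etc/pf.conf || return 1
        pfctl -v -sI | skip_missing lo lo0
    fi
}
```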