occasional "Operation not permitted" on state-mismatch
Silver Salonen
silver.salonen at gmail.com
Tue Dec 18 00:03:25 PST 2007
Hello!
I have some FreeBSD boxes (2x 6.3-PRERELEASE (installed on 08 Dec),
1x 6.2-RELEASE) with PF configured. They are connected with OpenVPN LAN-to-LAN,
and the problem is that a few times per hour the connection drops between
computers from one LAN to the other. At first I blamed OpenVPN, then I blamed
the bridge, but now I've realized that the problem is in PF.
So I've tried increasing the TCP timeouts and setting optimization
to "aggressive", but well, it's still the same.
I monitor connections by sending TCP packets once per second to some other
host and waiting for a reply. I use the Nagios plugins' check_tcp for that. The script
looks like:
=====
#!/bin/sh
# $host and $port are set before the loop (values omitted in the original post)
while [ 1 ]; do
# show the pf state-mismatch counter before the probe
pfctl -si | grep mismatch
# one TCP connect probe with a 2 second timeout
/usr/local/libexec/nagios/check_tcp -H "$host" -p "$port" -t 2
# show the counter again after the probe to see whether it moved
pfctl -si | grep mismatch
sleep 1
done
=====
So if I run this script, I see that within 2-3 minutes check_tcp
gets an "Operation not permitted" error, and at just that moment the packet-mismatch
counter is increased by one (on the machine with less traffic I get the timeout
in a few hours). That's on both 6.3-PRERELEASE as well as on 6.2-RELEASE. I've
tried connections:
* along WAN to IPFW-enabled machines
* along WAN to PF-enabled machines
* along LAN to PF-enabled machines
* along LAN to Windows machines
* along VPN to PF-enabled machines
* along VPN to Windows machines
Sometimes I get just a connection timeout: CRITICAL - Socket timeout after
2 seconds (I don't know what could cause that).
I can see this behaviour on about every FreeBSD/PF machine I have.
The basic PF configuration looks like:
=====
set block-policy return
set loginterface $ext_if
set timeout tcp.closed 15
set optimization aggressive
scrub in all no-df
block drop out quick on $ext_if from ($ext_if) to 0.0.0.0
block log all
pass quick on lo0 all
pass out all modulate state
pass out proto tcp all flags S/SA modulate state
pass on $int_if all modulate state
pass on $int_if proto tcp all flags S/SA modulate state
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services flags S/SA modulate state
=====
Is PF buggy or have I misconfigured something?
--
Silver
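The monitoring loop above only prints the counter before and after each probe, so matching a failed probe to a counter increment has to be done by eye. The following is an added example (not from the original post or the freebsd-pf list) that parses the `state-mismatch` line of `pfctl -si`, keeps the previous value, and logs a timestamped line only when check_tcp fails or the counter rose; the `pfctl -si` sample in `demo_parse` is constructed, and the host, port and check_tcp path are assumptions.

```shell
#!/bin/sh
# Added example: correlate check_tcp failures with pf's state-mismatch counter.

# Read pfctl -si style output on stdin and print the state-mismatch count.
mismatch_count() {
    awk '$1 == "state-mismatch" { print $2; exit }'
}

# Exit 0 when the counter rose between two samples, 1 otherwise.
counter_rose() {
    [ "$2" -gt "$1" ]
}

# Constructed sample of the Counters section of `pfctl -si` (not real output).
demo_parse() {
    printf '%s\n' 'Counters' \
        '  match                           1234            0.0/s' \
        '  state-mismatch                    17            0.0/s' \
        '  state-insert                       5            0.0/s' \
        | mismatch_count
}

# Probe $1:$2 once per second and log only probe failures or counter increments.
# Assumes the Nagios check_tcp path from the original post.
monitor() {
    host=$1; port=$2
    prev=$(pfctl -si | mismatch_count)
    while :; do
        out=$(/usr/local/libexec/nagios/check_tcp -H "$host" -p "$port" -t 2 2>&1)
        rc=$?
        cur=$(pfctl -si | mismatch_count)
        if [ "$rc" -ne 0 ] || counter_rose "$prev" "$cur"; then
            printf '%s rc=%s state-mismatch %s->%s %s\n' \
                "$(date '+%Y-%m-%dT%H:%M:%S')" "$rc" "$prev" "$cur" "$out"
        fi
        prev=$cur
        sleep 1
    done
}

# Usage: monitor 192.0.2.10 22   (host and port are placeholders)
```

Run it on the box whose pf counters you want to watch; lines with rc=0 and a counter increment show state drops that the probe survived, which the original loop would not single out.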