a few problems with pf
Reinhold
freebsd at violetlan.net
Wed May 14 08:29:02 UTC 2008
Hi
I have a few problems with pf on my FreeBSD 7 STABLE systems. I have two
running 7 and 4 running 6.3, and the problems are only on my 7 systems.
The first problem is that I'm plagued by "bad hdr length" on both my 7 systems.
Here are the unames for them:
FreeBSD host1.name.local 7.0-STABLE FreeBSD 7.0-STABLE #0: Mon May 12
20:22:55 BST 2008 edit at host1.name.local:/usr/obj/usr/src/sys/MYKERN
i386
FreeBSD host.name.local 7.0-STABLE FreeBSD 7.0-STABLE #0: Mon May 12
12:45:19 BST 2008 edit at host.name.local:/usr/obj/usr/src/sys/MYKERN
i386
From both of them I see the following when I run
tcpdump -n -e -tttt -r /var/log/pflog
2008-05-07 23:42:06.596965 rule 78/0(match): pass in on ng0:
89.240.55.163.3164 > 192.168.1.5.80: tcp 20 [bad hdr length 8 - too
short, < 20]
2008-05-07 23:42:07.051043 rule 78/0(match): pass in on ng0:
89.240.55.163.3165 > 192.168.1.5.80: tcp 20 [bad hdr length 8 - too
short, < 20]
2008-05-07 23:42:25.697087 rule 76/0(match): pass in on ng0:
80.81.242.13.51145 > 192.168.1.5.22: tcp 36 [bad hdr length 8 - too
short, < 20]
2008-05-07 23:42:30.561467 rule 77/0(match): pass in on ng1:
80.81.242.14.63900 > 192.168.1.5.22: tcp 36 [bad hdr length 8 - too
short, < 20]
And here is the same log again:
tcpdump -n -e -tttt -r /var/log/pflog
2008-05-07 23:42:06.596965 rule 78/0(match): pass in on ng0:
89.240.55.163.3164 > 192.168.1.5.80: S 3008361134:3008361134(0) win 16384
<mss 1360,nop,nop,sackOK>
2008-05-07 23:42:07.051043 rule 78/0(match): pass in on ng0:
89.240.55.163.3165 > 192.168.1.5.80: S 1482992447:1482992447(0) win 16384
<mss 1360,nop,nop,sackOK>
2008-05-07 23:42:25.697087 rule 76/0(match): pass in on ng0:
80.81.242.13.51145 > 192.168.1.5.22: S 555277666:555277666(0) win 65535
<mss 1460,nop,wscale 1,nop,nop,timestamp[|tcp]>
2008-05-07 23:42:30.561467 rule 77/0(match): pass in on ng1:
80.81.242.14.63900 > 192.168.1.5.22: S 966982942:966982942(0) win 65535
<mss 1460,nop,wscale 1,nop,nop,timestamp[|tcp]>
I know these logs are a few days old, but I just enabled pf on
host.name.local and I saw the same things on it.
I've tried a few variations of my scrub rules, but none seem to help.
I've tried all of these:
#scrub in on $ext_if1 all fragment reassemble max-mss 1452
#scrub out on $ext_if1 all random-id fragment reassemble max-mss 1452
#scrub all random-id max-mss 1452 fragment reassemble
scrub all random-id reassemble tcp max-mss 1452
#scrub on $ext_if1 all reassemble tcp
Here is the ifconfig output for both hosts.
host1.name.local
ath0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0
mtu 2290
ether 00:0b:6b:0b:62:c8
media: IEEE 802.11 Wireless Ethernet autoselect <hostap>
(autoselect <hostap>)
status: associated
ssid somename channel 2 (2417 Mhz 11g) bssid 00:0b:6b:0b:62:c8
authmode WPA privacy MIXED deftxkey 3 TKIP 2:128-bit TKIP 3:128-bit
txpower 31.5 scanvalid 60 bgscan bgscanintvl 300 bgscanidle 250
roam:rssi11g 7 roam:rate11g 5 protmode CTS burst dtimperiod 1
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 00:04:a7:09:81:80
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 00:04:a7:09:81:7f
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
re0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0
mtu 1500
options=3998<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
ether 00:04:a7:05:88:c0
media: Ethernet autoselect (1000baseTX <full-duplex>)
status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu
1500
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33204
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether b6:f6:e0:49:1a:ac
inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: re0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 7 priority 128 path cost 55
member: ath0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 1 priority 128 path cost 370370
ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0
mtu 1492
inet 217.xx.yy.zz --> 217.xx.yyy.zzz netmask 0xffffffff
ng1: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0
mtu 1492
inet 217.xy.yyz.zzz --> 217.xx.xyy.zzz netmask 0xffffffff
And for host.name.local:
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0
mtu 1500
options=98<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:13:72:5f:89:b9
inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
media: Ethernet autoselect (1000baseTX <full-duplex>)
status: active
pfsync0: flags=0<> metric 0 mtu 1460
syncpeer: 224.0.0.240 maxupd: 128
pflog0: flags=0<> metric 0 mtu 33204
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether ce:4a:be:be:bc:cc
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 7 priority 128 path cost 2000000
member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 1 priority 128 path cost 55
tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0
mtu 1500
ether 00:bd:e8:60:52:00
Opened by PID 45164
The other weirdness is that on host.name.local /var/log/pflog is not there.
tcpdump -n -e -tttt -i pflog0
tcpdump: /var/log/pflog: No such file or directory
but tcpdump -n -e -tttt -i pflog0 works fine.
On both systems I have the following in the kernel:
# PF
device pf
device pflog
device pfsync
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_PRIQ
These problems only exist on my FreeBSD 7.0-STABLE machines and not on
any of the 6.3-STABLE ones.
The last bit of help I need is to get pf to allow ssh through to the qemu
host.
Any help will be appreciated.
Thanks,
Reinhold
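The "bad hdr length 8 - too short, < 20" text in the first listing is produced by tcpdump's TCP printer from the 4-bit data-offset field at byte 12 of the TCP header (header length = data offset * 4), so a reported 8 means the decoder read a data offset of 2 there, and "tcp 20" is the segment length minus that 8. The following Python script is an added illustration of that arithmetic and is not part of the original post: it decodes a constructed SYN modelled on the first log entry (mss 1360, nop, nop, sackOK), the same bytes with the data-offset nibble overwritten to reproduce the complaint, and a SYN cut short the way a small snaplen would truncate the timestamp option. All inputs are constructed here; the script says nothing about why the pflog file on the 7.0 hosts decodes one way with one invocation and another way with the other. The message alone cannot tell a genuinely malformed segment from a decoder that started reading the TCP header at the wrong byte, which is why the second listing, where the same entries decode as ordinary SYNs, is the more useful reference.

```python
import struct

TCP_MIN_HLEN = 20  # fixed TCP header size; the "< 20" in tcpdump's message

# Option kinds (RFC 793/1323/2018) and the names tcpdump prints for them
OPT_EOL, OPT_NOP = 0, 1
OPT_NAMES = {2: "mss", 3: "wscale", 4: "sackOK", 8: "timestamp"}
FLAG_NAMES = [(0x02, "S"), (0x01, "F"), (0x04, "R"), (0x08, "P")]


def tcp_header_length(segment):
    """Header length in bytes from the data-offset nibble (byte 12, high 4 bits).

    The nibble counts 32-bit words, so the smallest legal value is 5 (20 bytes).
    tcpdump computes exactly this and complains when it comes out below 20;
    a reported length of 8 therefore means it read a data offset of 2.
    """
    if len(segment) < 13:
        raise ValueError("segment too short to hold the data-offset field")
    return (segment[12] >> 4) * 4


def decode_options(raw):
    """Render TCP options the way tcpdump lists them; '[|tcp]' marks truncation."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            opts.append("nop")
            i += 1
            continue
        name = OPT_NAMES.get(kind, "opt-%d" % kind)
        # Length byte missing, malformed (< 2) or running past the captured bytes
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            opts.append(name + "[|tcp]")
            break
        length = raw[i + 1]
        body = raw[i + 2:i + length]
        if kind == 2 and length == 4:
            opts.append("mss %d" % struct.unpack("!H", body)[0])
        elif kind == 3 and length == 3:
            opts.append("wscale %d" % body[0])
        elif kind == 4 and length == 2:
            opts.append("sackOK")
        elif kind == 8 and length == 10:
            opts.append("timestamp %d %d" % struct.unpack("!II", body))
        else:
            opts.append(name)
        i += length
    return opts


def decode_tcp(segment):
    """Decode the fields tcpdump prints for a SYN, or the bad-length complaint."""
    hlen = tcp_header_length(segment)
    if hlen < TCP_MIN_HLEN:
        # Same wording as tcpdump; "tcp N" is the payload length it infers
        return {"error": "tcp %d [bad hdr length %d - too short, < %d]"
                         % (len(segment) - hlen, hlen, TCP_MIN_HLEN)}
    sport, dport, seq, _ack, _off, flags, win = struct.unpack("!HHIIBBH", segment[:16])
    return {"sport": sport, "dport": dport, "seq": seq, "flags": flags, "win": win,
            "hlen": hlen, "options": decode_options(segment[TCP_MIN_HLEN:hlen])}


def format_like_tcpdump(segment):
    """One-line rendering in the style of the second pflog listing."""
    d = decode_tcp(segment)
    if "error" in d:
        return d["error"]
    letters = "".join(n for bit, n in FLAG_NAMES if d["flags"] & bit) or "."
    payload = max(0, len(segment) - d["hlen"])  # 0 when the capture is truncated
    return "%d > %d: %s %d:%d(%d) win %d <%s>" % (
        d["sport"], d["dport"], letters, d["seq"], d["seq"] + payload, payload,
        d["win"], ",".join(d["options"]))


def build_syn(sport, dport, seq, win, options):
    """Constructed SYN segment: 20-byte fixed header plus 32-bit padded options."""
    options += b"\x00" * (-len(options) % 4)
    hlen = TCP_MIN_HLEN + len(options)
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, (hlen // 4) << 4,
                        0x02, win, 0, 0)  # data offset, SYN, window, cksum, urg
    return fixed + options


# Constructed inputs modelled on the first and third log entries above
SAMPLE_SYN = build_syn(3164, 80, 3008361134, 16384,
                       bytes([2, 4, 0x05, 0x50, 1, 1, 4, 2]))  # mss 1360,nop,nop,sackOK
# Same bytes with the data-offset nibble overwritten with 2 -> "bad hdr length 8"
CORRUPT_SYN = SAMPLE_SYN[:12] + bytes([0x20]) + SAMPLE_SYN[13:]
# 40-byte SYN cut to 32 bytes, as a short snaplen would, so timestamp is truncated
TRUNCATED_SYN = build_syn(51145, 22, 555277666, 65535,
                          bytes([2, 4, 0x05, 0xb4, 1, 3, 3, 1, 1, 1, 8, 10])
                          + b"\x00" * 8)[:32]

if __name__ == "__main__":
    for seg in (SAMPLE_SYN, CORRUPT_SYN, TRUNCATED_SYN):
        print(format_like_tcpdump(seg))
```

Running the script prints the constructed SYN in the same form as the second listing, the corrupted copy as the complaint from the first listing, and the truncated one with "timestamp[|tcp]" as tcpdump marks an option that runs past the captured bytes.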