From nobody@FreeBSD.org  Wed Dec 29 07:00:09 2004
Message-Id: <200412290700.iBT7081L018865@www.freebsd.org>
Date: Wed, 29 Dec 2004 07:00:08 GMT
From: Joe <joe@gaming-tv.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ipfilter not allowing SSH to box on FreeBSD 5.3
X-Send-Pr-Version: www-2.3

>Number:         75601
>Category:       kern
>Synopsis:       ipfilter not allowing SSH to box on FreeBSD 5.3
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Dec 29 07:00:42 GMT 2004
>Closed-Date:    Mon Jan 10 22:13:22 GMT 2005
>Last-Modified:  Mon Jan 10 22:13:22 GMT 2005
>Originator:     Joe
>Release:        5.3
>Organization:
GTV
>Environment:
FreeBSD titanium.gaming-tv.com 5.3-RELEASE-p1 FreeBSD 5.3-RELEASE-p1 #1: Sun Dec  5 23:28:05 CST 2004     root@titanium.gaming-tv.com:/usr/obj/usr/src/sys/titanium  i386
>Description:
Ever since we upgraded our boxes from FreeBSD 5.2 to FreeBSD 5.3, we have trouble logging in to SSH.  This only occurs when we have ipfilter on.  We have port 22 opened for people to SSH to and from.  If I type ipf -D and disable ipfilter, I can SSH into the box, yet as soon as it's active, I can't get in.  It does not stop with SSH either; if I try to access a web page from the box, I cannot view it or it takes literally about an hour to load.  Again, when I turn off ipfilter, the issue goes away, and when it is turned back on, the problem appears again.
>How-To-Repeat:
      Just upgraded to 5.3, not sure how to recreate the problem.
>Fix:
      None.
>Release-Note:
>Audit-Trail:

From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Joe <joe@gaming-tv.com>
Cc: bug-followup@freebsd.org
Subject: Re: misc/75601: ipfilter not allowing SSH to box on FreeBSD 5.3
Date: Thu, 30 Dec 2004 00:17:11 +0200

 On 2004-12-29 07:00, Joe <joe@gaming-tv.com> wrote:
 > Ever since we upgraded our boxes from FreeBSD 5.2 to FreeBSD 5.3, we
 > have trouble logging in to SSH.  This only occurs when we have
 > ipfilter on.  We have port 22 opened for people to SSH to and from.
 > If I type ipf -D and disable ipfilter, I can SSH into the box, yet as
 > soon as it's active, I can't get in.  It does not stop with SSH either;
 > if I try to access a web page from the box, I cannot view it or it
 > takes literally about an hour to load.  Again, when I turn off
 > ipfilter, the issue goes away, and when it is turned back on, the
 > problem appears again.
 
 Can we see your ruleset?
 
State-Changed-From-To: open->feedback 
State-Changed-By: kris 
State-Changed-When: Wed Jan 5 01:00:46 GMT 2005 
State-Changed-Why:  
Feedback requested 

http://www.freebsd.org/cgi/query-pr.cgi?pr=75601 

From: "Nick Hale" <nhale@charter.net>
To: <freebsd-gnats-submit@freebsd.org>
Cc:  
Subject: Re: kern/75601: ipfilter not allowing SSH to box on FreeBSD 5.3
Date: Sun, 9 Jan 2005 05:37:46 -0600

 It isn't a ruleset issue at this time as the following lines are in the 
 rules (at the top)
 
 pass in quick on em0 from <my.ip.add.ress> to any
 pass out quick on em0 from any to <my.ip.add.ress>
 
 The IP address in those first couple of rules is my particular IP address 
 and it's still having issues.  IPFilter is a top-down first match setup so 
 it should match those rules and allow me in and stuff back out to me.  The 
 ruleset on the box is exactly the same as the ruleset we had on the 5.2.1 
 setup.  The only thing that changed was an update was done on everything 
 from 5.2.1 -> 5.3 (both are just the RELENG_x branches, no -current 
 or -stable stuff).  Both world and kernel are sync'd (world and kernel were 
 built from the same source within 30 minutes of each other) and everything 
 was upgraded without a hitch (minus this).
 
 
 Regards,
 Nick
 harm@gaming-tv.com 
 
 

From: Giorgos Keramidas <keramida@freebsd.org>
To: Nick Hale <nhale@charter.net>
Cc: bug-followup@freebsd.org
Subject: Re: kern/75601: ipfilter not allowing SSH to box on FreeBSD 5.3
Date: Mon, 10 Jan 2005 01:58:10 +0200

 Nick Hale <nhale@charter.net> wrote:
 >Giorgos Keramidas <keramida@ceid.upatras.gr> wrote:
 >>On 2004-12-29 07:00, Joe <joe@gaming-tv.com> wrote:
 >>> Ever since we upgraded our boxes from FreeBSD 5.2 to FreeBSD 5.3, we
 >>> have trouble logging in to SSH.  This only occurs when we have
 >>> ipfilter on.  We have port 22 opened for people to SSH to and from.
 >>> If I type ipf -D and disable ipfilter, I can SSH into the box, yet as
 >>> soon as it's active, I can't get in.  It does not stop with SSH either;
 >>> if I try to access a web page from the box, I cannot view it or it
 >>> takes literally about an hour to load.  Again, when I turn off
 >>> ipfilter, the issue goes away, and when it is turned back on, the
 >>> problem appears again.
 >>
 >> Can we see your ruleset?
 >
 > It isn't a ruleset issue at this time as the following lines are in
 > the rules (at the top)
 >
 > pass in quick on em0 from <my.ip.add.ress> to any
 > pass out quick on em0 from any to <my.ip.add.ress>
 >
 > The IP address in those first couple of rules is my particular IP
 > address and it's still having issues.
 
 Hmmm, if these are the rules you have, then I think you have the `in'
 and `out' directions backwards.
 
 When you use a rule like:
 
 	pass in quick on em0 from any to <your.address>
 
 The "in" direction is packets sent FROM someone else TO you, that enter
 your network interface as "incoming" and are parsed by your network stack
 as "input packets".
 
 The reverse applies to packets that YOU sent OUT-wards:
 
 	pass out quick on em0 from <your.address> to any
 
 Make sure the rest of your rules are not reversed in a similar manner,
 or (please) just post the output of `ipfstat -nio' as a followup to this
 problem report (masking any IP addresses you don't want us to see).
 
 - Giorgos
 

From: "Nick Hale" <nhale@charter.net>
To: "Giorgos Keramidas" <keramida@freebsd.org>
Cc: <bug-followup@freebsd.org>
Subject: Re: kern/75601: ipfilter not allowing SSH to box on FreeBSD 5.3
Date: Sun, 9 Jan 2005 18:07:34 -0600

 Correct.  It should be that way.  Pass in packets from this host to any ip 
 locally and pass out packets from any ip locally to this host is technically 
 what those rules say.  I've been using that setup now since the boxes were 
 running 5.0 without change and it's always worked up until now.  I ran into 
 a similar problem locally on my devbox and I'm going to attempt to rebuild 
 world/kernel with a libmap.conf with the following in it to see if it 
 changes anything (KDE wouldn't build on my local box without this setup):
 
         libc_r.so.5             libpthread.so.1
         libc_r.so               libpthread.so
 
 
 Regards,
 Nick
 
 

From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Nick Hale <nhale@charter.net>
Cc: bug-followup@freebsd.org
Subject: Re: kern/75601: ipfilter not allowing SSH to box on FreeBSD 5.3
Date: Mon, 10 Jan 2005 02:15:04 +0200

 On 2005-01-10 00:10, Nick Hale <nhale@charter.net> wrote:
 >  Correct.  It should be that way.  Pass in packets from this host to
 >  any ip locally and pass out packets from any ip locally to this host
 >  is technically what those rules say.  I've been using that setup now
 >  since the boxes were running 5.0 without change and it's always
 >  worked up until now.
 
 The fact that it worked until 5.0 is probably a happenstance.  It's not
 correct.  The correct filter rules are (as of 5.2.1-RELEASE IIRC):
 
 	pass in any packet destined to a local ip address
 	pass out any packet originating from a local ip address
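As an added illustration (not IPFilter's code and not written by anyone in this PR), the following Python models the top-down first-match walk of "quick" rules and the in/out direction semantics explained in the two messages above, then evaluates the pair of rules Nick quoted under both readings of <my.ip.add.ress>: the remote admin's address, and the box's own address. The addresses are constructed, and an explicit default-deny pair is appended so that no packet falls off the end of the list.

```python
from dataclasses import dataclass
from typing import List, Optional

BOX = "192.0.2.10"      # constructed: the FreeBSD host running ipfilter
ADMIN = "198.51.100.7"  # constructed: the workstation the admin SSHes from

@dataclass(frozen=True)
class Rule:
    action: str     # "pass" or "block"; every rule modelled here is "quick"
    direction: str  # "in": entering em0, "out": leaving em0
    src: str        # address or "any"
    dst: str

@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dst: str

def _addr_ok(pattern: str, addr: str) -> bool:
    return pattern == "any" or pattern == addr

def first_match(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """Top-down walk: return the action of the first quick rule whose
    direction and addresses match the packet, or None if none does."""
    for r in rules:
        if (r.direction == pkt.direction and _addr_ok(r.src, pkt.src)
                and _addr_ok(r.dst, pkt.dst)):
            return r.action
    return None

def ruleset(my_ip: str) -> List[Rule]:
    """The two rules quoted in the PR with <my.ip.add.ress> substituted,
    followed by an explicit default-deny pair so nothing falls through."""
    return [
        Rule("pass", "in", my_ip, "any"),
        Rule("pass", "out", "any", my_ip),
        Rule("block", "in", "any", "any"),
        Rule("block", "out", "any", "any"),
    ]

def ssh_session(rules: List[Rule]):
    """(inbound, outbound) verdicts for the admin's SYN and the box's reply."""
    syn = Packet("in", ADMIN, BOX)
    reply = Packet("out", BOX, ADMIN)
    return first_match(rules, syn), first_match(rules, reply)

if __name__ == "__main__":
    print(ssh_session(ruleset(ADMIN)))  # admin's address: ('pass', 'pass')
    print(ssh_session(ruleset(BOX)))    # box's own address: ('block', 'block')
```

With the admin's address in the rules, the SSH SYN arriving on em0 and the reply leaving it both hit the first two rules; with the box's own address substituted, neither rule's addresses line up with the packet's direction and the session is blocked by the default-deny pair.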
 

From: "Nick Hale" <nhale@charter.net>
To: "Giorgos Keramidas" <keramida@ceid.upatras.gr>
Cc: <bug-followup@freebsd.org>
Subject: Re: kern/75601: ipfilter not allowing SSH to box on FreeBSD 5.3
Date: Mon, 10 Jan 2005 04:53:29 -0600

 Let's add this in to the fray (this should help justify why I don't think 
 it's a rules issue...)  This does not happen on all of our boxes (most of 
 which are 5.3 boxes, 2 4.10 boxes).  The ruleset from box to box is 
 IDENTICAL.  diff shows nothing different about the 2 files from 2 different 
 servers.  This being said, we have 2 boxes on the same subnet at a 
 datacenter.  They're sequential IP addresses using the same gateway.  One 
 box has this issue, one does not.  Both were updated the exact same way 
 using the exact same sources from cvsup4 (both updated at the same time). 
 The rulesets, again, are identical.  It seems to be a quasi-sporadic issue 
 that is in no way related to the rulesets we are using (I double-checked the 
 syntax using man 5 ipf and the syntax is indeed proper).  This is the main 
 reason why I'm so adamant that it is not the ruleset causing this issue.
 
 Both boxes are RELENG_5_3 with world/kernel built the same day within 1 hour 
 of each other.
 ipf: IP Filter: v3.4.35 (336)
 
 That's the same version running on both boxes.  The kernel configs of the 2 
 boxes are identical as well (both have identical hardware) and the kernel 
 configs were copied from one to the other.  I *highly* doubt at this point 
 that it's going to be a rules issue.
 
 Regards,
 Nick
 
 

From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Nick Hale <nhale@charter.net>
Cc: bug-followup@freebsd.org
Subject: Re: kern/75601: ipfilter not allowing SSH to box on FreeBSD 5.3
Date: Mon, 10 Jan 2005 13:10:20 +0200

 On 2005-01-10 04:53, Nick Hale <nhale@charter.net> wrote:
 > Let's add this in to the fray (this should help justify why I don't
 > think it's a rules issue...)  This does not happen on all of our
 > boxes (most of which are 5.3 boxes, 2 4.10 boxes).  The ruleset from
 > box to box is IDENTICAL.
 
 Which I haven't seen, except for a pair of rules that use in/out in
 the reverse direction of what I understood from the description.
 
 I could be wrong, but I'll just stop posting since I can't help you
 with "ipfilter doesn't work".  More details are needed, which you
 apparently cannot or do not want to supply :-/
 
 - Giorgos
 

From: "Nick Hale" <nhale@charter.net>
To: "Giorgos Keramidas" <keramida@ceid.upatras.gr>
Cc: <bug-followup@freebsd.org>
Subject: Re: kern/75601: ipfilter not allowing SSH to box on FreeBSD 5.3
Date: Mon, 10 Jan 2005 16:06:44 -0600

 Please close this PR.  Rebuilding world/kernel with the libmap.conf in place 
 seems to have repaired the issue at this time.  The ruleset has not changed 
 and yet it's now working properly.
 
 
 Regards,
 Nick
 
 
State-Changed-From-To: feedback->closed 
State-Changed-By: keramida 
State-Changed-When: Mon Jan 10 22:10:28 GMT 2005 
State-Changed-Why:  
Submitter says the problem has gone away after a buildworld cycle. 

Quoting Nick Hale <nhale@charter.net> 
from message: <000801c4f760$ac6d93c0$2902a8c0@raptor> 

: Rebuilding world/kernel with the libmap.conf in place 
: seems to have repaired the issue at this time.  The ruleset has 
: not changed and yet it's now working properly. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=75601 
>Unformatted:
