From norgaard@daemonsecurity.com  Thu Mar 23 20:39:05 2006
Return-Path: <norgaard@daemonsecurity.com>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 12E4216A400
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 23 Mar 2006 20:39:05 +0000 (UTC)
	(envelope-from norgaard@daemonsecurity.com)
Received: from strange.daemonsecurity.com (59.Red-81-33-11.staticIP.rima-tde.net [81.33.11.59])
	by mx1.FreeBSD.org (Postfix) with ESMTP id D347443D77
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 23 Mar 2006 20:38:56 +0000 (GMT)
	(envelope-from norgaard@daemonsecurity.com)
Received: by strange.daemonsecurity.com (Postfix, from userid 1024)
	id 9338D2E0AF; Thu, 23 Mar 2006 21:39:02 +0100 (CET)
Message-Id: <20060323203902.9338D2E0AF@strange.daemonsecurity.com>
Date: Thu, 23 Mar 2006 21:39:02 +0100 (CET)
From: Erik Norgaard <norgaard@locolomo.org>
Reply-To: Erik Norgaard <norgaard@locolomo.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: packet filter blocks outgoing traffic after boot
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         94877
>Category:       kern
>Synopsis:       [pf] packet filter blocks outgoing traffic after boot
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-pf
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 23 20:40:17 GMT 2006
>Closed-Date:    Tue Mar 28 13:02:35 GMT 2006
>Last-Modified:  Tue Mar 28 13:02:35 GMT 2006
>Originator:     Erik Norgaard
>Release:        FreeBSD 6.1-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD charm 6.1-PRERELEASE FreeBSD 6.1-PRERELEASE #0: Thu Mar 23 09:12:55 CET 2006 root@charm:/usr/obj/usr/src/sys/GENERIC i386

>Description:

pf ruleset is loaded correctly at boot, but outgoing connections are blocked: icmp, tcp and udp. This was verified with ping (operation not permitted), host (timeout) and tcping (operation not permitted).

arp traffic is allowed, confirmed with arping.

It has been verified with snort that no packets leave the interface, the problem is not that responses are blocked.

Reloading the ruleset with 

  # pfctl -Fr && pfctl -Rf /etc/pf.conf

solves the problem. The fact that it is the same ruleset seems to prove that the ruleset is ok.

This has been observed on two systems running more or less the same snapshot of the source, on different networks. Also, incoming traffic is accepted.

Both systems have interfaces configured with dhclient, which runs before the ruleset is loaded. rc.conf has background_dhclient="NO", ensuring that the interface is configured before proceeding.

If the interface is not configured, pf will fail loading the ruleset, as the macros interface and interface:network are used in the rulesets.

The problem can be repeated by rebooting.

>How-To-Repeat:

A transcript of the actions done and produced output is found here:

  http://www.locolomo.org/pub/pf/debug.charm

Snort packets captured for the above session

  http://www.locolomo.org/pub/pf/snort.charm

The used pf ruleset is found here:

  http://www.locolomo.org/pub/pf/pf.conf

System info here:

  http://www.locolomo.org/pub/pf/dmesg.charm
  http://www.locolomo.org/pub/pf/sysctl.charm

>Fix:

Workaround: Reload the ruleset after each boot with 

  # pfctl -Fr && pfctl -Rf <ruleset>

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-pf 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Fri Mar 24 04:32:10 UTC 2006 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=94877 

From: Max Laier <max@love2party.net>
To: bug-followup@freebsd.org, norgaard@locolomo.org
Cc:  
Subject: Re: kern/94877: [pf] packet filter blocks outgoing traffic after boot
Date: Fri, 24 Mar 2006 06:27:37 +0100

 If you want pf to track address changes on interfaces (like the dhcp you 
 describe) you have to enclose the interface name in "(" ")" as documented in 
 the pf.conf(5) manual page.  Can you confirm that is the source of the 
 problem?
 -- 
   Max
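
As an added illustration of the change Max describes (example configuration, not the originator's pf.conf, which the PR only links to; the interface name em0 and the rules themselves are assumed), here is the static macro form beside the dynamic form that pf.conf(5) documents:

```conf
# Added example, not the PR's own ruleset. Interface name is an assumption.
ext_if = "em0"

# Weak form: $ext_if and $ext_if:network are expanded to the address and
# network the interface holds when pfctl loads the ruleset. If the dhclient
# lease later gives the interface a different address, packets leave with a
# source address these rules no longer match, "pass out" never fires and
# outgoing icmp/tcp/udp is blocked until the ruleset is reloaded.
# block out on $ext_if all
# pass out on $ext_if inet from $ext_if to any keep state
# pass in  on $ext_if inet from $ext_if:network to $ext_if keep state

# Corrected form: the parentheses tell pf to resolve the interface's address
# at match time, so the rules follow whatever address dhclient assigns.
block out on $ext_if all
pass out on $ext_if inet from ($ext_if) to any keep state
pass in  on $ext_if inet from ($ext_if:network) to ($ext_if) keep state
```

A quick check of which form a running system actually loaded is `pfctl -sr`: the static form is shown with the address that was expanded at load time, the dynamic form is shown as `(em0)`.
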

From: Erik Nørgaard <norgaard@locolomo.org>
To: bug-followup@FreeBSD.org,  norgaard@locolomo.org
Cc:  
Subject: Re: kern/94877: [pf] packet filter blocks outgoing traffic after boot
Date: Fri, 24 Mar 2006 19:50:02 +0100

 Please close this pr!
 
 Adding "(" and ")" solved the problem.
 
 I am awfully sorry about the noise on the line, I worked on this five 
 days before submitting the pr :(
 
 Thanks a lot! And thank you for the good job you're doing on FreeBSD.
 
 Cheers, Erik
 
 -- 
 Ph: +34.666334818                                  web: www.locolomo.org
State-Changed-From-To: open->closed 
State-Changed-By: mlaier 
State-Changed-When: Tue Mar 28 13:01:58 UTC 2006 
State-Changed-Why:  
Closed on request by originator. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=94877 
>Unformatted:
