Re: kernel/4604: [Fwd: fxp nics + pf + bridge = panic]
- To: bugs_(_at_)_cvs_(_dot_)_openbsd_(_dot_)_org
- Subject: Re: kernel/4604: [Fwd: fxp nics + pf + bridge = panic]
- From: Don Feliciano <don_(_dot_)_feliciano_(_at_)_runbox_(_dot_)_com>
- Date: Wed, 9 Nov 2005 07:45:03 -0700 (MST)
- Cc:
- Reply-to: Don Feliciano <don_(_dot_)_feliciano_(_at_)_runbox_(_dot_)_com>
The following reply was made to PR kernel/4604; it has been noted by GNATS.
From: Don Feliciano <don_(_dot_)_feliciano_(_at_)_runbox_(_dot_)_com>
To: gnats_(_at_)_cvs_(_dot_)_openbsd_(_dot_)_org, bugs_(_at_)_cvs_(_dot_)_openbsd_(_dot_)_org
Cc:
Subject: Re: kernel/4604: [Fwd: fxp nics + pf + bridge = panic]
Date: Wed, 09 Nov 2005 09:29:04 -0500
Some more info...
I disabled pf, and am running as a plain transparent bridge. I hammered
the box overnight with iperf, and no panic. I will continue to run this
way, but my feeling is that the panic only occurs when pf is enabled.
Not sure if that helps.
Here's my ruleset, in case it's of any value:
#########################################################################
# OpenBSD bridged packet filter /etc/pf.conf
# Created: Don Feliciano 7/13/2004
# Matching TCP packets based on flags is most often used to filter TCP
# packets that are attempting to open a new connection. The TCP flags and
# their meanings are listed here:
# * F : Fin - Finish; end of session
# * S : SYN - Synchronize; indicates request to start session
# * R : RST - Reset; drop a connection
# * P : PUSH - Push; packet is sent immediately
# * A : ACK - Acknowledgement
# * U : URG - Urgent
# * E : ECE - Explicit Congestion Notification Echo
# * W : CWR - Congestion Window Reduced
tcp_flags = "S/SA"
#### Interface aliases
# Interface aliases for ease of administration.
ext_if = "fxp0" # Untrusted (to HYSL LAN)
int_if = "fxp1" # Trusted (to isolated switch)
#### Set the interface for which PF should gather statistics such as bytes
# in/out and packets passed/blocked. Statistics can only be gathered for one
# interface at a time.
set loginterface $ext_if
#### Trusted hosts
# Allow greater access to certain hosts
table <essbase_servers> {rtfm.mydomain.com}
table <reports_servers> {obsolete.mydomain.com}
table <oracle_servers> {rtfm.mydomain.com}
table <websphere_nodemanagers> {obsolete.mydomain.com}
table <nfs_servers> {ogre.mydomain.com}
table <nfs_clients> {rtfm.mydomain.com,obsolete.mydomain.com}
#### Traffic Normalization
# Prevent fragmentation attacks
scrub in on $ext_if all fragment reassemble no-df
scrub out on $ext_if all fragment reassemble random-id no-df
#### Enable queueing on the external interface
#altq on $ext_if cbq bandwidth 100Mb queue { std_out, wan }
#### Define the parameters for the child queues.
# std_out - the standard queue. any filter rule below that does not
# explicitly specify a queue will have its traffic added
# to this one.
# wan - Hyperion Reports traffic
#queue std_out bandwidth 100Mb cbq(default)
#queue wan bandwidth 768Kb cbq(red)
### Pass traffic on the loopback interface in either direction
pass quick on lo0 all
#### Internal Bridge interface rules
# Filter on external interface - in bridge mode,
# we only filter on one interface.
pass in quick on $int_if all
pass out quick on $int_if all
#### External Bridge interface rules (main ruleset)
# Rule order does not matter
# Block (Deny) all inbound by default
#block return in log on $ext_if all
block return in on $ext_if all
### Inbound Filtering Rules
# Allow selected TCP traffic in to all, full throttle
# NOTE: Add netbios-ssn to allow mapping of drives
pass in quick on $ext_if proto tcp from any to any port \
{ssh,5900,3389} \
keep state flags $tcp_flags
# Allow DHCP & DNS
pass in quick on $ext_if proto udp from any to any \
port {bootpc,domain} keep state
# Allow http through to rtfm
pass in quick on $ext_if proto tcp from any to rtfm.mydomain.com port http \
keep state flags $tcp_flags
# Allow license server access through to obsolete
#pass in quick on $ext_if proto tcp from any to obsolete.mydomain.com \
#	port 27000 keep state flags $tcp_flags
# Allow Reports traffic to pass through - optionally throttle bandwidth
#pass in quick on $ext_if proto tcp from any to <reports_servers> \
#	port { 1098><1105, 8200, 19000 } keep state flags $tcp_flags #queue(wan)
# Allow 9090 in to WebSphere ND Servers
pass in quick on $ext_if proto tcp from any to <websphere_nodemanagers> \
port 9090 keep state flags $tcp_flags
# Allow 1521 in to Oracle Servers
pass in quick on $ext_if proto tcp from any to <oracle_servers> \
port 1521 keep state flags $tcp_flags
# Allow 1422><1430 in for Essbase
pass in quick on $ext_if proto tcp from any to <essbase_servers> \
port { 1422><1430 } keep state flags $tcp_flags
# Allow ALL in from <nfs_servers> to <nfs_clients>
pass in quick on $ext_if proto {tcp,udp} from <nfs_servers> to <nfs_clients> \
	keep state flags $tcp_flags
# Allow ICMP ping requests
pass in quick on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
### Outbound Filtering Rules
# Allow ICMP ping requests
pass out quick on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
# Allow all UDP/TCP, and keep state
pass out quick on $ext_if proto udp all keep state
pass out quick on $ext_if proto tcp all modulate state
########################################################################
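Added example (not part of this report or of pf itself): a small Python check of how pf's "flags check/mask" test decides which TCP segments the rules above let through. It implements the S/SA semantics described in the comment block: of the flags named in the mask (S and A), only those in the check set (S) may be set, and every other bit is ignored. The flag-letter table and sample packets are constructed here for illustration.

```python
# TCP flag bits from the TCP header, keyed by the single-letter pf names
# used in the ruleset comments above.
TCP_FLAG_BITS = {
    "F": 0x01,  # FIN
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
    "E": 0x40,  # ECE
    "W": 0x80,  # CWR
}


def flags_to_bits(letters: str) -> int:
    """Convert a string of pf flag letters such as "SA" into a bitmask."""
    bits = 0
    for ch in letters:
        if ch not in TCP_FLAG_BITS:
            raise ValueError(f"unknown TCP flag letter {ch!r}")
        bits |= TCP_FLAG_BITS[ch]
    return bits


def parse_flags_spec(spec: str) -> tuple[int, int]:
    """Parse a pf 'flags' argument into (check, mask).

    Handles "any" (match everything) and the "check/mask" form used in
    the ruleset ("S/SA", "/SFRA"); the bare "S" form is not handled here.
    """
    spec = spec.strip()
    if spec == "any":
        return 0, 0
    if "/" not in spec:
        raise ValueError("expected 'any' or 'check/mask'")
    check_s, mask_s = spec.split("/", 1)
    check, mask = flags_to_bits(check_s), flags_to_bits(mask_s)
    if check & ~mask:
        raise ValueError("check flags must be a subset of the mask flags")
    return check, mask


def flags_match(spec: str, packet_flags: str) -> bool:
    """True if a segment carrying `packet_flags` matches the pf spec `spec`."""
    check, mask = parse_flags_spec(spec)
    return (flags_to_bits(packet_flags) & mask) == check


if __name__ == "__main__":
    # Constructed sample segments: S/SA passes only the connection-opening SYN.
    for pkt in ("S", "SA", "A", "PA", "SEW", "FA"):
        print(f"{pkt:4s} matches S/SA: {flags_match('S/SA', pkt)}")
```

Note that a SYN with ECE/CWR set ("SEW") still matches S/SA because E and W are outside the mask; a SYN-ACK ("SA") does not, which is why the rules only create state on the opening segment.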
Gnats wrote the following on 11/7/2005 12:10 PM:
>Thank you very much for your problem report.
>It has the internal identification `kernel/4604'.
>The individual assigned to look at your
>report is: bugs.
>
>
>
>>Category: kernel
>>Responsible: bugs
>>Synopsis: fxp nics + pf + bridge = panic
>>Arrival-Date: Mon Nov 07 17:10:02 GMT 2005