PF does not seem to be stateful in promiscuous mode

While creating some virtual machines with Bhyve + IPv6, I had to create a bridge, so the main NIC has to be in promiscuous (promisc) mode.

In the end I got the virtual machines working, but started noticing strange behaviour on the host (mostly timeouts and very slow responses) while trying to update packages or just using fetch/curl. When using fetch this is the output:

    fetch: /file.txt appears to be truncated: 0/1296 bytes

The server is currently using PF, and by checking the logs with:

    tcpdump -n -e -ttt -i pflog0 ip6

after generating some traffic such as pkg update or a simple curl google.com, I get this log:

    00:00:00.000000 rule 3/0(match): block in on igb0: 2001:4860:4860::8844.53 > 2a01:4f8:350:84ec::1.53939: 19426 1/0/1 A 216.58.210.14 (55)
    00:00:00.400845 rule 3/0(match): block in on igb0: 2001:4860:4860::8844.53 > 2a01:4f8:350:84ec::1.36699: 23499 1/0/1 A 216.58.210.14 (55)
    00:00:00.385682 rule 3/0(match): block in on igb0: 2a01:4f8:0:a0a1::add:1010.53 > 2a01:4f8:350:84ec::1.25247: 22918 1/0/1 AAAA 2a00:1450:4001:81c::200e (67)
    00:00:00.400351 rule 3/0(match): block in on igb0: 2a01:4f8:0:a0a1::add:1010.53 > 2a01:4f8:350:84ec::1.54634: 50020 1/0/1 AAAA 2a00:1450:4001:81c::200e (67)
    00:00:01.418975 rule 3/0(match): block in on igb0: 2a00:1450:4001:81d::200e.80 > 2a01:4f8:350:84ec::1.12922: Flags [S.], seq 1243698502, ack 2222250217, win 27200, options [mss 1360,nop,nop,sackOK], length 0
    00:00:00.300047 rule 3/0(match): block in on igb0: 2a00:1450:4001:81d::200e.80 > 2a01:4f8:350:84ec::1.12922: Flags [S.], seq 1243698502, ack 2222250217, win 27200, options [mss 1360,nop,nop,sackOK], length 0

For some unknown reason all the returning traffic is blocked (SYN-ACK), as if in promisc mode PF is not stateful for IPv6.

Importantly, despite the log entries, when a site supports both IPv4/IPv6 it takes time but it does connect; the log only shows the returning IPv6 traffic being blocked, so it seems it tries IPv6 first and falls back to IPv4.

These are the PF rules I am using:

    public_if = "igb0"
    public_tcp_ports = "{ 80 443 }"
    public_udp_ports = "{ 53 }"

    set block-policy drop
    set limit { states 1000000, frags 1000000, src-nodes 100000, table-entries 1000000 }
    set loginterface $public_if
    set optimization aggressive
    set skip on {lo0, bridge0, tap}
    set state-policy if-bound
    set timeout frag 30
    set timeout interval 10

    scrub in all fragment reassemble no-df max-mss 1440

    nat on $public_if from {172.16.8.0/21} to any -> ($public_if)

    antispoof log for $public_if

    block log all
    block in log quick from no-route to any
    block drop in log quick on $public_if inet proto tcp from any to any flags FUP/FUP

    pass in quick on $public_if proto tcp from any to any port $public_tcp_ports flags S/SA keep state
    pass in quick on $public_if proto udp from any to any port $public_udp_ports keep state
    pass in quick on $public_if proto {esp, ipencap} from any to any keep state
    pass in quick proto ipencap all

    icmp_types="{ echoreq, unreach }"
    pass inet proto icmp all icmp-type $icmp_types keep state
    pass proto ipv6-icmp from any to any

    pass out quick proto tcp all flags S/SA keep state
    pass out all keep state

Any ideas what can be done so the returning traffic is not blocked, or to make the system prefer IPv4 over IPv6, hoping that would avoid the delays?

Thanks in advance.
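As an added diagnostic (not part of the original post), the following Python script parses `tcpdump -n -e -ttt -i pflog0` output and counts blocked inbound packets that look like replies to traffic the host itself originated (SYN-ACKs and DNS answers to ephemeral ports), which is exactly the symptom described above: with working state tracking those packets should match a state, not a block rule. The first two sample lines are copied from the post's log; the third (an unsolicited inbound SYN) is constructed as a counter-example.

```python
import re
from collections import Counter

# One tcpdump -n -e -ttt line from pflog0; tcpdump prints IPv6 endpoints as "addr.port".
PFLOG_RE = re.compile(
    r"^(?P<delta>\d\d:\d\d:\d\d\.\d+) rule (?P<rule>\d+)/\d+\(match\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[0-9a-f:.]+)\.(?P<sport>\d+) > (?P<dst>[0-9a-f:.]+)\.(?P<dport>\d+): "
    r"(?P<rest>.*)$"
)

# Constructed sample: two lines from the post's log plus one unsolicited inbound SYN.
SAMPLE_LOG = """\
00:00:00.000000 rule 3/0(match): block in on igb0: 2001:4860:4860::8844.53 > 2a01:4f8:350:84ec::1.53939: 19426 1/0/1 A 216.58.210.14 (55)
00:00:01.418975 rule 3/0(match): block in on igb0: 2a00:1450:4001:81d::200e.80 > 2a01:4f8:350:84ec::1.12922: Flags [S.], seq 1243698502, ack 2222250217, win 27200, options [mss 1360,nop,nop,sackOK], length 0
00:00:00.100000 rule 3/0(match): block in on igb0: 2001:db8::1.40000 > 2a01:4f8:350:84ec::1.22: Flags [S], seq 1, win 65535, length 0
"""

def parse_pflog_line(line):
    """Return a dict describing one pflog line, or None if it does not parse."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rest = rec["rest"]
    if "Flags [S.]" in rest:                         # TCP SYN-ACK: second step of a handshake
        rec["kind"] = "tcp-synack"
    elif rec["sport"] == 53 and re.search(r"\b(A|AAAA)\b", rest):
        rec["kind"] = "dns-answer"                   # DNS response coming back from port 53
    else:
        rec["kind"] = "other"
    return rec

def looks_like_blocked_reply(rec):
    """True when an inbound reply to host-originated traffic hit a block rule
    instead of an existing state, i.e. the state did not match on this interface."""
    return (rec["action"] == "block" and rec["dir"] == "in"
            and rec["kind"] in ("tcp-synack", "dns-answer") and rec["dport"] >= 1024)

def summarize(lines):
    """Count blocked replies per (interface, rule number, kind) to see where state is missing."""
    counts = Counter()
    for line in lines:
        rec = parse_pflog_line(line)
        if rec and looks_like_blocked_reply(rec):
            counts[(rec["ifname"], rec["rule"], rec["kind"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG.splitlines()).items():
        print(key, n)
```

On a live host, feed it the real capture (`tcpdump -n -e -ttt -i pflog0 ip6 > pflog.txt`) and a non-zero count for a block rule on the bridge member interface confirms that replies are arriving where no matching state exists.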