Date:      Thu, 31 Jul 2003 10:33:31 -0400
From:      Rocco Caputo <rcaputo@pobox.com>
To:        freebsd-net@freebsd.org
Subject:   Re: pppoe, can't ping tun0, ipfnat ftp proxy "doesn't work"
Message-ID:  <20030731143331.GD37634@eyrie.homenet>
In-Reply-To: <20030731082103.GA17861@carpediem.epita.fr>
References:  <20030730191530.GD36116@eyrie.homenet> <Pine.BSF.4.21.0307301250130.23956-100000@InterJet.elischer.org> <20030730213229.GA37634@eyrie.homenet> <20030731082103.GA17861@carpediem.epita.fr>

On Thu, Jul 31, 2003 at 10:21:03AM +0200, jeremie le-hen wrote:
> Rocco Caputo wrote:
> > The combination served me well when I was using ppp(8) to drive a serial
> > modem.  Now that I've switched to ADSL and PPPoE, things seem subtly
> > broken.  I blame the user (myself), but I haven't found a solution after
> > beating on the problem for several days.
> 
> Could you show us your ipf(8), ipnat(8) and ipfw(8) configuration files ?
> Foolish note: You can see echo requests leaving your box, and even echo replies
> coming back; for me, it smells you forgot to use the "keep state" statement
> in the rule which allows outgoing echo requests. But maybe I am missing
> something.

I think you're right about "keep state" being a problem.  ipfstat -t
shows several open states for tun0 -> tun0.  The 10sec interval is how
often I ping it.

68.213.211.142        68.213.211.142        0/0 icmp       4       116 0:50
68.213.211.142        68.213.211.142        0/0 icmp       4       116 0:30
68.213.211.142        68.213.211.142        0/0 icmp       4       116 0:00
68.213.211.142        68.213.211.142        0/0 icmp       4       116 0:10
68.213.211.142        68.213.211.142        0/0 icmp       4       116 0:40
68.213.211.142        68.213.211.142        0/0 icmp       4       116 0:20

It looks like state is being kept, but the echo replies aren't matching.
I've verified that the packets cross tun0:

3) eyrie:/home/troc/firewall# tcpdump -i tun0 \
> 'src 68.213.211.142 and dst 68.213.211.142 and icmp'
tcpdump: listening on tun0
10:23:44.035184 68.213.211.142 > 68.213.211.142: icmp: echo request
10:23:44.037761 68.213.211.142 > 68.213.211.142: icmp: echo request
10:23:44.037843 68.213.211.142 > 68.213.211.142: icmp: echo reply
10:23:44.038069 68.213.211.142 > 68.213.211.142: icmp: echo reply

That's odd, though.  I'm only pinging the address once every ten
seconds, but tcpdump shows two requests and replies.

The firewall configurations were included at the start of this thread,
but I'm including them again.  The other files are omitted.

=== ipfstat -i

block in quick on tun0 from 0.0.0.0/8 to any
block in quick on tun0 from 127.0.0.0/8 to any
block in quick on tun0 from 169.254.0.0/16 to any
block in quick on tun0 from 172.16.0.0/12 to any
block in quick on tun0 from 192.0.2.0/24 to any
block in quick on tun0 from 192.168.0.0/16 to any
block in quick on tun0 from 224.0.0.0/4 to any
block in quick on tun0 from 240.0.0.0/4 to any
pass in quick on lo0 from any to any
pass in quick on rl0 from any to any
pass in quick on dc0 from any to any
pass in quick on tun0 proto tcp from any to any port = 80 flags S/FSRPAU keep state keep frags
pass in quick on tun0 proto tcp from any to any port = 113 flags S/FSRPAU keep state keep frags
pass in quick on tun0 proto tcp from any to any port = 433 flags S/FSRPAU keep state keep frags
pass in quick on tun0 proto tcp from any to any port 6881 >< 6999 flags S/FSRPAU keep state keep frags
pass in quick on tun0 proto tcp from any to any port = 11512 flags S/FSRPAU keep state keep frags
pass in quick on tun0 proto tcp from any to any port 32000 >< 32100 flags S/FSRPAU keep state keep frags
block in quick from any to any

=== ipfstat -o

block out quick on tun0 from 0.0.0.0/8 to any
block out quick on tun0 from 127.0.0.0/8 to any
block out quick on tun0 from 169.254.0.0/16 to any
block out quick on tun0 from 172.16.0.0/12 to any
block out quick on tun0 from 192.0.2.0/24 to any
block out quick on tun0 from 192.168.0.0/16 to any
block out quick on tun0 from 224.0.0.0/4 to any
block out quick on tun0 from 240.0.0.0/4 to any
pass out quick on lo0 from any to any
pass out quick on rl0 from any to any
pass out quick on dc0 from any to any
pass out quick on tun0 proto icmp from any to any keep state
pass out quick on tun0 proto tcp from any to any flags S/FSRPAU keep state keep frags
pass out quick on tun0 proto udp from any to any keep state keep frags
block out quick from any to any

=== ipnat -l

List of active MAP/Redirect filters:
map tun0 68.213.211.142/32 -> 68.213.211.142/32 proxy port ftp ftp/tcp

List of active sessions:
(none)

=== ipfw show

01110 queue 18 icmp from any to any in via tun0
01110 queue 18 ip from any to any in via tun0 iptos lowdelay,throughput
01120 queue 18 tcp from any to any in via tun0 tcpflags ack
01120 queue 18 tcp from any to any in via tun0 tcpflags ack
01300 queue 14 ip from any to any in via tun0 iptos lowdelay
01310 queue 14 tcp from any 6666-6669 to any in via tun0
01320 queue 14 tcp from any 80 to any in via tun0
01400 queue 11 tcp from any 119 to any in via tun0
01410 queue 11 tcp from any 5999 to any in via tun0
01420 queue 11 tcp from any to any in via tun0 iplen 1500
01430 queue 11 tcp from any 6881-6889 to any in via tun0
01440 queue 11 tcp from any to any dst-port 6881-6889 in via tun0
01900 queue 12 ip from any to any in via tun0
02100 queue 28 icmp from any to any out via tun0
02110 queue 28 ip from any to any out via tun0 iptos lowdelay,throughput
02120 queue 28 tcp from any to any out via tun0 tcpflags ack
02130 queue 28 tcp from any to any out via tun0 setup
02300 queue 24 ip from any to any out via tun0 iptos lowdelay
02310 queue 24 tcp from any to any dst-port 6666-6669 out via tun0
02400 queue 21 tcp from any 80 to any out via tun0
02410 queue 21 tcp from any 443 to any out via tun0
02420 queue 21 tcp from any 11512 to any out via tun0
02430 queue 21 tcp from any to any dst-port 119 out via tun0
02440 queue 21 tcp from any to any dst-port 5999 out via tun0
02450 queue 21 tcp from any to any out via tun0 iplen 1500
02460 queue 21 tcp from any 6881-6889 to any out via tun0
02470 queue 21 tcp from any to any dst-port 6881-6889 out via tun0
02900 queue 22 ip from any to any out via tun0
60000 allow ip from any to any via lo0
60010 allow ip from any to any via rl0
60020 allow ip from any to any via dc0
60030 allow ip from any to any via tun0
60040 allow ip from any to any
65535 deny ip from any to any

=== ipfw queue show

00010: 368.000 Kbit/s    0 ms  36 KB 0 queues (1 buckets) droptail
00011: 736.000 Kbit/s    0 ms  73 KB 0 queues (1 buckets) droptail
00012:   1.472 Mbit/s    0 ms  147 KB 0 queues (1 buckets) droptail
00020:  64.000 Kbit/s    0 ms  6144 B 0 queues (1 buckets) droptail
00021: 128.000 Kbit/s    0 ms  12 KB 0 queues (1 buckets) droptail
00022: 256.000 Kbit/s    0 ms  25 KB 0 queues (1 buckets) droptail

=== end

-- 
Rocco Caputo - rcaputo@pobox.com - http://poe.perl.org/
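The check jeremie suggests (is outbound ICMP passed with "keep state", and what else do inbound replies depend on) can be done mechanically against an ipfstat dump. The script below is an added example and is not code from this thread or from IPFilter: the parser understands only the rule tokens that appear in the dump quoted above, not the full ipf(8) grammar, and the sample ruleset is a constructed subset of the ipfstat -i / -o output posted in this message.

```python
"""Audit an ipf(8) ruleset dump for stateful-filtering gaps.

Added example for this thread, not code from the thread or from IPFilter.
It parses the one-rule-per-line text that `ipfstat -i` / `ipfstat -o`
print and reports:
  * pass rules on an interface that carry no "keep state";
  * protocols passed out with keep state but never passed in on the same
    interface, whose replies therefore depend entirely on a state match;
  * the catch-all policy that ends each direction.
The regex covers the tokens used in the quoted dump, not the whole grammar.
"""
import re
from dataclasses import dataclass
from typing import Optional

RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)"
    r"(?P<quick>\s+quick)?"
    r"(?:\s+on\s+(?P<iface>\S+))?"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?P<rest>.*)$"
)


@dataclass
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in" or "out"
    quick: bool
    iface: Optional[str]   # None when the rule has no "on <iface>"
    proto: str             # "tcp", "udp", "icmp", ... or "any" when absent
    src: str
    dst: str
    keep_state: bool
    text: str


def parse_rules(dump: str) -> list:
    """Parse an ipfstat-style dump into Rule objects, in listed order."""
    rules = []
    for line in dump.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("unrecognised rule syntax: %r" % line)
        rules.append(Rule(
            action=m["action"], direction=m["dir"], quick=m["quick"] is not None,
            iface=m["iface"], proto=m["proto"] or "any",
            src=m["src"], dst=m["dst"],
            keep_state="keep state" in m["rest"], text=line))
    return rules


def stateless_passes(rules, iface):
    """Pass rules on iface without 'keep state': replies to the traffic they
    admit need their own rule in the reverse direction."""
    return [r for r in rules
            if r.action == "pass" and r.iface == iface and not r.keep_state]


def reply_only_protocols(rules, iface):
    """Protocols passed out on iface with keep state but with no pass-in rule
    on iface (or interface-less): their replies get in only while a state
    entry matches.  A proto-less pass-in rule covers every protocol."""
    out_stateful = {r.proto for r in rules
                    if r.action == "pass" and r.direction == "out"
                    and r.iface == iface and r.keep_state}
    in_passed = {r.proto for r in rules
                 if r.action == "pass" and r.direction == "in"
                 and r.iface in (iface, None)}
    if "any" in in_passed:
        return []
    return sorted(out_stateful - in_passed)


def default_policy(rules, direction):
    """Action of the last catch-all rule (no interface, no proto, any -> any)
    in the given direction, or None when the ruleset has none."""
    for r in reversed(rules):
        if (r.direction == direction and r.iface is None
                and r.proto == "any" and r.src == "any" and r.dst == "any"):
            return r.action
    return None


def audit(dump, iface):
    """Run all three checks for one interface and return them as a dict."""
    rules = parse_rules(dump)
    return {
        "stateless_pass": [r.text for r in stateless_passes(rules, iface)],
        "reply_only": reply_only_protocols(rules, iface),
        "default_in": default_policy(rules, "in"),
        "default_out": default_policy(rules, "out"),
    }


# Constructed subset of the ruleset posted in this thread (ipfstat -i / -o).
SAMPLE_RULES = """\
block in quick on tun0 from 127.0.0.0/8 to any
block in quick on tun0 from 192.168.0.0/16 to any
pass in quick on lo0 from any to any
pass in quick on rl0 from any to any
pass in quick on tun0 proto tcp from any to any port = 80 flags S/FSRPAU keep state keep frags
pass in quick on tun0 proto tcp from any to any port = 113 flags S/FSRPAU keep state keep frags
block in quick from any to any
block out quick on tun0 from 127.0.0.0/8 to any
pass out quick on lo0 from any to any
pass out quick on rl0 from any to any
pass out quick on tun0 proto icmp from any to any keep state
pass out quick on tun0 proto tcp from any to any flags S/FSRPAU keep state keep frags
pass out quick on tun0 proto udp from any to any keep state keep frags
block out quick from any to any
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_RULES, "tun0").items():
        print(key, value)
```

On the sample, outbound ICMP on tun0 does carry keep state, so the report lists no stateless pass rules on tun0; what it does show is that icmp and udp are "reply only" on tun0 (no pass-in rule at all, a final block in), so an echo reply that fails to match its state entry has nothing else to admit it. Feed it the full output of `ipfstat -io` to audit a live ruleset.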


