From owner-freebsd-pf@FreeBSD.ORG Mon Sep 27 09:27:31 2004
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D919B16A4CE for ; Mon, 27 Sep 2004 09:27:31 +0000 (GMT)
Received: from imo-d02.mx.aol.com (imo-d02.mx.aol.com [205.188.157.34]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6F89C43D45 for ; Mon, 27 Sep 2004 09:27:31 +0000 (GMT) (envelope-from AndygreenNet@netscape.net)
Received: from AndygreenNet@netscape.net by imo-d02.mx.aol.com (mail_out_v37_r3.7.) id n.c7.daa6119 (16240) for ; Mon, 27 Sep 2004 05:27:24 -0400 (EDT)
Received: from netscape.net (mow-d16.webmail.aol.com [205.188.139.132]) by air-in03.mx.aol.com (v101_r1.4) with ESMTP id MAILININ34-3f704157dcfc1fc; Mon, 27 Sep 2004 05:27:24 -0400
Date: Mon, 27 Sep 2004 05:27:24 -0400
From: AndygreenNet@netscape.net
To: freebsd-pf@freebsd.org
MIME-Version: 1.0
Message-ID: <177F7114.0512876E.0C457E44@netscape.net>
X-Mailer: Atlas Mailer 2.0
X-AOL-IP: 62.33.196.200
X-AOL-Language: english
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Subject: Re: Can't access rsh listen on lo0
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical discussion and general questions about packet filter (pf)
X-List-Received-Date: Mon, 27 Sep 2004 09:27:32 -0000

Hi, everybody!

On 26.09.2004 Max Laier max@love2party.net wrote:

Max Laier> On Saturday 25 September 2004 06:08, AndygreenNet@netscape.net wrote:
>> Hello freebsd-pf,
>>
>> Help me please.
>>
>> I have:
>> FreeBSD 5_2_1
>> pf-freebsd-2.03

Max Laier> First of all ... to *everybody*: If you want a production-use box with pf,
Max Laier> please move to a 5.3-BETA installation and get pf out of the box. If you are
Max Laier> worried about stability, set debug.mpsafenet=0 (PREEMPTION and ULE are off by
Max Laier> default). You won't regret it!

>> I tried to access rsh listening on lo0.
>> The connection is interrupted with the messages:
>> rsh: Connection timeout;
>> or
>> rsh: Connection reset by peer.

Max Laier> That is a fairly complicated ruleset you have there; I have some trouble
Max Laier> reading it. But you might want to try the following:

>> My pf.conf.
>>
>> # Macros: define common values, so they can be referenced and changed easily.
>> ext_if="{ vlan1, fxp2 }" # replace with actual external interface name i.e., dc0
>> int_if="fxp0" # replace with actual internal interface name i.e., dc1
>> ext_bridge_if="{ vlan0, vlan2, vlan3 }"
Max Laier> unfiltered="{ lo0 }"
>> int_bridge_if="{ xl0, vlan4, vlan5 }"
>> internal_net_TTK="62.33.196.128/25"
>> internal_net_RT_COMM="213.59.235.120/29"
>> external_addr_TTK="62.33.196.254"
>> external_addr_RT_COMM="213.59.128.130"
>> restricted_ports="{ 135, 136, 137, 138, 139, 445 }"
>> allow_tcp_ports="{ ftp, ftp-data, ssh, smtp, domain, http, pop3, ntp, imap, https, snpp, > 1023}"
>> allow_udp_ports="{ domain, > 1023}"
>> ARP_in="inet proto { tcp, udp } from any port uarps to any port > 1023"
>> ARP_out="inet proto { tcp, udp } from any port > 1023 to any port uarps"
>>
>> # Options: tune the behavior of pf, default values are given.
>> set timeout { interval 10, frag 30 }
>> set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
>> set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
>> set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
>> set timeout { icmp.first 20, icmp.error 10 }
>> set timeout { other.first 60, other.single 30, other.multiple 60 }
>> set timeout { adaptive.start 0, adaptive.end 0 }
>> set limit { states 10000, frags 5000 }
>> set loginterface none
>> set optimization normal
>> set block-policy drop
>> set require-order yes
>> set fingerprints "/usr/local/etc/pf.os"
>>
>> # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
>> scrub in all
>>
>> # spamd-setup puts addresses to be redirected into table .
>> table persist
>> no rdr on lo0 from any to any
>> rdr inet proto tcp from to any port smtp -> 127.0.0.1 port 8025
>>
Max Laier> #Allow loopback and friends
Max Laier> pass quick on $unfiltered
>> # Filtering: external interfaces
>> block in log quick on $ext_if inet proto { tcp, udp } from any to any port $restricted_ports
>> pass in on $ext_if inet proto icmp from any to any icmp-type { 0, 8 }
>> pass in quick on $ext_if inet proto tcp from any to any port $allow_tcp_ports
>> pass in quick on $ext_if inet proto udp from any port $allow_udp_ports to any port $allow_udp_ports
>> pass out on $ext_if inet proto icmp from any to any icmp-type { 0, 8 }
>> pass out quick on $ext_if inet proto tcp from any port $allow_tcp_ports to any
>> pass out quick on $ext_if inet proto udp from any port $allow_udp_ports to any port $allow_udp_ports
>>
>> # Filtering: external bridge interfaces
>> block in log quick on $ext_bridge_if inet proto { tcp, udp } from any to any port $restricted_ports
>> pass in quick on $ext_bridge_if $ARP_in
>> pass in on $ext_bridge_if inet proto icmp from any to any icmp-type { 0, 8 }
>> pass in quick on $ext_bridge_if inet proto { tcp, udp } from any to any
>> pass out quick on $ext_bridge_if $ARP_out
>> pass out on $ext_bridge_if inet proto icmp from any to any icmp-type { 0, 8 }
>> pass out quick on $ext_bridge_if inet proto { tcp, udp } from any to any
>>
>> # Filtering internal interfaces with keep state, logging blocked packets.
>> block in log on $int_if all
>> pass in quick on $int_if $ARP_out keep state
>> pass in quick on $int_if inet proto icmp all icmp-type { 0, 8 } keep state
>> pass in quick on $int_if inet proto tcp from { $internal_net_TTK, $internal_net_RT_COMM } port $allow_tcp_ports to any keep state
>> pass in quick on $int_if inet proto udp from { $internal_net_TTK, $internal_net_RT_COMM } port $allow_udp_ports to any port $allow_udp_ports keep state
>>
>> # Filtering internal bridge interfaces with keep state, logging blocked packets.
>> block in log on $int_bridge_if all
>> pass in quick on $int_bridge_if $ARP_out keep state
>> pass in quick on $int_bridge_if inet proto icmp all icmp-type { 0, 8 } keep state
>> pass in quick on $int_bridge_if inet proto { tcp, udp } from any to any keep state
>>
>> Where was I mistaken?

Max Laier> Not sure ... $pfctl -vsr and pflog0 may tell you.

First of all, thanks!

I created pf.conf with two rules:

pass in all
pass out all

%sudo pftop
pfTop: Up Rule 1-2/2, View: label, Cache: 10000                    19:06:27

RULE LABEL           PKTS    BYTES STATES    MAX ACTION DIR LOG Q IF PR K
0                     757   114280      0        Pass   In
1                     181   475711      0        Pass   Out

And then:

%sudo rsh -l root show ip accounting
rcmd: localhost: Operation timed out

%sudo pftcpdump -i pflog0 'host localhost'
pftcpdump: WARNING: pflog0: no IPv4 address assigned
pftcpdump: listening on pflog0
19:00:17.129118 localhost.shell > localhost.950: . ack 1303722277 win 43008 (DF)
19:00:17.232252 localhost.shell > localhost.950: . ack 30 win 42979 (DF)
19:00:17.232435 localhost.shell > localhost.950: . ack 30 win 42980 (DF)
19:00:17.232518 localhost.shell > localhost.950: . ack 30 win 42981 (DF)
19:00:17.232589 localhost.shell > localhost.950: . ack 30 win 42982 (DF)
19:00:17.232661 localhost.shell > localhost.950: . ack 30 win 42983 (DF)
19:00:17.232736 localhost.shell > localhost.950: . ack 30 win 42984 (DF)
19:00:17.232810 localhost.shell > localhost.950: . ack 30 win 42985 (DF)
19:00:17.232880 localhost.shell > localhost.950: . ack 30 win 42986 (DF)
19:00:17.232951 localhost.shell > localhost.950: . ack 30 win 42987 (DF)
19:00:17.233049 localhost.shell > localhost.950: . ack 30 win 42988 (DF)
19:00:17.233259 localhost.shell > localhost.950: . ack 30 win 42989 (DF)
19:00:17.233334 localhost.shell > localhost.950: . ack 30 win 42990 (DF)
19:00:17.233407 localhost.shell > localhost.950: . ack 30 win 42991 (DF)
19:00:17.233478 localhost.shell > localhost.950: . ack 30 win 42992 (DF)
19:00:17.233549 localhost.shell > localhost.950: . ack 30 win 42993 (DF)
19:00:17.233621 localhost.shell > localhost.950: . ack 30 win 42994 (DF)
19:00:17.233693 localhost.shell > localhost.950: . ack 30 win 42995 (DF)
19:00:17.233765 localhost.shell > localhost.950: . ack 30 win 42996 (DF)
19:00:17.233836 localhost.shell > localhost.950: . ack 30 win 42997 (DF)
19:00:17.233907 localhost.shell > localhost.950: . ack 30 win 42998 (DF)
19:00:17.233979 localhost.shell > localhost.950: . ack 30 win 42999 (DF)
19:00:17.234075 localhost.shell > localhost.950: . ack 30 win 43000 (DF)
19:00:17.234260 localhost.shell > localhost.950: . ack 30 win 43001 (DF)
19:00:17.234337 localhost.shell > localhost.950: . ack 30 win 43002 (DF)
19:00:17.234408 localhost.shell > localhost.950: . ack 30 win 43003 (DF)
19:00:17.234479 localhost.shell > localhost.950: . ack 30 win 43004 (DF)
19:00:17.234551 localhost.shell > localhost.950: . ack 30 win 43005 (DF)
19:00:17.234622 localhost.shell > localhost.950: . ack 30 win 43006 (DF)
19:00:17.234694 localhost.shell > localhost.950: . ack 30 win 43007 (DF)
19:00:17.234767 localhost.shell > localhost.950: . ack 30 win 43008 (DF)
19:00:17.234846 localhost.shell > localhost.950: P 0:1(1) ack 30 win 43008 (DF)
19:00:17.293052 localhost.shell > localhost.950: P 0:4097(4097) ack 30 win 43008 (DF)
19:00:17.332208 localhost.shell > localhost.950: P 0:4097(4097) ack 30 win 43008 (DF)
19:00:17.350636 localhost.shell > localhost.950: P 0:8193(8193) ack 30 win 43008 (DF)
19:00:17.406621 localhost.shell > localhost.950: P 0:12289(12289) ack 30 win 43008 (DF)
19:00:17.437219 localhost.shell > localhost.950: P 0:12289(12289) ack 30 win 43008 (DF)
19:00:17.438332 localhost.shell > localhost.950: P 0:12289(12289) ack 30 win 43008 (DF)
19:00:17.463725 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 (DF)
19:00:17.521835 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 (DF)
19:00:17.577827 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 (DF)
19:00:17.634399 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 (DF)
19:00:17.643171 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 (DF)
19:00:17.650303 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 (DF)
19:00:17.691123 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 (DF)
19:00:17.747135 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 (DF)
19:00:17.803602 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 (DF)
19:00:17.855176 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 (DF)
19:00:17.874296 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 (DF)
19:00:18.079055 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 (DF)
19:00:18.122157 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 (DF)
19:00:18.327024 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 (DF)
19:00:18.418158 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 (DF)
19:00:18.622972 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 (DF)
19:00:18.810154 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 (DF)
19:00:19.014923 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 (DF)
19:00:19.393998 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 (DF)
19:00:19.598834 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 (DF)
19:00:20.361905 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 (DF)
19:00:20.566681 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 (DF)
19:00:22.097648 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 (DF)
19:00:22.302391 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 (DF)
19:00:23.833353 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 (DF)
19:00:24.038109 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 (DF)
19:00:25.569065 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 (DF)
19:00:25.773815 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 (DF)

What is it? Why?

_____________________________________
Best regards,
Andrew Kochetkoff
mailto:andrews@mtelecom.chita.ru
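A parser for the pftcpdump output quoted in the message above, added here as an editor's example; it is not code from the thread, from pf, or from pftcpdump. It reads tcpdump-style TCP summary lines (the constructed SAMPLE mirrors a few of the quoted lines), groups them into unidirectional flows and reports the two things worth checking first in a pflog capture: whether both directions of the connection were logged at all (pflog0 only carries packets that matched a rule with the log keyword, so a capture that shows one side of the conversation only means the other direction was not logged by any rule) and how many data segments were resent with the same seq:end range, which is what a sender does when it never sees an ACK. The function names (parse_line, summarize, findings) and the sample lines are assumptions of this example.

```python
import re
import sys
from collections import OrderedDict

# Constructed sample: a few lines in the pftcpdump/tcpdump format quoted in the
# thread (the server side "localhost.shell" talking to the client's port 950).
SAMPLE = """\
19:00:17.129118 localhost.shell > localhost.950: . ack 1303722277 win 43008 (DF)
19:00:17.232252 localhost.shell > localhost.950: . ack 30 win 42979 (DF)
19:00:17.234846 localhost.shell > localhost.950: P 0:1(1) ack 30 win 43008 (DF)
19:00:17.293052 localhost.shell > localhost.950: P 0:4097(4097) ack 30 win 43008 (DF)
19:00:17.463725 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 (DF)
19:00:17.521835 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 (DF)
19:00:17.577827 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 (DF)
"""

# One tcpdump TCP summary line:
#   time src.port > dst.port: flags [seq:end(len)] [ack N] [win N] ...
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+?)\.(?P<sport>[^.\s:]+)\s+>\s+"
    r"(?P<dst>\S+?)\.(?P<dport>[^.\s:]+):\s+"
    r"(?P<flags>[A-Z.]+)"
    r"(?:\s+(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?:\s+ack\s+(?P<ack>\d+))?"
    r"(?:\s+win\s+(?P<win>\d+))?"
)


def parse_line(line):
    """Return the line's fields as a dict, or None if it is not a TCP summary line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    for field in ("seq", "end", "len", "ack", "win"):
        pkt[field] = int(pkt[field]) if pkt[field] is not None else None
    return pkt


def summarize(text):
    """Group packets by unidirectional flow (src, sport, dst, dport).

    A data segment whose exact seq:end range was already seen in the same flow
    is counted as a retransmit. reverse_seen tells whether the opposite
    direction of the flow appeared anywhere in the capture.
    """
    flows = OrderedDict()
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue  # banner lines such as "listening on pflog0"
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        flow = flows.setdefault(key, {
            "packets": 0, "retransmits": 0,
            "first": pkt["ts"], "last": pkt["ts"], "_segments": set(),
        })
        flow["packets"] += 1
        flow["last"] = pkt["ts"]
        if pkt["len"]:
            segment = (pkt["seq"], pkt["end"])
            if segment in flow["_segments"]:
                flow["retransmits"] += 1
            else:
                flow["_segments"].add(segment)
    for key, flow in flows.items():
        reverse = (key[2], key[3], key[0], key[1])
        flow["reverse_seen"] = reverse in flows
        del flow["_segments"]  # internal bookkeeping only
    return flows


def findings(flows):
    """Plain-language observations a reader would check first."""
    notes = []
    for (src, sport, dst, dport), flow in flows.items():
        name = "%s.%s > %s.%s" % (src, sport, dst, dport)
        if not flow["reverse_seen"]:
            notes.append("%s: only this direction is on pflog0 (%d packets); "
                         "the other direction was not logged by any rule"
                         % (name, flow["packets"]))
        if flow["retransmits"]:
            notes.append("%s: %d data segments were resent, so the sender never "
                         "saw an ACK for them" % (name, flow["retransmits"]))
    return notes


if __name__ == "__main__":
    # Pipe a saved pftcpdump capture on stdin, or run with no input to use SAMPLE.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for note in findings(summarize(text)):
        print(note)
```

Run it as `pftcpdump -i pflog0 'host localhost' | tee capture.txt` first and then `python3 pflogsum.py < capture.txt`; the duplicate-segment count grows with every resend while the ACK number stays put, which is the pattern the quoted capture shows. The script only understands the hostname.port form in the quoted output; with `-n` it works the same way because a dotted IPv4 address is split at its last dot.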