Date: Tue, 29 Jul 2003 21:03:06 -0400
From: Rocco Caputo
To: freebsd-questions@freebsd.org
Message-ID: <20030730010306.GG54117@eyrie.homenet>
Subject: pppoe, can't ping tun0 from dmz machine

I've acquired DSL. I didn't like the modem's NAT and PPPoE, so I switched it to bridged Ethernet and am using ppp(8) for that. I'm using ipfw2 for QOS things (pipes and queues). I'm using ipf for firewalling and ftp proxying.

Almost everything works well, except (so far) active FTP and pinging the tun0 interface.

tcpdump shows ICMP echo requests and responses, but ping does not see them. Opening ipf (pass in all, pass out all) "fixes" ping.

ipnat's active ftp proxy sees the PORT request and punches a hole through the firewall, but incoming packets don't arrive. Opening ipf "fixes" this, too.

Other incoming connections seem to work fine. DNS works fine. TCP works fine.

I've read the handbook, the howtos, searched the list archives, usenet, and the web. Nothing solved it.

So. What have I overlooked? Where have I gone wrong? Would you like to see my cling-film collection? How about an extensive (but perhaps not exhaustive) excerpt from my system configuration? Ok, it is included.

-- 
Rocco Caputo - rcaputo@pobox.com - http://poe.perl.org/

=== ppp.conf

default:
 ident user-ppp VERSION (built COMPILATIONDATE)
 set log CBCP CCP Chat Connect Command IPCP tun Phase Warning

papchap:
 add default HISADDR
 disable ipv6cp
 disable vjcomp
 enable iface-alias
 enable lqr
 enable tcpmssfixup
 nat enable yes
 nat log yes
 nat same_ports yes
 set authkey *****
 set authname *****
 set cd 5
 set crtscts off
 set device PPPoE:dc0
 set dia
 set ifaddr 68.213.211.142/0 192.168.36.176/0
 set login
 set mru 1492
 set mtu 1492
 set redial 1 0
 set server /var/run/tun0 "" 0177
 set speed sync
 set timeout 0

=== netstat -rn

Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.36.176     UGSc       80  1377475   tun0
10                 link#2             UC          4        0    rl0
10.0.0.7           link#2             UHLW        0        8    rl0
10.0.0.18          00:e0:18:0b:ac:22  UHLW        1   115334    rl0    303
10.0.0.25          00:e0:18:30:68:32  UHLW        0   292874    lo0
10.0.0.100         00:e0:18:30:65:f6  UHLW        1   111019    rl0    163
127.0.0.1          127.0.0.1          UH          6   196295    lo0
192.168.1          link#1             UC          2        0    dc0
192.168.1.25       00:04:5a:59:8e:92  UHLW        0   142112    lo0
192.168.1.254      00:60:0f:31:c7:86  UHLW        0    75153    dc0    865
192.168.36.176     68.213.211.142     UH         76    71059   tun0

=== ipfstat -i

block in quick on tun0 from 0.0.0.0/8 to any
block in quick on tun0 from 127.0.0.0/8 to any
block in quick on tun0 from 169.254.0.0/16 to any
block in quick on tun0 from 172.16.0.0/12 to any
block in quick on tun0 from 192.0.2.0/24 to any
block in quick on tun0 from 192.168.0.0/16 to any
block in quick on tun0 from 224.0.0.0/4 to any
block in quick on tun0 from 240.0.0.0/4 to any
pass in quick on lo0 from any to any
pass in quick on rl0 from any to any
pass in quick on dc0 from any to any
pass in quick on tun0 proto tcp from any to any port = 80 flags S/FSRPAU keep state keep frags
pass in quick on tun0 proto tcp from any to any port = 113 flags S/FSRPAU keep state keep frags
pass in quick on tun0 proto tcp from any to any port = 433 flags S/FSRPAU keep state keep frags
pass in quick on tun0 proto tcp from any to any port 6881 >< 6999 flags S/FSRPAU keep state keep frags
pass in quick on tun0 proto tcp from any to any port = 11512 flags S/FSRPAU keep state keep frags
pass in quick on tun0 proto tcp from any to any port 32000 >< 32100 flags S/FSRPAU keep state keep frags
block in quick from any to any

=== ipfstat -o

block out quick on tun0 from 0.0.0.0/8 to any
block out quick on tun0 from 127.0.0.0/8 to any
block out quick on tun0 from 169.254.0.0/16 to any
block out quick on tun0 from 172.16.0.0/12 to any
block out quick on tun0 from 192.0.2.0/24 to any
block out quick on tun0 from 192.168.0.0/16 to any
block out quick on tun0 from 224.0.0.0/4 to any
block out quick on tun0 from 240.0.0.0/4 to any
pass out quick on lo0 from any to any
pass out quick on rl0 from any to any
pass out quick on dc0 from any to any
pass out quick on tun0 proto icmp from any to any keep state
pass out quick on tun0 proto tcp from any to any flags S/FSRPAU keep state keep frags
pass out quick on tun0 proto udp from any to any keep state keep frags
block out quick from any to any

=== ipnat -l

List of active MAP/Redirect filters:
map tun0 68.213.211.142/32 -> 68.213.211.142/32 proxy port ftp ftp/tcp

List of active sessions:
(none)

=== various rc.conf bits

ifconfig_dc0="inet 192.168.1.25 netmask 255.255.255.0"
network_interfaces="lo0 rl0 dc0 tun0"
firewall_enable="YES"
firewall_logging="YES"
firewall_type="/etc/rc.firewall.custom"
firewall_flags="-p /usr/bin/cpp"
ipfilter_enable="YES"
ipfilter_program="/sbin/ipf"
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"
ppp_enable="yes"
ppp_mode="ddial"
ppp_nat="yes"
ppp_profile="papchap"

=== ipfw show

01110 queue 18 icmp from any to any in via tun0
01110 queue 18 ip from any to any in via tun0 iptos lowdelay,throughput
01120 queue 18 tcp from any to any in via tun0 tcpflags ack
01120 queue 18 tcp from any to any in via tun0 tcpflags ack
01300 queue 14 ip from any to any in via tun0 iptos lowdelay
01310 queue 14 tcp from any 6666-6669 to any in via tun0
01320 queue 14 tcp from any 80 to any in via tun0
01400 queue 11 tcp from any 119 to any in via tun0
01410 queue 11 tcp from any 5999 to any in via tun0
01420 queue 11 tcp from any to any in via tun0 iplen 1500
01430 queue 11 tcp from any 6881-6889 to any in via tun0
01440 queue 11 tcp from any to any dst-port 6881-6889 in via tun0
01900 queue 12 ip from any to any in via tun0
02100 queue 28 icmp from any to any out via tun0
02110 queue 28 ip from any to any out via tun0 iptos lowdelay,throughput
02120 queue 28 tcp from any to any out via tun0 tcpflags ack
02130 queue 28 tcp from any to any out via tun0 setup
02300 queue 24 ip from any to any out via tun0 iptos lowdelay
02310 queue 24 tcp from any to any dst-port 6666-6669 out via tun0
02400 queue 21 tcp from any 80 to any out via tun0
02410 queue 21 tcp from any 443 to any out via tun0
02420 queue 21 tcp from any 11512 to any out via tun0
02430 queue 21 tcp from any to any dst-port 119 out via tun0
02440 queue 21 tcp from any to any dst-port 5999 out via tun0
02450 queue 21 tcp from any to any out via tun0 iplen 1500
02460 queue 21 tcp from any 6881-6889 to any out via tun0
02470 queue 21 tcp from any to any dst-port 6881-6889 out via tun0
02900 queue 22 ip from any to any out via tun0
60000 allow ip from any to any via lo0
60010 allow ip from any to any via rl0
60020 allow ip from any to any via dc0
60030 allow ip from any to any via tun0
60040 allow ip from any to any
65535 deny ip from any to any

=== ipfw queue show

00010: 368.000 Kbit/s    0 ms   36 KB 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
00011: 736.000 Kbit/s    0 ms   73 KB 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
00012:   1.472 Mbit/s    0 ms  147 KB 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
00020:  64.000 Kbit/s    0 ms 6144 B  0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
00021: 128.000 Kbit/s    0 ms   12 KB 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
00022: 256.000 Kbit/s    0 ms   25 KB 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000

=== end
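The quoted ipf ruleset is evaluated first-match (every rule carries "quick"), with the state table consulted before the rules, so what passes on tun0 depends on the order of the rules and on whether an outbound "keep state" rule created a session first. The following is an added example, not code from the mail or from FreeBSD's ipf: a small Python evaluator for the subset of the ipf grammar that the ipfstat -i / -o output above uses, run over an excerpt of those rules. It shows that an unsolicited ICMP echo request arriving on tun0 has no pass rule and falls to the final "block in quick from any to any", that the same reply passes once an outbound "pass out quick on tun0 proto icmp ... keep state" packet created state, and that ipf's "port 6881 >< 6999" is an exclusive range, so port 6881 itself is blocked while 6882 passes. The 198.51.100.7 peer address and the "state approximated by a session set without ports or timeouts" are constructed assumptions of this toy, not facts from the post.

```python
"""Toy first-match evaluator for ipf rules in the 'ipfstat -i' / 'ipfstat -o' syntax.

Added example, not code from the original mail or from FreeBSD.  It models only the
subset of ipf grammar the quoted rules use: direction, 'quick', 'on <iface>',
'proto', 'from <cidr|any>', 'to <cidr|any>', 'port = N', 'port A >< B' and
'keep state'.  'flags' and 'keep frags' are accepted and ignored.  State is
approximated by a session set keyed on interface, protocol and the two addresses
(no ports, no timeouts), which is a constructed simplification of ipf's state table.
"""
import ipaddress
import re

# Constructed excerpt of the ruleset quoted in the post (ipfstat -i, then -o).
RULES_TEXT = """
block in quick on tun0 from 192.168.0.0/16 to any
pass in quick on lo0 from any to any
pass in quick on rl0 from any to any
pass in quick on dc0 from any to any
pass in quick on tun0 proto tcp from any to any port = 80 flags S/FSRPAU keep state keep frags
pass in quick on tun0 proto tcp from any to any port 6881 >< 6999 flags S/FSRPAU keep state keep frags
block in quick from any to any
block out quick on tun0 from 192.168.0.0/16 to any
pass out quick on lo0 from any to any
pass out quick on rl0 from any to any
pass out quick on dc0 from any to any
pass out quick on tun0 proto icmp from any to any keep state
pass out quick on tun0 proto tcp from any to any flags S/FSRPAU keep state keep frags
pass out quick on tun0 proto udp from any to any keep state keep frags
block out quick from any to any
"""

RULE_RE = re.compile(
    r"^(?P<action>block|pass)\s+(?P<dir>in|out)\s+quick"
    r"(?:\s+on\s+(?P<iface>\S+))?"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s+(?:=\s+(?P<eq>\d+)|(?P<lo>\d+)\s+><\s+(?P<hi>\d+)))?"
    r"(?P<rest>.*)$"
)


def parse_rules(text):
    """Parse one rule per line into dicts; unsupported syntax is an error, not ignored."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported rule syntax: " + line)
        r = m.groupdict()
        r["text"] = line.strip()
        r["keep_state"] = "keep state" in r["rest"]
        rules.append(r)
    return rules


def addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def port_matches(rule, dport):
    if rule["eq"] is not None:
        return dport == int(rule["eq"])
    if rule["lo"] is not None:
        # ipf's 'A >< B' is exclusive (A < port < B): 6881 does not match 6881 >< 6999.
        return int(rule["lo"]) < dport < int(rule["hi"])
    return True


def rule_matches(rule, pkt):
    return (
        rule["dir"] == pkt["dir"]
        and (rule["iface"] is None or rule["iface"] == pkt["iface"])
        and (rule["proto"] is None or rule["proto"] == pkt["proto"])
        and addr_matches(rule["src"], pkt["src"])
        and addr_matches(rule["dst"], pkt["dst"])
        and port_matches(rule, pkt.get("dport", 0))
    )


class Filter:
    """First-match evaluator: every quoted rule is 'quick', so the first hit decides."""

    def __init__(self, rules):
        self.rules = rules
        self.state = set()

    @staticmethod
    def _key(pkt, reverse=False):
        a, b = (pkt["dst"], pkt["src"]) if reverse else (pkt["src"], pkt["dst"])
        return (pkt["iface"], pkt["proto"], a, b)

    def evaluate(self, pkt):
        """Return (decision, reason). The state table is consulted before the rules."""
        if self._key(pkt, reverse=True) in self.state:
            return "pass", "state"
        for r in self.rules:
            if rule_matches(r, pkt):
                if r["action"] == "pass" and r["keep_state"]:
                    self.state.add(self._key(pkt))
                return r["action"], r["text"]
        return "pass", "no rule matched (ipf default)"


def pkt(direction, iface, proto, src, dst, dport=0):
    return {"dir": direction, "iface": iface, "proto": proto, "src": src, "dst": dst, "dport": dport}


def demo():
    """Run constructed packets through the excerpt; 198.51.100.7 is a made-up peer."""
    f = Filter(parse_rules(RULES_TEXT))
    me, peer = "68.213.211.142", "198.51.100.7"
    results = {}
    # No inbound icmp rule exists, so an unsolicited echo request hits the final block.
    results["unsolicited_icmp_in"] = f.evaluate(pkt("in", "tun0", "icmp", peer, me))[0]
    # An echo request out via tun0 creates state; the reply then passes on that state.
    f.evaluate(pkt("out", "tun0", "icmp", me, peer))
    results["icmp_reply_in"] = f.evaluate(pkt("in", "tun0", "icmp", peer, me))
    # Exclusive range: 6881 is blocked, 6882 passes.
    results["tcp_6881_in"] = f.evaluate(pkt("in", "tun0", "tcp", peer, me, 6881))[0]
    results["tcp_6882_in"] = f.evaluate(pkt("in", "tun0", "tcp", peer, me, 6882))[0]
    # A private source address arriving on tun0 is caught by the bogon block first.
    results["bogon_in"] = f.evaluate(pkt("in", "tun0", "tcp", "192.168.5.5", me, 80))[0]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The evaluator deliberately rejects syntax it does not understand instead of skipping it, so a rule that silently fails to parse cannot make the model look more permissive or more restrictive than the real ruleset; the same discipline applies when checking a production ruleset against expectations.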