From owner-freebsd-bugs@FreeBSD.ORG Sat Nov 22 01:40:02 2008
Message-Id: <200811220116.mAM1GJRI075028@midget.dons.net.au>
Date: Sat, 22 Nov 2008 11:46:19 +1030 (CST)
From: "Daniel J. O'Connor"
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: kern/129060: pf doesn't forget the old tun IP

>Number:         129060
>Category:       kern
>Synopsis:       pf doesn't forget the old tun IP
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Nov 22 01:40:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Daniel J. O'Connor
>Release:        FreeBSD 7.1-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD midget.dons.net.au 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #2: Sun Oct 12 18:17:04 CST 2008 darius@midget.dons.net.au:/data/obj/data/src/sys/GENERIC i386
>Description:
If I use ppp to run my PPPoE connection (over my ADSL modem running in bridged mode) and the connection drops out, pf does not seem to forget the old IP. When I make new connections, every second one doesn't work. The existing SIP connection my ATA uses remains broken as it gets mapped to the old address.

If I switch to using mpd then this problem doesn't happen; however, I find that applications get "device not configured" errors when trying to send traffic! This only happens infrequently, but it seems to "stick" on, and restarting mpd doesn't always fix it, e.g.

Nov 18 19:19:53 midget named[338]: /data/src/lib/bind/isc/../../../contrib/bind9/lib/isc/unix/socket.c:1179: unexpected error:
Nov 18 19:19:53 midget kernel:
Nov 18 19:19:53 midget named[338]: /data/src/lib/bind/isc/../../../contrib/bind9/lib/isc/unix/socket.c:1179: unexpected error:
Nov 18 19:19:53 midget named[338]: internal_send: 192.231.203.132#53: Device not configured

My pf.conf is below.
### macros
int_if = "em0"
ext_if = "tun0"

# Incoming TCP services we provide
tcp_services = "{ www, https, 6881:6899 }"
tcp_services_limited = "{ ssh, imap, imaps, smtp, smtps, pop3, pop3s, \
	ftp, ftp-data }"

steam_ports = "{27030, 27031}"
steam_ips = "{202.136.100.227, 202.72.191.174, 203.24.101.93, 203.34.186.14, 203.46.104.7, 203.46.104.8, 150.101.135.1}"

# Game ports
game_ports = "{27015}"

# ICMP we want to allow
icmp_types = "{ echoreq, trace }"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

### Tables
table persist

### Options
set block-policy return
#set loginterface $ext_if
set timeout src.track 10

# Scrub
#scrub in all

# NAT
nat on $ext_if from $int_if:network to any -> ($ext_if) static-port
rdr pass on $ext_if inet proto tcp to port 8000 -> 10.0.2.73 port 80
#rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# UPnPd rdr anchor
rdr-anchor "miniupnpd"

# filter rules

# Exempt loopback
pass quick on lo0

# Default to blocking
block log all

# Deny from any known abusive host
block in quick from

# Block all STEAM...
#block out quick on $ext_if proto {tcp, udp} from any to any port $steam_ports
#block in quick on $ext_if proto {tcp, udp} from any to any port $steam_ports
# Except 'node
#pass out quick on $ext_if proto {tcp, udp} from any to $steam_ips port $steam_ports keep state
#pass in quick on $ext_if proto {tcp, udp} from $steam_ips port $steam_ports to any keep state

# Deny from any host in the PG list
#block return in quick proto { tcp, udp } from to any port 6800:6900

# Drop any internal nets appearing from the outside
#antispoof for { $ext_if, $int_if, lo0 }
# Or this?
#block drop in quick on $ext_if from $priv_nets to any
#block drop out quick on $ext_if from any to $priv_nets

# uPnPd
anchor "miniupnpd"

# Allow our services in
#pass in on $ext_if inet proto tcp from any to ($ext_if) \
#	port $tcp_services flags S/SA keep state

#pass in proto ipv6 from any to any keep state
#pass out proto ipv6 from any to any keep state
#pass in proto ipv6-icmp from any to any keep state
#pass out proto ipv6-icmp from any to any keep state

# Multicast for miniupnpd
pass out on $int_if from any to 239.0.0.0/8 keep state
pass in on $int_if from any to 239.0.0.0/8 keep state

# Telnet for Alex
pass in on $ext_if proto tcp from 203.5.217.4 to ($ext_if) \
	port 23 flags S/SA keep state

# Rate limited TCP services
pass in on $ext_if proto tcp from any to ($ext_if) \
	port $tcp_services_limited flags S/SA keep state \
	(max-src-conn-rate 5/4, overload flush global)

# Unlimited TCP services
pass in on $ext_if proto tcp from any to ($ext_if) \
	port $tcp_services flags S/SA keep state

#pass in on $ext_if proto udp from any to ($ext_if) port 12345 keep state
#pass in on $ext_if proto udp from any to ($ext_if) port 15345 keep state

# Allow ICMP echo
pass in inet proto icmp all icmp-type $icmp_types keep state

# Allow packets on internal network
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

# Track outgoing TCP connection state
pass out on $ext_if proto tcp all flags S/SA keep state
# Normal TCP traffic and ACKs/no payload
pass out on $ext_if proto tcp from any keep state

# DNS queries
pass out on $ext_if proto udp from any to any port 53 keep state

# Track outgoing UDP state
pass out on $ext_if proto udp all keep state

# Game traffic
pass out on $ext_if proto udp from any to any port $game_ports keep state

# Track outgoing ICMP state
pass out on $ext_if proto icmp all keep state

>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
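The behaviour the PR describes follows from how `nat ... -> ($ext_if)` works: the interface address is looked up when a state is created, so states made before the PPPoE link dropped keep the old tun0 address as their translated source, while states made after the reconnect get the new one. The check a practitioner wants is a list of the stale entries and the `pfctl -k` commands that remove them, which a ppp link hook can run. The script below is an added example and is not part of the PR, nor FreeBSD or pf project code. It assumes the classic `pfctl -ss` output form `ifname proto lan -> gwy -> ext state` for outbound NAT states; the sample state lines are constructed, using 121.45.35.47 (taken from the Received header and assumed to be the old PPP address) and documentation ranges for the other public addresses.

```shell
#!/bin/sh
# Added example, not from the PR: find pf NAT states still pinned to a
# previous tun0 address after a PPPoE reconnect and emit the pfctl -k
# commands that would kill them.
#
# Assumption: "pfctl -ss" prints outbound NAT states as
#   ifname proto lan:port -> gwy:port -> ext:port  state
# where gwy is the translated (NAT) address.

# stale_nat_states CURRENT_ADDR  < pfctl-ss-output
# Prints "proto lan gwy ext" for each outbound NAT state whose translated
# address (gwy) is not CURRENT_ADDR.
stale_nat_states() {
    awk -v cur="$1" '
        # two "->" separators mark a NAT state: lan -> gwy -> ext
        NF >= 7 && $4 == "->" && $6 == "->" {
            split($5, gwy, ":")
            if (gwy[1] != cur) print $2, $3, $5, $7
        }'
}

# kill_commands CURRENT_ADDR  < pfctl-ss-output
# Turns each stale state into "pfctl -k <lan host> -k <ext host>".
# The kill is keyed on the internal host and the peer rather than on the
# old translated address, because -k matches the state's own endpoints,
# not its NAT address.
kill_commands() {
    stale_nat_states "$1" | awk '{
        split($2, lan, ":"); split($4, ext, ":")
        printf "pfctl -k %s -k %s\n", lan[1], ext[1]
    }'
}

# Constructed sample of "pfctl -ss" output: two states created before the
# reconnect (mapped to the old address 121.45.35.47), one created after it
# (mapped to the assumed new address 198.51.100.7), and one non-NAT state
# on the inside interface that must be ignored.
SAMPLE_STATES='tun0 udp 10.0.2.73:5060 -> 121.45.35.47:5060 -> 203.0.113.5:5060       MULTIPLE:MULTIPLE
tun0 tcp 10.0.2.10:49152 -> 121.45.35.47:49152 -> 203.0.113.9:443       ESTABLISHED:ESTABLISHED
tun0 udp 10.0.2.10:53211 -> 198.51.100.7:53211 -> 192.231.203.132:53       MULTIPLE:SINGLE
em0 tcp 10.0.2.10:40001 -> 10.0.2.1:22       ESTABLISHED:ESTABLISHED'

# count_stale CURRENT_ADDR: number of stale states in the sample.
count_stale() {
    printf '%s\n' "$SAMPLE_STATES" | stale_nat_states "$1" | wc -l | tr -d ' '
}

# Demo against the constructed sample: prints the two kill commands for the
# states still mapped to 121.45.35.47.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_STATES" | kill_commands 198.51.100.7
fi
```

On the router itself the same functions read live output, for example `pfctl -ss | kill_commands "$(ifconfig tun0 | awk '/inet /{print $2}')" | sh`, run from /etc/ppp/ppp.linkup once the new address is up. The blunt alternative that needs no parsing is `pfctl -F states` from the link-down hook; it also drops the ATA's SIP state, which is what you want, since that state is exactly the one left mapped to the old address.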