From: "Kian Mohageri" <kian.mohageri@gmail.com>
To: "Ludovit Koren"
Cc: freebsd-pf@freebsd.org
Date: Mon, 12 Jun 2006 12:39:16 -0700
Subject: Re: FreeBSD 6.1-RELEASE + PF
In-Reply-To: <20060612.104013.74757673.lk@tempest.sk>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Perhaps your application needs specific IP options.
PF blocks packets with IP options set by default. Append 'allow-opts' to the relevant rules.

-Kian

On 6/12/06, Ludovit Koren wrote:
>
> Hi,
>
> I have a problem setting up PIM and IGMP communication with pf on FreeBSD
> 6.1-RELEASE.
>
> # pfctl -s state
> self igmp 195.28.109.40 -> 224.0.0.2 SINGLE:NO_TRAFFIC
> self igmp 195.28.109.40 -> 224.0.0.13 SINGLE:NO_TRAFFIC
> self igmp 224.0.0.1 <- 195.28.109.25 NO_TRAFFIC:SINGLE
> self igmp 224.0.0.2 <- 195.28.109.40 NO_TRAFFIC:SINGLE
> self igmp 224.0.0.13 <- 195.28.109.40 NO_TRAFFIC:SINGLE
> self tcp 195.28.109.40:22 -> 195.28.109.37:58349 ESTABLISHED:ESTABLISHED
> self udp 255.255.255.255:8225 <- 195.28.109.29:1025 NO_TRAFFIC:SINGLE
> self pim 195.28.109.40 -> 224.0.0.13 SINGLE:NO_TRAFFIC
> self pim 224.0.0.13 <- 195.28.109.25 NO_TRAFFIC:SINGLE
> self pim 224.0.0.13 <- 195.28.109.40 NO_TRAFFIC:SINGLE
> self pfsync 195.28.109.40 -> 0.0.0.0 SINGLE:NO_TRAFFIC
>
> xorp immediately starts to give the following message:
> [ 2006/06/09 17:13:24 WARNING xorp_fea XrlMfeaTarget ] Handling method for mfea/0.1/send_protocol_message4 failed: XrlCmdError 102 Command failed Cannot send PIMSM_4 protocol message from 195.28.109.40 to 224.0.0.13 on vif em0: sendmsg(proto 103 size 34 from 195.28.109.40 to 224.0.0.13 on vif em0) failed: Operation not permitted
> [ 2006/06/09 17:13:24 ERROR xorp_pimsm4:18051 PIM +2623 xrl_pim_node.cc mfea_client_send_protocol_message_cb ] Cannot send a protocol message: 102 Command failed Cannot send PIMSM_4 protocol message from 195.28.109.40 to 224.0.0.13 on vif em0: sendmsg(proto 103 size 34 from 195.28.109.40 to 224.0.0.13 on vif em0) failed: Operation not permitted
>
> # pfctl -s rules
> scrub in all fragment reassemble
> block drop in log all
> pass in on xl0 inet from to 195.28.126.13 keep state
> pass out on xl0 inet from 195.28.126.13 to keep state queue dflt
> pass out on xl0 inet from 195.28.126.13 to any keep state queue dflt
> pass out on em0 inet all keep state queue dfltem
> pass out on em1 inet all keep state queue dfltem1
> pass in proto tcp from any to any port = ssh keep state
> pass in on em0 inet proto udp from 195.28.109.0/24 to 195.28.109.40 port = 5060 keep state
> pass in on em0 inet proto udp from 195.28.109.0/24 port = 8000 to 195.28.109.40 keep state
> pass in on em0 inet proto udp from 195.28.109.0/24 port = 8001 to 195.28.109.40 keep state
> pass in on em0 inet proto tcp from 195.28.109.36 to 195.28.109.40 port = nut keep state
> pass in on em0 inet proto tcp from 195.28.109.37 to 195.28.109.40 port = http keep state
> pass in on em0 inet proto tcp from 195.28.109.37 to 195.28.109.40 port = 4445 keep state
> pass in on em0 inet proto tcp from 195.28.109.88 to 195.28.109.40 port = http keep state
> pass in on em0 inet proto tcp from 195.28.109.88 to 195.28.109.40 port = 4445 keep state
> pass in on em0 inet proto udp from 195.28.109.0/24 to 195.28.109.40 port 9999:20001 keep state
> pass in on em0 inet proto udp from 195.28.109.0/24 to 195.28.109.40 port = domain keep state
> pass in on em0 inet proto udp from 195.28.109.0/24 to 195.28.109.40 port = 4520 keep state
> pass in on em0 inet proto udp from 195.28.109.0/24 to 195.28.109.40 port = 4569 keep state
> pass in on em0 all keep state
> pass in on em1 all keep state
>
> When I disable the firewall, xorp runs as expected. It does not matter
> whether I add a specific rule for PIM and IGMP or a general one, i.e. let all
> traffic go through.
>
> Is it a bug in pf or am I doing something wrong? Any help appreciated.
>
> Regards,
>
> lk
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
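As an added example (not either poster's ruleset), a pf.conf excerpt for the host in the quoted output, showing the multicast rules as they effectively stand beside the form with 'allow-opts' that the reply describes. The interface, network and group addresses are taken from the quoted pfctl output; the macro names are this example's own.

```pf
# Added example, not the poster's configuration. em0, 195.28.109.0/24 and
# the 224.0.0.x groups come from the quoted pfctl output; macro names are
# assumptions for this example.
ext_if = "em0"
lan    = "195.28.109.0/24"
mcast  = "224.0.0.0/4"      # all IPv4 multicast, covers 224.0.0.2 and .13

scrub in all fragment reassemble
block drop in log all

# Weak form (what the quoted "pass ... all keep state" rules amount to):
# the IGMP and PIM packets match a pass rule, but pf still drops them
# because they carry IP options (IGMP's Router Alert, for instance) and
# pf blocks packets with IP options unless the matching rule says
# otherwise. The daemon's sendmsg() then fails with EPERM, which is the
# "Operation not permitted" in the xorp log above.
# pass in  on $ext_if inet proto { igmp, pim } from $lan to $mcast keep state
# pass out on $ext_if inet proto { igmp, pim } from ($ext_if) to $mcast keep state

# Corrected form: allow-opts on exactly the rules that need it. Packets
# with IP options are still dropped on every other rule, so the exception
# is limited to IGMP/PIM between the LAN and the multicast range.
pass in  on $ext_if inet proto { igmp, pim } from $lan to $mcast allow-opts keep state
pass out on $ext_if inet proto { igmp, pim } from ($ext_if) to $mcast allow-opts keep state
```

To confirm this is the cause rather than a missing pass rule, watch the "ip-option" line in the Counters section of `pfctl -si` while the daemon retries: it increments once for each packet dropped for this reason.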