From owner-freebsd-pf@FreeBSD.ORG Thu Sep 16 03:40:03 2004
From: Pyun YongHyeon <yongari@kt-is.co.kr>
To: pf4freebsd@freelists.org
cc: rasgal@palantir.no
Subject: [pf4freebsd] Re: Version 1.52
Message-ID: <20030610070936.GA1767@kt-is.co.kr>
User-Agent: Mutt/1.4.1i
List-Id: Technical discussion and general questions about packet filter (pf)
Date: Thu, 16 Sep 2004 03:40:03 -0000
X-Original-Date: Tue, 10 Jun 2003 16:09:36 +0900

On Mon, Jun 09, 2003 at 05:59:57PM +0200, Rolf Skaar wrote:
> [snip]
>
> No problem, I am glad if I can help.
>
> Here is my network layout:
>
>        INET <--> GATEWAY <--> WORKSTATION
> [ISP_gateway <--> my_tun0_IP] <--> [xl1:10.10.0.1 <--> xl0:10.10.0.250]
>        External                          Internal
>
> I have configured my box to configure everything at boot time to maximise uptime on my box as I'm not around all the time,
> pf version is pf_freebsd_1.52.tar.gz.
> [snip]
>
> and here is my ppp.linkup:
>
> MYADDR:
>  ! sh -c "/sbin/ifconfig pflog0 up"
>  ! sh -c "/sbin/ifconfig pfsync0 up"
>  !bg sh -c "/home/rasgal/myscripts/tunnel.sh"
>  ! sh -c "/usr/local/sbin/pflogd"
>  ! sh -c "/usr/local/sbin/`pfctl -e -q -Fa -f /home/rasgal/myconfig/pf.conf`"
>
> this loads all the rules and everything should be up and running now...
> what tunnel.sh does is setting up my ipv6 connection.

You should not do it like this.
Because the file ppp.linkup is executed whenever tun0's address changes, it should contain only a command to set up a new pf rule set or route commands (i.e. you should have a pf rule update command only). All the other commands (pflog0 up, pflogd, etc.) should be called before the pf update command. Also note that if your tunnel.sh configures an interface address that pf references, it should be run before the pf rule set update. Because you have used background execution to run tunnel.sh, there is no guarantee the script will have completed before you invoke pfctl.

> ok, my rule set is somewhat simple (pass all in/out), and blocks only services that I want it to:
>
> Ext = "tun0"
> Int = "xl1"
> tunnel = "gif0"
> Loop = "lo0"
> portblock = "{ 21, 111, 1023 }"
> portpass = "{ 53 }"
>
> scrub in all fragment reassemble
>
> # IPv4 NAT configuration #
> #nat on ! $Int from $Int/24 to any -> $Ext
> #nat on $Ext from $Int/24 to any -> $Ext
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
You don't have any valid NAT entry. The above rule should be read as follows:

nat on $Ext from 10.10.0.0/24 to any -> $Ext

> # Redirect #
> rdr on $Ext proto tcp from any to any port 60000:60010 -> 10.10.0.250 port 60000:*
> rdr on $Ext proto tcp from any to any port 62003 -> 10.10.0.250 port 62003
> [snip]
>
> and here is my output from "pfctl -sa":
>
> [ _- ~ -_ 4:30:02pm Mon Jun 09 ]
> %pfctl -sa
>
> scrub in all fragment reassemble
> block drop in quick on tun0 proto tcp from any to any port = ftp
> block drop in quick on tun0 proto tcp from any to any port = sunrpc
> block drop in quick on tun0 proto tcp from any to any port = 1023
> pass in quick on lo0 all
> pass out quick on lo0 all
> pass in quick on tun0 all
> pass out quick on tun0 all
> pass in quick on gif0 proto ipv6 all
> pass out quick on gif0 proto ipv6 all
> nat on ! xl1 inet from 10.10.0.0/24 to any -> 80.212.169.91
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
It's strange to me.
You don't have any valid NAT rule in your rule file, but pfctl says you have one. Did you really use the rule presented here?

> rdr on tun0 inet proto tcp from any to any port 60000:60010 -> 10.10.0.250 port 60000:60010
> rdr on tun0 inet proto tcp from any to any port = 62003 -> 10.10.0.250 port 62003
> pfctl: DIOCGETALTQS: Operation not supported by device
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This message should not show up. Do you use an ALTQ-enabled kernel? According to your kernel configuration you don't use ALTQ at all. Have you rebuilt the pf kernel module after the kernel changes? (i.e. the pf kernel module tries to use ALTQ but your kernel does not support ALTQ.)

> [snip]

Please rebuild your FreeBSD pf first. (This assumes you do not use ALTQ.)

#killall pflogd
#kldunload pf
#kldunload pfaltq (if you have loaded it)
#kldunload pfsync
#kldunload pflog
#cd /path/to/pf_source_location
#make clean
#make && make install

Load the pf module only after your ppp connection has completed.

Start from the following simple rule and add more rules when needed:

nat on tun0 from 10.10.0.0/24 to any -> tun0

Yes, it's a single rule.

Thank you.
--
Pyun YongHyeon
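One way to apply the ordering advice in this reply, as an added example that is not Pyun's or the pf port's code: a wrapper script that ppp.linkup calls once, which runs tunnel.sh in the foreground and reloads pf last, plus a preflight check that rejects a ppp.linkup that still backgrounds a command before the reload. The script path, the `run` argument and the `kldstat`/`ps` probes are assumptions; the other paths are taken from the quoted ppp.linkup.

```sh
#!/bin/sh
# pf-linkup.sh: one synchronous pf reload for ppp.linkup. Added example,
# not from the thread; the script path and "run" argument are assumptions.
# Assumed ppp.linkup entry:
#   MYADDR:
#    ! sh -c "/home/rasgal/myscripts/pf-linkup.sh run"
PF_CONF=${PF_CONF:-/home/rasgal/myconfig/pf.conf}
TUNNEL=${TUNNEL:-/home/rasgal/myscripts/tunnel.sh}
PFCTL=${PFCTL:-/usr/local/sbin/pfctl}

# Preflight check on a ppp.linkup file: inside the MYADDR block no command
# may be backgrounded (!bg) before the pf reload and nothing may follow it,
# otherwise pf can load rules that name an interface tunnel.sh has not
# configured yet. Returns 0 when the ordering is safe.
linkup_order_ok() {
    awk '
        /^MYADDR:/            { inblock = 1; next }
        /^[A-Za-z_]+:/        { inblock = 0 }
        !inblock              { next }
        /pfctl|pf-linkup\.sh/ { seen_reload = 1; next }
        /^[[:space:]]*!bg/ && !seen_reload { bad = 1 }
        seen_reload && /^[[:space:]]*!/    { bad = 1 }
        END                   { exit bad + 0 }
    ' "$1"
}

main() {
    set -e
    # 1. tunnel.sh in the foreground, so gif0 exists before pf refers to it
    "$TUNNEL"
    # 2. pf module, logging interfaces and pflogd, all before the rules
    kldstat -m pf >/dev/null 2>&1 || kldload pf
    /sbin/ifconfig pflog0 up
    /sbin/ifconfig pfsync0 up
    ps ax | grep -q '[p]flogd' || /usr/local/sbin/pflogd
    # 3. last: enable pf (harmless if already enabled), then replace the
    #    whole rule set from the file in one pfctl invocation
    "$PFCTL" -q -e >/dev/null 2>&1 || true
    "$PFCTL" -q -Fa -f "$PF_CONF"
}

case "${1:-}" in run) main ;; esac
```

Run `linkup_order_ok /etc/ppp/ppp.linkup` before reconnecting; once the wrapper is in place, `pfctl -sa` should show only the rules that are actually in pf.conf.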