From: Pyun YongHyeon <yongari@kt-is.co.kr>
To: pf4freebsd@freelists.org
Subject: [pf4freebsd] Re: problem with 'user'
Date: Mon, 2 Feb 2004 11:24:34 +0900
Message-ID: <20040202022434.GA676@kt-is.co.kr>
In-Reply-To: <200402011931.28647.max@love2party.net>
References: <20040130123456.GA773@fried.sakeos.net> <20040131070219.GA72233@kt-is.co.kr> <20040131170657.GA5331@fried.sakeos.net> <200402011931.28647.max@love2party.net>

On Sun, Feb 01, 2004 at 07:31:28PM +0100, Max Laier wrote:
> On Saturday 31 January 2004 18:06, jb wrote:
> > thanks - patch applies cleanly against 2.02 (out of the port tree).
> > All things related to 'user' seem to work, but there's like an anomaly
>
> Great, thanks for your report - we will update the port soon.
>
> > - 'pass all' for a user contaminates ICMP rules.
> >
> > rules like:
> > pass in on lo0 all
> > pass out on lo0 all
> > block in log all
> > block out log all
> >
> > lock the box (of course). Adding the following:
> > pass out all user boludo keep state
> >
> > allows all users to ping outside. Also adding
> > block out log proto icmp
> >
> > doesn't seem to change anything.
>
> I wasn't able to reproduce this:
>

Me too here.

> While doing $ping 192.168.4.1 as user 1001
>
> >> pfctl -vvsr
> @4 pass out all user = 1001 keep state
> [ Evaluations: 14 Packets: 782 Bytes: 96317 States: 1 ]
> @5 block drop out log proto icmp all
> [ Evaluations: 14 Packets: 5 Bytes: 420 States: 0 ]
> >> pftcpdump -s2000 -nvvvei pflog0
> pftcpdump: WARNING: pflog0: no IPv4 address assigned
> pftcpdump: listening on pflog0
> 19:26:38.244893 rule 5/0(match): block out on rl0: 192.168.4.88 >
> 192.168.4.1: icmp: echo request (ttl 64, id 32357, len 84)
>
> Can you check if there is a leftover state entry that matches? If you
> reload the ruleset the states are not necessarily flushed. Use $pfctl -Fs
> before you load the new ruleset. Or check for matching states with
> $pfctl -vss
>
> Please let us know if that was the case and we can assume that the user
> stuff is working correctly now. Anyone else seeing this?
>

As Max mentioned, please check stale-states.
If you still have problems, please let us know.
Thanks.

Regards,
Pyun YongHyeon
--
Pyun YongHyeon
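The check Max suggests, as an added example that is not part of the thread: a small shell helper that reads `pfctl -vss` output and lists the state entries created by a given rule number, so a leftover `keep state` entry that still passes ICMP after a reload can be spotted before the state table is flushed. It assumes the older `pfctl -vss` layout (a state line followed by an indented detail line ending in "rule N"); the sample output is constructed, not captured from the list.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes the pf 3.x-era
# `pfctl -vss` layout: one unindented state line, then an indented
# detail line whose last field is the rule number that created it.

# Constructed sample of `pfctl -vss` output (hypothetical values).
SAMPLE_STATES='self icmp 192.168.4.88:32357 -> 192.168.4.1:32357       0:0
   age 00:00:05, expires in 00:00:05, 5:5 pkts, 420:420 bytes, rule 4
self tcp 192.168.4.88:49152 -> 192.168.4.1:22       ESTABLISHED:ESTABLISHED
   age 00:01:12, expires in 23:59:58, 40:38 pkts, 5120:6400 bytes, rule 3'

# states_for_rule RULE: reads pfctl -vss output on stdin and prints the
# state line of every entry whose detail line ends in "rule RULE".
states_for_rule() {
    awk -v want="$1" '
        /^[^ ]/ { state = $0; next }     # remember the state header line
        /rule [0-9]+$/ {                 # detail line: last field is the rule no.
            if ($NF == want) print state
        }'
}

# count_states_for_rule RULE: number of states created by RULE in the
# constructed sample (on a live box, pipe `pfctl -vss` in instead).
count_states_for_rule() {
    printf '%s\n' "$SAMPLE_STATES" | states_for_rule "$1" | wc -l | tr -d ' '
}

# reload_after_flush [pf.conf]: the reload order the thread recommends.
# Flushing the state table first (-Fs) ensures no state from the old
# `pass ... keep state` rule outlives the new `block out proto icmp`.
reload_after_flush() {
    pfctl -Fs && pfctl -f "${1:-/etc/pf.conf}"
}
```

With the sample, `count_states_for_rule 4` reports the single ICMP state that rule @4 created, which is exactly the entry that would keep pings flowing past a newly loaded block rule until `pfctl -Fs` clears it.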