From owner-freebsd-pf@FreeBSD.ORG Thu Sep 16 03:40:18 2004
From: Pyun YongHyeon
To: pf4freebsd@freelists.org
Cc: rasgal@palantir.no
Subject: [pf4freebsd] Re: Version 1.52
Date: Thu, 12 Jun 2003 14:27:22 +0900
Message-ID: <20030612052722.GA40573@kt-is.co.kr>
In-Reply-To:
User-Agent: Mutt/1.4.1i

On Wed, Jun 11, 2003 at 01:50:33AM +0200, Rolf Sk?r wrote:
> [snip]
>
> Ehh, oops, I began the mail before I started the test, and forgot to uncomment the hash on this rule "#nat on ! $Int from $Int/24 to any -> $Ext" in the mail.
>
> Sorry.
>
> The rule was parsed in the test.. (nat on ! $Int from $Int/24 to any -> $Ext)
>
> OK. hmm, I have found out that pf is updated only when I do it manually, but it fails when the update process is invoked through ppp.linkup. It seems that there is a problem with script invocation.
> No matter what.. so I set up a 3 stage configuration.
>
> current ppp.linkup file:
>
> MYADDR:
> ! sh -c "/home/rasgal/myscripts/`tunnel.sh dynamic`" <-- sets up ipv6 through gif0
> ! sh -c "/home/rasgal/myscripts/tun0ip.sh" <-- gets new ip.
>
> current tun0ip.sh file:
>
> #!/bin/sh
>
> ifconfig tun0 | grep inet | tr ' ' '\n' | tail -6 | head -1 > /home/rasgal/temp/NEW.IP
>
> current pf.sh file:
> this file was rewritten with pf.sh.sample as base.
> this file is crontab'ed to run with the pppupdate variable every 10 min. to compare the current ip and the stored ip at this interval.

There is no need to run the program via crontab. The ppp.linkup file is just for this purpose.

Due to current FreeBSD pf's lack of detection of address changes, it is somewhat tricky to use pf with xDSL. FreeBSD pf modules should be loaded before any other network setup such as ppp. After the ppp connection is established, the pf rules should be activated.

I use mpd for kernel mode PPPoE and use rc.local to load the FreeBSD pf kernel module and set it up like this.

#
# rc.local
#
# kernel mode PPPoE setup
#
# First, load pf kernel module
#
if [ -f /boot/kernel/pf.ko ]; then
    /sbin/kldload pflog
    /sbin/kldload pfsync
    /sbin/ifconfig pflog0 up
    /sbin/ifconfig pfsync0 up
    /sbin/pflogd
    /sbin/kldload pf
    echo 'pf module loaded.'
fi
#
# Then, invoke mpd
#
if [ -x /usr/local/sbin/mpd -a -f /usr/local/etc/mpd/mpd.conf ]; then
    /sbin/kldload ng_ether
    echo -n " mpd"; /usr/local/sbin/mpd -b
fi

mpd also has a script to be run after the PPPoE connection is established. My script for this purpose is

#!/bin/sh
#
# mpd startup script for pf
/sbin/pfctl -Fa -e -f /etc/pf.conf

The file's mode is 0555. Also note that option -e is required because I have not enabled pf after loading it. Whenever my IP address changes the script is invoked by mpd, and this time option -e does no harm. Though the above example is for mpd, it is still valid for ppp(8) also.

Did you check the /var/log/ppp.log file? ppp(8) records almost all events. The log can reveal more hidden facts. (Your script might not have executed due to unexpected reasons. The log will record this too.)

> [snip]
>
> This message " pfctl: DIOCGETALTQS: Operation not supported by device" has not gone away.
> I have recompiled my pf, and I'm 100% sure my kernel is not compiled with "options ALTQ"

OK. I'll check the FreeBSD pf source.

> > Thank you, for helping me Pyun YongHyeon.
>

No problem! Hope this works for you.

Thank you.
> Regards
>
> Rolf Sk?r
>

--
Pyun YongHyeon
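As an added example (not from this thread or either poster), a single script that replaces the tun0ip.sh plus cron'ed pf.sh pair discussed above and can be called from a ppp.linkup MYADDR: entry or an mpd up-script: it picks the interface's inet address by field name instead of by column position, remembers it in a state file, and runs the same pfctl -Fa -e -f reload only when the address actually changed. The script name pf-linkup.sh, the state file path and the logger tag are assumptions.

```shell
#!/bin/sh
# pf-linkup.sh (assumed name): reload pf when the PPP interface address changes.
# Hook it from ppp.linkup as
#   MYADDR:
#    ! sh -c "/path/to/pf-linkup.sh"
# or as the mpd up-script. Paths below are assumed defaults, overridable via env.

IFACE="${IFACE:-tun0}"
STATE="${STATE:-/var/run/pf-${IFACE}.ip}"
PFCONF="${PFCONF:-/etc/pf.conf}"

# Print the first IPv4 "inet" address from ifconfig(8) output read on stdin.
# Keying on the field name (not tail -6 | head -1 column counting) keeps this
# working when ifconfig prints extra or fewer fields on the inet line.
extract_inet4() {
    awk '$1 == "inet" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $2; exit }'
}

# Exit 0 when ADDR differs from the address stored in STATE file (or no file yet).
addr_changed() {
    addr="$1"; state="$2"
    [ -f "$state" ] && [ "$(cat "$state")" = "$addr" ] && return 1
    return 0
}

# Record the new address and reload the ruleset. -e enables pf if it is not yet
# enabled and is harmless when it already is, as the thread notes.
reload_pf() {
    printf '%s\n' "$1" > "$STATE"
    logger -t pf-linkup "address on $IFACE is now $1, reloading $PFCONF"
    /sbin/pfctl -Fa -e -f "$PFCONF"
}

main() {
    addr="$(/sbin/ifconfig "$IFACE" | extract_inet4)"
    [ -n "$addr" ] || { logger -t pf-linkup "no inet address on $IFACE"; exit 1; }
    if addr_changed "$addr" "$STATE"; then
        reload_pf "$addr"
    fi
}

# Run main only when executed as pf-linkup.sh, not when sourced for testing.
case "$0" in */pf-linkup.sh|pf-linkup.sh) main ;; esac
```

Because the state file lives under /var/run, a reboot clears it, so the first link-up after boot always reloads pf.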