From: Ludovit Koren
To: kian.mohageri@gmail.com
Cc: freebsd-pf@freebsd.org
Subject: Re: FreeBSD 6.1-RELEASE + PF
Date: Tue, 13 Jun 2006 19:13:48 +0200
Message-ID: <20060613.191348.78700760.lk@tempest.sk>
List-Id: Technical discussion and general questions about packet filter (pf)

>>>>> On Mon, 12 Jun 2006 12:39:16 -0700
>>>>> kian.mohageri@gmail.com (Kian Mohageri) said:

> Perhaps your application needs specific IP options. PF blocks packets with
> IP options set by default.
>
> Append 'allow-opts' to the relevant rules.
>
> -Kian

Thanks. That was it.

lk

> On 6/12/06, Ludovit Koren wrote:
> >
> > Hi,
> >
> > I have a problem setting up PIM and IGMP communication with pf on FreeBSD
> > 6.1-RELEASE.
> >
> > # pfctl -s state
> > self igmp 195.28.109.40 -> 224.0.0.2 SINGLE:NO_TRAFFIC
> > self igmp 195.28.109.40 -> 224.0.0.13 SINGLE:NO_TRAFFIC
> > self igmp 224.0.0.1 <- 195.28.109.25 NO_TRAFFIC:SINGLE
> > self igmp 224.0.0.2 <- 195.28.109.40 NO_TRAFFIC:SINGLE
> > self igmp 224.0.0.13 <- 195.28.109.40 NO_TRAFFIC:SINGLE
> > self tcp 195.28.109.40:22 -> 195.28.109.37:58349 ESTABLISHED:ESTABLISHED
> > self udp 255.255.255.255:8225 <- 195.28.109.29:1025 NO_TRAFFIC:SINGLE
> > self pim 195.28.109.40 -> 224.0.0.13 SINGLE:NO_TRAFFIC
> > self pim 224.0.0.13 <- 195.28.109.25 NO_TRAFFIC:SINGLE
> > self pim 224.0.0.13 <- 195.28.109.40 NO_TRAFFIC:SINGLE
> > self pfsync 195.28.109.40 -> 0.0.0.0 SINGLE:NO_TRAFFIC
> >
> > xorp immediately starts to give the following message:
> >
> > [ 2006/06/09 17:13:24 WARNING xorp_fea XrlMfeaTarget ] Handling method for mfea/0.1/send_protocol_message4 failed: XrlCmdError 102 Command failed Cannot send PIMSM_4 protocol message from 195.28.109.40 to 224.0.0.13 on vif em0: sendmsg(proto 103 size 34 from 195.28.109.40 to 224.0.0.13 on vif em0) failed: Operation not permitted
> > [ 2006/06/09 17:13:24 ERROR xorp_pimsm4:18051 PIM +2623 xrl_pim_node.cc mfea_client_send_protocol_message_cb ] Cannot send a protocol message: 102 Command failed Cannot send PIMSM_4 protocol message from 195.28.109.40 to 224.0.0.13 on vif em0: sendmsg(proto 103 size 34 from 195.28.109.40 to 224.0.0.13 on vif em0) failed: Operation not permitted
> >
> > # pfctl -s rules
> > scrub in all fragment reassemble
> > block drop in log all
> > pass in on xl0 inet from to 195.28.126.13 keep state
> > pass out on xl0 inet from 195.28.126.13 to keep state queue dflt
> > pass out on xl0 inet from 195.28.126.13 to any keep state queue dflt
> > pass out on em0 inet all keep state queue dfltem
> > pass out on em1 inet all keep state queue dfltem1
> > pass in proto tcp from any to any port = ssh keep state
> > pass in on em0 inet proto udp from 195.28.109.0/24 to 195.28.109.40 port = 5060 keep state
> > pass in on em0 inet proto udp from 195.28.109.0/24 port = 8000 to 195.28.109.40 keep state
> > pass in on em0 inet proto udp from 195.28.109.0/24 port = 8001 to 195.28.109.40 keep state
> > pass in on em0 inet proto tcp from 195.28.109.36 to 195.28.109.40 port = nut keep state
> > pass in on em0 inet proto tcp from 195.28.109.37 to 195.28.109.40 port = http keep state
> > pass in on em0 inet proto tcp from 195.28.109.37 to 195.28.109.40 port = 4445 keep state
> > pass in on em0 inet proto tcp from 195.28.109.88 to 195.28.109.40 port = http keep state
> > pass in on em0 inet proto tcp from 195.28.109.88 to 195.28.109.40 port = 4445 keep state
> > pass in on em0 inet proto udp from 195.28.109.0/24 to 195.28.109.40 port 9999:20001 keep state
> > pass in on em0 inet proto udp from 195.28.109.0/24 to 195.28.109.40 port = domain keep state
> > pass in on em0 inet proto udp from 195.28.109.0/24 to 195.28.109.40 port = 4520 keep state
> > pass in on em0 inet proto udp from 195.28.109.0/24 to 195.28.109.40 port = 4569 keep state
> > pass in on em0 all keep state
> > pass in on em1 all keep state
> >
> > When I disable the firewall, xorp runs as expected. It does not matter
> > if I add a specific rule for PIM and IGMP or a general one, i.e. let all
> > traffic go through.
> >
> > Is it a bug in pf or am I doing something wrong? Any help appreciated.
> >
> > Regards,
> >
> > lk
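Why pf dropped these packets even though the rules matched, as an added illustration that is not part of the thread: IGMPv2 messages must carry the IP Router Alert option (RFC 2113, RFC 2236), and Kian's answer implies XORP's PIM messages carried options too, so the IPv4 header is longer than 20 bytes, and pf rejects any IPv4 packet with header options unless the matching rule has allow-opts. The script below builds such an IGMP packet and models that decision; the pf.conf rule in the comment is my assumed corrected form of the poster's rule, not text from the thread.

```python
import socket
import struct

# RFC 2113 Router Alert option: type 148 (copy flag set), length 4, value 0.
ROUTER_ALERT = bytes([0x94, 0x04, 0x00, 0x00])
IPPROTO_IGMP = 2

def inet_checksum(data: bytes) -> int:
    """One's-complement checksum shared by the IPv4 header and IGMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def igmpv2_report(group: str) -> bytes:
    """IGMPv2 Membership Report (type 0x16) for one group, checksum filled in."""
    body = struct.pack("!BBH4s", 0x16, 0, 0, socket.inet_aton(group))
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def ipv4_packet(src: str, dst: str, proto: int, payload: bytes, options: bytes = b"") -> bytes:
    """Minimal IPv4 packet; options are padded to 32 bits and reflected in IHL. TTL 1 as IGMP requires."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                      0, 0, 1, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr + options)) + hdr[12:]
    return hdr + options + payload

def pf_verdict(packet: bytes, allow_opts: bool = False) -> str:
    """Model pf's default for an otherwise matching pass rule: IPv4 packets whose
    header carries options (IHL > 5) are blocked unless the rule has allow-opts."""
    ihl = packet[0] & 0x0F
    if ihl > 5 and not allow_opts:
        return "block"
    return "pass"

# Constructed sample: the poster's router joining the all-PIM-routers group,
# with Router Alert set as IGMPv2 mandates.
REPORT = ipv4_packet("195.28.109.40", "224.0.0.13", IPPROTO_IGMP,
                     igmpv2_report("224.0.0.13"), ROUTER_ALERT)

# Assumed corrected pf.conf rule for the poster's setup (not quoted from the thread):
#   pass in on em0 inet proto { igmp, pim } from 195.28.109.0/24 to 224.0.0.0/4 allow-opts keep state

if __name__ == "__main__":
    print(pf_verdict(REPORT), pf_verdict(REPORT, allow_opts=True))  # block pass
```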