From: Ludovit Koren <lk@tempest.sk>
To: freebsd-questions@freebsd.org
Date: Fri, 9 Jun 2006 17:21:00 +0200
Subject: FreeBSD 6.1-RELEASE + PF
Message-ID: <20060609.172100.71081351.lk@tempest.sk>

Hi,

I have a problem setting up PIM and IGMP communication with pf on FreeBSD 6.1-RELEASE.

# pfctl -s state
self igmp 195.28.109.40 -> 224.0.0.2       SINGLE:NO_TRAFFIC
self igmp 195.28.109.40 -> 224.0.0.13      SINGLE:NO_TRAFFIC
self igmp 224.0.0.1 <- 195.28.109.25       NO_TRAFFIC:SINGLE
self igmp 224.0.0.2 <- 195.28.109.40       NO_TRAFFIC:SINGLE
self igmp 224.0.0.13 <- 195.28.109.40      NO_TRAFFIC:SINGLE
self tcp 195.28.109.40:22 -> 195.28.109.37:58349       ESTABLISHED:ESTABLISHED
self udp 255.255.255.255:8225 <- 195.28.109.29:1025       NO_TRAFFIC:SINGLE
self pim 195.28.109.40 -> 224.0.0.13       SINGLE:NO_TRAFFIC
self pim 224.0.0.13 <- 195.28.109.25       NO_TRAFFIC:SINGLE
self pim 224.0.0.13 <- 195.28.109.40       NO_TRAFFIC:SINGLE
self pfsync 195.28.109.40 -> 0.0.0.0       SINGLE:NO_TRAFFIC

xorp immediately starts to give the following message:

[ 2006/06/09 17:13:24 WARNING xorp_fea XrlMfeaTarget ] Handling method for mfea/0.1/send_protocol_message4 failed: XrlCmdError 102 Command failed Cannot send PIMSM_4 protocol message from 195.28.109.40 to 224.0.0.13 on vif em0: sendmsg(proto 103 size 34 from 195.28.109.40 to 224.0.0.13 on vif em0) failed: Operation not permitted
[ 2006/06/09 17:13:24 ERROR xorp_pimsm4:18051 PIM +2623 xrl_pim_node.cc mfea_client_send_protocol_message_cb ] Cannot send a protocol message: 102 Command failed Cannot send PIMSM_4 protocol message from 195.28.109.40 to 224.0.0.13 on vif em0: sendmsg(proto 103 size 34 from 195.28.109.40 to 224.0.0.13 on vif em0) failed: Operation not permitted

# pfctl -s rules
scrub in all fragment reassemble
block drop in log all
pass in on xl0 inet from to 195.28.126.13 keep state
pass out on xl0 inet from 195.28.126.13 to keep state queue dflt
pass out on xl0 inet from 195.28.126.13 to any keep state queue dflt
pass out on em0 inet all keep state queue dfltem
pass out on em1 inet all keep state queue dfltem1
pass in proto tcp from any to any port = ssh keep state
pass in on em0 inet proto udp from 195.28.109.0/24 to 195.28.109.40 port = 5060 keep state
pass in on em0 inet proto udp from 195.28.109.0/24 port = 8000 to 195.28.109.40 keep state
pass in on em0 inet proto udp from 195.28.109.0/24 port = 8001 to 195.28.109.40 keep state
pass in on em0 inet proto tcp from 195.28.109.36 to 195.28.109.40 port = nut keep state
pass in on em0 inet proto tcp from 195.28.109.37 to 195.28.109.40 port = http keep state
pass in on em0 inet proto tcp from 195.28.109.37 to 195.28.109.40 port = 4445 keep state
pass in on em0 inet proto tcp from 195.28.109.88 to 195.28.109.40 port = http keep state
pass in on em0 inet proto tcp from 195.28.109.88 to 195.28.109.40 port = 4445 keep state
pass in on em0 inet proto udp from 195.28.109.0/24 to 195.28.109.40 port 9999:20001 keep state
pass in on em0 inet proto udp from 195.28.109.0/24 to 195.28.109.40 port = domain keep state
pass in on em0 inet proto udp from 195.28.109.0/24 to 195.28.109.40 port = 4520 keep state
pass in on em0 inet proto udp from 195.28.109.0/24 to 195.28.109.40 port = 4569 keep state
pass in on em0 all keep state
pass in on em1 all keep state

When I disable the firewall, xorp runs as expected. It does not matter whether I add a specific rule for PIM and IGMP or a general one, i.e. let all traffic through. Is it a bug in pf or am I doing something wrong?

Any help appreciated.

Regards,

lk
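Added example, not part of the message above and not a confirmed fix for the poster's setup: a pf.conf fragment for a multicast router that passes PIM and IGMP explicitly on the LAN interface instead of relying on "pass in on em0 all keep state". The interface em0, the host 195.28.109.40 and the LAN 195.28.109.0/24 are taken from the quoted rules; the macro names, the use of quick, and the 224.0.0.0/24 range are assumptions. The detail worth checking in a ruleset like the one above is allow-opts: pf drops IPv4 packets that carry IP options unless the matching pass rule says allow-opts, and IGMPv2/v3 messages always carry the Router Alert option, so a rule that looks fully permissive can still drop them.

```conf
# Added example pf.conf fragment, not the poster's configuration.
# Interface, host and LAN addresses come from the rules quoted above;
# macro names and the multicast range are assumed.
ext_if   = "xl0"
lan_if   = "em0"
lan_net  = "195.28.109.0/24"
me       = "195.28.109.40"

# Link-local multicast block: 224.0.0.1 (all hosts), 224.0.0.2 (all
# routers), 224.0.0.13 (all PIM routers), 224.0.0.22 (IGMPv3 reports).
mcast_local = "224.0.0.0/24"

scrub in all fragment reassemble

block drop in log all

# Weak form (what the quoted ruleset falls back to): no allow-opts, so an
# IGMP packet with the Router Alert option is dropped even though the rule
# matched. The drop is counted under "ip-option" in `pfctl -si` and logged
# to pflog with reason ip-option rather than as a normal block.
# pass in on $lan_if all keep state

# Corrected form: pass only the multicast control protocols, only on the
# LAN, only to the link-local group range (plus unicast PIM, e.g. Register
# messages, to and from this router), and permit IP options on them.
pass in  quick on $lan_if inet proto igmp from $lan_net to $mcast_local allow-opts
pass out quick on $lan_if inet proto igmp from $me      to $mcast_local allow-opts
pass in  quick on $lan_if inet proto pim  from $lan_net to { $mcast_local, $me } allow-opts
pass out quick on $lan_if inet proto pim  from $me      to { $mcast_local, $lan_net } allow-opts

# Everything else on the LAN stays on the narrower per-service rules from
# the original ruleset; the catch-all "pass in on $lan_if all" is removed.
```

Two checks tell the two failure modes apart. If `pfctl -si` shows the ip-option counter climbing while xorp logs its errors, the packets are being dropped for carrying IP options and the fix is allow-opts on the rule that matches them; if instead `tcpdump -n -e -ttt -i pflog0` shows ordinary block entries for proto pim or igmp, no pass rule matches in that direction at all. The "sendmsg ... Operation not permitted" in the xorp log is what an outbound pf drop looks like to the sending process on FreeBSD, since ip_output returns EPERM to the raw socket, so the outbound rules on em0 deserve the same scrutiny as the inbound ones.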