From owner-freebsd-pf@FreeBSD.ORG Sun Jun 7 09:15:55 2015
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id C59882DE; Sun, 7 Jun 2015 09:15:55 +0000 (UTC) (envelope-from fjo-lists@ogris.de)
Received: from box2.ogris.net (box2.ogris.net [IPv6:2a03:4000:6:2157::1]) by mx1.freebsd.org (Postfix) with ESMTP id 4CC171F8F; Sun, 7 Jun 2015 09:15:55 +0000 (UTC) (envelope-from fjo-lists@ogris.de)
Received: from [192.168.0.10] (p4FC151B1.dip0.t-ipconnect.de [79.193.81.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by box2.ogris.net (Postfix) with ESMTPSA id 64B7A1AC6; Sun, 7 Jun 2015 11:15:44 +0200 (CEST)
Message-ID: <55740BC0.6080908@ogris.de>
Date: Sun, 07 Jun 2015 11:15:44 +0200
From: "Felix J. Ogrs"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Graham Menhennitt, freebsd-pf@freebsd.org
Subject: Re: converting from ipfw to pf - not working at all
References: <5573C050.7070407@menhennitt.com.au>
In-Reply-To: <5573C050.7070407@menhennitt.com.au>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "Technical discussion and general questions about packet filter (pf)"
X-List-Received-Date: Sun, 07 Jun 2015 09:15:55 -0000

Hi,

is ipfw still loaded and activated without any rules?

--Felix

On 06/07/15 05:53, Graham Menhennitt wrote:
> Hello FreeBSD pf list,
>
> I've been using FreeBSD and ipfw for many years on my router. I recently
> decided to move to pf instead of ipfw (trying to get a Chromecast to
> work - need UPnP via miniupnpd which only works with pf). But I can't
> get anything to work at all. I'm obviously doing something very
> basically wrong.
>
> Firstly, I'm running FreeBSD 10-stable as of a week or so ago. I do not
> have ALTQ compiled in my kernel, but I don't believe that I need it. The
> contents of /etc/pf.conf, and the output from dmesg, ifconfig, and pfctl
> -s all are below. I've replaced IP addresses to protect the innocent.
>
> If anybody can please help, I'd be very grateful.
>
> Thanks,
> Graham
>
> I have packet forwarding enabled:
>
> % sysctl net.inet.ip.forwarding net.inet6.ip6.forwarding
> net.inet.ip.forwarding: 1
> net.inet6.ip6.forwarding: 1
> %
>
>
> In /etc/rc.conf, I have:
>
> pf_enable="YES"
> pf_flags=""
> pf_rules="/etc/pf.conf"
> pflog_enable="YES"
> pflog_logfile="/var/log/pflog"
> pflog_flags=""
>
>
> After booting, the following processes are running:
>
> % ps axww|grep pf
>  585  -  DL   0:00.14 [pf purge]
>  594  -  Is   0:00.01 pflogd: [priv] (pflogd)
>  601  -  S    0:00.02 pflogd: [running] -s 116 -i pflog0 -f /var/log/pflog (pflogd)
> 1114 u0  S+   0:00.00 grep pf
> %
>
> Pinging myself gives errors:
>
> % ping XXX.2.73.1
> PING XXX.2.73.1 (XXX.2.73.1): 56 data bytes
> ping: sendto: Permission denied
> ^C
>
> --- XXX.2.73.1 ping statistics ---
> 3 packets transmitted, 0 packets received, 100.0% packet loss
>
> /etc/pf.conf:
>
> # internal and external interfaces
> int_if = "re0"
> ext_if = "re1"
> wap_if = "re2"
> ipv6_if = "gif0"
>
> #egress_if = $ext_if
>
> # interface classes
> #insecure_ifs = "{ $ext_if, $wap_if, $ipv6_if }"
> #natted_ifs = "{ $int_if, $wap_if }"
>
> # TCP ports we want to allow access to from insecure interfaces
> tcp_services_from_insecure_ifs = "{ ssh, imaps, openvpn }"
>
> # ping requests
> icmp_types = "echoreq"
>
> # block incoming traffic from unroutable addresses
> blocked = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8,
>             169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4,
>             255.255.255.255/32 }"
>
> # options
> set block-policy drop
> set loginterface egress
> set skip on lo0
>
> # Scrub
> scrub in all
>
> # nat/rdr
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
> #nat on egress from $int_if:network to any -> (egress)
> #nat on egress from $wap_if:network to any -> (egress)
> # for UPnP
> #rdr-anchor "miniupnpd"
>
> # filter rules
> block all
>
> # block traffic to/from private networks
> block drop in quick from $blocked to any
> block drop out quick from any to $blocked
>
> # allow access to certain TCP services from insecure interfaces
> pass in on $ext_if inet proto tcp from any to ($int_if) port $tcp_services_from_insecure_ifs flags S/SA keep state
> #pass in on $wap_if inet proto tcp from any to ($int_if) port $tcp_services_from_insecure_ifs flags S/SA keep state
> #pass in on $ipv6_if inet proto tcp from any to ($int_if) port $tcp_services_from_insecure_ifs flags S/SA keep state
>
> # allow in ping replies
> pass in inet proto icmp all icmp-type $icmp_types keep state
>
> # allow all traffic from internal network to internal interface
> pass in on $int_if from $int_if:network to any keep state
> pass out on $int_if from any to $int_if:network keep state
>
> # allow all traffic out via external interface
> pass out on $ext_if proto tcp all modulate state flags S/SA
> pass out on $ext_if proto { udp, icmp } all keep state
>
> # for UPnP
> #anchor "miniupnpd"
>
>
>
> pfctl -s all:
>
> TRANSLATION RULES:
> nat on egress inet from XXX.2.73.0/25 to any -> (egress) round-robin
>
> FILTER RULES:
> scrub in all fragment reassemble
> block drop all
> block drop in quick inet from <__automatic_523e5_0> to any
> block drop out quick inet from any to <__automatic_523e5_1>
> pass in on re1 inet proto tcp from any to (re0) port = ssh flags S/SA keep state
> pass in on re1 inet proto tcp from any to (re0) port = imaps flags S/SA keep state
> pass in on re1 inet proto tcp from any to (re0) port = openvpn flags S/SA keep state
> pass in inet proto icmp all icmp-type echoreq keep state
> pass in on re0 inet from XXX.2.73.0/25 to any flags S/SA keep state
> pass in on re0 inet6 from 2001:470:1f05:35d::/64 to any flags S/SA keep state
> pass out on re0 inet from any to XXX.2.73.0/25 flags S/SA keep state
> pass out on re0 inet6 from any to 2001:470:1f05:35d::/64 flags S/SA keep state
> pass out on re1 proto tcp all flags S/SA modulate state
> pass out on re1 proto udp all keep state
> pass out on re1 proto icmp all keep state
>
> STATES:
> all tcp 179.60.193.3:443 <- XXX.2.73.72:18969       CLOSED:SYN_SENT
> all tcp 179.60.193.3:443 <- XXX.2.73.72:27780       CLOSED:SYN_SENT
> all udp XXX.2.73.1:53 <- XXX.2.73.72:19784       NO_TRAFFIC:SINGLE
> all udp XXX.2.73.1:53 <- XXX.2.73.72:50987       NO_TRAFFIC:SINGLE
> all udp XXX.2.73.1:53 <- XXX.2.73.72:36252       NO_TRAFFIC:SINGLE
> all udp XXX.2.73.1:514 <- XXX.2.73.105:1024       NO_TRAFFIC:SINGLE
> all udp XXX.2.73.1:53 <- XXX.2.73.72:49728       NO_TRAFFIC:SINGLE
> all udp XXX.2.73.1:53 <- XXX.2.73.72:33288       NO_TRAFFIC:SINGLE
> all udp XXX.2.73.1:53 <- XXX.2.73.72:33594       NO_TRAFFIC:SINGLE
> all udp XXX.2.73.1:53 <- XXX.2.73.72:39265       NO_TRAFFIC:SINGLE
>
> INFO:
> Status: Enabled for 0 days 00:02:00           Debug: Urgent
>
> Interface Stats for egress             IPv4             IPv6
>   Bytes In                                0                0
>   Bytes Out                               0                0
>   Packets In
>     Passed                                0                0
>     Blocked                               0                0
>   Packets Out
>     Passed                                0                0
>     Blocked                               0                0
>
> State Table                          Total             Rate
>   current entries                       10
>   searches                             766            6.4/s
>   inserts                               29            0.2/s
>   removals                              19            0.2/s
> Counters
>   match                                744            6.2/s
>   bad-offset                             0            0.0/s
>   fragment                               0            0.0/s
>   short                                  0            0.0/s
>   normalize                              0            0.0/s
>   memory                                 0            0.0/s
>   bad-timestamp                          0            0.0/s
>   congestion                             0            0.0/s
>   ip-option                              0            0.0/s
>   proto-cksum                            0            0.0/s
>   state-mismatch                         0            0.0/s
>   state-insert                           0            0.0/s
>   state-limit                            0            0.0/s
>   src-limit                              0            0.0/s
>   synproxy                               0            0.0/s
>
> TIMEOUTS:
> tcp.first                   120s
> tcp.opening                  30s
> tcp.established           86400s
> tcp.closing                 900s
> tcp.finwait                  45s
> tcp.closed                   90s
> tcp.tsdiff                   30s
> udp.first                    60s
> udp.single                   30s
> udp.multiple                 60s
> icmp.first                   20s
> icmp.error                   10s
> other.first                  60s
> other.single                 30s
> other.multiple               60s
> frag                         30s
> interval                     10s
> adaptive.start             6000 states
> adaptive.end              12000 states
> src.track                     0s
>
> LIMITS:
> states        hard limit    10000
> src-nodes     hard limit    10000
> frags         hard limit     5000
> table-entries hard limit   200000
>
> TABLES:
> __automatic_523e5_0
> __automatic_523e5_1
>
> OS FINGERPRINTS:
> 710 fingerprints loaded
>
>
>
> dmesg:
>
> Copyright (c) 1992-2015 The FreeBSD Project.
> Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
>         The Regents of the University of California. All rights reserved.
> FreeBSD is a registered trademark of The FreeBSD Foundation.
> FreeBSD 10.1-STABLE #8 r282466: Wed May  6 23:22:44 AEST 2015
>     gfm@maxwell.menhennitt.com.au:/usr/data/maxwell/obj/usr/data/FreeBSD/src_10-Stable/sys/maxwell amd64
> FreeBSD clang version 3.4.1 (tags/RELEASE_34/dot1-final 208032) 20140512
> CPU: AMD G-T40E Processor (1000.02-MHz K8-class CPU)
>   Origin="AuthenticAMD"  Id=0x500f20  Family=0x14  Model=0x2  Stepping=0
>   Features=0x178bfbff
>   Features2=0x802209
>   AMD Features=0x2e500800
>   AMD Features2=0x35ff
>   SVM: NP,NRIP,NAsids=8
>   TSC: P-state invariant, performance statistics
> real memory  = 4815060992 (4592 MB)
> avail memory = 4099497984 (3909 MB)
> Event timer "LAPIC" quality 400
> ACPI APIC Table:
> FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
> FreeBSD/SMP: 1 package(s) x 2 core(s)
>  cpu0 (BSP): APIC ID:  0
>  cpu1 (AP): APIC ID:  1
> ioapic0 irqs 0-23 on motherboard
> random: initialized
> acpi0: on motherboard
> acpi0: Power Button (fixed)
> cpu0: on acpi0
> cpu1: on acpi0
> atrtc0: port 0x70-0x71 irq 8 on acpi0
> Event timer "RTC" frequency 32768 Hz quality 0
> attimer0: port 0x40-0x43 irq 0 on acpi0
> Timecounter "i8254" frequency 1193182 Hz quality 0
> Event timer "i8254" frequency 1193182 Hz quality 100
> hpet0: iomem 0xfed00000-0xfed003ff on acpi0
> Timecounter "HPET" frequency 14318180 Hz quality 950
> Event timer "HPET" frequency 14318180 Hz quality 550
> Event timer "HPET1" frequency 14318180 Hz quality 450
> Timecounter "ACPI-fast" frequency 3579545 Hz quality 900
> acpi_timer0: <32-bit timer at 3.579545MHz> port 0x808-0x80b on acpi0
> pcib0: port 0xcf8-0xcff on acpi0
> pci0: on pcib0
> pcib1: irq 16 at device 4.0 on pci0
> pci1: on pcib1
> re0: port 0x1000-0x10ff mem 0xf7a00000-0xf7a00fff,0xf7900000-0xf7903fff irq 16 at device 0.0 on pci1
> re0: Using 1 MSI-X message
> re0: ASPM disabled
> re0: Chip rev. 0x2c000000
> re0: MAC rev. 0x00200000
> miibus0: on re0
> rgephy0: PHY 1 on miibus0
> rgephy0:  none, 10baseT, 10baseT-FDX, 10baseT-FDX-flow, 100baseTX, 100baseTX-FDX, 100baseTX-FDX-flow, 1000baseT, 1000baseT-master, 1000baseT-FDX, 1000baseT-FDX-master, 1000baseT-FDX-flow, 1000baseT-FDX-flow-master, auto, auto-flow
> re0: Using defaults for TSO: 65518/35/2048
> re0: Ethernet address: 00:0d:b9:35:c9:b0
> pcib2: irq 17 at device 5.0 on pci0
> pci2: on pcib2
> re1: port 0x2000-0x20ff mem 0xf7c00000-0xf7c00fff,0xf7b00000-0xf7b03fff irq 17 at device 0.0 on pci2
> re1: Using 1 MSI-X message
> re1: ASPM disabled
> re1: Chip rev. 0x2c000000
> re1: MAC rev. 0x00200000
> miibus1: on re1
> rgephy1: PHY 1 on miibus1
> rgephy1:  none, 10baseT, 10baseT-FDX, 10baseT-FDX-flow, 100baseTX, 100baseTX-FDX, 100baseTX-FDX-flow, 1000baseT, 1000baseT-master, 1000baseT-FDX, 1000baseT-FDX-master, 1000baseT-FDX-flow, 1000baseT-FDX-flow-master, auto, auto-flow
> re1: Using defaults for TSO: 65518/35/2048
> re1: Ethernet address: 00:0d:b9:35:c9:b1
> pcib3: irq 18 at device 6.0 on pci0
> pci3: on pcib3
> re2: port 0x3000-0x30ff mem 0xf7e00000-0xf7e00fff,0xf7d00000-0xf7d03fff irq 18 at device 0.0 on pci3
> re2: Using 1 MSI-X message
> re2: ASPM disabled
> re2: Chip rev. 0x2c000000
> re2: MAC rev. 0x00200000
> miibus2: on re2
> rgephy2: PHY 1 on miibus2
> rgephy2:  none, 10baseT, 10baseT-FDX, 10baseT-FDX-flow, 100baseTX, 100baseTX-FDX, 100baseTX-FDX-flow, 1000baseT, 1000baseT-master, 1000baseT-FDX, 1000baseT-FDX-master, 1000baseT-FDX-flow, 1000baseT-FDX-flow-master, auto, auto-flow
> re2: Using defaults for TSO: 65518/35/2048
> re2: Ethernet address: 00:0d:b9:35:c9:b2
> ahci0: port 0x4010-0x4017,0x4020-0x4023,0x4018-0x401f,0x4024-0x4027,0x4000-0x400f mem 0xf7f04000-0xf7f043ff irq 19 at device 17.0 on pci0
> ahci0: AHCI v1.20 with 6 6Gbps ports, Port Multiplier supported
> ahci0: quirks=0x1b5f0
> ahcich0: at channel 0 on ahci0
> ahcich1: at channel 1 on ahci0
> ahcich2: at channel 2 on ahci0
> ahcich3: at channel 3 on ahci0
> ahcich4: at channel 4 on ahci0
> ahcich5: at channel 5 on ahci0
> ohci0: mem 0xf7f00000-0xf7f00fff irq 18 at device 18.0 on pci0
> usbus0 on ohci0
> ehci0: mem 0xf7f04400-0xf7f044ff irq 17 at device 18.2 on pci0
> usbus1: EHCI version 1.0
> usbus1 on ehci0
> ohci1: mem 0xf7f01000-0xf7f01fff irq 18 at device 19.0 on pci0
> usbus2 on ohci1
> ehci1: mem 0xf7f04500-0xf7f045ff irq 17 at device 19.2 on pci0
> usbus3: EHCI version 1.0
> usbus3 on ehci1
> isab0: at device 20.3 on pci0
> isa0: on isab0
> pcib4: at device 20.4 on pci0
> pci4: on pcib4
> ohci2: mem 0xf7f02000-0xf7f02fff irq 18 at device 20.5 on pci0
> usbus4 on ohci2
> pcib5: at device 21.0 on pci0
> pci5: on pcib5
> ohci3: mem 0xf7f03000-0xf7f03fff at device 22.0 on pci0
> usbus5 on ohci3
> ehci2: mem 0xf7f04600-0xf7f046ff at device 22.2 on pci0
> usbus6: EHCI version 1.0
> usbus6 on ehci2
> acpi_button0: on acpi0
> orm0: at iomem 0xee800-0xeffff on isa0
> uart0: <16550 or compatible> at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
> uart0: console (115200,n,8,1)
> uart1: <16550 or compatible> at port 0x2f8-0x2ff irq 3 on isa0
> random: unblocking device.
> usbus0: 12Mbps Full Speed USB v1.0
> Timecounters tick every 1.000 msec
> ipfw2 (+ipv6) initialized, divert loadable, nat loadable, default to deny, logging disabled
> usbus1: 480Mbps High Speed USB v2.0
> usbus2: 12Mbps Full Speed USB v1.0
> usbus3: 480Mbps High Speed USB v2.0
> ugen0.1: at usbus0
> uhub0: on usbus0
> ugen1.1: at usbus1
> uhub1: on usbus1
> ugen2.1: at usbus2
> uhub2: on usbus2
> ugen3.1: at usbus3
> uhub3: on usbus3
> usbus4: 12Mbps Full Speed USB v1.0
> usbus5: 12Mbps Full Speed USB v1.0
> usbus6: 480Mbps High Speed USB v2.0
> ugen4.1: at usbus4
> uhub4: on usbus4
> ugen5.1: at usbus5
> uhub5: on usbus5
> ugen6.1: at usbus6
> uhub6: on usbus6
> ada0 at ahcich0 bus 0 scbus0 target 0 lun 0
> ada0: ACS-3 ATA SATA 3.x device
> ada0: Serial Number 3AF607491C0800677564
> ada0: 600.000MB/s transfers (SATA 3.x, UDMA6, PIO 8192bytes)
> ada0: Command Queueing enabled
> ada0: 15272MB (31277232 512 byte sectors: 16H 63S/T 16383C)
> ada0: Previously was known as ad4
> ada1 at ahcich1 bus 0 scbus1 target 0 lun 0
> ada1: ATA8-ACS SATA 3.x device
> ada1: Serial Number S3PD52ZD
> ada1: 600.000MB/s transfers (SATA 3.x, UDMA6, PIO 8192bytes)
> ada1: Command Queueing enabled
> ada1: 476940MB (976773168 512 byte sectors: 16H 63S/T 16383C)
> ada1: quirks=0x1<4K>
> ada1: Previously was known as ad6
> uhub4: 2 ports with 2 removable, self powered
> uhub0: 5 ports with 5 removable, self powered
> uhub2: 5 ports with 5 removable, self powered
> uhub5: 4 ports with 4 removable, self powered
> SMP: AP CPU #1 Launched!
> Timecounter "TSC" frequency 1000022996 Hz quality 800
> Root mount waiting for: usbus6 usbus3 usbus1
> Root mount waiting for: usbus6 usbus3 usbus1
> uhub6: 4 ports with 4 removable, self powered
> uhub3: 5 ports with 5 removable, self powered
> uhub1: 5 ports with 5 removable, self powered
> ugen6.2: at usbus6
> umass0: addr 2> on usbus6
> umass0:  SCSI over Bulk-Only; quirks = 0x4001
> umass0:6:0:-1: Attached to scbus6
> Root mount waiting for: usbus1
> da0 at umass-sim0 bus 0 scbus6 target 0 lun 0
> da0: Removable Direct Access SPC-2 SCSI device
> da0: Serial Number 058F63666485
> da0: 40.000MB/s transfers
> da0: Attempt to query device size failed: NOT READY, Medium not present
> da0: quirks=0x2
> ugen1.2: at usbus1
> uhub7: addr 2> on usbus1
> uhub7: MTT enabled
> uhub7: 4 ports with 4 removable, self powered
> Root mount waiting for: usbus1
> Root mount waiting for: usbus1
> ugen1.3: at usbus1
> umass1: 3> on usbus1
> umass1:  SCSI over Bulk-Only; quirks = 0xc000
> umass1:7:1:-1: Attached to scbus7
> da1 at umass-sim1 bus 1 scbus7 target 0 lun 0
> da1: Removable Direct Access SCSI device
> da1: Serial Number 000000009602
> da1: 40.000MB/s transfers
> da1: Attempt to query device size failed: NOT READY, Medium not present
> da1: quirks=0x3
> da2 at umass-sim1 bus 1 scbus7 target 0 lun 1
> da2: Removable Direct Access SCSI device
> da2: Serial Number 000000009602
> da2: 40.000MB/s transfers
> da2: Attempt to query device size failed: NOT READY, Medium not present
> da2: quirks=0x3
> da3 at umass-sim1 bus 1 scbus7 target 0 lun 2
> da3: Removable Direct Access SCSI device
> da3: Serial Number 000000009602
> da3: 40.000MB/s transfers
> da3: Attempt to query device size failed: NOT READY, Medium not present
> da3: quirks=0x3
> da4 at umass-sim1 bus 1 scbus7 target 0 lun 3
> da4: Removable Direct Access SCSI device
> da4: Serial Number 000000009602
> da4: 40.000MB/s transfers
> da4: Attempt to query device size failed: NOT READY, Medium not present
> da4: quirks=0x3
> ugen1.4: at usbus1
> uhub8: addr 4> on usbus1
> uhub8: MTT enabled
> Root mount waiting for: usbus1
> uhub8: 4 ports with 4 removable, self powered
> Trying to mount root from ufs:/dev/ada0p2 [rw,noatime]...
> NLM: failed to contact remote rpcbind, stat = 3, port = 28416
> NLM: failed to contact remote rpcbind, stat = 3, port = 28416
> Can't start NLM - unable to contact NSM
>
> ifconfig:
>
> re0: flags=8843 metric 0 mtu 1500
>         options=8209b
>         ether 00:0d:b9:35:c9:b0
>         inet6 YYYYYYYYYYYYYY%re0 prefixlen 64 scopeid 0x1
>         inet XXX.2.73.1 netmask 0xffffff80 broadcast XXX.2.73.127
>         inet6 YYYYYYYYYYYYYY::1 prefixlen 64
>         nd6 options=21
>         media: Ethernet autoselect (1000baseT )
>         status: active
> re1: flags=8843 metric 0 mtu 1500
>         options=8209b
>         ether 00:0d:b9:35:c9:b1
>         inet6 YYYYYYYYY%re1 prefixlen 64 scopeid 0x2
>         inet YYY.YYY.YYY.YYY netmask 0xfffff000 broadcast YYY.YYY.YYY.255
>         nd6 options=21
>         media: Ethernet autoselect (100baseTX )
>         status: active
> re2: flags=8843 metric 0 mtu 1500
>         options=8209b
>         ether 00:0d:b9:35:c9:b2
>         inet XXX.2.73.129 netmask 0xffffff80 broadcast XXX.2.73.255
>         inet6 YYYYYYYYYYY%re2 prefixlen 64 scopeid 0x3
>         nd6 options=21
>         media: Ethernet autoselect (100baseTX )
>         status: active
> lo0: flags=8049 metric 0 mtu 16384
>         options=600003
>         inet6 ::1 prefixlen 128
>         inet6 YYYYYYYYY%lo0 prefixlen 64 scopeid 0x4
>         inet 127.0.0.1 netmask 0xff000000
>         nd6 options=21
>
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
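Felix's question is the one the posted dmesg already answers. The line "ipfw2 (+ipv6) initialized, divert loadable, nat loadable, default to deny, logging disabled" shows ipfw still present at boot (compiled into the kernel, or loaded from loader.conf) with a default-to-deny policy, and the quoted rc.conf no longer loads any ipfw rules, so ipfw's only rule is the implicit 65535 deny and every packet is refused no matter what pf would pass. "ping: sendto: Permission denied" fits: on FreeBSD a packet ipfw denies on the way out is reported to the sender as EACCES (Permission denied), whereas a packet pf blocks comes back as EPERM (Operation not permitted), and pf would not have touched a ping to the router's own address anyway because of "set skip on lo0". Two further checks are worth running once ipfw is dealt with, both grounded in the quoted output: pfctl -s all shows the NAT rule as "nat on egress ... -> (egress)", which corresponds to the commented-out nat line and not to the "match ... nat-to" line in the posted file (FreeBSD 10's pf does not accept that OpenBSD syntax), so "pfctl -nf /etc/pf.conf" should be used to confirm that the file on disk parses and is really what was loaded; and "Interface Stats for egress" is zero in every counter, so "ifconfig -g egress" should confirm that re1 is actually a member of the egress group, which FreeBSD does not create automatically.

The script below is an added example, not code from this thread, that turns that reasoning into a check. It works on text so it runs offline: the dmesg excerpt is taken from the post, the two ipfw listings are constructed to look like what "ipfw list" prints for an empty and for an opened ruleset, and the ping message is the one quoted above. On the router itself the same functions would be given the real outputs, as in the commented-out last line; "sysctl net.inet.ip.fw.enable" is worth reading alongside, since a ruleset is still listed when ipfw has been switched off at runtime.

```sh
#!/bin/sh
# Added example (not from the thread): is a leftover ipfw, rather than pf,
# what is dropping everything? Works on text so it can be exercised offline;
# on a router, call the functions on the real dmesg and `ipfw list` output.

# Returns 0 if dmesg shows ipfw initialised with a default-to-deny policy
# (kernel built with IPFIREWALL but without IPFIREWALL_DEFAULT_TO_ACCEPT).
ipfw_default_deny_in_dmesg() {
    printf '%s\n' "$1" | grep -q 'ipfw2.*default to deny'
}

# Returns 0 if the ipfw ruleset holds nothing but the implicit rule 65535.
# With default-to-deny that rule is "65535 deny ip from any to any", so
# ipfw denies every packet regardless of what pf decides.
ipfw_ruleset_is_empty() {
    rules=$(printf '%s\n' "$1" | grep -v '^[[:space:]]*$')
    [ "$(printf '%s\n' "$rules" | wc -l | tr -d ' ')" -eq 1 ] &&
        printf '%s\n' "$rules" | grep -q '^65535 deny ip from any to any'
}

# Attribute a sendto() failure to a firewall by its errno text:
# ipfw's pfil hook returns EACCES for a denied packet, pf's returns EPERM.
ping_error_source() {
    case "$1" in
        *'Permission denied'*)       echo ipfw ;;
        *'Operation not permitted'*) echo pf ;;
        *)                           echo unknown ;;
    esac
}

# Combine the signals into one verdict: prints it, returns 0 when ipfw is
# the culprit and 1 otherwise.
diagnose() {
    dmesg_out=$1; ipfw_out=$2; ping_err=$3
    if ipfw_default_deny_in_dmesg "$dmesg_out" && ipfw_ruleset_is_empty "$ipfw_out"; then
        echo "ipfw is in the kernel with default-to-deny and no rules; it denies"
        echo "every packet whatever pf decides (ping error points at: $(ping_error_source "$ping_err"))."
        echo "Fix: sysctl net.inet.ip.fw.enable=0 net.inet6.ip6.fw.enable=0,"
        echo "or ipfw add 65000 allow ip from any to any, or rebuild without options IPFIREWALL."
        return 0
    fi
    echo "ipfw is not the obvious cause; look at pfctl -sr and pflog next."
    return 1
}

# Constructed samples: the dmesg excerpt is from the post, the ipfw listings
# are what `ipfw list` prints for an empty and for an opened ruleset.
SAMPLE_DMESG='Timecounters tick every 1.000 msec
ipfw2 (+ipv6) initialized, divert loadable, nat loadable, default to deny, logging disabled
usbus1: 480Mbps High Speed USB v2.0'
SAMPLE_IPFW_EMPTY='65535 deny ip from any to any'
SAMPLE_IPFW_OPEN='65000 allow ip from any to any
65535 deny ip from any to any'
SAMPLE_PING_ERR='ping: sendto: Permission denied'

diagnose "$SAMPLE_DMESG" "$SAMPLE_IPFW_EMPTY" "$SAMPLE_PING_ERR"
# On the router itself (ipfw list needs root):
# diagnose "$(dmesg)" "$(ipfw list 2>/dev/null)" "$(ping -c 1 XXX.2.73.1 2>&1)"
```

Switching ipfw off with the sysctls is the quick test; if the self-ping then succeeds and pf's own counters start moving, the pf ruleset can be debugged on its own terms with pfctl -sr, pfctl -ss and tcpdump on pflog0.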