From: Eric Masson
To: Max Laier
Cc: freebsd-pf@freebsd.org
Subject: Re: pf & clonable devices
Date: Tue, 18 Jan 2005 16:00:47 +0100
Message-ID: <86pt026au8.fsf@srvbsdnanssv.interne.kisoft-services.com>
In-Reply-To: <200501181350.21488.max@love2party.net> (Max Laier's message of "Tue, 18 Jan 2005 13:50:13 +0100")
References: <86k6qcynus.fsf@srvbsdnanssv.interne.kisoft-services.com> <86r7kj3x2b.fsf@srvbsdnanssv.interne.kisoft-services.com> <86ekgi9avj.fsf@srvbsdnanssv.interne.kisoft-services.com> <200501181350.21488.max@love2party.net>
X-Operating-System: FreeBSD 5.3-STABLE i386
List-Id: Technical discussion and general questions about packet filter (pf)

>>>>> "Max" == Max Laier writes:

Max> Okay, that hints that the NAT-rule is to blame.

Seems to.

Max> Can you check the output of "$pfctl -vvsn" after a reconnect, but
Max> before issuing a ruleset reload? This looks a bit like PR
Max> kern/69954, in which case you might want to try to write your
Max> nat-rule as:

Max> nat on $ext_if from $int_if:network to any -> ($ext_if:0)

Ok, further refinement: on machine boot, pf refuses to load rules because
interface ppp0 doesn't exist (thanks to dmesg -a, this box is headless).

Once pppd has started, pfctl -vvsn gives the following results:

No ALTQ support in kernel
ALTQ related functions disabled

Expected result, as no nat rules reference the ppp0 interface, sigh...

After pfctl -F all -f /etc/pf.conf, pfctl -vvsn gives the following results:

No ALTQ support in kernel
ALTQ related functions disabled
@0 nat on ppp0 inet from 192.168.1.0/24 to any -> (ppp0:0)
  [ Evaluations: 209       Packets: 236       Bytes: 149822      States: 3     ]

After that, shutdown of the pppd processes, removal of the pppX interfaces
and startup of the pppd processes again; traffic then flows fine and is
correctly nat'ed.

So, your fix seems to be fine :)

The next question concerns pf support for clonable interfaces that do not
exist at pf startup. Is this a feature that could be added, or do I need to
mess with anchors in ip-up/ip-down scripts?

Éric

-- 
Why don't French Internet users mobilise to group together as a company or
association so they can have toll-free numbers? It would be enough to rent
the phone lines from FT and we would only pay a subscription.
-+- BT in: Guide du Neuneu Usenet - Neuneu goes green -+-
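The failure mode Eric describes (an empty nat ruleset after boot because ppp0 did not exist yet) is easy to miss on a headless box. The following is an added example, not code from this thread or from pf: a small parser for the nat section of `pfctl -vvsn` output that flags a missing or non-dynamic nat rule for a given interface. The sample outputs are constructed from the lines quoted in the message; the stats line is assumed to be printed indented below the rule, as pfctl does, but same-line stats are handled too.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed samples modelled on the two pfctl -vvsn outputs quoted in the thread.
PFCTL_EMPTY = "No ALTQ support in kernel\nALTQ related functions disabled\n"
PFCTL_LOADED = (
    "No ALTQ support in kernel\n"
    "ALTQ related functions disabled\n"
    "@0 nat on ppp0 inet from 192.168.1.0/24 to any -> (ppp0:0)\n"
    "  [ Evaluations: 209       Packets: 236       Bytes: 149822      States: 3     ]\n"
)

# Only "nat on <if> ... -> <target>" rules are parsed; rdr/binat lines are ignored.
RULE_RE = re.compile(r"^@(?P<num>\d+)\s+nat\s+on\s+(?P<ifname>\S+)\s+(?P<rest>.*?)\s*->\s*(?P<target>\S+)")
STATS_RE = re.compile(r"Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)")

@dataclass
class NatRule:
    number: int
    interface: str
    match: str           # e.g. "inet from 192.168.1.0/24 to any"
    target: str          # e.g. "(ppp0:0)"
    dynamic_target: bool  # "(ifname:0)" form: pf re-evaluates the address on change
    evaluations: int = 0
    packets: int = 0
    byte_count: int = 0
    states: int = 0

def parse_nat_rules(output: str) -> List[NatRule]:
    rules: List[NatRule] = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if m:
            target = m.group("target")
            rules.append(NatRule(int(m.group("num")), m.group("ifname"), m.group("rest"),
                                 target, target.startswith("(") and target.endswith(")")))
        s = STATS_RE.search(line)  # stats may follow on the same line or the next one
        if s and rules:
            r = rules[-1]
            r.evaluations, r.packets, r.byte_count, r.states = (int(x) for x in s.groups())
    return rules

def check_nat(output: str, interface: str) -> Optional[str]:
    """Return None if a dynamic nat rule for `interface` is loaded, else the reason."""
    rules = [r for r in parse_nat_rules(output) if r.interface == interface]
    if not rules:
        return f"no nat rule on {interface}: ruleset likely failed to load (interface absent at boot?)"
    if not any(r.dynamic_target for r in rules):
        return f"nat rule on {interface} has a fixed address; use ({interface}:0) to track address changes"
    return None
```

Run `check_nat(subprocess.check_output(["pfctl", "-vvsn"], text=True), "ppp0")` from a cron job or the ip-up hook to get an alert instead of silent loss of NAT.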