Date:      Wed, 24 May 2006 21:32:45 +0200
From:      phoemix@harmless.hu (Gergely CZUCZY)
To:        freebsd-pf@freebsd.org
Subject:   pf-nat with userland ppp source address issue
Message-ID:  <20060524193245.GA31411@marvin.harmless.hu>



hello

i've met a very strange issue with NATting.

i've noticed that only every second outgoing SSH connection succeeds, and
this was a bit strange. i've started a few, tcpdumped them, applied
a filter for S/SA tcp flags, and i've got the following result:

No.     Time        Source                Destination           Protocol Info
     31 4.513136    213.178.116.238       195.56.55.204         TCP      53480 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2969214 TSER=0
     32 6.542201    213.178.109.103       195.56.55.204         TCP      56051 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2971243 TSER=0
     73 8.293252    213.178.116.238       195.56.55.204         TCP      61535 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2972994 TSER=0
     74 9.834288    213.178.109.103       195.56.55.204         TCP      59672 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2974535 TSER=0
    115 11.384353   213.178.116.238       195.56.55.204         TCP      60708 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2976085 TSER=0

take a look at the source address.
now i've checked the interface configuration:

# ifconfig tun0
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
        inet 213.178.109.103 --> 195.70.32.11 netmask 0xffffffff
        Opened by PID 208

for my information i looked them up:
238.116.178.213.in-addr.arpa domain name pointer caracas-4334.adsl.interware.hu.
103.109.178.213.in-addr.arpa domain name pointer caracas-2407.adsl.interware.hu.

so it appears that's just another user-IP from my ISP's ADSL-pool.

now the ppp.log looked really interesting, here comes the point:
--- chop with axe here ---
May 24 18:08:02 beeblebrox ppp[208]: tun0: IPCP:  IPADDR[6] changing address: 213.178.116.238  --> 213.178.109.103
--- chop with axe here ---
as you can see, one source IP is the old one i had before, and the other one is the one i'm using
currently. i've tried to re-read pf.conf with pfctl -f, but that didn't help, nor -d/-e (disabling
and then enabling it).

this solved it:
# pfctl -d
# pfctl -F nat
# pfctl -F state
# pfctl -F Sources
# pfctl -f /etc/pf.conf
# pfctl -e

i'm using userland ppp service, as it seems from the tun0 interface.

is this issue already known, and is it really a bug, or am i doing something wrong?
the pf.conf is available from here. this is my home gateway, it's also a testbox, some
kind of playground.

uname -a:
FreeBSD beeblebrox.harmless.lan 6.1-STABLE FreeBSD 6.1-STABLE #0: Fri May 19 14:25:03 CEST 2006     root@beeblebrox.harmless.lan:/usr/obj/usr/src/sys/BEEBLEBROX  i386

pf.conf:
http://phoemix.harmless.hu/pf.beeblebrox.conf

Bye,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu
PGP: http://phoemix.harmless.hu/phoemix.pgp

Weenies test. Geniuses solve problems that arise.
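The manual pfctl sequence above (disable, flush NAT rules, flush the state table, flush source-tracking entries, reload, enable) is the kind of thing one would hang off userland ppp's link-up hook so it runs automatically whenever IPCP renegotiates the tun0 address. The script below is an added example, not code from the post or from FreeBSD; it wraps the poster's exact command sequence, parses the "changing address" line from ppp.log so the old and new addresses can be logged, and assumes `/etc/pf.conf` and a `pfctl` in PATH (both overridable). The ppp.linkup snippet in the comment uses the `MYADDR:` label and `!bg` shell escape that userland ppp provides.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild pf NAT state after
# userland ppp renegotiates the tun0 address, using the pfctl sequence
# that fixed the problem in the post. PFCONF and PFCTL are assumed
# defaults and can be overridden from the environment.
#
# Hook it from /etc/ppp/ppp.linkup so it runs on every address change:
#   MYADDR:
#     !bg /usr/local/sbin/pf-ppp-reload.sh apply

PFCONF="${PFCONF:-/etc/pf.conf}"
PFCTL="${PFCTL:-pfctl}"

# Line from the post's ppp.log, used here as sample input.
SAMPLE_LINE='May 24 18:08:02 beeblebrox ppp[208]: tun0: IPCP:  IPADDR[6] changing address: 213.178.116.238  --> 213.178.109.103'

# ipcp_addr_change LINE
# Recognises an IPCP "changing address: OLD --> NEW" log line and prints
# "OLD NEW". Returns 1 (prints nothing) for any other line.
ipcp_addr_change() {
    out=$(printf '%s\n' "$1" |
        sed -n 's/.*changing address: *\([0-9][0-9.]*\) *--> *\([0-9][0-9.]*\).*/\1 \2/p')
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# pf_reload_cmds
# Emits, one per line, the pfctl commands from the post. Flushing the
# state table and the source-tracking table before the reload is what
# removes entries that still carry the old tun0 address; a plain
# "pfctl -f" alone left them in place.
pf_reload_cmds() {
    cat <<EOF
$PFCTL -d
$PFCTL -F nat
$PFCTL -F state
$PFCTL -F Sources
$PFCTL -f $PFCONF
$PFCTL -e
EOF
}

# pf_reload
# Runs the command list, stopping at the first failure so pf is never
# left disabled because a later step silently failed.
pf_reload() {
    pf_reload_cmds | sh -e
}

# Command-line entry point: "apply" runs the reload, "dry-run" prints
# the commands, "parse LINE" shows what was extracted from a log line.
case "$1" in
    apply)   pf_reload ;;
    dry-run) pf_reload_cmds ;;
    parse)   ipcp_addr_change "$2" ;;
esac
```

Flushing the state table drops every active connection through the gateway, not only the broken ones, so on a busy box you may prefer to run this only when `ipcp_addr_change` reports that the address actually changed (ppp.linkup also fires on a reconnect that gets the same address back).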
