Date:      Wed, 24 May 2006 21:50:57 +0200
From:      Max Laier <max@love2party.net>
To:        freebsd-pf@freebsd.org
Subject:   Re: pf-nat with userland ppp source address issue
Message-ID:  <200605242151.05171.max@love2party.net>
In-Reply-To: <20060524193245.GA31411@marvin.harmless.hu>
References:  <20060524193245.GA31411@marvin.harmless.hu>


On Wednesday 24 May 2006 21:32, Gergely CZUCZY wrote:
> i've met a very strange issue with NATting.
>
> i've noticed that only every second outgoing SSH connection succeeds, and
> this was a bit strange. i've started a few, and tcpdumped them, applied
> a filter for S/SA tcp flags, and i've got the following result:
>
> No.  Time       Source           Destination    Protocol  Info
> 31   4.513136   213.178.116.238  195.56.55.204  TCP       53480 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2969214 TSER=0
> 32   6.542201   213.178.109.103  195.56.55.204  TCP       56051 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2971243 TSER=0
> 73   8.293252   213.178.116.238  195.56.55.204  TCP       61535 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2972994 TSER=0
> 74   9.834288   213.178.109.103  195.56.55.204  TCP       59672 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2974535 TSER=0
> 115  11.384353  213.178.116.238  195.56.55.204  TCP       60708 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2976085 TSER=0
>
> take a look at the source address
> now i've checked the interface configuration:
>
> # ifconfig tun0
> tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
>         inet 213.178.109.103 --> 195.70.32.11 netmask 0xffffffff
>         Opened by PID 208
>
> for my information i looked them up:
> 238.116.178.213.in-addr.arpa domain name pointer caracas-4334.adsl.interware.hu.
> 103.109.178.213.in-addr.arpa domain name pointer caracas-2407.adsl.interware.hu.
>
> so it appears that's just another user-IP from my ISP's ADSL-pool.
>
> now the ppp.log looked really interesting, here comes the point:
> --- chop with axe here ---
> May 24 18:08:02 beeblebrox ppp[208]: tun0: IPCP:  IPADDR[6] changing
> address: 213.178.116.238  --> 213.178.109.103
> --- chop with axe here ---
> as you can see, one source IP is the old one i had before, and the other one
> is the one i'm using currently. i've tried to re-read pf.conf with pfctl -f,
> but that didn't help, nor did -d/-e (disabling and then enabling it).
>
> this solved it:
> # pfctl -d
> # pfctl -F nat
> # pfctl -F state
> # pfctl -F Sources
> # pfctl -f /etc/pf.conf
> # pfctl -e
>
> i'm using userland ppp service, as it seems from the tun0 interface.
>
> is this issue already known, and is it really a bug, or am i doing something
> wrong? the pf.conf is available from here. this is my home gateway, it's
> also a testbox, some kind of playground.
>
> uname -a:
> FreeBSD beeblebrox.harmless.lan 6.1-STABLE FreeBSD 6.1-STABLE #0: Fri May
> 19 14:25:03 CEST 2006
> root@beeblebrox.harmless.lan:/usr/obj/usr/src/sys/BEEBLEBROX  i386
>
> pf.conf:
> http://phoemix.harmless.hu/pf.beeblebrox.conf

Try using:

(tun0:0) in "to", "from" and "->" statements.  The ":0" after the interface
name will make sure that we don't use alias addresses on the interface.  In
fact this is a bug in ppp, but it was decided that it was non-trivial to fix
it.  I don't remember all the details, but

http://www.freebsd.org/cgi/query-pr.cgi?pr=69954

was the PR back then.

btw, you seem to be missing "()" around $if_ppp in the ftp-proxy rule.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
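Checking for the symptom Gergely describes after the fact, as an added example that is not part of this thread: it parses constructed copies of the three observations above (ifconfig tun0, the ppp.log IPCP line, and a SYN-only capture summary in "No. Time Source Destination Protocol Info" column order) and reports outgoing SYNs whose source address is one that IPCP has already replaced, which is what NAT still translating to a stale interface alias looks like on the wire.

```python
import re
# Constructed sample input modelled on the observations in the thread:
# ifconfig tun0, the ppp.log IPCP line, and a SYN-only capture summary.
IFCONFIG_TUN0 = """tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
        inet 213.178.109.103 --> 195.70.32.11 netmask 0xffffffff
        Opened by PID 208
"""
PPP_LOG = ("May 24 18:08:02 beeblebrox ppp[208]: tun0: IPCP:  IPADDR[6] "
           "changing address: 213.178.116.238  --> 213.178.109.103\n")
SYN_SUMMARY = """31 4.513136 213.178.116.238 195.56.55.204 TCP 53480 > ssh [SYN]
32 6.542201 213.178.109.103 195.56.55.204 TCP 56051 > ssh [SYN]
73 8.293252 213.178.116.238 195.56.55.204 TCP 61535 > ssh [SYN]
74 9.834288 213.178.109.103 195.56.55.204 TCP 59672 > ssh [SYN]
115 11.384353 213.178.116.238 195.56.55.204 TCP 60708 > ssh [SYN]
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

def current_address(ifconfig_out):
    """Return the inet address ifconfig reports on a point-to-point interface."""
    m = re.search(r"^\s*inet " + IPV4 + r" --> ", ifconfig_out, re.M)
    return m.group(1) if m else None

def ipcp_changes(ppp_log):
    """Return (old, new) pairs from userland ppp's IPCP 'changing address' lines."""
    pat = re.compile(r"IPCP:\s+IPADDR\[\d+\] changing address: "
                     + IPV4 + r"\s+-->\s+" + IPV4)
    return [m.groups() for m in map(pat.search, ppp_log.splitlines()) if m]

def stale_syn_sources(summary, current):
    """Map each SYN source address other than the current one to its frame numbers."""
    stale = {}
    for line in summary.splitlines():
        parts = line.split()
        if len(parts) < 4 or "[SYN]" not in line:
            continue
        frame, src = int(parts[0]), parts[2]
        if src != current:
            stale.setdefault(src, []).append(frame)
    return stale

def diagnose(ifconfig_out, ppp_log, summary):
    """Keep only stale sources IPCP previously assigned here: SYNs pf still translates to the released address."""
    current = current_address(ifconfig_out)
    released = {old for old, new in ipcp_changes(ppp_log) if new == current}
    stale = stale_syn_sources(summary, current)
    return {src: frames for src, frames in stale.items() if src in released}
```

An empty result means every outgoing SYN already carries the address ifconfig shows; a non-empty one lists exactly the frames that will never get a SYN/ACK back.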

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200605242151.05171.max>