From: Max Laier <max@love2party.net>
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Wed, 24 May 2006 21:50:57 +0200
Subject: Re: pf-nat with userland ppp source address issue
In-Reply-To: <20060524193245.GA31411@marvin.harmless.hu>
Message-Id: <200605242151.05171.max@love2party.net>

On Wednesday 24 May 2006 21:32, Gergely CZUCZY wrote:
> i've met a very strange issue with NATting.
>
> i've noticed that only every second outgoing SSH connection succeeds, and
> this was a bit strange. i've started a few, and tcpdumped them, applied
> a filter for S/SA tcp flags, and i've got the following result:
>
> No.  Time       Source           Destination    Protocol Info
> 31   4.513136   213.178.116.238  195.56.55.204  TCP      53480 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2969214 TSER=0
> 32   6.542201   213.178.109.103  195.56.55.204  TCP      56051 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2971243 TSER=0
> 73   8.293252   213.178.116.238  195.56.55.204  TCP      61535 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2972994 TSER=0
> 74   9.834288   213.178.109.103  195.56.55.204  TCP      59672 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2974535 TSER=0
> 115  11.384353  213.178.116.238  195.56.55.204  TCP      60708 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2976085 TSER=0
>
> take a look at the source address
> now i've checked the interface configuration:
>
> # ifconfig tun0
> tun0: flags=8051 mtu 1492
>         inet 213.178.109.103 --> 195.70.32.11 netmask 0xffffffff
>         Opened by PID 208
>
> for my information i looked them up:
> 238.116.178.213.in-addr.arpa domain name pointer caracas-4334.adsl.interware.hu.
> 103.109.178.213.in-addr.arpa domain name pointer caracas-2407.adsl.interware.hu.
>
> so it appears that's just another user-IP from my ISP's ADSL-pool.
>
> now the ppp.log looked really interesting, here comes the point:
> --- chop with axe here ---
> May 24 18:08:02 beeblebrox ppp[208]: tun0: IPCP: IPADDR[6] changing address: 213.178.116.238 --> 213.178.109.103
> --- chop with axe here ---
> as you can see, one source IP is the old one i had before, and the other one
> is the one i'm using currently. i've tried to re-read pf.conf with pfctl -f,
> but that didn't help, nor did -d/-e (disabling and then enabling it).
>
> this solved it:
> # pfctl -d
> # pfctl -F nat
> # pfctl -F state
> # pfctl -F Sources
> # pfctl -f /etc/pf.conf
> # pfctl -e
>
> i'm using the userland ppp service, as it seems from the tun0 interface.
>
> is this issue already known, and is it really a bug, or am i doing something
> wrong? the pf.conf is available from here. this is my home gateway, it's
> also a testbox, some kind of playground.
>
> uname -a:
> FreeBSD beeblebrox.harmless.lan 6.1-STABLE FreeBSD 6.1-STABLE #0: Fri May 19 14:25:03 CEST 2006
> root@beeblebrox.harmless.lan:/usr/obj/usr/src/sys/BEEBLEBROX i386
>
> pf.conf:
> http://phoemix.harmless.hu/pf.beeblebrox.conf

Try using:

  (tun0:0)

in "to", "from" and "->" statements. The ":0" after the interface name will
make sure that we don't use alias addresses on the interface. In fact this
is a bug in ppp, but it was decided that it was non-trivial to fix it. I
don't remember all the details, but
http://www.freebsd.org/cgi/query-pr.cgi?pr=69954 was the PR back then.

btw, you seem to be missing "()" around $if_ppp in the ftp-proxy rule.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
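As an added illustration of the advice in this thread (not the poster's pf.conf, which is only linked above and not reproduced here, and not code from the FreeBSD project), the following pf.conf fragment shows the three ways of naming the external address in NAT and filter rules and why only the parenthesised form with ":0" survives an IPCP address change. The macros if_ppp, int_if and int_net and the 213.178.109.103 literal are constructed for the example; the "ftp-proxy rule" mentioned in the reply is not on the page, so the rdr rule here is a generic constructed one.

```pf
# Added example, not the poster's ruleset. Macros are constructed.
if_ppp  = "tun0"
int_if  = "fxp0"
int_net = "192.168.1.0/24"

# 1. Literal address: fixed at load time. Breaks as soon as IPCP hands
#    out a new address (see the ppp.log line quoted above).
# nat on $if_ppp from $int_net to any -> 213.178.109.103

# 2. Bare interface name: pfctl expands it to the interface's addresses
#    when the ruleset is loaded, not when a packet arrives. After a
#    renegotiation the rule keeps translating to the stale address until
#    "pfctl -f" is run again, and if ppp leaves the old address on tun0
#    as an alias, the expansion contains both addresses, which is how
#    connections end up alternating between two source IPs.
# nat on $if_ppp from $int_net to any -> $if_ppp

# 3. Parentheses: the address is looked up at run time whenever the
#    interface's addresses change; ":0" excludes alias addresses, so the
#    translation always uses the single primary address.
nat on $if_ppp from $int_net to any -> ($if_ppp:0)

# The same "(iface:0)" form applies in "from" and "to" positions, e.g. a
# filter rule that matches traffic to this host's own external address
# (constructed rule; "on $if_ppp" takes a plain interface name and needs
# no parentheses).
pass in  on $if_ppp proto tcp from any to ($if_ppp:0) port ssh flags S/SA keep state
pass out on $if_ppp proto tcp from ($if_ppp:0) to any flags S/SA keep state

# Generic rdr to a local ftp-proxy listener (constructed; the original
# rule is not on this page). Only the redirect target is a literal
# here; anything that names the external interface address should use
# ($if_ppp:0) as above.
rdr pass on $int_if proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021
```

Check the ruleset with "pfctl -nf /etc/pf.conf" before loading it with "pfctl -f"; "pfctl -sn" then prints the nat rule with "(tun0:0)" unexpanded, which confirms the address is resolved at run time rather than at load time. Existing state entries created against the stale address are not rewritten by a rule reload, so "pfctl -F state" (as in the sequence quoted above) is still needed once after switching to this form.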