Date: Wed, 24 May 2006 21:57:33 +0200
From: phoemix@harmless.hu (Gergely CZUCZY)
To: Max Laier <max@love2party.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: pf-nat with userland ppp source address issue
Message-ID: <20060524195733.GA22703@marvin.harmless.hu>
In-Reply-To: <200605242151.05171.max@love2party.net>
References: <20060524193245.GA31411@marvin.harmless.hu> <200605242151.05171.max@love2party.net>
On Wed, May 24, 2006 at 09:50:57PM +0200, Max Laier wrote:
> On Wednesday 24 May 2006 21:32, Gergely CZUCZY wrote:
> > I've met a very strange issue with NATting.
> >
> > I've noticed that only every second outgoing SSH connection succeeds, and
> > this was a bit strange. I've started a few, tcpdumped them, applied a
> > filter for S/SA tcp flags, and I've got the following result:
> >
> > No.  Time       Source           Destination    Protocol  Info
> > 31   4.513136   213.178.116.238  195.56.55.204  TCP       53480 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2969214 TSER=0
> > 32   6.542201   213.178.109.103  195.56.55.204  TCP       56051 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2971243 TSER=0
> > 73   8.293252   213.178.116.238  195.56.55.204  TCP       61535 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2972994 TSER=0
> > 74   9.834288   213.178.109.103  195.56.55.204  TCP       59672 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2974535 TSER=0
> > 115  11.384353  213.178.116.238  195.56.55.204  TCP       60708 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2976085 TSER=0
> >
> > Take a look at the source address.
> > Now I've checked the interface configuration:
> >
> > # ifconfig tun0
> > tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
> >         inet 213.178.109.103 --> 195.70.32.11 netmask 0xffffffff
> >         Opened by PID 208
> >
> > For my information I looked them up:
> > 238.116.178.213.in-addr.arpa domain name pointer caracas-4334.adsl.interware.hu.
> > 103.109.178.213.in-addr.arpa domain name pointer caracas-2407.adsl.interware.hu.
> >
> > So it appears that's just another user IP from my ISP's ADSL pool.
> >
> > Now the ppp.log looked really interesting, here comes the point:
> > --- chop with axe here ---
> > May 24 18:08:02 beeblebrox ppp[208]: tun0: IPCP: IPADDR[6] changing address: 213.178.116.238 --> 213.178.109.103
> > --- chop with axe here ---
> > As you can see, one source IP is the old one I had before, and the other
> > one is the one I'm using currently. I've tried to re-read pf.conf with
> > pfctl -f, but that didn't help, nor -d/-e (disabling and then enabling it).
> >
> > This solved it:
> > # pfctl -d
> > # pfctl -F nat
> > # pfctl -F state
> > # pfctl -F Sources
> > # pfctl -f /etc/pf.conf
> > # pfctl -e
> >
> > I'm using the userland ppp service, as it seems from the tun0 interface.
> >
> > Is this issue already known, and is it really a bug, or am I doing
> > something wrong? The pf.conf is available from here. This is my home
> > gateway, it's also a testbox, some kind of playground.
> >
> > uname -a:
> > FreeBSD beeblebrox.harmless.lan 6.1-STABLE FreeBSD 6.1-STABLE #0: Fri May 19 14:25:03 CEST 2006 root@beeblebrox.harmless.lan:/usr/obj/usr/src/sys/BEEBLEBROX i386
> >
> > pf.conf:
> > http://phoemix.harmless.hu/pf.beeblebrox.conf
>
> Try using:
>
> (tun0:0) in "to", "from" and "->" statements. The ":0" after the interface
> name will make sure that we don't use alias addresses on the interface. In
> fact this is a bug in ppp, but it was decided that it was non-trivial to fix
> it. I don't remember all the details, but
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=69954

Yes, seems similar.

>
> was the PR back then.
>
> btw, you seem to be missing "()" around $if_ppp in the ftp-proxy rule.

Thanks for this notice. I've changed my rules to:

nat on $if_ppp from {10.1.0.0/16, 127.0.0.1, $ip_zaphod} to 0.0.0.0/0 -> ($if_ppp:0)

and also corrected the unrelated ftp-proxy rule :)

Thanks for the workaround, I've adjusted my config, I hope this will fix the
issue for a while.

Bye,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu
PGP: http://phoemix.harmless.hu/phoemix.pgp

Weenies test. Geniuses solve problems that arise.
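The rule shapes discussed in the thread, side by side, as an added pf.conf fragment that is not the poster's configuration nor anything from the FreeBSD project; the interface names, macro names and the LAN prefix are assumed for illustration. It shows the translation rule that picks up interface aliases next to the ":0" form Max suggested, and why the parentheses matter for a dynamically addressed interface.

```pf
# Added example, not the poster's pf.conf. Interface and macro names are assumed.
if_ppp  = "tun0"
if_lan  = "fxp0"
lan_net = "10.1.0.0/16"

# Before: "($if_ppp)" follows the interface's address at runtime, but it
# expands to every address on the interface, aliases included. When the
# userland ppp leaves the previous IPCP address behind as an alias after a
# renegotiation, the translation pool holds two addresses and pf cycles
# through them, which is consistent with every second connection leaving
# with the stale source address seen in the capture.
#nat on $if_ppp from $lan_net to any -> ($if_ppp)

# After: the ":0" modifier excludes interface aliases, so only the primary
# address of tun0 is used as the translation address.
nat on $if_ppp from { $lan_net, 127.0.0.1 } to any -> ($if_ppp:0)

# The same modifier belongs anywhere the interface address stands in for an
# address operand, e.g. traffic addressed to the gateway itself.
pass in on $if_ppp inet proto tcp from any to ($if_ppp:0) port ssh flags S/SA keep state

# Without parentheses the interface name is resolved once when the ruleset
# is loaded, so a rule like this keeps the old address after ppp renegotiates
# until the ruleset is reloaded. Kept here only to show the contrast.
#pass in on $if_ppp inet proto tcp from any to $if_ppp port ssh flags S/SA keep state
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without activating it; after loading, `pfctl -sn` lists the translation rules as pf holds them, so the `($if_ppp:0)` target can be confirmed in place. Reloading rules does not by itself reset existing translation state, which is why the poster also had to flush state and the source-tracking table.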