From: "nanard" (nanard@tou.nu)
To: freebsd-sparc64@freebsd.org
Date: Tue, 7 Sep 2004 12:24:44 +0200
Subject: FreeBSD 5.3BETA2 / Netra T1 & PF problem
List-Id: Porting FreeBSD to the Sparc

Hi,

I'm running FreeBSD 5.3beta2 on a Sun Netra T1 box:

vroum# uname -a
FreeBSD vroum.fr.colt.net 5.3-BETA3 FreeBSD 5.3-BETA3 #1: Mon Sep 6 12:39:27 CEST 2004 root@vroum.fr.colt.net:/usr/src/sys/sparc64/compile/VROUM sparc64

I recompiled the kernel with PF/ALTQ support:

options         PFIL_HOOKS      # pfil(9) framework
device          pf              # PF OpenBSD packet-filter firewall
device          pflog           # logging support interface for PF
options         ALTQ

In /etc/rc.conf, I added this:

pf_enable="YES"
pflog_enable="YES"

To test, I modified /etc/pf.conf with only this line:

vroum# cat /etc/pf.conf
pass log all
vroum#

I'm connected remotely and locally (COM port) from a Windows XP machine to the FreeBSD box:

(winXP: 10.33.253.81) ----> (FreeBSD: 10.33.253.145)

When PF is disabled, I can connect by SSH.
When PF is enabled, I can't connect by SSH (and I lose the active SSH connection).

vroum# pfctl -e -f /etc/pf.conf
pf enabled

I tried tcpdump:

vroum# tcpdump -nei pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
12:13:41.144040 rule 0/0(match): pass in on hme0: IP 10.33.253.148.68 > 10.33.253.255.67: BOOTP/DHCP, Request [|bootp]
12:13:47.099150 rule 0/0(match): pass in on hme0: IP 10.33.253.148.68 > 10.33.253.255.67: BOOTP/DHCP, Request [|bootp]
[...]

vroum# tcpdump -nei hme0 port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on hme0, link-type EN10MB (Ethernet), capture size 96 bytes
Sep  7 12:14:16 vroum kernel: hme0: promiscuous mode enabled
12:14:16.668607 00:0e:7f:a9:3b:1b > 08:00:20:d9:b2:e2, ethertype IPv4 (0x0800), length 66: IP 10.33.253.81.1565 > 10.33.253.145.22: S 878281676:878281676(0) win 65535
12:14:19.034636 00:0e:7f:a9:3b:1b > 08:00:20:d9:b2:e2, ethertype IPv4 (0x0800), length 66: IP 10.33.253.81.1567 > 10.33.253.145.22: S 2012258532:2012258532(0) win 65535
12:14:21.975921 00:0e:7f:a9:3b:1b > 08:00:20:d9:b2:e2, ethertype IPv4 (0x0800), length 66: IP 10.33.253.81.1567 > 10.33.253.145.22: S 2012258532:2012258532(0) win 65535
12:14:27.984184 00:0e:7f:a9:3b:1b > 08:00:20:d9:b2:e2, ethertype IPv4 (0x0800), length 66: IP 10.33.253.81.1567 > 10.33.253.145.22: S 2012258532:2012258532(0) win 65535

==> Nothing about SSH (I was trying to connect!) on pflog0, but on hme0 I can see the packets arriving (without an answer).

I tried to ping the box from the Windows machine and I do see the echo requests:

12:23:16.615092 rule 0/0(match): pass out on hme0: IP (tos 0x0, ttl 64, id 9003, offset 0, flags [none], length: 60) 10.33.253.145 > 10.33.253.81: icmp 40: echo reply seq 35346
12:23:17.634131 rule 0/0(match): pass in on hme0: IP (tos 0x0, ttl 128, id 6037, offset 0, flags [none], length: 60) 10.33.253.81 > 10.33.253.145: icmp 40: echo request seq 35602
12:23:17.634152 rule 0/0(match): pass out on hme0: IP (tos 0x0, ttl 64, id 9004, offset 0, flags [none], length: 60) 10.33.253.145 > 10.33.253.81: icmp 40: echo reply seq 35602

Here is my ifconfig:

vroum# ifconfig
hme0: flags=108843 mtu 1500
        options=b
        inet 10.33.253.145 netmask 0xffffff00 broadcast 10.33.253.255
        ether 08:00:20:d9:b2:e2
        media: Ethernet autoselect (100baseTX)
        status: active
hme1: flags=108802 mtu 1500
        options=b
        ether 08:00:20:d9:b2:e2
        media: Ethernet autoselect
pflog0: flags=141 mtu 33160
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff000000

It's the first time I'm setting up a firewall with PF. It's only for testing at the moment, and I don't understand why it doesn't work.

Thanks in advance.

Nicolas Liénard

PS: here are the pfctl -sa results:

vroum# pfctl -sa
FILTER RULES:
pass log all

INFO:
Status: Enabled for 0 days 00:05:33           Debug: Urgent
Hostid:   0xd1edc106

Interface Stats for hme0              IPv4             IPv6
  Bytes In                          6457405                0
  Bytes Out                           15577                0
  Packets In
    Passed                            12824                0
    Blocked                           11315                0
  Packets Out
    Passed                              271                0
    Blocked                               0                0

State Table                          Total             Rate
  current entries                         0
  searches                            24081           72.3/s
  inserts                                 5            0.0/s
  removals                                5            0.0/s
Counters
  match                               24076           72.3/s
  bad-offset                              0            0.0/s
  fragment                                0            0.0/s
  short                                   0            0.0/s
  normalize                               0            0.0/s
  memory                                  0            0.0/s

TIMEOUTS:
tcp.first                   30s
tcp.opening                  5s
tcp.established          18000s
tcp.closing                 60s
tcp.finwait                 30s
tcp.closed                  30s
udp.first                   60s
udp.single                  30s
udp.multiple                60s
icmp.first                  20s
icmp.error                  10s
other.first                 60s
other.single                30s
other.multiple              60s
frag                        15s
interval                     5s
adaptive.start               0 states
adaptive.end                 0 states
src.track                    0s

LIMITS:
states        hard limit   5000
src-nodes     hard limit      0
frags         hard limit   2500

OS FINGERPRINTS:
293 fingerprints loaded
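The symptom reported above can be checked mechanically from the pfctl statistics: SSH SYNs are visible on hme0, nothing for them appears on pflog0, yet pfctl -sa counts 11315 blocked inbound packets under a ruleset whose only rule is "pass log all". pflog only ever sees packets that matched a rule carrying "log", so a packet that pf drops without attributing it to any rule never reaches pflog0; the "Blocked" counter and the "Counters" block are the only place such drops show up. The script below is an added example for this thread, not code from the mail, from FreeBSD or from pfctl. The SAMPLE text is constructed, abbreviated from the pfctl -sa output quoted above, and the column layout it parses is assumed to match the pfctl -si format of that release; the section names it keys on ("FILTER RULES:", "Packets In", "Counters") are those shown on this page.

```python
import re
from typing import Dict, List

# Constructed sample: the rule set and statistics quoted in the mail, trimmed to
# the sections this script reads (FILTER RULES, Interface Stats, Counters).
SAMPLE = """\
FILTER RULES:
pass log all

INFO:
Status: Enabled for 0 days 00:05:33           Debug: Urgent

Interface Stats for hme0              IPv4             IPv6
  Bytes In                          6457405                0
  Bytes Out                           15577                0
  Packets In
    Passed                            12824                0
    Blocked                           11315                0
  Packets Out
    Passed                              271                0
    Blocked                               0                0

Counters
  match                               24076           72.3/s
  bad-offset                              0            0.0/s
  fragment                                0            0.0/s
  short                                   0            0.0/s
  normalize                               0            0.0/s
  memory                                  0            0.0/s
"""

SECTION_RE = re.compile(r"^[A-Z ]+:$")                       # e.g. "INFO:", "TIMEOUTS:"
STAT_RE = re.compile(r"^\s+(Passed|Blocked)\s+(\d+)\s+(\d+)\s*$")   # name, IPv4, IPv6
COUNTER_RE = re.compile(r"^\s+([a-z-]+)\s+(\d+)\s+[\d.]+/s\s*$")    # name, total, rate


def parse_filter_rules(text: str) -> List[str]:
    """Return the rule lines printed under FILTER RULES, in order."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("FILTER RULES:"):
            in_rules = True
            continue
        if in_rules:
            if not line.strip() or SECTION_RE.match(line.strip()):
                break
            rules.append(line.strip())
    return rules


def parse_packet_stats(text: str) -> Dict[str, int]:
    """Return in_passed/in_blocked/out_passed/out_blocked, IPv4 + IPv6 summed."""
    stats, direction = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s == "Packets In":
            direction = "in"
        elif s == "Packets Out":
            direction = "out"
        elif direction:
            m = STAT_RE.match(line)
            if m:
                stats[f"{direction}_{m.group(1).lower()}"] = int(m.group(2)) + int(m.group(3))
    return stats


def parse_counters(text: str) -> Dict[str, int]:
    """Return the per-reason totals printed under Counters (match, short, ...)."""
    counters, in_counters = {}, False
    for line in text.splitlines():
        if line.strip() == "Counters":
            in_counters = True
            continue
        if in_counters:
            m = COUNTER_RE.match(line)
            if m:
                counters[m.group(1)] = int(m.group(2))
            elif not line.strip():
                break
    return counters


def diagnose(text: str) -> Dict[str, object]:
    """Flag inbound drops that neither a block rule nor a non-zero drop counter accounts for.

    Such drops happened without a logging rule match, so they cannot appear on pflog0;
    tcpdump on the physical interface (as done in the mail) is the only place to see them.
    """
    rules = parse_filter_rules(text)
    stats = parse_packet_stats(text)
    counters = parse_counters(text)
    block_rules = [r for r in rules if r.startswith("block")]
    drop_counters = {k: v for k, v in counters.items() if k != "match" and v}
    blocked_in = stats.get("in_blocked", 0)
    return {
        "blocked_in": blocked_in,
        "block_rules": block_rules,
        "nonzero_drop_counters": drop_counters,
        "drops_unexplained_by_ruleset": blocked_in > 0 and not block_rules and not drop_counters,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it against live output with pfctl -sa piped into a file; when drops_unexplained_by_ruleset is True, watching pflog0 will never show the missing packets, so compare a capture on the physical interface with per-rule counters from pfctl -vsr instead. Note also that "pass log all" in this pf release creates no state (the state table shows 0 current entries), so every packet, including replies, is evaluated against the ruleset individually.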