Date:      Tue, 7 Sep 2004 19:38:54 +0900
From:      Pyun YongHyeon <yongari@kt-is.co.kr>
To:        sparc64@freebsd.org
Subject:   Re: FreeBSD 5.3BETA2 / Netra T1 & PF problem
Message-ID:  <20040907103854.GB5532@kt-is.co.kr>
In-Reply-To: <010f01c494c4$e4d34b50$51fd210a@EU.COLT>
References:  <010f01c494c4$e4d34b50$51fd210a@EU.COLT>

On Tue, Sep 07, 2004 at 12:24:44PM +0200, nanard wrote:
 > Hi,
 > 
 > I'm running FreeBSD 5.3beta2 on a Sun Netra T1 box:
 > 
 > vroum# uname -a
 > FreeBSD vroum.fr.colt.net 5.3-BETA3 FreeBSD 5.3-BETA3 #1: Mon Sep  6 12:39:27 CEST 2004     root@vroum.fr.colt.net:/usr/src/sys/sparc64/compile/VROUM  sparc64
 > 
 > I recompiled the kernel with PF/ALTQ support:
 > 
 > options         PFIL_HOOKS              # pfil(9) framework
 > device          pf                      #PF OpenBSD packet-filter firewall
 > device          pflog                   #logging support interface for PF
 > options          ALTQ
 > 
 > In /etc/rc.conf, I added this:
 > 
 > pf_enable="YES"
 > pflog_enable="YES"
 > 
 > To test, I modified /etc/pf.conf with only this line:
 > 
 > vroum# cat /etc/pf.conf
 > pass log all
 > vroum#
 > 
 > I'm connected remotely and locally (COM port) from a Windows XP machine to the FreeBSD box.
 > 
 > (winXP:10.33.253.81) ----> (Fbsd:10.33.253.145)
 > 
 > When PF is disabled, I can connect by SSH.
 > 
 > When PF is enabled, I can't connect by SSH (and I lost my active SSH connection).
 > 

Sorry. I know this issue. You can disable RX checksum offload to
make pf work at present. However, the real cause of this issue is still
under investigation. Since without pf, hme(4) works well with checksum
offload capability, I guess there are problems in the pf code.
I'll let you know if I find the cause. Also CCed to Max.

 > vroum# pfctl -e -f /etc/pf.conf
 > pf enabled
 > 
 > I tried to TCPDUMP:
 > 
 > vroum# tcpdump -nei pflog0
 > tcpdump: WARNING: pflog0: no IPv4 address assigned
 > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 > listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
 > 12:13:41.144040 rule 0/0(match): pass in on hme0: IP 10.33.253.148.68 > 10.33.253.255.67: BOOTP/DHCP, Request [|bootp]
 > 12:13:47.099150 rule 0/0(match): pass in on hme0: IP 10.33.253.148.68 > 10.33.253.255.67: BOOTP/DHCP, Request [|bootp]
 > [...]
 > 
 > 
 > vroum# tcpdump -nei hme0 port 22
 > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 > listening on hme0, link-type EN10MB (Ethernet), capture size 96 bytes
 > Sep  7 12:14:16 vroum kernel: hme0: promiscuous mode enabled
 > 12:14:16.668607 00:0e:7f:a9:3b:1b > 08:00:20:d9:b2:e2, ethertype IPv4 (0x0800), length 66: IP 10.33.253.81.1565 > 10.33.253.145.22:
 >  S 878281676:878281676(0) win 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK>
 > 12:14:19.034636 00:0e:7f:a9:3b:1b > 08:00:20:d9:b2:e2, ethertype IPv4 (0x0800), length 66: IP 10.33.253.81.1567 > 10.33.253.145.22:
 >  S 2012258532:2012258532(0) win 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK>
 > 12:14:21.975921 00:0e:7f:a9:3b:1b > 08:00:20:d9:b2:e2, ethertype IPv4 (0x0800), length 66: IP 10.33.253.81.1567 > 10.33.253.145.22:
 >  S 2012258532:2012258532(0) win 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK>
 > 12:14:27.984184 00:0e:7f:a9:3b:1b > 08:00:20:d9:b2:e2, ethertype IPv4 (0x0800), length 66: IP 10.33.253.81.1567 > 10.33.253.145.22:
 >  S 2012258532:2012258532(0) win 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK>
 > 
 > 
 > ==> Nothing about SSH (I was trying to connect!!!) on pflog0; only on hme0 can I see the packets arriving (without an answer).
 > 
 > I tried to ping the box from the Windows machine and I've got echo requests:
 > 
 > 12:23:16.615092 rule 0/0(match): pass out on hme0: IP (tos 0x0, ttl  64, id 9003, offset 0, flags [none], length: 60) 10.33.253.145 > 10.33.253.81: icmp 40: echo reply seq 35346
 > 12:23:17.634131 rule 0/0(match): pass in on hme0: IP (tos 0x0, ttl 128, id 6037, offset 0, flags [none], length: 60) 10.33.253.81 > 10.33.253.145: icmp 40: echo request seq 35602
 > 12:23:17.634152 rule 0/0(match): pass out on hme0: IP (tos 0x0, ttl  64, id 9004, offset 0, flags [none], length: 60) 10.33.253.145 > 10.33.253.81: icmp 40: echo reply seq 35602
 > 
 > Here is my ifconfig:
 > 
 > roum# ifconfig
 > hme0: flags=108843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 >         options=b<RXCSUM,TXCSUM,VLAN_MTU>
 >         inet 10.33.253.145 netmask 0xffffff00 broadcast 10.33.253.255
 >         ether 08:00:20:d9:b2:e2
 >         media: Ethernet autoselect (100baseTX <full-duplex>)
 >         status: active
 > hme1: flags=108802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
 >         options=b<RXCSUM,TXCSUM,VLAN_MTU>
 >         ether 08:00:20:d9:b2:e2
 >         media: Ethernet autoselect
 > pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33160
 > lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
 >         inet 127.0.0.1 netmask 0xff000000
 > 
 > 
 > It's the first time I'm setting up a firewall with PF. It's only for testing at the moment and I don't understand why it doesn't work.
 > 
 > 
 > Thanks in advance.
 > 
 > Nicolas Liénard
 > 
 > PS: here are the pfctl -sa results:
 > 
 > 
 > roum# pfctl -sa
 > FILTER RULES:
 > pass log all
 > 
 > INFO:
 > Status: Enabled for 0 days 00:05:33           Debug: Urgent
 > 
 > Hostid: 0xd1edc106
 > 
 > Interface Stats for hme0              IPv4             IPv6
 >   Bytes In                         6457405                0
 >   Bytes Out                          15577                0
 >   Packets In
 >     Passed                           12824                0
 >     Blocked                          11315                0
 >   Packets Out
 >     Passed                             271                0
 >     Blocked                              0                0
 > 
 > State Table                          Total             Rate
 >   current entries                        0
 >   searches                           24081           72.3/s
 >   inserts                                5            0.0/s
 >   removals                               5            0.0/s
 > Counters
 >   match                              24076           72.3/s
 >   bad-offset                             0            0.0/s
 >   fragment                               0            0.0/s
 >   short                                  0            0.0/s
 >   normalize                              0            0.0/s
 >   memory                                 0            0.0/s
 > 
 > TIMEOUTS:
 > tcp.first                    30s
 > tcp.opening                   5s
 > tcp.established           18000s
 > tcp.closing                  60s
 > tcp.finwait                  30s
 > tcp.closed                   30s
 > udp.first                    60s
 > udp.single                   30s
 > udp.multiple                 60s
 > icmp.first                   20s
 > icmp.error                   10s
 > other.first                  60s
 > other.single                 30s
 > other.multiple               60s
 > frag                         15s
 > interval                      5s
 > adaptive.start                0 states
 > adaptive.end                  0 states
 > src.track                     0s
 > 
 > LIMITS:
 > states     hard limit   5000
 > src-nodes  hard limit      0
 > frags      hard limit   2500
 > 
 > OS FINGERPRINTS:
 > 293 fingerprints loaded
 > 

Sorry for the inconvenience.

Regards,
Pyun YongHyeon
-- 
Pyun YongHyeon <http://www.kr.freebsd.org/~yongari>;
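As an added example, not part of Pyun's or Nicolas's mail: a small sh script that checks ifconfig(8) output for the RXCSUM option on hme0 and prints the RX checksum offload workaround Pyun mentions (ifconfig -rxcsum now, plus a matching rc.conf line so it survives a reboot). The function names and the rc.conf line are my assumptions; the sample ifconfig text is constructed from the one quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): detect RX checksum offload on a
# FreeBSD interface from ifconfig(8) output and print the workaround
# (disable it while pf is in use). Function names are assumptions.

# Print the "options=" flag list for interface $2 found in ifconfig text $1.
iface_options() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[a-z0-9]+: flags=/ { cur = $1; sub(":$", "", cur) }
        cur == want && /options=/ {
            s = $0; sub(/.*options=[0-9a-f]*</, "", s); sub(/>.*/, "", s)
            print s; exit
        }'
}

# Return 0 when RXCSUM is set on interface $2, 1 otherwise.
rxcsum_enabled() {
    case ",$(iface_options "$1" "$2")," in
        *,RXCSUM,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Commands to apply the workaround: run now, and persist via rc.conf.
# Arguments: interface, address, netmask.
rxcsum_workaround() {
    printf 'ifconfig %s -rxcsum\n' "$1"
    printf 'ifconfig_%s="inet %s netmask %s -rxcsum"\n' "$1" "$2" "$3"
}

# Constructed sample, based on the ifconfig output quoted in the mail.
SAMPLE_IFCONFIG='hme0: flags=108843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=b<RXCSUM,TXCSUM,VLAN_MTU>
        inet 10.33.253.145 netmask 0xffffff00 broadcast 10.33.253.255
        ether 08:00:20:d9:b2:e2
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000'

if rxcsum_enabled "$SAMPLE_IFCONFIG" hme0; then
    echo "hme0 has RX checksum offload enabled; pf workaround:"
    rxcsum_workaround hme0 10.33.253.145 255.255.255.0
fi
```

On a live box, replace SAMPLE_IFCONFIG with "$(ifconfig)" and re-run pfctl after the change to confirm SSH connections now appear on pflog0.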
