Date: Tue, 7 Sep 2004 19:38:54 +0900
From: Pyun YongHyeon <yongari@kt-is.co.kr>
To: sparc64@freebsd.org
Subject: Re: FreeBSD 5.3BETA2 / Netra T1 & PF problem
Message-ID: <20040907103854.GB5532@kt-is.co.kr>
In-Reply-To: <010f01c494c4$e4d34b50$51fd210a@EU.COLT>
References: <010f01c494c4$e4d34b50$51fd210a@EU.COLT>
On Tue, Sep 07, 2004 at 12:24:44PM +0200, nanard wrote:
> Hi,
>
> I'm running FreeBSD 5.3beta2 on a Sun Netra T1 box:
>
> vroum# uname -a
> FreeBSD vroum.fr.colt.net 5.3-BETA3 FreeBSD 5.3-BETA3 #1: Mon Sep 6 12:39:27 CEST 2004 root@vroum.fr.colt.net:/usr/src/sys/sparc64/compile/VROUM sparc64
>
> I recompiled the kernel with PF/ALTQ support:
>
> options PFIL_HOOKS   # pfil(9) framework
> device pf            # PF OpenBSD packet-filter firewall
> device pflog         # logging support interface for PF
> options ALTQ
>
> In /etc/rc.conf, I added this:
>
> pf_enable="YES"
> pflog_enable="YES"
>
> To test, I modified /etc/pf.conf with only this line:
>
> vroum# cat /etc/pf.conf
> pass log all
> vroum#
>
> I'm connected remotely and locally (COM port) from Windows XP to the FreeBSD box.
>
> (winXP:10.33.253.81) ----> (Fbsd:10.33.253.145)
>
> When PF is disabled, I can connect by SSH.
>
> When PF is enabled, I can't connect by SSH (and I lost the active SSH connection).
>

Sorry. I know this issue. You can disable RX checksum offload to make pf work at present. However, the real cause of this issue is still under investigation. Since hme(4) works well with checksum offload capability without pf, I guess there are problems in the pf code. I'll let you know if I find the cause. Also CCed to Max.

> vroum# pfctl -e -f /etc/pf.conf
> pf enabled
>
> I tried to TCPDUMP:
>
> vroum# tcpdump -nei pflog0
> tcpdump: WARNING: pflog0: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
> 12:13:41.144040 rule 0/0(match): pass in on hme0: IP 10.33.253.148.68 > 10.33.253.255.67: BOOTP/DHCP, Request [|bootp]
> 12:13:47.099150 rule 0/0(match): pass in on hme0: IP 10.33.253.148.68 > 10.33.253.255.67: BOOTP/DHCP, Request [|bootp]
> [...]
>
> vroum# tcpdump -nei hme0 port 22
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on hme0, link-type EN10MB (Ethernet), capture size 96 bytes
> Sep 7 12:14:16 vroum kernel: hme0: promiscuous mode enabled
> 12:14:16.668607 00:0e:7f:a9:3b:1b > 08:00:20:d9:b2:e2, ethertype IPv4 (0x0800), length 66: IP 10.33.253.81.1565 > 10.33.253.145.22: S 878281676:878281676(0) win 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK>
> 12:14:19.034636 00:0e:7f:a9:3b:1b > 08:00:20:d9:b2:e2, ethertype IPv4 (0x0800), length 66: IP 10.33.253.81.1567 > 10.33.253.145.22: S 2012258532:2012258532(0) win 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK>
> 12:14:21.975921 00:0e:7f:a9:3b:1b > 08:00:20:d9:b2:e2, ethertype IPv4 (0x0800), length 66: IP 10.33.253.81.1567 > 10.33.253.145.22: S 2012258532:2012258532(0) win 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK>
> 12:14:27.984184 00:0e:7f:a9:3b:1b > 08:00:20:d9:b2:e2, ethertype IPv4 (0x0800), length 66: IP 10.33.253.81.1567 > 10.33.253.145.22: S 2012258532:2012258532(0) win 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK>
>
> ==> Nothing about SSH (I was trying to connect!!!) on pflog0; only on hme0 can I see the packets arriving (without answer).
>
> I tried to ping the box from the Windows machine and I've got echo requests:
>
> 12:23:16.615092 rule 0/0(match): pass out on hme0: IP (tos 0x0, ttl 64, id 9003, offset 0, flags [none], length: 60) 10.33.253.145 > 10.33.253.81: icmp 40: echo reply seq 35346
> 12:23:17.634131 rule 0/0(match): pass in on hme0: IP (tos 0x0, ttl 128, id 6037, offset 0, flags [none], length: 60) 10.33.253.81 > 10.33.253.145: icmp 40: echo request seq 35602
> 12:23:17.634152 rule 0/0(match): pass out on hme0: IP (tos 0x0, ttl 64, id 9004, offset 0, flags [none], length: 60) 10.33.253.145 > 10.33.253.81: icmp 40: echo reply seq 35602
>
> Here is my ifconfig:
>
> roum# ifconfig
> hme0: flags=108843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         options=b<RXCSUM,TXCSUM,VLAN_MTU>
>         inet 10.33.253.145 netmask 0xffffff00 broadcast 10.33.253.255
>         ether 08:00:20:d9:b2:e2
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
> hme1: flags=108802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
>         options=b<RXCSUM,TXCSUM,VLAN_MTU>
>         ether 08:00:20:d9:b2:e2
>         media: Ethernet autoselect
> pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33160
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>         inet 127.0.0.1 netmask 0xff000000
>
> It's the first time I'm setting up a firewall with PF. It's only for testing at the moment and I don't understand why it doesn't work.
>
> Thanks in advance.
>
> Nicolas Liénard
>
> PS: here are the pfctl -sa results:
>
> roum# pfctl -sa
> FILTER RULES:
> pass log all
>
> INFO:
> Status: Enabled for 0 days 00:05:33           Debug: Urgent
>
> Hostid: 0xd1edc106
>
> Interface Stats for hme0              IPv4             IPv6
>   Bytes In                         6457405                0
>   Bytes Out                          15577                0
>   Packets In
>     Passed                           12824                0
>     Blocked                          11315                0
>   Packets Out
>     Passed                             271                0
>     Blocked                              0                0
>
> State Table                          Total             Rate
>   current entries                        0
>   searches                           24081           72.3/s
>   inserts                                5            0.0/s
>   removals                               5            0.0/s
> Counters
>   match                              24076           72.3/s
>   bad-offset                             0            0.0/s
>   fragment                               0            0.0/s
>   short                                  0            0.0/s
>   normalize                              0            0.0/s
>   memory                                 0            0.0/s
>
> TIMEOUTS:
> tcp.first                   30s
> tcp.opening                  5s
> tcp.established          18000s
> tcp.closing                 60s
> tcp.finwait                 30s
> tcp.closed                  30s
> udp.first                   60s
> udp.single                  30s
> udp.multiple                60s
> icmp.first                  20s
> icmp.error                  10s
> other.first                 60s
> other.single                30s
> other.multiple              60s
> frag                        15s
> interval                     5s
> adaptive.start               0 states
> adaptive.end                 0 states
> src.track                    0s
>
> LIMITS:
> states        hard limit   5000
> src-nodes     hard limit      0
> frags         hard limit   2500
>
> OS FINGERPRINTS:
> 293 fingerprints loaded
> _______________________________________________
> freebsd-sparc64@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-sparc64
> To unsubscribe, send any mail to "freebsd-sparc64-unsubscribe@freebsd.org"
>

Sorry for the inconvenience.

Regards,
Pyun YongHyeon
-- 
Pyun YongHyeon  <http://www.kr.freebsd.org/~yongari>
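The workaround Pyun suggests is to turn off RX checksum offload on hme0 until the pf interaction is fixed. As an added illustration (this script is not from the thread, nor from the hme(4) or pf code), the POSIX sh helper below reads ifconfig(8) output, reports whether RXCSUM is among an interface's enabled options, and prints the ifconfig(8) command plus the rc.conf line that makes the change persistent. The sample ifconfig output is copied from the report above; the function names and the rc.conf placeholders <address> and <mask> are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: decide from ifconfig(8) output whether
# an interface has RX checksum offload (RXCSUM) turned on, and print the
# commands that switch it off, which is the workaround Pyun mentions for pf.

# Constructed sample, copied from the ifconfig output quoted in the report.
SAMPLE_IFCONFIG='hme0: flags=108843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=b<RXCSUM,TXCSUM,VLAN_MTU>
	inet 10.33.253.145 netmask 0xffffff00 broadcast 10.33.253.255
	ether 08:00:20:d9:b2:e2
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
hme1: flags=108802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
	options=b<RXCSUM,TXCSUM,VLAN_MTU>
	ether 08:00:20:d9:b2:e2
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33160
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet 127.0.0.1 netmask 0xff000000'

# iface_options IFACE   (ifconfig output on stdin)
# Prints the comma-separated capability list from the interface's
# "options=<hex><LIST>" line, or nothing if the interface has no such line.
iface_options() {
	awk -v want="$1" '
		/^[a-z]+[0-9]+:/ { cur = substr($1, 1, length($1) - 1) }
		cur == want && $1 ~ /^options=/ {
			s = $1
			sub(/^options=[0-9a-fx]*</, "", s)
			sub(/>$/, "", s)
			print s
		}'
}

# rxcsum_enabled IFACE   (ifconfig output on stdin)
# Exit status 0 when RXCSUM is listed for the interface, 1 otherwise.
rxcsum_enabled() {
	iface_options "$1" | tr ',' '\n' | grep -qx RXCSUM
}

# rxcsum_workaround IFACE
# Prints the one-shot ifconfig(8) command and the rc.conf line that keeps the
# setting across reboots; <address> and <mask> are placeholders to fill in.
rxcsum_workaround() {
	printf 'ifconfig %s -rxcsum\n' "$1"
	printf 'ifconfig_%s="inet <address> netmask <mask> -rxcsum"   # /etc/rc.conf\n' "$1"
}

# Stand-alone run: report on every interface in the sample.
for ifn in hme0 hme1 pflog0 lo0; do
	if printf '%s\n' "$SAMPLE_IFCONFIG" | rxcsum_enabled "$ifn"; then
		echo "$ifn: RXCSUM on; to run pf with this driver for now:"
		rxcsum_workaround "$ifn"
	else
		echo "$ifn: RXCSUM off or not supported"
	fi
done
```

On a live box, replace the sample with `ifconfig | rxcsum_enabled hme0`; the parser keys on the `options=` line that FreeBSD 5.x ifconfig prints under each interface, which is exactly the line in the report showing RXCSUM and TXCSUM enabled on both hme ports.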