From: Harald Schmalzbauer <harry@schmalzbauer.de>
To: freebsd-stable@freebsd.org
Date: Sat, 8 Jan 2005 15:46:13 +0100
Subject: machine locks with PF (without using user dependent rules)
Message-Id: <200501081546.17786.harry@schmalzbauer.de>
User-Agent: KMail/1.7.1
X-OS: FreeBSD
Dear all,

my machine hard locks with the attached ruleset.

If I set debug.mpsafenet to 0 everything is fine. This was a wild guess from me; I could find no information anywhere that PF needs this tweaking, and I think it's not intended, otherwise it would be done in rc.conf, e.g.

I read about user-dependent rules in IPFW and that one has to disable mpsafenet for them, but I'm not using user-based rules in my PF config!

Unfortunately this machine is a CF-card based router where I cannot debug anything. Perhaps I can bring a WITNESS kernel onto it; please tell me if this problem is new to you and if I should do that.

Best regards,
-Harry

pf.conf: (note that the interface names are changed, so fxp0 is SDSL, e.g.)
lan_net="172.23.0.0/16"
by_net="192.168.0.0/24"
sdsl_net="a.b.c.d/29"
sdsl_addr="a.b.c.d"
lan_addr="172.23.0.1"
#pppoe_addr="10.0.0.1"
by_addr="192.168.0.1"
proxy="a.a.a.a"
mta="b.b.b.b"
dns="c.c.c.c"
web="d.d.d.d"
dns2="10.0.0.2"

set block-policy return
scrub in all

nat on SDSL from $lan_net to !$sdsl_net -> $sdsl_addr
rdr inet proto tcp from 62.245.232.135 to $sdsl_addr port 3389 -> 172.23.2.1 port 3389

block in all
block out all
pass in on lo0 all
pass out on lo0 all
pass in on LAN from $lan_net to any keep state
pass in on SDSL from 62.245.232.135 to any keep state
pass in on SDSL proto tcp from any to $proxy port { 22, 80, 443 } keep state
pass in on SDSL proto tcp from any to $mta port 25 keep state
pass in on SDSL proto { udp, tcp } from any to $dns port 53 keep state
pass in on SDSL proto tcp from any to $web port { 80, 443 } keep state
pass out on SDSL from $sdsl_net keep state
pass out on LAN from $lan_addr to $lan_net keep state

P.S.: Why do I need the second line with the following rule? Shouldn't the 'keep state' open the internal interface for outgoing packets from the given IP?

pass in on SDSL from 62.245.232.135 to any keep state
pass out on LAN from 62.245.232.135 to 172.23.2.1
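Added example (not part of Harry's mail or of pf itself): a small Python model of pf's filter-rule walk over the ruleset above, showing how the `block in all` / `block out all` default-deny and pf's last-matching-rule-wins evaluation decide what reaches hosts such as $proxy. It expands the macros, parses the pass/block lines, and reports which rule number wins for a given packet; the a.b.c.d-style placeholders are replaced with constructed RFC 5737 addresses, and state-table lookups and nat/rdr translation are deliberately not modelled.

```python
import ipaddress, re
# Filter rules from the post; a.b.c.d-style placeholders replaced by constructed RFC 5737 addresses.
RULESET = """
lan_net="172.23.0.0/16"
sdsl_net="198.51.100.0/29"
proxy="203.0.113.10"
block in all
block out all
pass in on LAN from $lan_net to any keep state
pass in on SDSL from 62.245.232.135 to any keep state
pass in on SDSL proto tcp from any to $proxy port { 22, 80, 443 } keep state
pass out on SDSL from $sdsl_net keep state
"""

def parse(conf):
    """Expand $macros and parse pass/block rules; set/scrub/nat/rdr lines are skipped."""
    macros, rules = {}, []
    for line in conf.splitlines():
        if m := re.match(r'(\w+)="([^"]*)"$', line):
            macros[m[1]] = m[2]
        elif line.startswith(("pass", "block")):
            toks = re.sub(r"\$(\w+)", lambda m: macros[m[1]], line)
            toks = toks.replace(",", " ").replace("{", " { ").replace("}", " } ").split()
            r = {"action": toks[0], "dir": toks[1], "on": None, "proto": None,
                 "from": "any", "to": "any", "port": None}
            i = 2
            while i < len(toks):            # 'all', 'keep', 'state' carry no operand
                t, i = toks[i], i + 1
                if t in ("proto", "port") and toks[i] == "{":   # `{ a, b, c }` list
                    j = toks.index("}", i)
                    r[t], i = set(toks[i + 1:j]), j + 1
                elif t in ("on", "proto", "from", "to", "port"):
                    r[t], i = ({toks[i]} if t in ("proto", "port") else toks[i]), i + 1
            rules.append(r)
    return rules

def in_net(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def decide(rules, pkt):
    """(rule number, action) for one packet: pf walks every rule and the LAST match wins
    (no `quick` here); with no match at all the packet passes. State and nat/rdr not modelled."""
    verdict = (0, "pass")
    for n, r in enumerate(rules, 1):
        if (r["dir"] == pkt["dir"] and r["on"] in (None, pkt["iface"])
                and (r["proto"] is None or pkt["proto"] in r["proto"])
                and in_net(r["from"], pkt["src"]) and in_net(r["to"], pkt["dst"])
                and (r["port"] is None or str(pkt["dport"]) in r["port"])):
            verdict = (n, r["action"])
    return verdict
```

Running decide() on an inbound TCP packet to $proxy port 80 on SDSL reports rule 5 (pass), while the same packet to port 8080 falls back to rule 1 (block in all).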