Date:      Sat, 8 Jan 2005 15:46:13 +0100
From:      Harald Schmalzbauer <harry@schmalzbauer.de>
To:        freebsd-stable@freebsd.org
Subject:   machine locks with PF (without using user dependent rules)
Message-ID:  <200501081546.17786.harry@schmalzbauer.de>


Dear all,

my machine hard locks with the attached ruleset.
If I set debug.mpsafenet to 0 everything is fine. This was a wild guess from
me; I could nowhere find the info that PF needs this tweaking, and I think
it's not intended, otherwise it would be done in rc.conf, e.g.

I read about user-dependent rules in IPFW and that one has to disable
mpsafenet, but I'm not using user-based rules in my PF config!
Unfortunately this machine is a CF-card based router where I cannot debug
anything; perhaps I can bring a witness kernel on it, please tell me if this
problem is new to you and if I should do that.

Best regards,

-Harry

pf.conf: (note that the interface names are changed, so fxp0 is SDSL e.g.)

lan_net="172.23.0.0/16"
by_net="192.168.0.0/24"
sdsl_net="a.b.c.d/29"

sdsl_addr="a.b.c.d"
lan_addr="172.23.0.1"
#pppoe_addr="10.0.0.1"
by_addr="192.168.0.1"

proxy="a.a.a.a"
mta="b.b.b.b"
dns="c.c.c.c"
web="d.d.d.d"
dns2="10.0.0.2"

set block-policy return
scrub in all

nat on SDSL from $lan_net to !$sdsl_net -> $sdsl_addr
rdr inet proto tcp from 62.245.232.135 to $sdsl_addr port 3389 -> 172.23.2.1 port 3389
block in all
block out all
pass in on lo0 all
pass out on lo0 all
pass in on LAN from $lan_net to any keep state
pass in on SDSL from 62.245.232.135 to any keep state
pass in on SDSL proto tcp from any to $proxy port { 22, 80, 443 } keep state
pass in on SDSL proto tcp from any to $mta port 25 keep state
pass in on SDSL proto { udp, tcp } from any to $dns port 53 keep state
pass in on SDSL proto tcp from any to $web port { 80, 443 } keep state

pass out on SDSL from $sdsl_net keep state
pass out on LAN from $lan_addr to $lan_net keep state

P.S.: Why do I need the second line with the following rule? Shouldn't the
'keep state' open the internal interface for outgoing packets from the given
IP?

pass in on SDSL from 62.245.232.135 to any keep state
pass out on LAN from 62.245.232.135 to 172.23.2.1



