From: Robert Watson
Date: Sat, 8 Jan 2005 16:52:09 +0000 (GMT)
To: Harald Schmalzbauer
cc: mlaier@freebsd.org, freebsd-stable@freebsd.org
In-Reply-To: <200501081546.17786.harry@schmalzbauer.de>
Subject: Re: machine locks with PF (without using user dependent rules)
List-Id: Production branch of FreeBSD source code

On Sat, 8 Jan 2005, Harald Schmalzbauer wrote:

> my machine hard locks with the attached ruleset. If I set
> debug.mpsafenet to 0 everything is fine. This was a wild guess from me,
> I could nowhere find the info that PF needs this tweaking and I think
> it's not intended, otherwise it would be done in rc.conf e.g.
>
> I read about user depending rules in IPFW and that one has to disable
> mpsafenet, but I'm not using user based rules in my PF config!
> Unfortunately this machine is a CF-Card based Router where I cannot debug
> anything, perhaps I can bring a witness-kernel on it, please tell me if
> this problem is new to you and if I should do that.

I've CC'd Max Laier due to his extensive work with pf on FreeBSD. I think a
WITNESS+INVARIANTS kernel would be quite helpful, if you could.

Thanks,

Robert N M Watson

>
> Best regards,
>
> -Harry
>
> pf.conf: (note that the interface names are changed, so fxp0 is SDSL e.g.)
>
> lan_net="172.23.0.0/16"
> by_net="192.168.0.0/24"
> sdsl_net="a.b.c.d/29"
>
> sdsl_addr="a.b.c.d"
> lan_addr="172.23.0.1"
> #pppoe_addr="10.0.0.1"
> by_addr="192.168.0.1"
>
> proxy="a.a.a.a"
> mta="b.b.b.b"
> dns="c.c.c.c"
> web="d.d.d.d"
> dns2="10.0.0.2"
>
> set block-policy return
> scrub in all
>
> nat on SDSL from $lan_net to !$sdsl_net -> $sdsl_addr
> rdr inet proto tcp from 62.245.232.135 to $sdsl_addr port 3389 -> 172.23.2.1 port 3389
> block in all
> block out all
> pass in on lo0 all
> pass out on lo0 all
> pass in on LAN from $lan_net to any keep state
> pass in on SDSL from 62.245.232.135 to any keep state
> pass in on SDSL proto tcp from any to $proxy port { 22, 80, 443 } keep state
> pass in on SDSL proto tcp from any to $mta port 25 keep state
> pass in on SDSL proto { udp, tcp } from any to $dns port 53 keep state
> pass in on SDSL proto tcp from any to $web port { 80, 443 } keep state
>
> pass out on SDSL from $sdsl_net keep state
> pass out on LAN from $lan_addr to $lan_net keep state
>
> P.S.: Why do I need the second line with the following rule? Shouldn't the
> 'keep state' open the internal interface for outgoing packets from the given
> IP?
> pass in on SDSL from 62.245.232.135 to any keep state
> pass out on LAN from 62.245.232.135 to 172.23.2.1
>
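The WITNESS+INVARIANTS kernel Robert asks for is the standard way to turn a silent hard lock into a lock-order report or a debugger prompt. The script below is an added example, not something posted by Robert or Harald: it derives a debugging kernel configuration from an existing one by appending the lock-checking and debugger options, and it shows where the debug.mpsafenet workaround Harald used belongs while the debug kernel is being built. The default source path /usr/src/sys/i386/conf and the choice of DDB/KDB plus BREAK_TO_DEBUGGER (useful on a headless CF router reachable only over a serial console) are assumptions; the options themselves are real FreeBSD kernel options.

```shell
#!/bin/sh
# Added example (not from the original thread). Produces a WITNESS+INVARIANTS
# kernel config from a base config and reports on the mpsafenet workaround.
# Assumed default location of kernel configs on a FreeBSD 5.x i386 box.
KERNCONF_DIR="${KERNCONF_DIR:-/usr/src/sys/i386/conf}"

# Debugging options to add. WITNESS_SKIPSPIN leaves spin locks unchecked,
# which keeps the WITNESS overhead tolerable on a small router.
debug_kernel_options() {
    cat <<'EOF'
options	INVARIANTS	# kernel consistency checks
options	INVARIANT_SUPPORT	# support code needed by INVARIANTS
options	WITNESS	# lock-order verification (reports lock-order reversals)
options	WITNESS_SKIPSPIN	# do not check spin mutexes (cheaper)
options	KDB	# kernel debugger framework
options	DDB	# in-kernel debugger, so a lock-up can be inspected
options	BREAK_TO_DEBUGGER	# serial BREAK drops into DDB on a headless box
EOF
}

# Is a given "options NAME" line already present in a config file?
has_option() {
    awk -v o="$2" '$1 == "options" && $2 == o { f = 1 } END { exit !f }' "$1"
}

# make_debug_kernconf SRC DST: copy SRC to DST, rename its ident so
# uname -i identifies the debug kernel, and append each missing option once.
make_debug_kernconf() {
    src="$1"; dst="$2"
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    sed 's/^ident[[:space:]]\{1,\}\(.*\)$/ident \1-DEBUG/' "$src" > "$dst" || return 1
    debug_kernel_options | while IFS= read -r line; do
        opt=$(printf '%s\n' "$line" | awk '{ print $2 }')
        has_option "$dst" "$opt" || printf '%s\n' "$line" >> "$dst"
    done
}

# The debug.mpsafenet knob is a boot-time tunable, so the workaround from the
# thread is kept in /boot/loader.conf (path passed in so this runs anywhere).
mpsafenet_workaround_line() {
    printf 'debug.mpsafenet="0"\n'
}

# has_mpsafenet_workaround FILE: 0 if FILE disables mpsafenet, 1 otherwise.
has_mpsafenet_workaround() {
    grep -q '^[[:space:]]*debug\.mpsafenet="\{0,1\}0"\{0,1\}[[:space:]]*$' "$1"
}

# Usage: sh this.sh GENERIC DEBUGPF   (names relative to $KERNCONF_DIR)
if [ $# -eq 2 ]; then
    make_debug_kernconf "$KERNCONF_DIR/$1" "$KERNCONF_DIR/$2" &&
        echo "wrote $KERNCONF_DIR/$2; build with: cd /usr/src && make buildkernel KERNCONF=$2"
fi
```

Once the debug kernel is running, the WITNESS report or DDB backtrace produced at the moment of the lock is what Max Laier would need to see; the loader.conf line is only a stop-gap to keep the router usable until then.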