Date:      Sat, 8 Jan 2005 16:52:09 +0000 (GMT)
From:      Robert Watson <rwatson@freebsd.org>
To:        Harald Schmalzbauer <harry@schmalzbauer.de>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: machine locks with PF (without using user dependent rules)
Message-ID:  <Pine.NEB.3.96L.1050108165119.43829D-100000@fledge.watson.org>
In-Reply-To: <200501081546.17786.harry@schmalzbauer.de>


On Sat, 8 Jan 2005, Harald Schmalzbauer wrote:

> my machine hard locks with the attached ruleset.  If I set
> debug.mpsafenet to 0 everything is fine. This was a wild guess from me,
> I could nowhere find the info that PF needs this tweaking and I think
> it's not intended, otherwise it would be done in rc.conf e.g. 
> 
> I read about user depending rules in IPFW and that one has to disable
> mpsafenet, but I'm not using user based rules in my PF config! 
> Unfortunately this machine is a CF-Card based Router where I cannot debug
> anything, perhaps I can bring a witness-kernel on it, please tell me if
> this problem is new to you and if I should do that. 

I've CC'd Max Laier due to his extensive work with pf on FreeBSD.  I think
a WITNESS+INVARIANTS kernel would be quite helpful, if you could.

Thanks,

Robert N M Watson


> 
> Best regards,
> 
> -Harry
> 
> pf.conf: (note that the interface names are changed, so fxp0 is SDSL e.g.)
> 
> lan_net="172.23.0.0/16"
> by_net="192.168.0.0/24"
> sdsl_net="a.b.c.d/29"
> 
> sdsl_addr="a.b.c.d"
> lan_addr="172.23.0.1"
> #pppoe_addr="10.0.0.1"
> by_addr="192.168.0.1"
> 
> proxy="a.a.a.a"
> mta="b.b.b.b"
> dns="c.c.c.c"
> web="d.d.d.d"
> dns2="10.0.0.2"
> 
> set block-policy return
> scrub in all
> 
> nat on SDSL from $lan_net to !$sdsl_net  -> $sdsl_addr
> rdr inet proto tcp from 62.245.232.135 to $sdsl_addr port 3389 -> 172.23.2.1 port 3389
> block in all
> block out all
> pass in on lo0 all
> pass out on lo0 all
> pass in on LAN from $lan_net to any keep state
> pass in on SDSL from 62.245.232.135 to any keep state
> pass in on SDSL proto tcp from any to $proxy port { 22, 80, 443 } keep state
> pass in on SDSL proto tcp from any to $mta port 25 keep state
> pass in on SDSL proto { udp, tcp } from any to $dns port 53 keep state
> pass in on SDSL proto tcp from any to $web port { 80, 443 } keep state
> 
> pass out on SDSL from $sdsl_net keep state
> pass out on LAN from $lan_addr to $lan_net keep state
> 
> P.S.: Why do I need the second line with the following rule? Shouldn't the 
> 'keep state' open the internal interface for outgoing packets from the given 
> IP?
> pass in on SDSL from 62.245.232.135 to any keep state
> pass out on LAN from 62.245.232.135 to 172.23.2.1
> 
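
As an added example (not part of this thread or of pf itself), a small Python check that does mechanically what the poster says he did by eye: join wrapped rule lines, expand pf.conf macros, and list any rule carrying a `user` or `group` match, the kind of rule the thread associates with needing debug.mpsafenet=0. The sample ruleset is a constructed trim of the one quoted above plus one hypothetical `user root` rule that the poster's config does not contain.

```python
import re

# Constructed sample: a trimmed copy of the ruleset from the thread, plus one
# hypothetical rule with a `user` match that the poster's config does NOT have.
SAMPLE_PF_CONF = """\
lan_net="172.23.0.0/16"
sdsl_net="a.b.c.d/29"
sdsl_addr="a.b.c.d"
proxy="a.a.a.a"
set block-policy return
nat on SDSL from $lan_net to !$sdsl_net  -> $sdsl_addr
rdr inet proto tcp from 62.245.232.135 to $sdsl_addr port 3389 -> 172.23.2.1 \\
    port 3389
block in all
pass in on SDSL proto tcp from any to $proxy port { 22, 80, 443 } keep state
pass out on SDSL proto tcp from any to any port 22 user root keep state
"""

# macro definition: name="value"
MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$')
# filter option that matches on socket owner: `user <name>` or `group <name>`
USER_GROUP_RE = re.compile(r"\b(user|group)\s+\S+")

def parse_pf_conf(text):
    """Return (macros, rules): macros as a dict, rules as macro-expanded,
    whitespace-normalised lines. Comments and blank lines are dropped and
    backslash continuations are joined before a rule is examined."""
    macros, rules, pending = {}, [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip trailing comment
        if not line:
            continue
        if line.endswith("\\"):                # continuation: keep collecting
            pending += line[:-1] + " "
            continue
        line, pending = (pending + line).strip(), ""
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        # expand $macro references; an unknown macro is left as-is
        expanded = re.sub(r"\$(\w+)",
                          lambda mm: macros.get(mm.group(1), mm.group(0)), line)
        rules.append(" ".join(expanded.split()))
    return macros, rules

def rules_with_user_or_group(rules):
    """Rules whose filter criteria include a `user` or `group` match."""
    return [r for r in rules if USER_GROUP_RE.search(r)]
```

Run it against a real /etc/pf.conf by passing the file contents to parse_pf_conf(); an empty result from rules_with_user_or_group() means no rule matches on socket owner.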