Date:      Sat, 8 Jan 2005 18:24:41 +0100
From:      Max Laier <max@love2party.net>
To:        Robert Watson <rwatson@freebsd.org>
Cc:        Harald Schmalzbauer <harry@schmalzbauer.de>
Subject:   Re: machine locks with PF (without using user dependent rules)
Message-ID:  <200501081824.49235.max@love2party.net>
In-Reply-To: <Pine.NEB.3.96L.1050108165119.43829D-100000@fledge.watson.org>
References:  <Pine.NEB.3.96L.1050108165119.43829D-100000@fledge.watson.org>

On Saturday 08 January 2005 17:52, Robert Watson wrote:
> On Sat, 8 Jan 2005, Harald Schmalzbauer wrote:
> > my machine hard locks with the attached ruleset.  If I set
> > debug.mpsafenet to 0 everything is fine. This was a wild guess from me,
> > I could nowhere find the info that PF needs this tweaking and I think
> > it's not intended, otherwise it would be done in rc.conf e.g.

Yes, it is not intended.  Please keep in mind that debug.mpsafenet cannot be
altered at runtime, hence rc.conf would be too late anyway.  Just making
that clear.

> > I read about user depending rules in IPFW and that one has to disable
> > mpsafenet, but I'm not using user based rules in my PF config!
> > Unfortunately this machine is a CF-Card based Router where I cannot debug
> > anything, perhaps I can bring a witness-kernel on it, please tell me if
> > this problem is new to you and if I should do that.
>
> I've CC'd Max Laier due to his extensive work with pf on FreeBSD.  I think
> a WITNESS+INVARIANTS kernel would be quite helpful, if you could.

Yes, WITNESS would be interesting, though I don't expect to see any LORs, as
this is not an overly complicated ruleset.  Actually, I am very surprised
that it does lock up - what hardware is this?

What version of FreeBSD are you running?  RELENG_5_3?  Could you try to move
`src/sys/contrib/pf' to RELENG_5 instead.  There are some bugfixes in there,
that might help you.  Specifically there was an endless loop in the state
matching code.  Please tell me if that helped.

> > Best regards,
> >
> > -Harry
> >
> > pf.conf: (note that the interface names are changed, so fxp0 is SDSL
> > e.g.)
> >
> > lan_net="172.23.0.0/16"
> > by_net="192.168.0.0/24"
> > sdsl_net="a.b.c.d/29"
> >
> > sdsl_addr="a.b.c.d"
> > lan_addr="172.23.0.1"
> > #pppoe_addr="10.0.0.1"
> > by_addr="192.168.0.1"
> >
> > proxy="a.a.a.a"
> > mta="b.b.b.b"
> > dns="c.c.c.c"
> > web="d.d.d.d"
> > dns2="10.0.0.2"
> >
> > set block-policy return
> > scrub in all
> >
> > nat on SDSL from $lan_net to !$sdsl_net  -> $sdsl_addr
> > rdr inet proto tcp from 62.245.232.135 to $sdsl_addr port 3389 -> 172.23.2.1 port 3389
> > block in all
> > block out all
> > pass in on lo0 all
> > pass out on lo0 all
> > pass in on LAN from $lan_net to any keep state
> > pass in on SDSL from 62.245.232.135 to any keep state
> > pass in on SDSL proto tcp from any to $proxy port { 22, 80, 443 } keep state
> > pass in on SDSL proto tcp from any to $mta port 25 keep state
> > pass in on SDSL proto { udp, tcp } from any to $dns port 53 keep state
> > pass in on SDSL proto tcp from any to $web port { 80, 443 } keep state
> >
> > pass out on SDSL from $sdsl_net keep state
> > pass out on LAN from $lan_addr to $lan_net keep state
> >
> > P.S.: Why do I need the second line with the following rule? Shouldn't
> > the 'keep state' open the internal interface for outgoing packets from
> > the given IP?
> > pass in on SDSL from 62.245.232.135 to any keep state
> > pass out on LAN from 62.245.232.135 to 172.23.2.1

For the normal forwarding path that's true, but not for the RDR case.  You can
use "rdr pass" to circumvent this.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
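As an added example that is not part of the thread, here is the rdr rule from the quoted pf.conf rewritten with the "rdr pass" modifier Max refers to: in pf.conf(5) the pass modifier lets packets that match the translation rule through statefully without consulting the filter rules, so the extra `pass out on LAN` rule asked about in the P.S. is not needed for the redirected connection. Macros and addresses are the ones from the posting.

```pf
# Added example (not from the thread): the rdr rule from the quoted
# pf.conf with and without the "pass" modifier.
sdsl_addr="a.b.c.d"

# Before: translation only.  The redirected connection still has to be
# allowed in on SDSL and out on LAN by ordinary filter rules.
#rdr inet proto tcp from 62.245.232.135 to $sdsl_addr port 3389 -> 172.23.2.1 port 3389
#pass in on SDSL from 62.245.232.135 to any keep state
#pass out on LAN from 62.245.232.135 to 172.23.2.1

# After: "rdr pass" creates state for matching packets as part of the
# translation, so neither filter rule above is needed for the redirect.
rdr pass inet proto tcp from 62.245.232.135 to $sdsl_addr port 3389 -> 172.23.2.1 port 3389

# Still needed for non-redirected traffic from that host (the quoted
# "pass in on SDSL" rule is also used for that), kept unchanged:
pass in on SDSL from 62.245.232.135 to any keep state
```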
