Date: Sat, 8 Jan 2005 18:24:41 +0100
From: Max Laier <max@love2party.net>
To: Robert Watson <rwatson@freebsd.org>
Cc: Harald Schmalzbauer <harry@schmalzbauer.de>
Subject: Re: machine locks with PF (without using user dependent rules)
Message-ID: <200501081824.49235.max@love2party.net>
In-Reply-To: <Pine.NEB.3.96L.1050108165119.43829D-100000@fledge.watson.org>
References: <Pine.NEB.3.96L.1050108165119.43829D-100000@fledge.watson.org>
On Saturday 08 January 2005 17:52, Robert Watson wrote:
> On Sat, 8 Jan 2005, Harald Schmalzbauer wrote:
> > my machine hard locks with the attached ruleset. If I set
> > debug.mpsafenet to 0 everything is fine. This was a wild guess from me,
> > I could nowhere find the info that PF needs this tweaking and I think
> > it's not intended, otherwise it would be done in rc.conf e.g.

Yes, it is not intended. Please keep in mind that debug.mpsafenet cannot be
altered at runtime, hence rc.conf would be too late anyway. Just making
that clear.

> > I read about user-dependent rules in IPFW and that one has to disable
> > mpsafenet, but I'm not using user-based rules in my PF config!
> > Unfortunately this machine is a CF-card based router where I cannot debug
> > anything, perhaps I can bring a witness-kernel on it, please tell me if
> > this problem is new to you and if I should do that.
>
> I've CC'd Max Laier due to his extensive work with pf on FreeBSD. I think
> a WITNESS+INVARIANTS kernel would be quite helpful, if you could.

Yes, WITNESS would be interesting, though I don't expect to see any LORs, as
this is not an overly complicated ruleset. Actually, I am very surprised
that it does lock up - what hardware is this?

What version of FreeBSD are you running? RELENG_5_3? Could you try to move
`src/sys/contrib/pf' to RELENG_5 instead. There are some bugfixes in there
that might help you. Specifically there was an endless loop in the state
matching code. Please tell me if that helped.

> > Best regards,
> >
> > -Harry
> >
> > pf.conf: (note that the interface names are changed, so fxp0 is SDSL
> > e.g.)
> >
> > lan_net="172.23.0.0/16"
> > by_net="192.168.0.0/24"
> > sdsl_net="a.b.c.d/29"
> >
> > sdsl_addr="a.b.c.d"
> > lan_addr="172.23.0.1"
> > #pppoe_addr="10.0.0.1"
> > by_addr="192.168.0.1"
> >
> > proxy="a.a.a.a"
> > mta="b.b.b.b"
> > dns="c.c.c.c"
> > web="d.d.d.d"
> > dns2="10.0.0.2"
> >
> > set block-policy return
> > scrub in all
> >
> > nat on SDSL from $lan_net to !$sdsl_net -> $sdsl_addr
> > rdr inet proto tcp from 62.245.232.135 to $sdsl_addr port 3389 -> 172.23.2.1 port 3389
> > block in all
> > block out all
> > pass in on lo0 all
> > pass out on lo0 all
> > pass in on LAN from $lan_net to any keep state
> > pass in on SDSL from 62.245.232.135 to any keep state
> > pass in on SDSL proto tcp from any to $proxy port { 22, 80, 443 } keep state
> > pass in on SDSL proto tcp from any to $mta port 25 keep state
> > pass in on SDSL proto { udp, tcp } from any to $dns port 53 keep state
> > pass in on SDSL proto tcp from any to $web port { 80, 443 } keep state
> >
> > pass out on SDSL from $sdsl_net keep state
> > pass out on LAN from $lan_addr to $lan_net keep state
> >
> > P.S.: Why do I need the second line with the following rule? Shouldn't
> > the 'keep state' open the internal interface for outgoing packets from
> > the given IP?
> > pass in on SDSL from 62.245.232.135 to any keep state
> > pass out on LAN from 62.245.232.135 to 172.23.2.1

For the normal forwarding path that's true, but not for the RDR case. You can
use "rdr pass" to circumvent this.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
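The "rdr pass" form Max suggests, written out against the RDR path of the posted ruleset, as an added example that is not part of the original message and not code from the pf project. Interface names (SDSL, LAN), the $sdsl_addr macro and the two addresses are taken from the posted pf.conf; the macro names $rdp_client and $rdp_server are assumptions introduced here for readability.

```pf
# Added example (not from the original thread): the RDR path of the
# posted ruleset before and after switching to "rdr pass".
# SDSL/LAN, $sdsl_addr, 62.245.232.135 and 172.23.2.1 come from the
# posted pf.conf; $rdp_client and $rdp_server are assumed macro names.

sdsl_addr="a.b.c.d"
rdp_client="62.245.232.135"   # the only external host allowed to reach RDP
rdp_server="172.23.2.1"       # internal host the connection is redirected to

# --- Before: translation rule plus two filter rules ---------------------
# rdr only rewrites the destination; the packet still has to match a pass
# rule inbound on SDSL and, as the thread explains, for the redirected
# connection also outbound on LAN, which is why the second pass rule was
# needed:
#
#   rdr inet proto tcp from $rdp_client to $sdsl_addr port 3389 -> $rdp_server port 3389
#   pass in on SDSL from $rdp_client to any keep state
#   pass out on LAN from $rdp_client to $rdp_server

# --- After: "rdr pass" ---------------------------------------------------
# With the pass modifier, packets matching the translation rule are passed
# without consulting the filter rules, so the redirected flow no longer
# needs the two pass rules above.
# Caveat: because the filter is skipped for these packets, the rdr rule's
# own from/to/port match is the only restriction left. Keep the source
# limited to $rdp_client here; "from any" would expose port 3389 on
# $rdp_server to the whole Internet with no filter rule to stop it.
rdr pass inet proto tcp from $rdp_client to $sdsl_addr port 3389 -> $rdp_server port 3389

# The rest of the posted policy is unchanged: default deny, then the
# explicit pass rules. Note that the posted
#   pass in on SDSL from $rdp_client to any keep state
# admits *all* traffic from that host, not only RDP; if the host should
# only reach $rdp_server, drop that rule too now that rdr pass covers RDP.
block in all
block out all
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, so a syntax error does not leave a CF-card router without a filter. As for the workaround in the thread: since debug.mpsafenet cannot be changed at runtime, the place to set it on a 5.x system is `/boot/loader.conf` (`debug.mpsafenet="0"`), not rc.conf.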