Date:      Thu, 22 Mar 2001 06:02:45 -0800 (PST)
From:      Mike Harding <mvh@ix.netcom.com>
To:        tim@weeble.org.uk
Cc:        freebsd-stable@freebsd.org
Subject:   Re: ipf and ppp on FBSD 4.3-beta (fwd)
Message-ID:  <20010322140245.79B9E1142A3@netcom1.netcom.com>
In-Reply-To: <Pine.BSF.4.33.0103212115510.4261-100000@doubtful.weeble.foo.uk> (message from Tim Joseph on Wed, 21 Mar 2001 21:16:45 +0000 (GMT))
References:   <Pine.BSF.4.33.0103212115510.4261-100000@doubtful.weeble.foo.uk>


What changed is that the ipfilter rule set is loaded before the
dynamic interfaces like ppp are added.  An 'ipf -y' should be put in
/etc/rc.network after ppp, etc are initialized but isn't there yet.
You also need an 'ipf -y' in ppp.linkup so ipfilter can pick up the
new address...

Hopefully this can get committed for the release, I wasted some time
chasing this down.  It's a 2 or so line change.

- Mike H.

   Date: Wed, 21 Mar 2001 21:16:45 +0000 (GMT)
   From: Tim Joseph <tim@weeble.org.uk>
   X-X-Sender:  <tim@doubtful.weeble.foo.uk>
   Content-Type: TEXT/PLAIN; charset=US-ASCII
   Sender: owner-freebsd-stable@FreeBSD.ORG
   X-Loop: FreeBSD.ORG
   Precedence: bulk

   No replies on freebsd-questions, so...

   ---------- Forwarded message ----------
   Date: Mon, 19 Mar 2001 21:50:55 +0000 (GMT)
   From: Tim Joseph <tim@weeble.org.uk>
   To: freebsd-questions@freebsd.org
   Subject: ipf and ppp on FBSD 4.3-beta

   Hi,

   I originally installed FBSD 4.2-release, and setup ipf and ppp to run at
   boot. I recompiled the kernel with a default deny for ipfilter. The
   relevant bits of my kernel config, rc.conf and ppp.conf below:

   *kernel*

   ...
   options         IPFILTER
   options         IPFILTER_LOG
   options         IPFILTER_DEFAULT_BLOCK
   ...


   *rc.conf*

   ...
   ipfilter_enable="YES"
   ipfilter_program="/sbin/ipf -Fa -f"
   ipfilter_rules="/etc/ipf.rules"
   ...
   ppp_enable="YES"
   ppp_mode="ddial"
   ppp_nat="NO"
   ppp_profile="myisp"
   ...


   *ppp.conf*

   ...
   default:
   ident user-ppp VERSION (built COMPILATIONDATE)
   set device /dev/cuaa0
   set log Phase Chat LCP IPCP CCP tun command
   set speed 115200
   set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
	     \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
   set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
   set timeout 120
   add default HISADDR
   # enable dns
   ...
   myisp:
    set phone XXXXXXXXXXXX
   # set login
    set authname XXXXXXXXXXXX
    set authkey XXXXXXXXXXXX
    set ifaddr AAA.BBB.CCC.DDD 111.222.333.444 255.255.255.0 0.0.0.0


   Where AAA.BBB.CCC.DDD is my fixed ip, and 111.222.333.444 is the ISP's ip.

   The ipf rules are a bit long to stick them all here, but suffice to say
   that the bits relevant to my dial-up connection look like this:

   ...
   block in log body on tun0 all head 100
   block out log body on tun0 all head 150
   ...
   pass out quick proto tcp from any to any port = 80 flags S/SA keep state keep frags group 150
   ...

   That sort of thing. It's a rule set I've used without hitch on OpenBSD
   2.8-stable and on FreeBSD 4.2-release. But on my current version of
   4.3-beta (cvsup-ed sometime around 17 March) all packets headed out (and
   also in) to the tun0 interface ran through the ipf rules without any
   matches and then hit the default deny in the kernel. Strange.

   I assumed I had done something, so I tinkered (cvsup-ing and recompiling
   and tweaking configs) but got nowhere. I happened to drop to single user
   mode and then back to multiuser, which of course brought up ipf and ppp -
   all worked fine! I thought it was solved, but on my next reboot, the same
   problem occurred. I went back to single user and back to multi-user, and
   hey presto it worked! I repeated this 3 or 4 times.

   I then rebooted and tried "ipf -y" and bingo, packets were matching the
   rules and were being passed correctly!

   What has changed since 4.2-release that I need to flush the interface list
   like this to get things to work? I could put this in a startup script, but
   I'd like to know why this now seems to be needed.

   Thanks.

   From,

   Tim



   To Unsubscribe: send mail to majordomo@FreeBSD.org
   with "unsubscribe freebsd-stable" in the body of the message

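Mike's suggestion above (run `ipf -y` once ppp has configured the interface, and again from ppp.linkup so ipfilter picks up the new address) as an added shell example; this is not the thread's own fix or any committed FreeBSD code. It assumes a hypothetical script name `ipf-resync.sh` under /usr/local/sbin, that ppp's `!bg` command (per ppp(8)) is used to call it from the `myisp:` label in ppp.linkup, and that `/sbin/ipf` and `/sbin/ifconfig` are where the thread's rc.conf places them. The `IPF` and `IFCONFIG` variables exist only so the script can be exercised without a real ipfilter kernel.

```shell
#!/bin/sh
# ipf-resync.sh (hypothetical name): re-sync ipfilter's cached interface
# list after a dynamic interface such as tun0 has been configured by ppp.
#
# Hook it into /etc/ppp/ppp.linkup under the profile label, e.g.
#   myisp:
#    !bg /usr/local/sbin/ipf-resync.sh tun0
# and call it once more after ppp is started at boot. Added example only,
# not the fix committed to FreeBSD.

IPF=${IPF:-/sbin/ipf}                  # overridable for testing
IFCONFIG=${IFCONFIG:-/sbin/ifconfig}   # overridable for testing

# Succeed only when the interface exists and already carries an inet
# address, i.e. ppp's "set ifaddr" has taken effect and there is an
# address for ipfilter to pick up.
iface_has_inet() {
    "$IFCONFIG" "$1" 2>/dev/null | grep -q 'inet '
}

# Re-sync ipfilter's interface list for one interface.
# Exit status: 0 re-synced, 2 interface not ready yet (caller may retry),
# 1 ipf itself failed.
ipf_resync() {
    iface_has_inet "$1" || return 2
    "$IPF" -y || return 1
    return 0
}

# Retry a few times: ppp.linkup fires once the link is up, but when called
# from rc at boot the interface may not have its address yet.
ipf_resync_retry() {
    iface=$1
    tries=${2:-5}
    while :; do
        rc=0
        ipf_resync "$iface" || rc=$?
        [ "$rc" -ne 2 ] && return "$rc"
        tries=$((tries - 1))
        [ "$tries" -gt 0 ] || return 2
        sleep 1
    done
}

# When run as a script: ipf-resync.sh <interface> [tries]
if [ $# -gt 0 ]; then
    ipf_resync_retry "$1" "${2:-5}"
    exit $?
fi
```

Because the script refuses to run `ipf -y` until the interface actually has an address, calling it too early from rc is harmless, and the retry loop covers the boot-time ordering problem the thread describes without having to guess how long ppp takes to negotiate.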
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010322140245.79B9E1142A3>