From owner-freebsd-stable Thu Mar 22 6: 3:40 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from mclean.mail.mindspring.net (mclean.mail.mindspring.net [207.69.200.57]) by hub.freebsd.org (Postfix) with ESMTP id D826337B71D for ; Thu, 22 Mar 2001 06:03:34 -0800 (PST) (envelope-from mvh@ix.netcom.com)
Received: from netcom1.netcom.com (lai-ca3a-201.ix.netcom.com [209.110.240.201]) by mclean.mail.mindspring.net (8.9.3/8.8.5) with ESMTP id JAA20560; Thu, 22 Mar 2001 09:03:13 -0500 (EST)
Received: by netcom1.netcom.com (Postfix, from userid 1000) id 79B9E1142A3; Thu, 22 Mar 2001 06:02:45 -0800 (PST)
From: Mike Harding
To: tim@weeble.org.uk
Sent-via: tim@weeble.org.uk
Cc: freebsd-stable@freebsd.org
Sent-via: freebsd-stable@freebsd.org
In-reply-to: (message from Tim Joseph on Wed, 21 Mar 2001 21:16:45 +0000 (GMT))
Subject: Re: ipf and ppp on FBSD 4.3-beta (fwd)
References:
Message-Id: <20010322140245.79B9E1142A3@netcom1.netcom.com>
Date: Thu, 22 Mar 2001 06:02:45 -0800 (PST)
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

What changed is that the ipfilter rule set is loaded before the dynamic interfaces like ppp are added. An 'ipf -y' should be put in /etc/rc.network after ppp, etc. are initialized but isn't there yet. You also need an 'ipf -y' in ppp.linkup so ipfilter can pick up the new address...

Hopefully this can get committed for the release, I wasted some time chasing this down. It's a 2 or so line change.

- Mike H.

   Date: Wed, 21 Mar 2001 21:16:45 +0000 (GMT)
   From: Tim Joseph
   X-X-Sender:
   Content-Type: TEXT/PLAIN; charset=US-ASCII
   Sender: owner-freebsd-stable@FreeBSD.ORG
   X-Loop: FreeBSD.ORG
   Precedence: bulk

   No replies on freebsd-questions, so...

   ---------- Forwarded message ----------
   Date: Mon, 19 Mar 2001 21:50:55 +0000 (GMT)
   From: Tim Joseph
   To: freebsd-questions@freebsd.org
   Subject: ipf and ppp on FBSD 4.3-beta

   Hi,

   I originally installed FBSD 4.2-release, and set up ipf and ppp to run at boot. I recompiled the kernel with a default deny for ipfilter. The relevant bits of my kernel config, rc.conf and ppp.conf are below:

   *kernel*
   ...
   options IPFILTER
   options IPFILTER_LOG
   options IPFILTER_DEFAULT_BLOCK
   ...

   *rc.conf*
   ...
   ipfilter_enable="YES"
   ipfilter_program="/sbin/ipf -Fa -f"
   ipfilter_rules="/etc/ipf.rules"
   ...
   ppp_enable="YES"
   ppp_mode="ddial"
   ppp_nat="NO"
   ppp_profile="myisp"
   ...

   *ppp.conf*
   ...
   default:
    ident user-ppp VERSION (built COMPILATIONDATE)
    set device /dev/cuaa0
    set log Phase Chat LCP IPCP CCP tun command
    set speed 115200
    set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
      \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
    set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
    set timeout 120
    add default HISADDR
    # enable dns
   ...
   myisp:
    set phone XXXXXXXXXXXX
    # set login
    set authname XXXXXXXXXXXX
    set authkey XXXXXXXXXXXX
    set ifaddr AAA.BBB.CCC.DDD 111.222.333.444 255.255.255.0 0.0.0.0

   Where AAA.BBB.CCC.DDD is my fixed ip, and 111.222.333.444 is the ISP's ip.

   The ipf rules are a bit long to stick them all here, but suffice to say that the bits relevant to my dial-up connection look like this:

   ...
   block in log body on tun0 all head 100
   block out log body on tun0 all head 150
   ...
   pass out quick proto tcp from any to any port = 80 flags S/SA keep state keep frags group 150
   ...

   That sort of thing. It's a rule set I've used without hitch on OpenBSD 2.8-stable and on FreeBSD 4.2-release.

   But on my current version of 4.3-beta (cvsup-ed sometime around 17 March) all packets headed out (and also in) to the tun0 interface ran through the ipf rules without any matches and then hit the default deny in the kernel. Strange.

   I assumed I had done something, so I tinkered (cvsup-ing and recompiling and tweaking configs) but got nowhere. I happened to drop to single user mode and then back to multiuser, which of course brought up ipf and ppp - all worked fine! I thought it was solved, but on my next reboot, the same problem occurred. I went back to single user and back to multi-user, and hey presto it worked! I repeated this 3 or 4 times.

   I then rebooted and tried "ipf -y" and bingo, packets were matching the rules and were being passed correctly!

   What has changed since 4.2-release that I need to flush the interface list like this to get things to work? I could put this in a startup script, but I'd like to know why this now seems to be needed.

   Thanks.

   From,
   Tim

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
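The ppp.linkup hook Mike recommends, written out as an added example (this is not either poster's configuration, and the MYADDR label, the /sbin/ipf path and the comment text are assumptions, not something the thread shows). ppp(8) searches ppp.linkup for a label matching the peer's address, then the profile name (here that would be myisp), then MYADDR, and runs the commands under the first match once the link is up; the leading "!" hands the rest of the line to a shell.

```conf
# /etc/ppp/ppp.linkup  (added example, not from the thread)
#
# Tim's symptom: the ipf rule set is loaded from rc.network before
# user-ppp creates tun0, so ipfilter never learns about the interface
# and every rule that says "on tun0" (head 100 / head 150 above) fails
# to match.  With IPFILTER_DEFAULT_BLOCK the traffic then hits the
# kernel's default deny instead of leaking, which is the safe failure
# mode, but the link is unusable until the interface list is resynced.
#
# "ipf -y" makes ipfilter re-read the interface list.  Running it from
# ppp.linkup means it fires every time the link comes up, including the
# redials that ddial mode performs, not just at boot.
#
# MYADDR is the catch-all label; use the profile name (myisp:) instead
# if only one profile should trigger the resync.
MYADDR:
 ! sh -c "/sbin/ipf -y"
```

Note that `ipf -y` only refreshes the interface table; it does not reload or flush the rules, so the rc.conf `ipfilter_program="/sbin/ipf -Fa -f"` line above is still what installs them. A quick check after the link is up is to run `ipfstat -io` and look for the tun0 rules with non-zero hit counts, and to watch the `log body` output for packets that still fall through to the default block.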