From owner-freebsd-pf@FreeBSD.ORG Thu Mar 29 21:33:16 2007
Date: Fri, 30 Mar 2007 00:33:07 +0300
From: KES <kes-kes@yandex.ru>
Organization: SaftTen
X-Mailer: The Bat! (v3.62.12) Professional
Message-ID: <1245620767.20070330003307@yandex.ru>
To: freebsd-pf@freebsd.org
In-Reply-To: <460BBBFC.3080501@vwsoft.com>
References: <868144293.20070329001333@yandex.ru> <460BBBFC.3080501@vwsoft.com>
Subject: Re[2]: pf BUG?
You wrote on 29 March 2007 at 16:15:40:

V> On 12/23/-58 20:59, KES wrote:
>> Hello
>>
>> I started to use ADSL.
>> My network has the following structure:
>> CPU -iIP---- rl0 -SERVER -tun0--- >>>>> INET
>>
>> I have the following pf rules:
>>
>> 1) drop all
>> 2) pass in quick on tun0 all
>> 3) pass out quick on tun0 all
>> 4) pass in on rl0 from $iIp to any
>> 5) pass out on rl0 from any to $iIp
>>
>> The following is wrong:
>> If I ping the internet from CPU with
>>
>> 2) pass in log-all on tun0 all
>> 3) pass out quick on tun0 all
>>
>> tcpdump on pflog0 shows nothing.
>> But with
>> 2) pass in on tun0 all
>> 3) pass out log-all quick on tun0 all
>>
>> tcpdump on pflog0 shows in and out traffic on the tun0 interface!!!
>>
>> The system was built from 2007-03-27 sources;
>> the architecture is sparc64.

V> This is not a pf bug.
V> I'm wondering why you're using a firewall at all? Your firewall is
V> nothing but just wide open (tm) and effectively useless.
V> Anyway, I really don't understand your problem. Do you really want
V> to have a firewall which does nothing but logging like crazy? BTW,
V> the log-all option does not make sense when not being used in
V> conjunction with stateful inspection.
V> HTH,
V> Volker

1) Posting the full firewall rules to the list is useless. I post only the part I have the problem with.

2) The problem is that rule #2
   pass in quick on tun0 all
has no effect. All traffic that goes through tun0 goes through rule #3
   pass out quick on tun0 all
What's more, I can delete rule #2 and the internet keeps WORKING!!! despite there being no rule to allow in traffic through tun0.

3) You can change log-all to log if you want.
Log is used only to sniff the traffic which goes through the rule: #2 in case one and #3 in case two.

In reality I have a problem with this:
   pass out log quick route-to ($adslIf $adslGate) from ($adslIf) to any
All incoming traffic is routed again to the internet. I saw it when I traced the route to myself from the internet:
   .......
   15 provider
   16 sparc
   17 provider
   18 sparc

The same firewall in the same environment but on FreeBSD 6.0 on the Intel platform works well.
What is wrong: the new sparc64 kernel configuration, or is there a mistake in the new kernel sources?

Thanks
-- 
KES mailto:kes-kes@yandex.ru
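Added here as an editor's example, not configuration from the thread: the poster's tun0 rules as given, beside a stateful variant in which Volker's point about log versus log-all becomes visible (stateless rules see every packet, so log already logs everything; with keep state only the first packet of a connection matches the rule). Interface and macro names are the poster's; the addresses are constructed placeholders, and the stateful rules assume the CPU-rl0-SERVER-tun0 topology drawn above. The route-to rule is left out because the thread does not establish its intended placement.

```pf
# Macros: names are the poster's, values are constructed placeholders.
iIp = "192.0.2.10"            # inside host (CPU) behind rl0
adslIf = "tun0"

# --- as posted: stateless ------------------------------------------------
# Every packet, in both directions, is re-evaluated against the rules, so
# 'log' and 'log-all' on a stateless rule produce the same pflog0 output.
block all
pass in  quick on tun0 all
pass out log-all quick on tun0 all      # logs every packet leaving tun0
pass in  on rl0 from $iIp to any
pass out on rl0 from any to $iIp

# --- stateful variant (assumed intent) ------------------------------------
# With 'keep state' only the packet that creates the state matches the rule;
# replies and later packets match the state entry instead.  Now 'log' gives
# one pflog0 line per connection, while 'log-all' would log every packet.
block log all
pass in  quick on tun0 keep state
pass out log quick on tun0 keep state
pass in  on rl0 from $iIp to any keep state
pass out on rl0 from any to $iIp keep state
```

Load either variant with pfctl -f and compare tcpdump -n -e -ttt -i pflog0 while pinging from the inside host; the stateless variant logs each echo and reply, the stateful one logs only the state-creating packet.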