Date:      Sat, 22 Nov 2008 11:46:19 +1030 (CST)
From:      "Daniel J. O'Connor" <darius@dons.net.au>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   kern/129060: pf doesn't forget the old tun IP
Message-ID:  <200811220116.mAM1GJRI075028@midget.dons.net.au>
Resent-Message-ID: <200811220140.mAM1e18A002165@freefall.freebsd.org>


>Number:         129060
>Category:       kern
>Synopsis:       pf doesn't forget the old tun IP
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Nov 22 01:40:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Daniel J. O'Connor
>Release:        FreeBSD 7.1-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD midget.dons.net.au 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #2: Sun Oct 12 18:17:04 CST 2008 darius@midget.dons.net.au:/data/obj/data/src/sys/GENERIC i386


>Description:
If I use ppp to run my PPPoE connection (over my ADSL modem running in bridged
mode) and the connection drops out pf does not seem to forget the old IP. When
I make new connections every second one doesn't work. The existing SIP
connection my ATA uses remains broken as it gets mapped to the old address.

If I switch to using mpd then this problem doesn't happen; however, I find that
applications get "device not configured" errors when trying to send traffic!
This only happens infrequently, but it seems to "stick" on, and restarting mpd
doesn't always fix it, e.g.:
Nov 18 19:19:53 midget named[338]: /data/src/lib/bind/isc/../../../contrib/bind9/lib/isc/unix/socket.c:1179: unexpected error:
Nov 18 19:19:53 midget kernel: Nov 18 19:19:53 midget named[338]: /data/src/lib/bind/isc/../../../contrib/bind9/lib/isc/unix/socket.c:1179: unexpected error:
Nov 18 19:19:53 midget named[338]: internal_send: 192.231.203.132#53: Device not configured

My pf.conf is below:
### macros
int_if = "em0"
ext_if = "tun0"

# Incoming TCP services we provide
tcp_services = "{ www, https, 6881:6899 }"

tcp_services_limited = "{ ssh, imap, imaps, smtp, smtps, pop3, pop3s, \
		  ftp, ftp-data }"

steam_ports = "{27030, 27031}"
steam_ips = "{202.136.100.227, 202.72.191.174, 203.24.101.93, 203.34.186.14, 203.46.104.7, 203.46.104.8, 150.101.135.1}"

# Game ports
game_ports = "{27015}"

# ICMP we want to allow
icmp_types = "{ echoreq, trace }"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

### Tables
table <abusive> persist

### Options
set block-policy return
#set loginterface $ext_if

set timeout src.track 10

# Scrub
#scrub in all

# NAT
nat on $ext_if from $int_if:network to any -> ($ext_if) static-port

rdr pass on $ext_if inet proto tcp to port 8000 -> 10.0.2.73 port 80

#rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# UPnPd rdr anchor
rdr-anchor "miniupnpd"

# filter rules

# Exempt loopback
pass quick on lo0

# Default to blocking
block log all

# Deny from any known abusive host
block in quick from <abusive>

# Block all STEAM...
#block out quick on $ext_if proto {tcp, udp} from any to any port $steam_ports
#block in quick on $ext_if proto {tcp, udp} from any to any port $steam_ports
# Except 'node
#pass out quick on $ext_if proto {tcp, udp} from any to $steam_ips port $steam_ports keep state
#pass in quick on $ext_if proto {tcp, udp} from $steam_ips port $steam_ports to any keep state

# Deny from any host in the PG list
#block return in quick proto { tcp, udp } from <peerguardian> to any port 6800:6900

# Drop any internal nets appearing from the outside
#antispoof for { $ext_if, $int_if, lo0 }

# Or this?
#block drop in  quick on $ext_if from $priv_nets to any
#block drop out quick on $ext_if from any to $priv_nets

# uPnPd
anchor "miniupnpd"

# Allow our services in
#pass in on $ext_if inet proto tcp from any to ($ext_if) \
#   port $tcp_services flags S/SA keep state

#pass in proto ipv6 from any to any keep state
#pass out proto ipv6 from any to any keep state

#pass in proto ipv6-icmp from any to any keep state
#pass out proto ipv6-icmp from any to any keep state

# Multicast for miniupnpd
pass out on $int_if from any to 239.0.0.0/8 keep state 
pass in on $int_if from any to 239.0.0.0/8 keep state 

# Telnet for Alex
pass in on $ext_if proto tcp from 203.5.217.4 to ($ext_if) \
   port 23 flags S/SA keep state

# Rate limited TCP services
pass in on $ext_if proto tcp from any to ($ext_if) \
   port $tcp_services_limited flags S/SA keep state \
   (max-src-conn-rate 5/4, overload <abusive> flush global)

# Unlimited TCP services
pass in on $ext_if proto tcp from any to ($ext_if) \
   port $tcp_services flags S/SA keep state

#pass in on $ext_if proto udp from any to ($ext_if) port 12345 keep state
#pass in on $ext_if proto udp from any to ($ext_if) port 15345 keep state

# Allow ICMP echo
pass in inet proto icmp all icmp-type $icmp_types keep state

# Allow packets on internal network
pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

# Track outgoing TCP connection state
pass out on $ext_if proto tcp all flags S/SA keep state

# Normal TCP traffic and ACKs/no payload
pass out on $ext_if proto tcp from any keep state

# DNS queries
pass out on $ext_if proto udp from any to any port 53 keep state

# Track outgoing UDP state
pass out on $ext_if proto udp all keep state

# Game traffic
pass out on $ext_if proto udp from any to any port $game_ports keep state

# Track outgoing ICMP state
pass out on $ext_if proto icmp all keep state

>How-To-Repeat:
>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:
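An added diagnostic for the symptom reported above (not part of this PR, ppp or pf): a shell check that compares the address tun0 currently has with the address pf is still translating existing states to. The ifconfig and pfctl -ss output embedded below is constructed with RFC 5737 documentation addresses, and the "lan -> gwy -> ext" state line layout is assumed to be the FreeBSD 7-era pfctl format.

```shell
#!/bin/sh
# Added example (not from the PR): after a PPP reconnect, count the pf
# states that still carry the tun0 address pf translated to before the drop.
# All ifconfig/pfctl text below is constructed (RFC 5737 addresses); the
# "pfctl -ss" line layout is assumed to be FreeBSD 7's "lan -> gwy -> ext".

# Print the first inet address from "ifconfig <if>" output read on stdin.
current_inet_addr() {
    awk '$1 == "inet" { print $2; exit }'
}

# Count "pfctl -ss" lines (stdin) whose translated address is still $1.
# The trailing ':' keeps 203.0.113.5 from also matching 203.0.113.50.
stale_states() {
    grep -c -F -- "$1:" || :
}

# Constructed data: the ATA's SIP flow was translated to 203.0.113.5 before
# the link dropped; after the reconnect tun0 came up as 203.0.113.77.
OLD_ADDR=203.0.113.5

IFCONFIG_TUN0='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
	inet 203.0.113.77 --> 198.51.100.1 netmask 0xffffffff
	Opened by PID 1234'

PFCTL_SS='all udp 10.0.2.73:5060 -> 203.0.113.5:5060 -> 198.51.100.9:5060       MULTIPLE:MULTIPLE
all tcp 10.0.2.10:51234 -> 203.0.113.5:51234 -> 198.51.100.20:443       ESTABLISHED:ESTABLISHED
all tcp 10.0.2.10:51240 -> 203.0.113.77:51240 -> 198.51.100.20:443       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.50:22 <- 198.51.100.30:40000       ESTABLISHED:ESTABLISHED'

# Compare what pf is translating to against what tun0 actually has.  On a
# live box replace the two printf pipelines with "ifconfig tun0" and
# "pfctl -ss"; states left over for the old address can be dropped with
# "pfctl -k <old address>" so the ATA re-registers from the new one.
live=$(printf '%s\n' "$IFCONFIG_TUN0" | current_inet_addr)
for addr in "$OLD_ADDR" "$live"; do
    n=$(printf '%s\n' "$PFCTL_SS" | stale_states "$addr")
    echo "states translated to $addr: $n"
done
```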