From owner-freebsd-pf@FreeBSD.ORG Thu Sep 16 03:39:58 2004
From: Rolf Skaar
X-original-sender: rasgal@palantir.no
To: pf4freebsd@freelists.org
Reply-To: pf4freebsd@freelists.org
Subject: [pf4freebsd] Re: Version 1.52
Date: Thu, 16 Sep 2004 03:39:58 -0000
X-Original-Date: Mon, 09 Jun 2003 17:59:57 CEST
List-Id: Technical discussion and general questions about packet filter (pf)
X-Mailer: BasiliX 1.1.0 -- http://basilix.org

On 09 Jun 2003 06:14 CEST you wrote:
> On Sun, Jun 08, 2003 at 10:50:38PM +0200, Rolf wrote:
> >
> > Hi, keep up the good work guys!
> >
> > I've just upgraded my gateway to fbsd 5.1 RELEASE #0.
> > Then I installed your pf_freebsd_1.52 package, guess what! It works!! BUT!
> > I am an xDSL user, and got some problems with NAT through pf when using the ppp protocol to connect PPPoE, and have not (yet) had the time and effort to look up this error.
> >
> > My NAT rule in pf.conf is exactly as posted here: nat on ! $Int from $Int/24 to any -> $Ext
> > where Int=xl1 and Ext=tun0.
>
> Thanks for your feedback.
> There are two methods on FreeBSD to use xDSL, also known as user mode and
> kernel mode. It seems that you use the userland PPPoE client because your
> external interface is tun0. Right?
> You should first check your xDSL connection without pf.
> (To narrow down the problem.)
> There may be some differences between OpenBSD ppp and FreeBSD ppp
> configuration.
>
> Currently, FreeBSD pf can't detect address changes accomplished by ppp
> client software (ppp or mpd). OpenBSD pf knows about that and takes care
> of it.
> This is one of the differences between FreeBSD pf and the OpenBSD one.
> You should reload your pf rules whenever your external address (tun0)
> changes. This can be done via the /etc/ppp/ppp.linkup file. See ppp(8) for
> more details. (This problem can be fixed if we can have write access to the
> FreeBSD kernel sources.)
>
> If you can't NAT with this, please let me know. Please include the
> following information.
> 1. FreeBSD/pf version used
> 2. your kernel configuration if you have customized one
> 3. your complete pf rule set
> 4. your network configuration
> 5. your ppp start up script in /etc/ppp/ppp.linkup
>
> You would get a more stable version if users like you report more problems.
> Thank you and good luck.
>
> > This worked great on my former OBSD box, and should have worked on my FBSD too.
> >
> > I would love to use pf's NAT (RDR works great).
> > OH, IPv6 works great for me, that's it so far..
> >
> > I have not been able or have found the time and effort to test any other functions...
> >
> > Rolf
> >
>
> --
> Pyun YongHyeon

No problem, I am glad if I can help.

Here is my network layout:

  INET <--> GATEWAY <--> WORKSTATION
  [ISP_gateway <--> my_tun0_IP ] <--> [xl1:10.10.0.1 <--> xl0:10.10.0.250]
            External                            Internal

I have configured my box to configure everything at boot time to maximise uptime on my box, as I'm not around all the time. The pf version is pf_freebsd_1.52.tar.gz.

I begin with my kernel configuration, which is mostly generic:

machine		i386
cpu		I586_CPU
cpu		I686_CPU
ident		ashaman

options		SC_DISABLE_REBOOT
options		VESA
options		SC_PIXEL_MODE
options		PFIL_HOOKS
options		RANDOM_IP_ID
#options	ALTQ

options		SCHED_4BSD		#4BSD scheduler
options		INET			#InterNETworking
options		INET6			#IPv6 communications protocols
options		FFS			#Berkeley Fast Filesystem
options		SOFTUPDATES		#Enable FFS soft updates support
options		UFS_ACL			#Support for access control lists
options		UFS_DIRHASH		#Improve performance on big directories
options		MD_ROOT			#MD is a potential root device
options		NFSCLIENT		#Network Filesystem Client
options		NFSSERVER		#Network Filesystem Server
options		NFS_ROOT		#NFS usable as root device, requires NFSCLIENT
options		MSDOSFS			#MSDOS Filesystem
options		CD9660			#ISO 9660 Filesystem
options		PROCFS			#Process filesystem (requires PSEUDOFS)
options		PSEUDOFS		#Pseudo-filesystem framework
options		COMPAT_43		#Compatible with BSD 4.3 [KEEP THIS!]
options		COMPAT_FREEBSD4		#Compatible with FreeBSD4
options		SCSI_DELAY=15000	#Delay (in ms) before probing SCSI
options		KTRACE			#ktrace(1) support
options		SYSVSHM			#SYSV-style shared memory
options		SYSVMSG			#SYSV-style message queues
options		SYSVSEM			#SYSV-style semaphores
options		_KPOSIX_PRIORITY_SCHEDULING #Posix P1003_1B real-time extensions
options		KBD_INSTALL_CDEV	# install a CDEV entry in /dev
options		AHC_REG_PRETTY_PRINT	# Print register bitfields in debug
					# output.  Adds ~128k to driver.
options		AHD_REG_PRETTY_PRINT	# Print register bitfields in debug
					# output.  Adds ~215k to driver.

device		isa
device		eisa
device		pci

# Floppy drives
device		fdc

# ATA and ATAPI devices
device		ata
device		atadisk		# ATA disk drives
device		atapicd		# ATAPI CDROM drives
device		atapifd		# ATAPI floppy drives
device		atapist		# ATAPI tape drives
options		ATA_STATIC_ID	#Static device numbering

# atkbdc0 controls both the keyboard and the PS/2 mouse
device		atkbdc		# AT keyboard controller
device		atkbd		# AT keyboard
device		psm		# PS/2 mouse

device		vga		# VGA video card driver

device		splash		# Splash screen and screen saver support

# syscons is the default console driver, resembling an SCO console
device		sc

device		agp		# support several AGP chipsets

# Floating point support - do not disable.
device		npx

# Add suspend/resume support for the i8254.
device		pmtimer

# PCI Ethernet NICs.
device		de		# DEC/Intel DC21x4x (``Tulip'')
device		em		# Intel PRO/1000 adapter Gigabit Ethernet Card
device		txp		# 3Com 3cR990 (``Typhoon'')
device		vx		# 3Com 3c590, 3c595 (``Vortex'')

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device		miibus		# MII bus support
device		dc		# DEC/Intel 21143 and various workalikes
device		fxp		# Intel EtherExpress PRO/100B (82557, 82558)
device		xl		# 3Com 3c90x (``Boomerang'', ``Cyclone'')

device		cs		# Crystal Semiconductor CS89x0 NIC
# 'device ed' requires 'device miibus'
device		ed		# NE[12]000, SMC Ultra, 3c503, DS8390 cards
device		ep		# Etherlink III based cards

# Pseudo devices - the number indicates how many units to allocate.
device		random		# Entropy device
device		loop		# Network loopback
device		ether		# Ethernet support
device		sl		# Kernel SLIP
device		ppp		# Kernel PPP
device		tun		# Packet tunnel.
device		pty		# Pseudo-ttys (telnet etc)
device		md		# Memory "disks"
device		gif		# IPv6 and IPv4 tunneling
device		faith		# IPv6-to-IPv4 relaying (translation)

# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
device		bpf		# Berkeley packet filter

device		ppbus
device		plip
device		ppc

As you probably see I have only added 5 options, and have not cared to remove any unnecessary devices yet.

rc.conf is like this:

gateway_enable="YES"
ipv6_enable="YES"
hostname="ashaman.inquisitors.org"
ifconfig_xl0="up"
ifconfig_xl1="inet 10.10.0.1 netmask 255.255.255.0"
ipv6_ifconfig_xl1="2001:470:1f00:509::1111 prefixlen 64"
ppp_enable="YES"
ppp_nat="NO"
ppp_mode="ddial"
ppp_profile="TelenorADSL"
#pppoed_enable="YES"			# Run the PPP over Ethernet daemon.
#pppoed_provider="pppoe"		# Provider and ppp(8) config file entry.
#pppoed_flags="-P /var/run/pppoed.pid"	# Flags to pppoed (if enabled).
#pppoed_interface="xl0"			# The interface that pppoed runs on.
#pf_enable="YES"
#pf_logd="YES"
#pf_conf="/home/rasgal/myconfig/pf.conf"
#pfctl_flags=""
inetd_enable="YES"
kern_securelevel_enable="NO"
keymap="norwegian.iso"
keyrate="fast"
keybell="off"
nfs_client_enable="YES"
nfs_server_enable="YES"
router_enable="NO"
rpcbind_enable="YES"
sendmail_enable="NONE"
sshd_enable="YES"
font8x8="swiss-8x8"
font8x14="NO"
font8x16="swiss-8x16"
allscreens_flags="VESA_132x60 yellow blue"

I have changed ppp_nat= from "YES" to "NO" to use pf's nat.

ppp.conf is like this:

default:
 set log Phase Chat LCP IPCP CCP tun command
 set redial 15 0
 set reconnect 15 10000

TelenorADSL:
 set device PPPoE:xl0
 disable acfcomp protocomp
 deny acfcomp
 set mtu max 1492
 set speed sync
 enable lqr
 set lqrperiod 5
 set cd 5
 set dial
 set login
 set timeout 0
 set authname **************
 set authkey ********
 add! default HISADDR
 enable dns
 enable mssfixup

and here is my ppp.linkup:

MYADDR:
 ! sh -c "/sbin/ifconfig pflog0 up"
 ! sh -c "/sbin/ifconfig pfsync0 up"
 !bg sh -c "/home/rasgal/myscripts/tunnel.sh"
 ! sh -c "/usr/local/sbin/pflogd"
 ! sh -c "/usr/local/sbin/`pfctl -e -q -Fa -f /home/rasgal/myconfig/pf.conf`"

This loads all the rules, and everything should be up and running now... What tunnel.sh does is set up my IPv6 connection.

OK, my rule set is somewhat simple (pass all in/out), and blocks only the services that I want it to:

Ext = "tun0"
Int = "xl1"
tunnel = "gif0"
Loop = "lo0"
portblock = "{ 21, 111, 1023 }"
portpass = "{ 53 }"

scrub in all fragment reassemble

# IPv4 NAT configuration
#
#nat on ! $Int from $Int/24 to any -> $Ext
#nat on $Ext from $Int/24 to any -> $Ext

# Redirect
#
rdr on $Ext proto tcp from any to any port 60000:60010 -> 10.10.0.250 port 60000:*
rdr on $Ext proto tcp from any to any port 62003 -> 10.10.0.250 port 62003

# IPv4 packet filter rules
#
block in quick on $Ext proto {tcp} from any to any port $portblock

# basic passes
#
pass in quick on $Loop all
pass out quick on $Loop all
pass in quick on $Ext all
pass out quick on $Ext all

# IPv6 packet filter rules
#
# Basic ipv6 rules
#
pass in quick on gif0 proto ipv6 from any to any
pass out quick on gif0 proto ipv6 from any to any

and here is my output from "pfctl -sa":

[ _- ~ -_ 4:30:02pm Mon Jun 09 ]
%pfctl -sa
scrub in all fragment reassemble
block drop in quick on tun0 proto tcp from any to any port = ftp
block drop in quick on tun0 proto tcp from any to any port = sunrpc
block drop in quick on tun0 proto tcp from any to any port = 1023
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on tun0 all
pass out quick on tun0 all
pass in quick on gif0 proto ipv6 all
pass out quick on gif0 proto ipv6 all
nat on ! xl1 inet from 10.10.0.0/24 to any -> 80.212.169.91
rdr on tun0 inet proto tcp from any to any port 60000:60010 -> 10.10.0.250 port 60000:60010
rdr on tun0 inet proto tcp from any to any port = 62003 -> 10.10.0.250 port 62003
pfctl: DIOCGETALTQS: Operation not supported by device
Status: Enabled for 0 days 00:35:08           Debug: None

State Table                          Total             Rate
  current entries                        0
  searches                               0            0.0/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                                  0            0.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start                0 states
adaptive.end                  0 states
states        hard limit    10000
frags         hard limit     5000

When my boot is done, "ifconfig -a" ends up very similar to this one:

[ _- ~ -_ 3:52:09pm Mon Jun 09 ]
%ifconfig -a
xl0: flags=8843 mtu 1500
	inet6 fe80::260:97ff:fe9f:c2a7%xl0 prefixlen 64 scopeid 0x1
	ether 00:60:97:9f:c2:a7
	media: Ethernet 10baseT/UTP (10baseT/UTP )
xl1: flags=8843 mtu 1500
	options=3
	inet 10.10.0.1 netmask 0xffffff00 broadcast 10.10.0.255
	inet6 fe80::210:5aff:fecb:72cf%xl1 prefixlen 64 scopeid 0x2
	inet6 2001:470:1f00:509::1111 prefixlen 64
	ether 00:10:5a:cb:72:cf
	media: Ethernet autoselect (100baseTX )
	status: active
pflog0: flags=141 mtu 33208
lo0: flags=8049 mtu 16384
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
	inet 127.0.0.1 netmask 0xff000000
pfsync0: flags=41 mtu 2032
tun0: flags=8051 mtu 1492
	inet 80.212.169.91 --> 80.212.160.0 netmask 0xffffffff
	Opened by PID 202
gif0: flags=8051 mtu 1280
	tunnel inet 80.212.169.91 --> 64.71.128.82
	inet6 2001:470:1f00:ffff::333 --> 2001:470:1f00:ffff::332 prefixlen 128
	inet6 fe80::260:97ff:fe9f:c2a7%gif0 prefixlen 64 scopeid 0x7

and "ps aux" shows this:

USER     PID %CPU %MEM  VSZ  RSS  TT  STAT STARTED    TIME COMMAND
root      11 98.1  0.0    0   12  ??  RL   4:38PM  1:48.02 (idle)
root      10  0.0  0.0    0   12  ??  DL   4:38PM  0:00.00 (ktrace)
root       1  0.0  0.2  740  392  ??  ILs  4:38PM  0:00.03 /sbin/init --
root      12  0.0  0.0    0   12  ??  WL   4:38PM  0:00.02 (swi1: net)
root      13  0.0  0.0    0   12  ??  WL   4:38PM  0:00.41 (swi7: clock)
root       2  0.0  0.0    0   12  ??  DL   4:38PM  0:00.05 (g_event)
root       3  0.0  0.0    0   12  ??  DL   4:38PM  0:00.08 (g_up)
root       4  0.0  0.0    0   12  ??  DL   4:38PM  0:00.14 (g_down)
root      15  0.0  0.0    0   12  ??  DL   4:38PM  0:00.05 (random)
root      19  0.0  0.0    0   12  ??  WL   4:38PM  0:00.08 (irq14: ata0)
root      20  0.0  0.0    0   12  ??  WL   4:38PM  0:00.00 (irq15: ata1)
root      21  0.0  0.0    0   12  ??  WL   4:38PM  0:00.01 (irq9: xl0)
root      22  0.0  0.0    0   12  ??  WL   4:38PM  0:00.01 (irq11: xl1)
root      23  0.0  0.0    0   12  ??  WL   4:38PM  0:00.00 (irq1: atkbd0)
root      24  0.0  0.0    0   12  ??  WL   4:38PM  0:00.00 (irq6: fdc0)
root       5  0.0  0.0    0   12  ??  DL   4:38PM  0:00.00 (pagedaemon)
root       6  0.0  0.0    0   12  ??  DL   4:38PM  0:00.00 (vmdaemon)
root       7  0.0  0.0    0   12  ??  DL   4:38PM  0:02.56 (pagezero)
root       8  0.0  0.0    0   12  ??  DL   4:38PM  0:00.00 (bufdaemon)
root       9  0.0  0.0    0   12  ??  DL   4:38PM  0:00.00 (vnlru)
root      27  0.0  0.0    0   12  ??  DL   4:38PM  0:00.02 (syncer)
root      28  0.0  0.0    0   12  ??  IL   4:38PM  0:00.00 (nfsiod 0)
root      29  0.0  0.0    0   12  ??  IL   4:38PM  0:00.00 (nfsiod 1)
root      30  0.0  0.0    0   12  ??  IL   4:38PM  0:00.00 (nfsiod 2)
root      31  0.0  0.0    0   12  ??  IL   4:38PM  0:00.00 (nfsiod 3)
root     132  0.0  0.0  228  120  ??  Is   4:38PM  0:00.00 adjkerntz -i
root     202  0.0  0.7 3112 1800  ??  Ss   4:38PM  0:01.14 /usr/sbin/ppp -quiet -ddial TelenorADSL
root     245  0.0  0.3 1308  816  ??  Ss   4:38PM  0:00.03 /usr/local/sbin/pflogd
root     305  0.0  0.3 1272  852  ??  Ss   4:39PM  0:00.14 /usr/sbin/syslogd -s
root     319  0.0  0.4 1404 1008  ??  Ss   4:39PM  0:00.06 /usr/sbin/rpcbind
root     404  0.0  0.4 1280  916  ??  Is   4:39PM  0:00.02 /usr/sbin/mountd -r
root     406  0.0  0.4 1236  932  ??  Is   4:39PM  0:00.48 nfsd: master (nfsd)
root     407  0.0  0.3 1180  784  ??  I    4:39PM  0:00.00 nfsd: server (nfsd)
root     408  0.0  0.3 1180  784  ??  I    4:39PM  0:00.00 nfsd: server (nfsd)
root     409  0.0  0.3 1180  784  ??  I    4:39PM  0:00.00 nfsd: server (nfsd)
root     410  0.0  0.3 1180  784  ??  I    4:39PM  0:00.00 nfsd: server (nfsd)
root     437  0.0  0.8 2532 1984  ??  Is   4:39PM  0:00.10 /usr/sbin/named
root     439  0.0  0.4 1292  924  ??  Is   4:39PM  0:00.00 /usr/local/sbin/oidentd
root     493  0.0  0.9 3432 2408  ??  Is   4:39PM  0:00.01 /usr/sbin/sshd
root     511  0.0  0.4 1296  984  ??  Is   4:39PM  0:00.03 /usr/sbin/cron
root     540  0.0  0.4 1376 1008  ??  Is   4:39PM  0:00.02 /usr/sbin/inetd -wW
root     546  0.0  1.1 6172 2792  ??  Is   4:39PM  0:00.20 sshd: rasgal [priv] (sshd)
root     554  0.0  0.4 1236  908  v0  Is   4:39PM  0:00.02 /usr/libexec/getty Pc ttyv0
root     555  0.0  0.4 1236  908  v1  Is   4:39PM  0:00.02 /usr/libexec/getty Pc ttyv1
root     556  0.0  0.4 1236  908  v2  Is   4:39PM  0:00.02 /usr/libexec/getty Pc ttyv2
root     557  0.0  0.4 1236  908  v3  Is   4:39PM  0:00.02 /usr/libexec/getty Pc ttyv3
root     558  0.0  0.4 1236  908  v4  Is   4:39PM  0:00.02 /usr/libexec/getty Pc ttyv4
root     559  0.0  0.4 1236  908  v5  Is   4:39PM  0:00.02 /usr/libexec/getty Pc ttyv5
root     560  0.0  0.4 1236  908  v6  Is   4:39PM  0:00.02 /usr/libexec/getty Pc ttyv6
root     561  0.0  0.4 1236  908  v7  Is   4:39PM  0:00.02 /usr/libexec/getty Pc ttyv7
rasgal   562  0.0  1.1 6164 2908  ??  S    4:39PM  0:00.17 sshd: rasgal@ttyp0 (sshd)
rasgal   563  0.0  0.5 1708 1332  p0  Is   4:39PM  0:00.40 -tcsh (tcsh)
root     566  0.0  0.5 1580 1240  p0  I    4:39PM  0:00.08 su -l
root     567  0.0  0.5 1636 1264  p0  S    4:39PM  0:00.27 -su (tcsh)
root       0  0.0  0.0    0    4  ??  DLs  4:38PM  0:00.00 (swapper)
root     577  0.0  0.2  692  524  p0  R    4:40PM  0:00.00 ps aux

As you see, named and oidentd have been started; I did this through rc.local. Everything should be OK, but NAT won't work.. I did a tcpdump and pasted it:

[ _- ~ -_ 4:43:23pm Mon Jun 09 ]
%pftcpdump -e -n -ttt -i tun0
pftcpdump: listening on tun0
000000 AF 2 60: 10.10.0.250 > 193.69.165.20: icmp: echo request
5. 103137 AF 2 60: 10.10.0.250 > 193.69.165.20: icmp: echo request
5. 007455 AF 2 60: 10.10.0.250 > 193.69.165.20: icmp: echo request
5. 007450 AF 2 60: 10.10.0.250 > 193.69.165.20: icmp: echo request
5. 180525 AF 2 78: 80.212.169.190.1027 > 80.212.169.91.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
000179 AF 2 56: 80.212.169.91 > 80.212.169.190: icmp: 80.212.169.91 udp port 137 unreachable
^C
6 packets received by filter
0 packets dropped by kernel

[ _- ~ -_ 4:44:50pm Mon Jun 09 ]
%pftcpdump -e -n -ttt -i xl1
pftcpdump: listening on xl1
000000 0:60:8:9:ad:c1 0:10:5a:cb:72:cf 0800 74: 10.10.0.250 > 193.69.165.20: icmp: echo request
5. 435292 0:60:8:9:ad:c1 0:10:5a:cb:72:cf 0800 74: 10.10.0.250 > 193.69.165.20: icmp: echo request
5. 007458 0:60:8:9:ad:c1 0:10:5a:cb:72:cf 0800 74: 10.10.0.250 > 193.69.165.20: icmp: echo request
5. 007464 0:60:8:9:ad:c1 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 10.10.0.1 tell 10.10.0.250
000114 0:10:5a:cb:72:cf 0:60:8:9:ad:c1 0806 60: arp reply 10.10.0.1 is-at 0:10:5a:cb:72:cf
000163 0:60:8:9:ad:c1 0:10:5a:cb:72:cf 0800 74: 10.10.0.250 > 193.69.165.20: icmp: echo request

Both dumps show that my workstation doesn't get any answer to my pings to www.vg.no (193.69.165.20) when using pf's nat.

I hope this helps, and tell me if I'm doing something wrong or you need anything else. :)

Regards
Rolf Skår
--
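Pyun's advice in the quoted reply, to reload the rule set from /etc/ppp/ppp.linkup every time tun0 gets a new address because this pf port does not follow interface address changes, is most robust as a small link-up hook rather than a one-liner. The script below is an added example; it is not from Rolf's post nor from the pf_freebsd package. Its path /usr/local/etc/pf-linkup.sh, the template /home/rasgal/myconfig/pf.conf.in (the posted pf.conf with Ext = "__EXT_IF__" and a new macro ExtAddr = "__EXT_ADDR__" used in the nat rule), the rendered-file path and the placeholder names are all assumptions, and it relies on ppp(8) substituting INTERFACE and MYADDR in the commands it runs from ppp.linkup. The hook renders the live address into the rules, refuses to flush anything until pfctl -n accepts the rendered file (so a typo never leaves the gateway with an empty rule set), and logs what it did. It also avoids the shape of the last line in the posted ppp.linkup, where the pfctl call sits inside backticks: the shell runs pfctl as a command substitution and then tries to execute /usr/local/sbin/ followed by pfctl's (empty) output.

```shell
#!/bin/sh
# pf-linkup.sh - reload the pf rule set when the PPPoE link comes up.
# Added example; not from Rolf's post or the pf_freebsd package.
# Assumed use from /etc/ppp/ppp.linkup (ppp(8) replaces INTERFACE and MYADDR):
#   MYADDR:
#    ! sh -c "/usr/local/etc/pf-linkup.sh INTERFACE MYADDR"

PFCTL=${PFCTL:-/usr/local/sbin/pfctl}                  # path used by the 2003 port; /sbin/pfctl on modern FreeBSD
TEMPLATE=${TEMPLATE:-/home/rasgal/myconfig/pf.conf.in} # assumed template path
RENDERED=${RENDERED:-/var/run/pf.conf.rendered}        # assumed output path

# log_msg MSG: syslog if logger works, otherwise stderr (never abort the hook).
log_msg() {
    logger -t pf-linkup "$1" 2>/dev/null || echo "pf-linkup: $1" >&2
}

# valid_ipv4 ADDR: true only for a dotted quad whose four octets are 0..255.
# Done with parameter expansion so no word splitting or globbing touches ADDR.
valid_ipv4() {
    _rest=$1
    _n=0
    while [ -n "$_rest" ]; do
        _octet=${_rest%%.*}
        case $_octet in
            '' | *[!0-9]*) return 1 ;;      # empty field or non-digit
        esac
        [ "$_octet" -le 255 ] || return 1
        _n=$((_n + 1))
        [ "$_rest" = "$_octet" ] && break   # last octet, no more dots
        _rest=${_rest#*.}
        [ -n "$_rest" ] || return 1         # trailing dot
    done
    [ "$_n" -eq 4 ]
}

# render_rules IF ADDR < template: replace the placeholders with the live
# interface name and address so the loaded rule set carries literal values
# and does not depend on pf resolving the interface address at load time.
render_rules() {
    sed -e "s|__EXT_IF__|$1|g" -e "s|__EXT_ADDR__|$2|g"
}

# reload_pf IF ADDR: render, syntax-check, and only then flush and load.
# A rejected rule set leaves the previously loaded rules in place.
reload_pf() {
    _if=$1
    _addr=$2
    if ! valid_ipv4 "$_addr"; then
        log_msg "refusing to reload: bad address '$_addr' on $_if"
        return 1
    fi
    render_rules "$_if" "$_addr" < "$TEMPLATE" > "$RENDERED" || return 1
    if ! "$PFCTL" -n -f "$RENDERED"; then
        log_msg "rendered rule set failed pfctl -n; keeping old rules"
        return 1
    fi
    "$PFCTL" -q -F all -f "$RENDERED" || return 1
    "$PFCTL" -q -e 2>/dev/null || true     # harmless if pf is already enabled
    log_msg "loaded $RENDERED for $_if ($_addr)"
    return 0
}

# Only act when invoked with the two arguments ppp passes; sourcing the file
# to reuse the helpers does nothing.
if [ $# -eq 2 ]; then
    reload_pf "$1" "$2"
fi
```

Flushing with -F all at link-up also drops states that were created for the old address, which is what you want after a redial; the pflog0/pfsync0 ifconfig and pflogd lines from the posted ppp.linkup can stay as they are ahead of the hook.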