Date:      Thu, 16 Sep 2004 03:40:18 -0000
From:      Pyun YongHyeon <yongari@kt-is.co.kr>
To:        pf4freebsd@freelists.org
Cc:        rasgal@palantir.no
Subject:   [pf4freebsd] Re: Version 1.52
Message-ID:  <20030612052722.GA40573@kt-is.co.kr>
In-Reply-To: <BasiliX-1.1.0-10552890333ee66ec9e9603@pals013>
References:  <BasiliX-1.1.0-10552890333ee66ec9e9603@pals013>

On Wed, Jun 11, 2003 at 01:50:33AM +0200, Rolf Sk?r wrote:
 > 
[snip]
 > 
 > Ehh, oops, I began the mail before I started the test, and forgot to uncomment the hash on this rule "#nat on ! $Int from $Int/24 to any -> $Ext" in the mail.
 > 
 > Sorry.
 > 
 > The rule was parsed in the test.. (nat on ! $Int from $Int/24 to any -> $Ext)
 > 
 > OK. Hmm, I have found out that pf is updated only when I do it manually, but it fails when the update process is invoked through ppp.linkup.

It seems that there is a problem with script invocation.

 > No matter what.. so I set up a 3-stage configuration.
 > 
 > current ppp.linkup file:
 > 
 > MYADDR:
 >  ! sh -c "/home/rasgal/myscripts/`tunnel.sh dynamic`"   <-- sets up ipv6 through gif0
 >  ! sh -c "/home/rasgal/myscripts/tun0ip.sh"                    <-- gets new ip.
 > 
 > current tun0ip.sh file:
 > 
 > #!/bin/sh
 > 
 > ifconfig tun0 | grep inet | tr ' ' '\n' | tail -6 | head -1 > /home/rasgal/temp/NEW.IP
 > 
 > current pf.sh file:
 > This file was rewritten with pf.sh.sample as a base.
 > This file is crontab'ed to run with the pppupdate variable every 10 min. to compare the current IP and the stored IP at this interval.

There is no need to run the program via crontab. The ppp.linkup file is just
for this purpose. Due to the current FreeBSD pf's lack of detection of address
changes, it is somewhat tricky to use pf with xDSL.
The FreeBSD pf modules should be loaded before any other network setup such
as ppp. After the ppp connection is established, the pf rules should be activated.
I use mpd for kernel mode PPPoE and use rc.local to load the FreeBSD pf
kernel module and set things up like this.

#
# rc.local
#
# kernel mode PPPoE setup
#
# First, load pf kernel module
#

if [ -f /boot/kernel/pf.ko ]; then
	/sbin/kldload pflog
	/sbin/kldload pfsync
	/sbin/ifconfig pflog0 up
	/sbin/ifconfig pfsync0 up
	/sbin/pflogd
	/sbin/kldload pf
	echo 'pf module loaded.'
fi
#
# Then, invoke mpd
#
if [ -x /usr/local/sbin/mpd -a -f /usr/local/etc/mpd/mpd.conf ]; then
	/sbin/kldload ng_ether
	echo -n " mpd"; /usr/local/sbin/mpd -b
fi

mpd also has a script to be run after PPPoE connection established.
My script for this purpose is

#!/bin/sh
#
# mpd startup script for pf
/sbin/pfctl -Fa -e -f /etc/pf.conf

The file's mode is 0555.
Also note that option -e is required because I have not enabled pf after
loading it.  Whenever my IP address changes the script is invoked by mpd
again, and this time option -e does no harm.

Though the above example is for mpd, it is still valid for ppp(8) as well.
Did you check the /var/log/ppp.log file? ppp(8) will record almost all events.
The log can reveal more hidden facts. (Your script might not be executed
for unexpected reasons. The log will record this too.)

 > 
[snip]
 > 
 > This message " pfctl: DIOCGETALTQS: Operation not supported by device" has not gone away.
 > I have recompiled my pf, and I'm 100% sure my kernel is not compiled with "options ALTQ"

OK. I'll check FreeBSD pf source.

 > 
 > Thank you, for helping me Pyun YongHyeon.
 > 
No problem! Hope this works for you.
Thank you.

 > Regards
 > 
 > Rolf Sk?r
 > 

-- 
Pyun YongHyeon <http://www.kr.freebsd.org/~yongari>
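Added example, not part of the mail above and not the pf4freebsd project's code: a ppp.linkup helper that picks the tun0 address out of ifconfig output with awk (instead of counting whitespace-separated fields as the quoted tun0ip.sh does), compares it with the previously stored address, and only then runs the same "pfctl -Fa -e -f /etc/pf.conf" reload described in the reply. The script name pf-linkup.sh, the state file path /var/db/pf-linkup.ip and the sample ifconfig output embedded for the self-test are assumptions.

```shell
#!/bin/sh
# pf-linkup.sh -- added example, not from the original mail.
# Reload pf rules after a ppp(8) link-up, but only when the tun0 address
# actually changed. Assumes BSD-style ifconfig output and pfctl in /sbin.

STATE_FILE="${STATE_FILE:-/var/db/pf-linkup.ip}"   # assumed path, adjust to taste
PFCONF="${PFCONF:-/etc/pf.conf}"

# Constructed sample of ifconfig output, used only by demo_extract below.
SAMPLE_IFCONFIG='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
	inet 203.0.113.7 --> 203.0.113.1 netmask 0xffffffff
	inet6 fe80::1%tun0 prefixlen 64 scopeid 0x5
	Opened by PID 123'

# Print the first IPv4 address from ifconfig output read on stdin.
# Matching the "inet A.B.C.D" field is stable even if the "--> peer" or
# netmask part changes, unlike "tr ' ' '\n' | tail -6 | head -1".
iface_inet_addr() {
    awk '$1 == "inet" { print $2; exit }'
}

# Run the extractor over the constructed sample (for the self-test).
demo_extract() {
    printf '%s\n' "$SAMPLE_IFCONFIG" | iface_inet_addr
}

# Print "reload", "unchanged" or "no-address".
# $1 = current address (may be empty), $2 = stored address ("" if none).
decide() {
    if [ -z "$1" ]; then
        echo "no-address"
    elif [ "$1" != "$2" ]; then
        echo "reload"
    else
        echo "unchanged"
    fi
}

main() {
    cur=$(/sbin/ifconfig tun0 2>/dev/null | iface_inet_addr)
    stored=""
    [ -r "$STATE_FILE" ] && stored=$(cat "$STATE_FILE")
    case $(decide "$cur" "$stored") in
        reload)
            # -Fa flushes rules and states bound to the old address, -e enables
            # pf if it is still disabled, -f loads the rules for the new address.
            /sbin/pfctl -Fa -e -f "$PFCONF" && printf '%s\n' "$cur" > "$STATE_FILE"
            ;;
        no-address)
            logger -t pf-linkup "tun0 has no IPv4 address; pf not reloaded"
            ;;
    esac
}

# Run main only when invoked as the script itself (e.g. from ppp.linkup).
case "${0##*/}" in pf-linkup.sh) main "$@" ;; esac
```

Hook it from ppp.linkup under the MYADDR label with "! sh /path/to/pf-linkup.sh", the same way the quoted ppp.linkup calls tun0ip.sh. Because -e is harmless when pf is already enabled, repeated link-ups simply reload the ruleset with the new address; if ppp.linkup never runs the script, /var/log/ppp.log is the place to look, as the reply notes.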