From owner-freebsd-net@FreeBSD.ORG Wed Jul 30 12:51:36 2003
Date: Wed, 30 Jul 2003 12:51:32 -0700 (PDT)
From: Julian Elischer
To: Rocco Caputo
In-Reply-To: <20030730191530.GD36116@eyrie.homenet>
cc: freebsd-net@freebsd.org
Subject: Re: pppoe, can't ping tun0, ipfnat ftp proxy "doesn't work"
List-Id: Networking and TCP/IP with FreeBSD

You are complicating things by running both ipfw and ipf.
Can you not do just one of them?

On Wed, 30 Jul 2003, Rocco Caputo wrote:

> [Originally posted to freebsd-questions, but someone suggested
> freebsd-net instead.]
>
> I've acquired DSL. My modem's PPPoE and NAT have a tendency to remap
> ports, so I switched it to bridged Ethernet. Now I'm using ppp(8) for
> PPPoE. I'm using ipfw2 for QOS things (pipes and queues). I'm using
> ipf for firewalling and ftp proxying.
>
> Almost everything works well, except (so far) active FTP and pinging the
> tun0 interface.
>
> tcpdump shows ICMP echo requests and responses, but ping does not see
> them. Opening ipf (pass in all, pass out all) "fixes" ping.
>
> ipfnat's active ftp proxy sees the PORT request and punches a hole
> through the firewall, but incoming packets don't arrive. Opening ipf
> "fixes" this, too.
>
> Other incoming connections seem to work fine. DNS works fine. TCP
> works fine.
>
> I've read the handbook, the howtos, searched the list archives, usenet,
> and the web. Nothing solved it.
>
> So. What have I overlooked? Where have I gone wrong? Would you like
> to see my cling-film collection? How about an extensive (but perhaps
> not exhaustive) collection of excerpts from my system configuration
> files? Ok, it is included.
>
> --
> Rocco Caputo - rcaputo@pobox.com - http://poe.perl.org/
>
> === ppp.conf
>
> default:
>  ident user-ppp VERSION (built COMPILATIONDATE)
>  set log CBCP CCP Chat Connect Command IPCP tun Phase Warning
>
> papchap:
>  add default HISADDR
>  disable ipv6cp
>  disable vjcomp
>  enable iface-alias
>  enable lqr
>  enable tcpmssfixup
>  nat enable yes
>  nat log yes
>  nat same_ports yes
>  set authkey *****
>  set authname *****
>  set cd 5
>  set crtscts off
>  set device PPPoE:dc0
>  set dia
>  set ifaddr 68.213.211.142/0 192.168.36.176/0
>  set login
>  set lqrperiod 1
>  set mru 1492
>  set mtu 1492
>  set redial 1 0
>  set server /var/run/tun0 "" 0177
>  set speed sync
>  set timeout 0
>
> === netstat -rn
>
> Routing tables
>
> Internet:
> Destination        Gateway            Flags    Refs      Use  Netif Expire
> default            192.168.36.176     UGSc       80  1377475   tun0
> 10                 link#2             UC          4        0    rl0
> 10.0.0.7           link#2             UHLW        0        8    rl0
> 10.0.0.18          00:e0:18:0b:ac:22  UHLW        1   115334    rl0    303
> 10.0.0.25          00:e0:18:30:68:32  UHLW        0   292874    lo0
> 10.0.0.100         00:e0:18:30:65:f6  UHLW        1   111019    rl0    163
> 127.0.0.1          127.0.0.1          UH          6   196295    lo0
> 192.168.1          link#1             UC          2        0    dc0
> 192.168.1.25       00:04:5a:59:8e:92  UHLW        0   142112    lo0
> 192.168.1.254      00:60:0f:31:c7:86  UHLW        0    75153    dc0    865
> 192.168.36.176     68.213.211.142     UH         76    71059   tun0
>
> === ipfstat -i
>
> block in quick on tun0 from 0.0.0.0/8 to any
> block in quick on tun0 from 127.0.0.0/8 to any
> block in quick on tun0 from 169.254.0.0/16 to any
> block in quick on tun0 from 172.16.0.0/12 to any
> block in quick on tun0 from 192.0.2.0/24 to any
> block in quick on tun0 from 192.168.0.0/16 to any
> block in quick on tun0 from 224.0.0.0/4 to any
> block in quick on tun0 from 240.0.0.0/4 to any
> pass in quick on lo0 from any to any
> pass in quick on rl0 from any to any
> pass in quick on dc0 from any to any
> pass in quick on tun0 proto tcp from any to any port = 80 flags S/FSRPAU keep state keep frags
> pass in quick on tun0 proto tcp from any to any port = 113 flags S/FSRPAU keep state keep frags
> pass in quick on tun0 proto tcp from any to any port = 433 flags S/FSRPAU keep state keep frags
> pass in quick on tun0 proto tcp from any to any port 6881 >< 6999 flags S/FSRPAU keep state keep frags
> pass in quick on tun0 proto tcp from any to any port = 11512 flags S/FSRPAU keep state keep frags
> pass in quick on tun0 proto tcp from any to any port 32000 >< 32100 flags S/FSRPAU keep state keep frags
> block in quick from any to any
>
> === ipfstat -o
>
> block out quick on tun0 from 0.0.0.0/8 to any
> block out quick on tun0 from 127.0.0.0/8 to any
> block out quick on tun0 from 169.254.0.0/16 to any
> block out quick on tun0 from 172.16.0.0/12 to any
> block out quick on tun0 from 192.0.2.0/24 to any
> block out quick on tun0 from 192.168.0.0/16 to any
> block out quick on tun0 from 224.0.0.0/4 to any
> block out quick on tun0 from 240.0.0.0/4 to any
> pass out quick on lo0 from any to any
> pass out quick on rl0 from any to any
> pass out quick on dc0 from any to any
> pass out quick on tun0 proto icmp from any to any keep state
> pass out quick on tun0 proto tcp from any to any flags S/FSRPAU keep state keep frags
> pass out quick on tun0 proto udp from any to any keep state keep frags
> block out quick from any to any
>
> === ipnat -l
>
> List of active MAP/Redirect filters:
> map tun0 68.213.211.142/32 -> 68.213.211.142/32 proxy port ftp ftp/tcp
>
> List of active sessions:
> (none)
>
> === various rc.conf bits
>
> ifconfig_dc0="inet 192.168.1.25 netmask 255.255.255.0"
> network_interfaces="lo0 rl0 dc0 tun0"
>
> firewall_enable="YES"
> firewall_logging="YES"
> firewall_type="/etc/rc.firewall.custom"
> firewall_flags="-p /usr/bin/cpp"
>
> ipfilter_enable="YES"
> ipfilter_program="/sbin/ipf"
> ipfilter_rules="/etc/ipf.rules"
>
> ipnat_enable="YES"
>
> ppp_enable="yes"
> ppp_mode="ddial"
> ppp_nat="yes"
> ppp_profile="papchap"
>
> === ipfw show
>
> 01110 queue 18 icmp from any to any in via tun0
> 01110 queue 18 ip from any to any in via tun0 iptos lowdelay,throughput
> 01120 queue 18 tcp from any to any in via tun0 tcpflags ack
> 01120 queue 18 tcp from any to any in via tun0 tcpflags ack
> 01300 queue 14 ip from any to any in via tun0 iptos lowdelay
> 01310 queue 14 tcp from any 6666-6669 to any in via tun0
> 01320 queue 14 tcp from any 80 to any in via tun0
> 01400 queue 11 tcp from any 119 to any in via tun0
> 01410 queue 11 tcp from any 5999 to any in via tun0
> 01420 queue 11 tcp from any to any in via tun0 iplen 1500
> 01430 queue 11 tcp from any 6881-6889 to any in via tun0
> 01440 queue 11 tcp from any to any dst-port 6881-6889 in via tun0
> 01900 queue 12 ip from any to any in via tun0
> 02100 queue 28 icmp from any to any out via tun0
> 02110 queue 28 ip from any to any out via tun0 iptos lowdelay,throughput
> 02120 queue 28 tcp from any to any out via tun0 tcpflags ack
> 02130 queue 28 tcp from any to any out via tun0 setup
> 02300 queue 24 ip from any to any out via tun0 iptos lowdelay
> 02310 queue 24 tcp from any to any dst-port 6666-6669 out via tun0
> 02400 queue 21 tcp from any 80 to any out via tun0
> 02410 queue 21 tcp from any 443 to any out via tun0
> 02420 queue 21 tcp from any 11512 to any out via tun0
> 02430 queue 21 tcp from any to any dst-port 119 out via tun0
> 02440 queue 21 tcp from any to any dst-port 5999 out via tun0
> 02450 queue 21 tcp from any to any out via tun0 iplen 1500
> 02460 queue 21 tcp from any 6881-6889 to any out via tun0
> 02470 queue 21 tcp from any to any dst-port 6881-6889 out via tun0
> 02900 queue 22 ip from any to any out via tun0
> 60000 allow ip from any to any via lo0
> 60010 allow ip from any to any via rl0
> 60020 allow ip from any to any via dc0
> 60030 allow ip from any to any via tun0
> 60040 allow ip from any to any
> 65535 deny ip from any to any
>
> === ipfw queue show
>
> 00010: 368.000 Kbit/s    0 ms   36 KB  0 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> 00011: 736.000 Kbit/s    0 ms   73 KB  0 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> 00012:   1.472 Mbit/s    0 ms  147 KB  0 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> 00020:  64.000 Kbit/s    0 ms 6144 B   0 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> 00021: 128.000 Kbit/s    0 ms   12 KB  0 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> 00022: 256.000 Kbit/s    0 ms   25 KB  0 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
>
> === end
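A way to see where a given inbound packet lands in the quoted ipf ruleset, as an added example that is not part of the original thread: a small evaluator for the subset of ipf(5) syntax the post uses, applying ipf's last-match-wins-unless-quick semantics. It models only stateless matching (no keep state, no ipnat proxy holes), the rule excerpt is taken from the quoted ipfstat -i output, and the source addresses in the packets are constructed.

```python
import ipaddress

# Constructed excerpt of the inbound ipf rules quoted in the post (ipfstat -i).
IPF_IN_RULES = """
block in quick on tun0 from 192.168.0.0/16 to any
pass in quick on tun0 proto tcp from any to any port = 80 flags S/FSRPAU keep state keep frags
pass in quick on tun0 proto tcp from any to any port 6881 >< 6999 flags S/FSRPAU keep state keep frags
block in quick from any to any
"""

def parse_rule(line):
    t, i = line.split(), 2
    rule = {"dir": t[1], "quick": "quick" in t, "iface": None, "proto": None, "ports": None,
            "src": ipaddress.ip_network("0.0.0.0/0"), "dst": ipaddress.ip_network("0.0.0.0/0"), "text": line}
    while i < len(t):
        w = t[i]
        if w in ("on", "proto"):
            rule["iface" if w == "on" else "proto"] = t[i + 1]; i += 2
        elif w in ("from", "to"):
            if t[i + 1] != "any": rule["src" if w == "from" else "dst"] = ipaddress.ip_network(t[i + 1])
            i += 2
        elif w == "port" and t[i + 1] == "=":
            rule["ports"] = (int(t[i + 2]), int(t[i + 2])); i += 3
        elif w == "port":  # "port a >< b" matches ports strictly between a and b
            rule["ports"] = (int(t[i + 1]) + 1, int(t[i + 3]) - 1); i += 4
        else:  # flags / keep state / keep frags are not modelled: this is a stateless check
            i += 1
    return rule

def matches(rule, pkt):
    ports_ok = rule["ports"] is None or rule["ports"][0] <= pkt.get("dport", -1) <= rule["ports"][1]
    return (ports_ok and rule["dir"] == pkt["dir"] and rule["iface"] in (None, pkt["iface"])
            and rule["proto"] in (None, pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in rule["src"]
            and ipaddress.ip_address(pkt["dst"]) in rule["dst"])

# ipf semantics: the LAST matching rule wins, unless a matching rule is marked "quick".
def evaluate(rules, pkt):
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule["quick"]: break
    return winner["text"] if winner else None

RULES = [parse_rule(l) for l in IPF_IN_RULES.strip().splitlines()]

def inbound_tcp(src, dport, iface="tun0"):
    return evaluate(RULES, {"dir": "in", "iface": iface, "proto": "tcp",
                            "src": src, "dst": "68.213.211.142", "dport": dport})
```

Without a hole punched by the ipnat ftp proxy, an inbound SYN from a remote FTP server to a high data port falls through to the final "block in quick", and port 6881 itself is outside the exclusive "6881 >< 6999" range.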