Date: Thu, 30 Mar 2006 12:52:06 +0200
From: Erik Norgaard <norgaard@locolomo.org>
To: questions@freebsd.org
Subject: 6.1-PRERELEASE: pf blocks fetch after restart
Message-ID: <442BB856.90709@locolomo.org>
Hi:

I wrote about this some weeks ago, now I have investigated further, system upgraded to latest (yesterday) snap of RELENG_6.

Summary:

1) boot
2a) fetch http://host/file: operation not permitted
2b) fetch ftp://host/file: operation not permitted
3) pfctl -Fr && pfctl -Rf pf.conf
4a) fetch http://host/file: successful
4b) fetch ftp://host/file: successful
5) pfctl -Fa && pfctl -f pf.conf
6) tcping host_on_lan 22: port open
7a) fetch http://host/file: operation not permitted
7b) fetch ftp://host/file: operation not permitted

There is one more thing that is weird: the interface, em0, after successful configuration with dhcp, reports status "no carrier". This happens on boot as well as if I run

  # /etc/rc.d/netif restart

however running the above does not change whether fetch succeeds or not. The problem with netif is not solved if the interface is configured with a static ip, nor is the problem with fetch.

I can repeat this, it has occurred on a number of snapshots of the PRERELEASE.

Any ideas on how to solve this?

Thanks, Erik

Complete transcript of session:

Script started on Thu Mar 30 12:39:48 2006
You have mail.
mordac# uname -a
FreeBSD mordac 6.1-PRERELEASE FreeBSD 6.1-PRERELEASE #0: Thu Mar 30 11:08:17 CEST 2006     root@mordac:/usr/obj/usr/src/sys/SERVER6-SMP  i386
mordac# /etc/rc.d/netif restart
Stopping network: lo0 em0.
em0: no link .... got link
DHCPREQUEST on em0 to 255.255.255.255 port 67
DHCPREQUEST on em0 to 255.255.255.255 port 67
DHCPDISCOVER on em0 to 255.255.255.255 port 67 interval 6
DHCPOFFER from 172.24.0.24
DHCPREQUEST on em0 to 255.255.255.255 port 67
DHCPACK from 172.24.0.24
bound to 172.24.8.48 -- renewal in 1296000 seconds.
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=b<RXCSUM,TXCSUM,VLAN_MTU>
        inet6 fe80::213:72ff:fe3d:e2f4%em0 prefixlen 64 scopeid 0x1
        inet 172.24.8.48 netmask 0xfffff000 broadcast 172.24.15.255
        ether 00:13:72:3d:e2:f4
        media: Ethernet autoselect
        status: no carrier
mordac# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=b<RXCSUM,TXCSUM,VLAN_MTU>
        inet6 fe80::213:72ff:fe3d:e2f4%em0 prefixlen 64 scopeid 0x1
        inet 172.24.8.48 netmask 0xfffff000 broadcast 172.24.15.255
        ether 00:13:72:3d:e2:f4
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
mordac# /etc/rc.d/pf restart
No ALTQ support in kernel
ALTQ related functions disabled
Disabling pf.
No ALTQ support in kernel
ALTQ related functions disabled
pf disabled
Enabling pf.
No ALTQ support in kernel
ALTQ related functions disabled
No ALTQ support in kernel
ALTQ related functions disabled
No ALTQ support in kernel
ALTQ related functions disabled
pf enabled
mordac# tcping 172.24.8.84 22
172.24.8.84 port 22 open.
mordac# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/tcping-1.3.4.tar.gz
fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/tcping-1.3.4.tar.gz: Operation not permitted
mordac# fetch http://www.linuxco.de/tcping/tcping-1.3.4.tar.gz
fetch: http://www.linuxco.de/tcping/tcping-1.3.4.tar.gz: Operation not permitted
mordac# pfctl -Fr && pfctl -Rf /etc/pf.conf
No ALTQ support in kernel
ALTQ related functions disabled
rules cleared
No ALTQ support in kernel
ALTQ related functions disabled
mordac# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/tcping-1.3.4.tar.gz
tcping-1.3.4.tar.gz                             0% of   11 kB    0 Bps
tcping-1.3.4.tar.gz                           100% of   11 kB   32 MBps
mordac# fetch http://www.linuxco.de/tcping/tcping-1.3.4.tar.gz
tcping-1.3.4.tar.gz                             0% of   11 kB    0 Bps
tcping-1.3.4.tar.gz                           100% of   11 kB   36 MBps
mordac# tcping 172.24.8.84 22
172.24.8.84 port 22 open.
mordac# pfctl -Fa && pfctl -f /etc/pf.conf
No ALTQ support in kernel
ALTQ related functions disabled
rules cleared
nat cleared
0 tables deleted.
7 states cleared
source tracking entries cleared
pf: statistics cleared
pf: interface flags reset
No ALTQ support in kernel
ALTQ related functions disabled
mordac# tcping 172.24.8.84 22
172.24.8.84 port 22 open.
mordac# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/tcping-1.3.4.tar.gz
fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/tcping-1.3.4.tar.gz: Operation not permitted
mordac# fetch http://www.linuxco.de/tcping/tcping-1.3.4.tar.gz
fetch: http://www.linuxco.de/tcping/tcping-1.3.4.tar.gz: Operation not permitted
mordac# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=b<RXCSUM,TXCSUM,VLAN_MTU>
        inet6 fe80::213:72ff:fe3d:e2f4%em0 prefixlen 64 scopeid 0x1
        inet 172.24.8.48 netmask 0xfffff000 broadcast 172.24.15.255
        ether 00:13:72:3d:e2:f4
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
mordac# exit

Script done on Thu Mar 30 12:44:20 2006

pf.conf:

# Interfaces, not loopback
ext_if  = em0
ext_net = "(em0:network)"
ext_ip  = "(em0)"

# Networks: LAN is non-internet address spaces, i.e. local networks
lan_net = "{ 172.16.0.0/12 192.168.0.0/16 }"

# These networks are listed in RFC3330 and not used:
table <nullnet> const { 0/8, 10/8, 127/8, 169.254/16, 172.16/12, \
                        !172.24/20, 192.0.2/24, 192.168/16, \
                        !192.168.212/24, 198.18/15, \
                        224/4, 240/4 }

# Services: Services listed by name must be in /etc/services, else
# use number
ext_tcp  = "{ ssh }"
lan_tcp  = "{ ssh ftp svn postgresql 49152:49216 }"
lan_icmp = "{ echoreq }"

#
# Define filtering rules
#

# default policy: block and log, log is used to catch unknown traffic
# logs by this rule means something has not been taken care of
block log all

# Allow all traffic on loopback interface
pass in  quick on lo0 all
pass out quick on lo0 all

# Block (default) incoming traffic, this rule marks the start of a group,
# needed for optimal skip step.
block in log on $ext_if all

# Anti spoofing
block in quick on $ext_if inet from <nullnet>
block in quick on $ext_if inet from any to !$ext_ip

# Local/LAN access only
pass in quick on $ext_if inet proto tcp from $lan_net to $ext_ip \
     port $lan_tcp flags S/SA keep state
#pass in quick on $ext_if inet proto udp from $lan_net to $ext_ip \
#     port $lan_udp keep state
pass in quick on $ext_if inet proto icmp from $lan_net to $ext_ip \
     icmp-type $lan_icmp keep state

# External access
pass in quick on $ext_if inet proto tcp from any to $ext_ip \
     port $ext_tcp flags S/SA keep state

# Catch rule for remaining packets
block in log quick on $ext_if all

# Outgoing traffic:
block out log on $ext_if all

# Anti spoofing
block out quick on $ext_if inet from <nullnet> to any
block out quick on $ext_if inet from $ext_ip to <nullnet>

# OK, just allow all out, this should be more restrictive:
pass out quick on $ext_if inet proto tcp from $ext_ip to any \
     flags S/SA keep state
pass out quick on $ext_if inet proto udp from $ext_ip to any \
     keep state
pass out quick on $ext_if inet proto icmp from $ext_ip to any \
     keep state

# Catch rule for remaining packets
block out log quick on $ext_if

-- 
Ph: +34.666334818
web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID:  9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
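Added example, not part of Erik's mail or of FreeBSD's pf: a small Python model of how pf resolves the negated entries in the <nullnet> table above (the longest matching prefix wins, and if that entry is negated the address is not in the table), checked against addresses that appear in the transcript. The table entries are expanded from pf's short CIDR notation by hand.

```python
"""Model pf table matching with negated entries (longest prefix wins)."""
import ipaddress

# Constructed from the <nullnet> table in the posted pf.conf, with pf's
# shorthand ("10/8", "!172.24/20") expanded to full CIDR notation.
NULLNET = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "!172.24.0.0/20", "192.0.2.0/24", "192.168.0.0/16",
    "!192.168.212.0/24", "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
]


def parse_table(entries):
    """Turn 'cidr' / '!cidr' strings into (network, negated) tuples."""
    parsed = []
    for entry in entries:
        negated = entry.startswith("!")
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        parsed.append((net, negated))
    return parsed


def in_table(addr, table):
    """True if addr matches the table the way pf evaluates it.

    pf picks the most specific entry containing the address; a negated
    entry that wins the longest-prefix comparison excludes the address.
    """
    ip = ipaddress.ip_address(addr)
    best = None
    for net, negated in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, negated)
    return best is not None and not best[1]


def blocked_destinations(addrs, table=None):
    """Destinations that 'block out ... from $ext_ip to <nullnet>' hits."""
    table = table or parse_table(NULLNET)
    return [a for a in addrs if in_table(a, table)]


if __name__ == "__main__":
    # 172.24.8.84 (the LAN host from the transcript) is carved out of
    # 172.16/12 by !172.24/20, so it is not in <nullnet>.
    for a in ["172.24.8.84", "172.16.5.1", "192.168.212.9", "192.168.1.1"]:
        print(a, "in <nullnet>:", in_table(a, parse_table(NULLNET)))
```

The carve-out for 172.24/20 is consistent with tcping to 172.24.8.84 succeeding in the transcript; the example only models table membership, not the rest of the ruleset.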
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?442BB856.90709>