Date:      Thu, 16 Sep 2004 03:40:03 -0000
From:      Pyun YongHyeon <yongari@kt-is.co.kr>
To:        pf4freebsd@freelists.org
Cc:        rasgal@palantir.no
Subject:   [pf4freebsd] Re: Version 1.52
Message-ID:  <20030610070936.GA1767@kt-is.co.kr>
In-Reply-To: <BasiliX-1.1.0-10551743973ee4aefda1ad3@pals013>
References:  <BasiliX-1.1.0-10551743973ee4aefda1ad3@pals013>

On Mon, Jun 09, 2003 at 05:59:57PM +0200, Rolf Skaar wrote:
 > 
 > 
[snip]
 > 
 > No problem, I am glad if i can help.
 > 
 > Here is my network layout:
 >
 >     INET <-->          GATEWAY            <--> WORKSTATION
 >     [ISP_gateway <--> my_tun0_IP] <--> [xl1:10.10.0.1 <--> xl0:10.10.0.250]
 >                        External                              Internal
 > 
 > I have configured my box to configure everything at boot time to maximise uptime on my box, as I'm not around all the time;
 > the pf version is pf_freebsd_1.52.tar.gz.
 > 
[snip]
 > 
 > and here is my ppp.linkup:
 > 
 > MYADDR:
 >  ! sh -c "/sbin/ifconfig pflog0 up"
 >  ! sh -c "/sbin/ifconfig pfsync0 up"
 >  !bg sh -c "/home/rasgal/myscripts/tunnel.sh"
 >  ! sh -c "/usr/local/sbin/pflogd"
 >  ! sh -c "/usr/local/sbin/pfctl -e -q -Fa -f /home/rasgal/myconfig/pf.conf"
 > 
 > This loads all the rules, and everything should be up and running now...
 > What tunnel.sh does is set up my IPv6 connection.
 > 
You should not do it like this. Because the file ppp.linkup is executed
whenever tun0's address changes, it should contain only a command to set
up a new pf rule set or route commands (i.e. you should have a pf rule
update command only). All the other commands (pflog0 up, pflogd, etc.)
should be called before the pf update command.
Also note that if your tunnel.sh configures an interface address that pf
references, it should be run before the pf rule set update. Because you
have used background execution to run tunnel.sh, there is no guarantee
the script will have completed before you invoke pfctl.

 > OK, my rule set is somewhat simple (pass all in/out), and blocks only the services that I want it to:
 > 
 > Ext = "tun0"
 > Int = "xl1"
 > tunnel = "gif0"
 > Loop = "lo0"
 > portblock = "{ 21, 111, 1023 }"
 > portpass = "{ 53 }"
 > 
 > scrub in all fragment reassemble
 > 
 > # IPv4 NAT configuration #
 > #nat on ! $Int from $Int/24 to any -> $Ext
 > #nat on $Ext from $Int/24 to any -> $Ext
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
You don't have any valid NAT entry. The above rule should read as follows:
nat on $Ext from 10.10.0.0/24 to any -> $Ext

 > 
 > # Redirect #
 > rdr on $Ext proto tcp from any to any port 60000:60010 -> 10.10.0.250 port 60000:*
 > rdr on $Ext proto tcp from any to any port 62003 -> 10.10.0.250 port 62003
 > 
[snip]
 > 
 > and here is my output from "pfctl -sa":
 > 
 > [ <root> _- ~ -_ 4:30:02pm Mon Jun 09 ]
 > %pfctl -sa
 > 
 > scrub in all fragment reassemble 
 > block drop in quick on tun0 proto tcp from any to any port = ftp 
 > block drop in quick on tun0 proto tcp from any to any port = sunrpc 
 > block drop in quick on tun0 proto tcp from any to any port = 1023 
 > pass in quick on lo0 all 
 > pass out quick on lo0 all 
 > pass in quick on tun0 all 
 > pass out quick on tun0 all 
 > pass in quick on gif0 proto ipv6 all 
 > pass out quick on gif0 proto ipv6 all 
 > nat on ! xl1 inet from 10.10.0.0/24 to any -> 80.212.169.91
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
It's strange to me. You don't have any valid NAT in your rule file, but
pfctl says you have one. Did you really use the rule set presented
here?

 > rdr on tun0 inet proto tcp from any to any port 60000:60010 -> 10.10.0.250 port 60000:60010
 > rdr on tun0 inet proto tcp from any to any port = 62003 -> 10.10.0.250 port 62003
 > pfctl: DIOCGETALTQS: Operation not supported by device
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This message should not show up. Do you use an ALTQ-enabled kernel?
According to your kernel configuration you don't use ALTQ at all.
Have you rebuilt the pf kernel module after the kernel changes?
(i.e. the pf kernel module tries to use ALTQ but your kernel does not
support ALTQ.)

 >
[snip]

Please rebuild your FreeBSD pf first. (This assumes you do not use ALTQ.)
#killall pflogd
#kldunload pf
#kldunload pfaltq (if you have loaded it)
#kldunload pfsync
#kldunload pflog
#cd /path/to/pf_source_location
#make clean
#make && make install

Load the pf module only after your ppp connection has completed.
Start from the following simple rule and add more rules when needed.

nat on tun0 from 10.10.0.0/24 to any -> tun0

Yes it's a single rule.
Thank you.

-- 
Pyun YongHyeon <http://www.kr.freebsd.org/~yongari>
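As an added illustration of the two configuration problems discussed in this message (it is not code from the thread or from the pf4freebsd project), the following Python script reads a pf.conf and a ppp.linkup the way the reply does: it drops commented-out rules, expands macros such as $Int/24, and reports that no NAT rule is active and that a backgrounded job precedes the pfctl reload. Both inputs are constructed samples transcribed from the quoted configuration, and the pf.conf grammar handled here (a '#' comment, one-line quoted macros, $name expansion) is a deliberate simplification of what pfctl actually parses.

```python
"""Lint a pf.conf and a ppp.linkup for the problems pointed out in the reply."""
import ipaddress
import re

# Constructed sample, transcribed from the ruleset quoted in the thread:
# both nat lines are commented out, so pf loads no NAT rule at all.
PF_CONF = """\
Ext = "tun0"
Int = "xl1"
tunnel = "gif0"
Loop = "lo0"
portblock = "{ 21, 111, 1023 }"
portpass = "{ 53 }"

scrub in all fragment reassemble

# IPv4 NAT configuration #
#nat on ! $Int from $Int/24 to any -> $Ext
#nat on $Ext from $Int/24 to any -> $Ext

# Redirect #
rdr on $Ext proto tcp from any to any port 60000:60010 -> 10.10.0.250 port 60000:*
rdr on $Ext proto tcp from any to any port 62003 -> 10.10.0.250 port 62003
"""

# Constructed sample of the ppp.linkup quoted in the thread (pfctl line written plainly).
PPP_LINKUP = """\
MYADDR:
 ! sh -c "/sbin/ifconfig pflog0 up"
 ! sh -c "/sbin/ifconfig pfsync0 up"
 !bg sh -c "/home/rasgal/myscripts/tunnel.sh"
 ! sh -c "/usr/local/sbin/pflogd"
 ! sh -c "/usr/local/sbin/pfctl -e -q -Fa -f /home/rasgal/myconfig/pf.conf"
"""

# Simplified pf.conf syntax (assumption): '#' starts a comment, a macro is
# name = "value" on one line, and $name inside a rule is replaced by value.
MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')


def expand_macros(macros, text):
    """Replace every $name with its macro value; unknown names are left as-is."""
    return re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), text)


def parse_pf_conf(text):
    """Return (macros, active_rules). Commented-out rules never reach pf."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
        else:
            rules.append(expand_macros(macros, line))
    return macros, rules


def is_ipv4_network(token):
    """True for a real network such as 10.10.0.0/24; False for xl1/24 or tun0."""
    try:
        return ipaddress.ip_network(token, strict=True).version == 4
    except ValueError:
        return False


def check_nat(rules):
    """Report what the reply found: no active nat rule, or a nat source that is
    an interface name with a mask ($Int/24 -> xl1/24) instead of the LAN network."""
    nat = [r for r in rules if r.startswith("nat ")]
    if not nat:
        return ["no active nat rule: every nat line is commented out"]
    problems = []
    for rule in nat:
        words = rule.split()
        source = words[words.index("from") + 1]
        if source != "any" and not is_ipv4_network(source):
            problems.append(f"nat source '{source}' is not an IPv4 network; write the LAN network instead")
    return problems


def check_linkup(text):
    """Flag commands in the link-up hook other than the pf reload, and any '!bg'
    job started before pfctl, whose completion pfctl cannot wait for."""
    problems, background = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("!"):
            continue  # label lines such as MYADDR:
        directive, _, cmd = line.partition(" ")
        if "pfctl" in cmd:
            problems += [f"started in background before pfctl, may not be done: {job}" for job in background]
        else:
            if directive == "!bg":
                background.append(cmd)
            problems.append(f"not a pf rule update, run it before the hook instead: {cmd}")
    return problems


if __name__ == "__main__":
    macros, rules = parse_pf_conf(PF_CONF)
    for p in check_nat(rules) + check_linkup(PPP_LINKUP):
        print("-", p)
    print("suggested single rule:", expand_macros(macros, "nat on $Ext from 10.10.0.0/24 to any -> $Ext"))
```

Run as a script it lists five findings for the sample ppp.linkup (four commands that belong before the hook and the backgrounded tunnel.sh that pfctl may overtake) plus the missing NAT rule, and prints the single nat rule the reply recommends starting from.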