Date: Fri, 26 Nov 2004 20:31:49 +0100
From: Max Laier <max@love2party.net>
To: Jonathan Weiss <tomonage2@gmx.de>
Cc: freebsd-pf@freebsd.org
Subject: Re: Strange behaviour with PF on FreeBSD 5.3-STABLE
Message-ID: <200411262032.04809.max@love2party.net>
In-Reply-To: <BDCD2EFC.118B3%tomonage2@gmx.de>
References: <BDCD2EFC.118B3%tomonage2@gmx.de>
On Friday 26 November 2004 19:05, Jonathan Weiss wrote:
> Hi Max,
>
> > You are supposed to have a NAT rule somewhere. Please let us know the
> > complete ruleset (including translation rules) and include match counters
> > so that people can figure if a certain rule is matched at all (pfctl -vv
> > -sn -sr).
>
> This was my complete ruleset, as I switched from my default ruleset in
> order to debug the problem.
>
> ext_if="ed0"
> int_if="vr0"
> tun_if="tun0"
> internal_net="192.168.0.0/24"
>
> set loginterface $tun_if
>
> #nat on $tun_if from $internal_net to any -> ($tun_if)
>
> #default block
> block return log-all
>
> pass on $tun_if
> pass on $ext_if
> pass on $int_if
>
> --------------------------------------
> pfctl -vv -sn -sr
> @0 block return log-all all
>   [ Evaluations: 2171  Packets: 1130  Bytes: 69021  States: 0
> @1 pass on tun0 all
>   [ Evaluations: 2171  Packets: 0     Bytes: 0      States: 0

Hmmm ... tun0 is never matched against. Can I have a look at $ifconfig and
$pfctl -vvsI ? Also try to watch pflog ($ifconfig pflog0 up && tcpdump
-vvvnei pflog0). What does it say?

> @2 pass on ed0 all
>   [ Evaluations: 2171  Packets: 0     Bytes: 0      States: 0
> @3 pass on vr0 all
>   [ Evaluations: 2171  Packets: 1041  Bytes: 65738  States: 0
>
> > Make sure that the NAT rule has dynamic address tracking (as I think you
> > get a dynamic IP from your ISP). The rule should look something like:
> > nat on tun0 from $internalnet to any -> (tun0)
>
> I use the NAT from ppp, but I think that this is not related, as the
> problem occurs at (or better: also at) the firewall (i386 FreeBSD 5.3-STABLE
> of yesterday). The firewall itself (and everything behind it) cannot
> connect over ppp to external servers when the default block rule is
> activated.

Hmmm - strange. Might be related to the pf_if.c changes. What version are you
running? RELENG_5? RELENG_5_3? HEAD? Did you (src-)update your kernel before
the symptoms occurred? pf_if.c: 1.5.2.2 (RELENG_5) or 1.7 (HEAD)?

> When I deactivate the rule, everything runs smoothly.
>
> > Also note that we have a pf-related mailing list on FreeBSD, called
> > freebsd-pf@freebsd.org. You might want to subscribe and take the
> > discussion there: http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>
> Thanks, I will subscribe. Should we change with this discussion the
> freebsd-centrinc mailing list?

I just did.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
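Two checks that mechanise what Max asks for in the message above, as an added example that is not from the thread, from Max or Jonathan, or from the pf project: the first reads `pfctl -vv -sr` output and lists rules that were evaluated but never matched a packet (the way the tun0 rule's "Packets: 0" counter is read above), the second reads a pf.conf and lists nat rules whose translation target is not a parenthesised interface name, i.e. rules without dynamic address tracking. The sample inputs are constructed for the example (the counters are the ones Jonathan posted, with the closing "]" of each counter line restored; the pf.conf is a small one assembled here), and the function names `rule_counters`, `unmatched_rules` and `nat_without_dynamic_addr` are this example's own.

```shell
#!/bin/sh
# Added example, not part of the thread. Both functions read stdin, so they
# also work on live data:
#   pfctl -vv -sr | unmatched_rules
#   nat_without_dynamic_addr < /etc/pf.conf

# Constructed input: the counters Jonathan posted, closing "]" restored.
SAMPLE_RULES='@0 block return log-all all
  [ Evaluations: 2171 Packets: 1130 Bytes: 69021 States: 0 ]
@1 pass on tun0 all
  [ Evaluations: 2171 Packets: 0 Bytes: 0 States: 0 ]
@2 pass on ed0 all
  [ Evaluations: 2171 Packets: 0 Bytes: 0 States: 0 ]
@3 pass on vr0 all
  [ Evaluations: 2171 Packets: 1041 Bytes: 65738 States: 0 ]'

# Constructed pf.conf: one nat rule with a bare interface name (its address is
# resolved once at ruleset load and goes stale when the ppp link gets a new
# address) and one with "(ifname)", which is resolved at match time.
SAMPLE_PFCONF='tun_if="tun0"
internal_net="192.168.0.0/24"
# address of tun0 looked up once when the ruleset is loaded
nat on tun0 from 192.168.0.0/24 to any -> tun0
# address of tun0 looked up when a packet is matched
nat on $tun_if from $internal_net to any -> ($tun_if)
block return log-all
pass on $tun_if'

# Emit "<num> <evaluations> <packets> <rule text>" per rule. With -vv, pfctl
# prints each rule as "@<num> <rule>" followed by a bracketed counter line.
rule_counters() {
    awk '
        /^@[0-9]+ / { num = substr($1, 2); rule = substr($0, length($1) + 2); next }
        /Evaluations:/ {
            ev = 0; pk = 0
            for (i = 1; i < NF; i++) {
                if ($i == "Evaluations:") ev = $(i + 1)
                if ($i == "Packets:")     pk = $(i + 1)
            }
            printf "%s %s %s %s\n", num, ev, pk, rule
        }'
}

# Rules pf evaluated but that never matched. A pass rule bound to the
# interface the traffic is supposed to use showing 0 packets means the
# packets are not being seen on that interface at all.
unmatched_rules() {
    rule_counters | awk '$2 > 0 && $3 == 0 {
        line = "@" $1
        for (i = 4; i <= NF; i++) line = line " " $i
        print line
    }'
}

# nat rules whose "->" target is neither "(ifname)" nor a literal address.
# Comment lines are skipped, so a commented-out nat rule is not reported.
nat_without_dynamic_addr() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*nat[ \t]/ && /->/ {
            split($0, parts, "->")
            split(parts[2], t, " ")
            target = t[1]
            if (target !~ /^\(/ && target !~ /^[0-9]/) print $0
        }'
}

if [ "${1:-}" = "demo" ]; then
    echo "== rules evaluated but never matched =="
    printf '%s\n' "$SAMPLE_RULES" | unmatched_rules
    echo "== nat rules without dynamic address tracking =="
    printf '%s\n' "$SAMPLE_PFCONF" | nat_without_dynamic_addr
fi
```

Run with `sh script.sh demo`. On the constructed counters it reports `@1 pass on tun0 all` and `@2 pass on ed0 all`: the ed0 rule is equally unmatched, which is consistent with all outbound traffic being expected on tun0 (the ppp link), not on the Ethernet side. The nat check reports only the rule with the bare `tun0` target; in pf.conf(5) terms, an interface name in parentheses is re-resolved whenever its address changes, a bare name only when the ruleset is loaded, which is exactly the difference that matters on a dial-up link with a changing address.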