Harald Schmalzbauer
2005-Jan-08 06:46 UTC
machine locks with PF (without using user dependent rules)
Dear all,

my machine hard locks with the attached ruleset. If I set debug.mpsafenet to 0 everything is fine. This was a wild guess from me; I could nowhere find the info that PF needs this tweaking and I think it's not intended, otherwise it would be done in rc.conf, e.g.

I read about user-dependent rules in IPFW and that one has to disable mpsafenet, but I'm not using user-based rules in my PF config!

Unfortunately this machine is a CF-card based router where I cannot debug anything; perhaps I can bring a witness kernel on it. Please tell me if this problem is new to you and if I should do that.

Best regards,

-Harry

pf.conf: (note that the interface names are changed, so fxp0 is SDSL, e.g.)

lan_net="172.23.0.0/16"
by_net="192.168.0.0/24"
sdsl_net="a.b.c.d/29"

sdsl_addr="a.b.c.d"
lan_addr="172.23.0.1"
#pppoe_addr="10.0.0.1"
by_addr="192.168.0.1"

proxy="a.a.a.a"
mta="b.b.b.b"
dns="c.c.c.c"
web="d.d.d.d"
dns2="10.0.0.2"

set block-policy return
scrub in all

nat on SDSL from $lan_net to !$sdsl_net -> $sdsl_addr
rdr inet proto tcp from 62.245.232.135 to $sdsl_addr port 3389 -> 172.23.2.1 port 3389

block in all
block out all
pass in on lo0 all
pass out on lo0 all
pass in on LAN from $lan_net to any keep state
pass in on SDSL from 62.245.232.135 to any keep state
pass in on SDSL proto tcp from any to $proxy port { 22, 80, 443 } keep state
pass in on SDSL proto tcp from any to $mta port 25 keep state
pass in on SDSL proto { udp, tcp } from any to $dns port 53 keep state
pass in on SDSL proto tcp from any to $web port { 80, 443 } keep state

pass out on SDSL from $sdsl_net keep state
pass out on LAN from $lan_addr to $lan_net keep state

P.S.: Why do I need the second line with the following rule? Shouldn't the 'keep state' open the internal interface for outgoing packets from the given IP?

pass in on SDSL from 62.245.232.135 to any keep state
pass out on LAN from 62.245.232.135 to 172.23.2.1
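The rdr/pass pair from the P.S. above, written out as an added example (not from the original post or the thread) of how a redirected inbound connection is filtered on both interfaces. Interface names (SDSL, LAN) and addresses are taken from the ruleset above; the macro names ext_host and rdp_srv and the "on SDSL" qualifier on the rdr rule are my additions, and the comments describe pf's per-interface state handling as I understand it for the pf shipped with FreeBSD 5.x at the time, not something the thread states.

```pf
# Added example, not part of the original ruleset.
# A redirected connection from $ext_host crosses two interfaces, so pf
# evaluates it twice: once "in" on SDSL and once "out" on LAN.
ext_host="62.245.232.135"
sdsl_addr="a.b.c.d"
rdp_srv="172.23.2.1"

# Translation happens before filtering, so the filter rules below must
# match the translated destination ($rdp_srv), not $sdsl_addr.
rdr on SDSL inet proto tcp from $ext_host to $sdsl_addr port 3389 -> $rdp_srv port 3389

block in all
block out all

# (1) inbound on SDSL: keep state records the connection on SDSL, so the
#     replies from $rdp_srv leave on SDSL without needing a matching rule.
pass in on SDSL inet proto tcp from $ext_host to $rdp_srv port 3389 keep state

# (2) outbound on LAN: the same packet is evaluated again as it leaves on
#     LAN. The state created in (1) does not pass it on this second,
#     outbound evaluation, so "block out all" drops it unless LAN has its
#     own pass out rule. keep state here records the connection on LAN too.
pass out on LAN inet proto tcp from $ext_host to $rdp_srv port 3389 keep state

# Alternative used by many rulesets: let everything leave on the internal
# interface and do all filtering with the pass in rules on SDSL.
# pass out on LAN all keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading; once loaded, a single connection from $ext_host should show up in `pfctl -ss` as one state on SDSL and one on LAN, which is the per-interface evaluation the second rule exists for.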
Robert Watson
2005-Jan-08 08:56 UTC
machine locks with PF (without using user dependent rules)
On Sat, 8 Jan 2005, Harald Schmalzbauer wrote:

> my machine hard locks with the attached ruleset. If I set
> debug.mpsafenet to 0 everything is fine. This was a wild guess from me,
> I could nowhere find the info that PF needs this tweaking and I think
> it's not intended, otherwise it would be done in rc.conf e.g.
>
> I read about user-dependent rules in IPFW and that one has to disable
> mpsafenet, but I'm not using user-based rules in my PF config!
> Unfortunately this machine is a CF-card based router where I cannot debug
> anything, perhaps I can bring a witness kernel on it, please tell me if
> this problem is new to you and if I should do that.

I've CC'd Max Laier due to his extensive work with pf on FreeBSD. I think a WITNESS+INVARIANTS kernel would be quite helpful, if you could.

Thanks,

Robert N M Watson

>
> Best regards,
>
> -Harry
>
> pf.conf: (note that the interface names are changed, so fxp0 is SDSL e.g.)
>
> lan_net="172.23.0.0/16"
> by_net="192.168.0.0/24"
> sdsl_net="a.b.c.d/29"
>
> sdsl_addr="a.b.c.d"
> lan_addr="172.23.0.1"
> #pppoe_addr="10.0.0.1"
> by_addr="192.168.0.1"
>
> proxy="a.a.a.a"
> mta="b.b.b.b"
> dns="c.c.c.c"
> web="d.d.d.d"
> dns2="10.0.0.2"
>
> set block-policy return
> scrub in all
>
> nat on SDSL from $lan_net to !$sdsl_net -> $sdsl_addr
> rdr inet proto tcp from 62.245.232.135 to $sdsl_addr port 3389 -> 172.23.2.1 port 3389
> block in all
> block out all
> pass in on lo0 all
> pass out on lo0 all
> pass in on LAN from $lan_net to any keep state
> pass in on SDSL from 62.245.232.135 to any keep state
> pass in on SDSL proto tcp from any to $proxy port { 22, 80, 443 } keep state
> pass in on SDSL proto tcp from any to $mta port 25 keep state
> pass in on SDSL proto { udp, tcp } from any to $dns port 53 keep state
> pass in on SDSL proto tcp from any to $web port { 80, 443 } keep state
>
> pass out on SDSL from $sdsl_net keep state
> pass out on LAN from $lan_addr to $lan_net keep state
>
> P.S.: Why do I need the second line with the following rule? Shouldn't the
> 'keep state' open the internal interface for outgoing packets from the given
> IP?
> pass in on SDSL from 62.245.232.135 to any keep state
> pass out on LAN from 62.245.232.135 to 172.23.2.1
>