pf & clonable devices

Max Laier max at love2party.net
Mon Jan 17 14:27:18 PST 2005


On Monday 17 January 2005 18:19, Eric Masson wrote:
> Hi,
>
> uname -a :
> FreeBSD srvbsdnanssv.interne.kisoft-services.com 5.3-STABLE FreeBSD
> 5.3-STABLE #0: Tue Jan 11 11:44:56 CET 2005    
> emss at srvbsdnanssv.interne.kisoft-services.com:/vol0/build/usr/src/sys/K6II 
> i386
>
> kldstat :
> Id Refs Address    Size     Name
>  1   19 0xc0400000 2f6a20   kernel
>  2    1 0xc06f7000 14f08    if_ppp.ko
>  3    1 0xc070c000 9a88     if_xl.ko
>  4    2 0xc0716000 18a44    miibus.ko
>  5    1 0xc072f000 39ac     ulpt.ko
>  6    9 0xc0733000 1357c    agp.ko
>  7    1 0xc13fa000 1e000    nfsserver.ko
>  8    1 0xc1429000 28000    pf.ko
>
> At the moment I'm back on an ISDN line for my internet connection, and I'm
> using pppd (kernel ppp) and an ISDN TA.
>
> I'm using Alain Thivillon's SSLTunnel for the connection to the main office
> (kernel ppp tunnel encapsulated in an SSL session).
>
> pppX interfaces are created on demand as pppd is started.
>
> So I end up with a setup like this one:
> ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1524
>         inet 213.36.152.19 --> 212.129.4.14 netmask 0xffffff00
> ppp1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
>         inet 192.168.0.70 --> 192.168.0.15 netmask 0xffffff00
>
> kernel ppp doesn't seem to reuse existing pppX devices, it creates new
> ones as needed. PF rules are defined for fixed network devices, so I
> destroy pppX interfaces on ppp shutdown and let pppd recreate them as
> needed.
>
> In this case, I need to refresh PF by issuing:
> pfctl -F all -f /etc/pf.conf
> to get traffic passing through the newly recreated ppp0/1 interfaces.
>
> Is this a feature or a bug?

Just guessing, but I assume you forgot to use round brackets around your NAT 
and from/to addresses.  It should look like the following:

nat on ppp0 from $lan -> (ppp0)
nat on ppp1 from $lan -> (ppp1)
pass out on ppp0 from (ppp0) to any ...
pass out on ppp1 from (ppp1) to any ...
pass in  on ppp0 from any to (ppp0) ...

If you already have it this way, you should send more details about your ruleset, 
maybe to the freebsd-pf mailing list.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
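An added example, not part of the original thread, that puts the two forms of the ruleset side by side. The interface names ppp0/ppp1 and the $lan macro come from the messages above; the network assigned to $lan is an assumed placeholder. It assumes the pf syntax of FreeBSD 5.3, where state has to be requested explicitly with "keep state".

```pf
# Added example (not from the original thread). The value of $lan is an
# assumed placeholder; ppp0/ppp1 and the $lan macro are taken from the thread.
lan = "10.0.0.0/24"

# --- Form that breaks when pppX is destroyed and recreated ---
# A bare interface name in an address position (after from/to, or as the
# NAT target) is expanded by pfctl into the interface's address(es) when the
# ruleset is loaded. After ppp0 is destroyed and pppd recreates it with a
# new address, pf keeps matching on the stale literal, so nothing passes
# until the ruleset is reloaded (pfctl -F all -f /etc/pf.conf).
#
# nat on ppp0 from $lan to any -> ppp0
# pass out on ppp0 from ppp0 to any keep state
# pass in  on ppp0 from any to ppp0 keep state

# --- Corrected form ---
# Round brackets make pf look the address up at evaluation time, per packet,
# so the rules follow the interface across destroy/recreate cycles without a
# reload. The "on ppp0" part is matched by interface name and is fine as is.
nat on ppp0 from $lan to any -> (ppp0)
nat on ppp1 from $lan to any -> (ppp1)
pass out on ppp0 from (ppp0) to any keep state
pass out on ppp1 from (ppp1) to any keep state
pass in  on ppp0 from any to (ppp0) keep state
pass in  on ppp1 from any to (ppp1) keep state
```

To check which form is actually loaded, parse the file without loading it with "pfctl -nf /etc/pf.conf" and then list the active rules with "pfctl -sr": in the broken form the interface name has been replaced by the address literal that was current at load time, while in the corrected form the rules still show "(ppp0)".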