[pf4freebsd] problem with 'user'

jb jb at riseup.net
Wed Sep 15 21:00:00 PDT 2004


Hi,

I'm playing with pf on a FreeBSD 5.2 fresh install on i386 and I'm 
experiencing some problems with the following simplified pf.conf on 
my FreeBSD box; it works as I expect on an OpenBSD 3.4 box. The plan is to 
allow local user 'jibe' to do DNS queries.  

My DNS is 10.0.0.2, my box is 10.0.0.8, my NIC is sis0 (more config at
the bottom of this message).

   block in log all
   block out log all
   pass in on lo0 all
   pass out on lo0 all

   pass out log proto udp from any to any port domain user jibe keep state

From the command line, "dig openbsd.org" (say) results in the following
in pflog0 (output of pftcpdump -n -e -ttt -i pflog0):

000000 rule 1/0(match): block out on sis0: 10.0.0.8.49240 > 10.0.0.2.53:  13228+[|domain]
000402 rule 1/0(match): block out on sis0: 10.0.0.8.49242 > 10.0.0.2.53:  13228+[|domain]

Now, changing 'jibe' to 'unknown' in the configuration file:

   block in log all
   block out log all
   pass in on lo0 all
   pass out on lo0 all

   pass out log proto udp from any to any port domain user unknown keep state

dig works and the pftcpdump output is:

100. 942731 rule 4/0(match): pass out on sis0: 10.0.0.8.49244 > 10.0.0.2.53:  53585+[|domain]

The difference between the OpenBSD and FreeBSD pf results makes me think this
is a misbehavior, but it's not like I'm clued about networking and firewalls.
Can others reproduce this, or is it the result of my own confusion?

Thanks for your work, it is really nice to be able to use pf on FreeBSD.
Thanks in advance for your help.
jb


-- More configuration stuff follows.

bash-2.05b$ ifconfig
sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::20a:e6ff:feab:7422%sis0 prefixlen 64 scopeid 0x1
        inet 10.0.0.8 netmask 0xff000000 broadcast 255.255.255.255
        ether 00:0a:e6:ab:74:22
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
pfsync0: flags=41<UP,RUNNING> mtu 1896

bash-2.05b$ cat /etc/resolv.conf
nameserver 10.0.0.2

bash-2.05b$ dmesg
Copyright (c) 1992-2004 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
	The Regents of the University of California. All rights reserved.
FreeBSD 5.2-RELEASE #0: Wed Jan 28 23:46:05 CET 2004
    root at fried.sakeos.net:/usr/src/sys/i386/compile/FRIED
Preloaded elf kernel "/boot/kernel/kernel" at 0xc09e3000.
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: AMD Athlon(tm) Processor (1244.71-MHz 686-class CPU)
  Origin = "AuthenticAMD"  Id = 0x680  Stepping = 0
  Features=0x383f9ff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE>
  AMD Features=0xc0400000<AMIE,DSP,3DNow!>
real memory  = 268369920 (255 MB)
avail memory = 251056128 (239 MB)
Pentium Pro MTRR support enabled
npx0: [FAST]
npx0: <math processor> on motherboard
npx0: INT 16 interface
pcibios: BIOS version 2.10
Using $PIR table, 9 entries at 0xc00f78c0
pcib0: <Host to PCI bridge> at pcibus 0 on motherboard
pci0: <PCI bus> on pcib0
pci_cfgintr: 0:2 INTD BIOS irq 10
pci_cfgintr: 0:2 INTA BIOS irq 5
pci_cfgintr: 0:2 INTC BIOS irq 10
pci_cfgintr: 0:3 INTA BIOS irq 10
pci_cfgintr: 0:19 INTA BIOS irq 11
pci_cfgintr: 0:19 INTB BIOS irq 11
pci_cfgintr: 0:19 INTC BIOS irq 10
agp0: <SIS Generic host to PCI bridge> mem 0xd0000000-0xd3ffffff at device 0.0 on pci0
pcib1: <PCI-PCI bridge> at device 1.0 on pci0
pci1: <PCI bus> on pcib1
pci_cfgintr: 0:1 INTA routed to irq 11
pcib1: slot 0 INTA is routed to irq 11
pci1: <display, VGA> at device 0.0 (no driver attached)
isab0: <PCI-ISA bridge> at device 2.0 on pci0
isa0: <ISA bus> on isab0
ohci0: <SiS 5571 USB controller> mem 0xcfffe000-0xcfffefff irq 10 at device 2.2 on pci0
usb0: OHCI version 1.0, legacy support
usb0: <SiS 5571 USB controller> on ohci0
usb0: USB revision 1.0
uhub0: SiS OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 3 ports with 3 removable, self powered
ohci1: <SiS 5571 USB controller> mem 0xcffff000-0xcfffffff irq 5 at device 2.3 on pci0
usb1: OHCI version 1.0, legacy support
usb1: <SiS 5571 USB controller> on ohci1
usb1: USB revision 1.0
uhub1: SiS OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 3 ports with 3 removable, self powered
atapci0: <SiS 735 UDMA100 controller> port 0xff00-0xff0f at device 2.5 on pci0
ata0: at 0x1f0 irq 14 on atapci0
ata0: [MPSAFE]
ata1: at 0x170 irq 15 on atapci0
ata1: [MPSAFE]
pci0: <multimedia, audio> at device 2.7 (no driver attached)
sis0: <SiS 900 10/100BaseTX> port 0xd400-0xd4ff mem 0xcffdd000-0xcffddfff irq 10 at device 3.0 on pci0
sis0: Ethernet address: 00:0a:e6:ab:74:22
miibus0: <MII bus> on sis0
rlphy0: <RTL8201L 10/100 media interface> on miibus0
rlphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
uhci0: <VIA 83C572 USB controller> port 0xcc00-0xcc1f irq 11 at device 19.0 on pci0
usb2: <VIA 83C572 USB controller> on uhci0
usb2: USB revision 1.0
uhub2: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
uhub2: port error, restarting port 1
uhub2: port error, giving up port 1
uhub2: port error, restarting port 2
uhub2: port error, giving up port 2
uhci1: <VIA 83C572 USB controller> port 0xd000-0xd01f irq 11 at device 19.1 on pci0
usb3: <VIA 83C572 USB controller> on uhci1
usb3: USB revision 1.0
uhub3: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub3: 2 ports with 2 removable, self powered
pci0: <serial bus, USB> at device 19.2 (no driver attached)
orm0: <Option ROM> at iomem 0xcc000-0xd3fff on isa0
pmtimer0 on isa0
atkbdc0: <Keyboard controller (i8042)> at port 0x64,0x60 on isa0
atkbd0: <AT Keyboard> flags 0x1 irq 1 on atkbdc0
kbd0 at atkbd0
psm0: <PS/2 Mouse> irq 12 on atkbdc0
psm0: model IntelliMouse Explorer, device ID 4
fdc0: <Enhanced floppy controller (i82077, NE72065 or clone)> at port 0x3f7,0x3f0-0x3f5 irq 6 drq 2 on isa0
fdc0: FIFO enabled, 8 bytes threshold
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
ppc0: <Parallel port> at port 0x378-0x37f irq 7 on isa0
ppc0: Generic chipset (NIBBLE-only) in COMPATIBLE mode
ppbus0: <Parallel port bus> on ppc0
plip0: <PLIP network interface> on ppbus0
lpt0: <Printer> on ppbus0
lpt0: Interrupt-driven port
ppi0: <Parallel I/O> on ppbus0
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
sio0: type 16550A
sio1 at port 0x2f8-0x2ff irq 3 on isa0
sio1: type 16550A
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
unknown: <PNP0303> can't assign resources (port)
unknown: <PNP0501> can't assign resources (port)
unknown: <PNP0501> can't assign resources (port)
unknown: <PNP0400> can't assign resources (port)
unknown: <PNP0700> can't assign resources (port)
unknown: <PNP0f13> can't assign resources (irq)
Timecounter "TSC" frequency 1244712708 Hz quality 800
Timecounters tick every 10.000 msec
GEOM: create disk ad2 dp=0xc2d9ba60
ad2: 38166MB <ST340014A> [77545/16/63] at ata1-master UDMA100
acd0: CDROM <HL-DT-ST CD-ROM GCR-8520B> at ata1-slave PIO4
Mounting root from ufs:/dev/ad2s2a
pcm0: <SiS 7012> port 0xd800-0xd83f,0xdc00-0xdcff irq 10 at device 2.7 on pci0
pcm0: <C-Media Electronics CMI9738 AC97 Codec>
pflog: $Name: VERSION_2_02 $
pfsync: $Name: VERSION_2_02 $
in6_ifattach: pflog0 is not multicast capable, IPv6 not enabled
in6_ifattach: pfsync0 is not multicast capable, IPv6 not enabled
pflog0: promiscuous mode enabled
pf: $Name: VERSION_2_02 $
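The following is an added example, not code from the post or from the pf4freebsd project. It parses pflog records in the tcpdump/pftcpdump -n -e -ttt format quoted above and maps each one back to the pf.conf line that produced it, which is the check one wants when comparing the 'block out' and 'pass out' results in the message: pflog reports the matching rule by its 0-based position in the loaded ruleset (the same @N numbering pfctl -vvsr prints), so "rule 1" is the 'block out log all' line and "rule 4" is the 'pass out ... user unknown' line. The sample input is the three log lines from the post; the ruleset is the post's second pf.conf; rule 1 is identical in the first pf.conf. All function and variable names are the example's own, and it assumes Python 3.

```python
"""Parse pflog output (tcpdump/pftcpdump -n -e -ttt -i pflog0) and map each
logged packet back to the rule that matched it.

Added example; not part of the original mailing-list post. Assumes Python 3.
All names below are the example's own."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the three pflog lines quoted in the post.
SAMPLE_PFLOG = """\
000000 rule 1/0(match): block out on sis0: 10.0.0.8.49240 > 10.0.0.2.53:  13228+[|domain]
000402 rule 1/0(match): block out on sis0: 10.0.0.8.49242 > 10.0.0.2.53:  13228+[|domain]
100. 942731 rule 4/0(match): pass out on sis0: 10.0.0.8.49244 > 10.0.0.2.53:  53585+[|domain]
"""

# Constructed ruleset, in load order, copied from the post's second pf.conf.
# pflog identifies the matching rule by its 0-based position in the loaded
# ruleset, so index 1 is 'block out log all' and index 4 is the 'user unknown'
# rule. The first pf.conf in the post has the same rule 1.
RULESET = [
    "block in log all",
    "block out log all",
    "pass in on lo0 all",
    "pass out on lo0 all",
    "pass out log proto udp from any to any port domain user unknown keep state",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# The -ttt timestamp prefix varies ("000000", "100. 942731"), so the pattern
# is anchored on the "rule N/M(reason):" token rather than on line start.
PFLOG_RE = re.compile(
    r"rule\s+(?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\):\s+"
    r"(?P<action>block|pass)\s+(?P<direction>in|out)\s+on\s+(?P<ifname>\w+):\s+"
    rf"(?P<src>{IPV4})\.(?P<sport>\d+)\s+>\s+(?P<dst>{IPV4})\.(?P<dport>\d+):"
)


@dataclass(frozen=True)
class PflogEntry:
    rule: int        # 0-based index of the matching rule in the loaded ruleset
    reason: str      # "match" in normal logging
    action: str      # "block" or "pass"
    direction: str   # "in" or "out"
    ifname: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_pflog_line(line: str) -> Optional[PflogEntry]:
    """Return a PflogEntry for one tcpdump line, or None if it is not a pflog record."""
    m = PFLOG_RE.search(line)
    if m is None:
        return None
    return PflogEntry(
        rule=int(m["rule"]), reason=m["reason"], action=m["action"],
        direction=m["direction"], ifname=m["ifname"],
        src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
    )


def parse_pflog(text: str) -> List[PflogEntry]:
    """Parse every recognisable pflog record in a block of tcpdump output."""
    return [e for e in map(parse_pflog_line, text.splitlines()) if e is not None]


def summarize(entries: List[PflogEntry]) -> Dict[Tuple[int, str], int]:
    """Count logged packets per (rule number, action), e.g. {(1, 'block'): 2}."""
    return dict(Counter((e.rule, e.action) for e in entries))


def rule_text(entry: PflogEntry, ruleset: List[str]) -> str:
    """Look up the pf.conf line a pflog record refers to (0-based index)."""
    if not 0 <= entry.rule < len(ruleset):
        return f"<rule {entry.rule} not in supplied ruleset>"
    return ruleset[entry.rule]


def blocked_to_port(entries: List[PflogEntry], dport: int) -> List[PflogEntry]:
    """Blocked packets towards one destination port (53 = DNS), in log order."""
    return [e for e in entries if e.action == "block" and e.dport == dport]


if __name__ == "__main__":
    entries = parse_pflog(SAMPLE_PFLOG)
    for e in entries:
        print(f"{e.action:5} {e.direction} {e.ifname} {e.src}:{e.sport} -> "
              f"{e.dst}:{e.dport}  rule {e.rule}: {rule_text(e, RULESET)}")
    print(summarize(entries))
```

Run against the post's own lines this prints two hits on rule 1 (the catch-all 'block out log all') for the 'user jibe' ruleset and one hit on rule 4 for the 'user unknown' ruleset, which is the comparison the message is asking about: a pass on 'user unknown' means pf found no owning socket for those outbound UDP packets, so a 'user jibe' rule cannot match them and they fall through to the block.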