Can't access rsh listen on lo0

AndygreenNet at netscape.net
Mon Sep 27 02:27:32 PDT 2004


Hi, everybody!

On 26.09.2004 Max Laier max at love2party.net wrote:

Max Laier> On Saturday 25 September 2004 06:08,
Max Laier> AndygreenNet at netscape.net wrote:
>> Hello freebsd-pf,
>>
>> Help me please.
>>
>> I have:
>> FreeBSD 5_2_1
>> pf-freebsd-2.03

Max Laier> First of all ... to *everybody*: If you want a production use box
Max Laier> with pf - please move to a 5.3-BETA installation and get pf out of
Max Laier> the box. If you are worried about stability, set debug.mpsafenet=0
Max Laier> (PREEMPTION and ULE are off by default). You won't regret it!

>> I tried to access rsh listening on lo0.
>> Connection interrupts with messages:
>>   rsh: Connection timeout;
>>   or
>>   rsh: Connection reset by peer.

Max Laier> That is a fairly complicated ruleset you have there, I have some
Max Laier> trouble reading it. But you might want to try the following:

>> My pf.conf.
>>
>> # Macros: define common values, so they can be referenced and changed easily.
>> ext_if="{ vlan1, fxp2 }"        # replace with actual external interface name i.e., dc0
>> int_if="fxp0"                   # replace with actual internal interface name i.e., dc1
>> ext_bridge_if="{ vlan0, vlan2, vlan3 }"

Max Laier> unfiltered="{ lo0 }"

>> int_bridge_if="{ xl0, vlan4, vlan5 }"
>> internal_net_TTK="62.33.196.128/25"
>> internal_net_RT_COMM="213.59.235.120/29"
>> external_addr_TTK="62.33.196.254"
>> external_addr_RT_COMM="213.59.128.130"
>> restricted_ports="{ 135, 136, 137, 138, 139, 445 }"
>> allow_tcp_ports="{ ftp, ftp-data, ssh, smtp, domain, http, pop3, ntp, imap, https, snpp, > 1023}"
>> allow_udp_ports="{ domain, > 1023}"
>> ARP_in="inet proto { tcp, udp } from any port uarps to any port > 1023"
>> ARP_out="inet proto { tcp, udp } from any port > 1023 to any port uarps"
>>
>> # Options: tune the behavior of pf, default values are given.
>> set timeout { interval 10, frag 30 }
>> set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
>> set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
>> set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
>> set timeout { icmp.first 20, icmp.error 10 }
>> set timeout { other.first 60, other.single 30, other.multiple 60 }
>> set timeout { adaptive.start 0, adaptive.end 0 }
>> set limit { states 10000, frags 5000 }
>> set loginterface none
>> set optimization normal
>> set block-policy drop
>> set require-order yes
>> set fingerprints "/usr/local/etc/pf.os"
>>
>> # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
>> scrub in all
>>
>> # spamd-setup puts addresses to be redirected into table <spamd>.
>> table <spamd> persist
>> no rdr on lo0 from any to any
>> rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
>>

Max Laier> #Allow loopback and friends
Max Laier> pass quick on $unfiltered

>> # Filtering: external interfaces
>> block in log quick on $ext_if inet proto { tcp, udp } from any to any port $restricted_ports
>> pass in on $ext_if inet proto icmp from any to any icmp-type { 0, 8 }
>> pass in quick on $ext_if inet proto tcp from any to any port $allow_tcp_ports
>> pass in quick on $ext_if inet proto udp from any port $allow_udp_ports to any port $allow_udp_ports
>> pass out on $ext_if inet proto icmp from any to any icmp-type { 0, 8 }
>> pass out quick on $ext_if inet proto tcp from any port $allow_tcp_ports to any
>> pass out quick on $ext_if inet proto udp from any port $allow_udp_ports to any port $allow_udp_ports
>>
>> # Filtering: external bridge interfaces
>> block in log quick on $ext_bridge_if inet proto { tcp, udp } from any to any port $restricted_ports
>> pass in quick on $ext_bridge_if $ARP_in
>> pass in on $ext_bridge_if inet proto icmp from any to any icmp-type { 0, 8 }
>> pass in quick on $ext_bridge_if inet proto { tcp, udp } from any to any
>> pass out quick on $ext_bridge_if $ARP_out
>> pass out on $ext_bridge_if inet proto icmp from any to any icmp-type { 0, 8 }
>> pass out quick on $ext_bridge_if inet proto { tcp, udp } from any to any
>>
>> # Filtering internal interfaces with keep state, logging blocked packets.
>> block in log on $int_if all
>> pass in quick on $int_if $ARP_out keep state
>> pass in quick on $int_if inet proto icmp all icmp-type { 0, 8 } keep state
>> pass in quick on $int_if inet proto tcp from { $internal_net_TTK, $internal_net_RT_COMM } port $allow_tcp_ports to any keep state
>> pass in quick on $int_if inet proto udp from { $internal_net_TTK, $internal_net_RT_COMM } port $allow_udp_ports to any port $allow_udp_ports keep state
>>
>> # Filtering internal bridge interfaces with keep state, logging blocked packets.
>> block in log on $int_bridge_if all
>> pass in quick on $int_bridge_if $ARP_out keep state
>> pass in quick on $int_bridge_if inet proto icmp all icmp-type { 0, 8 } keep state
>> pass in quick on $int_bridge_if inet proto { tcp, udp } from any to any keep state
>>
>> Where was I mistaken?

Max Laier> Not sure ... $pfctl -vsr and pflog0 may tell you.

First of all, thanks!

I created pf.conf with two rules:
    pass in all
    pass out all

%sudo pftop
pfTop: Up Rule 1-2/2, View: label, Cache: 10000                          19:06:27

RULE LABEL                    PKTS    BYTES  STATES   MAX ACTION   DIR LOG Q IF     PR   K
   0                           757   114280       0       Pass     In
   1                           181   475711       0       Pass     Out

And then:
%sudo rsh -l root show ip accounting
rcmd: localhost: Operation timed out

%sudo pftcpdump -i pflog0 'host localhost'
pftcpdump: WARNING: pflog0: no IPv4 address assigned
pftcpdump: listening on pflog0
19:00:17.129118 localhost.shell > localhost.950: . ack 1303722277 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.232252 localhost.shell > localhost.950: . ack 30 win 42979 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.232435 localhost.shell > localhost.950: . ack 30 win 42980 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.232518 localhost.shell > localhost.950: . ack 30 win 42981 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.232589 localhost.shell > localhost.950: . ack 30 win 42982 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.232661 localhost.shell > localhost.950: . ack 30 win 42983 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.232736 localhost.shell > localhost.950: . ack 30 win 42984 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.232810 localhost.shell > localhost.950: . ack 30 win 42985 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.232880 localhost.shell > localhost.950: . ack 30 win 42986 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.232951 localhost.shell > localhost.950: . ack 30 win 42987 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.233049 localhost.shell > localhost.950: . ack 30 win 42988 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.233259 localhost.shell > localhost.950: . ack 30 win 42989 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.233334 localhost.shell > localhost.950: . ack 30 win 42990 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.233407 localhost.shell > localhost.950: . ack 30 win 42991 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.233478 localhost.shell > localhost.950: . ack 30 win 42992 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.233549 localhost.shell > localhost.950: . ack 30 win 42993 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.233621 localhost.shell > localhost.950: . ack 30 win 42994 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.233693 localhost.shell > localhost.950: . ack 30 win 42995 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.233765 localhost.shell > localhost.950: . ack 30 win 42996 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.233836 localhost.shell > localhost.950: . ack 30 win 42997 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.233907 localhost.shell > localhost.950: . ack 30 win 42998 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.233979 localhost.shell > localhost.950: . ack 30 win 42999 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.234075 localhost.shell > localhost.950: . ack 30 win 43000 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.234260 localhost.shell > localhost.950: . ack 30 win 43001 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.234337 localhost.shell > localhost.950: . ack 30 win 43002 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.234408 localhost.shell > localhost.950: . ack 30 win 43003 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.234479 localhost.shell > localhost.950: . ack 30 win 43004 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.234551 localhost.shell > localhost.950: . ack 30 win 43005 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.234622 localhost.shell > localhost.950: . ack 30 win 43006 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.234694 localhost.shell > localhost.950: . ack 30 win 43007 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.234767 localhost.shell > localhost.950: . ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.234846 localhost.shell > localhost.950: P 0:1(1) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.293052 localhost.shell > localhost.950: P 0:4097(4097) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.332208 localhost.shell > localhost.950: P 0:4097(4097) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.350636 localhost.shell > localhost.950: P 0:8193(8193) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.406621 localhost.shell > localhost.950: P 0:12289(12289) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.437219 localhost.shell > localhost.950: P 0:12289(12289) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.438332 localhost.shell > localhost.950: P 0:12289(12289) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.463725 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.521835 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.577827 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.634399 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.643171 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.650303 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.691123 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.747135 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.803602 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.855176 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.874296 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:18.079055 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:18.122157 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:18.327024 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:18.418158 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:18.622972 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:18.810154 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:19.014923 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:19.393998 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:19.598834 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:20.361905 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:20.566681 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:22.097648 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:22.302391 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:23.833353 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:24.038109 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:25.569065 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:25.773815 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)

What is it? Why?
_____________________________________
Best regards,
 Andrew Kochetkoff                    mailto:andrews at mtelecom.chita.ru
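An added example for triaging a pflog capture like the one in the post; this is editor-written code, not from the post, from pf or from FreeBSD. It parses the classic tcpdump TCP line format the capture uses (`HH:MM:SS.usec src > dst: flags [seq:seq(len)] ack N win W ...`) and groups data segments by byte range, so that repeated sends of the same range and the spacing between them are reported, along with which directions of the flow appear in the capture at all. The sample lines are copied from the capture above (wrapped lines joined); the summary states only what those lines contain.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

# Editor-added example, not code from the post. The lines below are copied
# from the pflog capture in the post, with tcpdump's wrapped lines joined.
SAMPLE = """\
19:00:17.129118 localhost.shell > localhost.950: . ack 1303722277 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.232252 localhost.shell > localhost.950: . ack 30 win 42979 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.234846 localhost.shell > localhost.950: P 0:1(1) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.293052 localhost.shell > localhost.950: P 0:4097(4097) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.350636 localhost.shell > localhost.950: P 0:8193(8193) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.463725 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:17.521835 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:18.079055 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:19.014923 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:20.566681 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:23.833353 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
19:00:25.773815 localhost.shell > localhost.950: . 0:14336(14336) ack 30 win 43008 <nop,nop,timestamp[|tcp]> (DF)
"""

# Classic (tcpdump 3.x) TCP line: the seq range is absent on a pure ACK.
LINE_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+)\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<flags>[SFRP.]+)\s+"
    r"(?:(?P<seq0>\d+):(?P<seq1>\d+)\((?P<len>\d+)\)\s+)?"
    r"(?:ack\s+(?P<ack>\d+)\s+)?"
    r"win\s+(?P<win>\d+)"
)


class Segment(NamedTuple):
    ts: float                 # seconds since midnight, from the tcpdump timestamp
    src: str
    dst: str
    flags: str
    seq_start: Optional[int]  # None on a pure ACK
    seq_end: Optional[int]
    length: int               # payload bytes, 0 on a pure ACK
    ack: Optional[int]
    win: int


def parse_tcpdump(text: str) -> List[Segment]:
    """Parse every line that matches the classic TCP format; skip the rest."""
    segments = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
        segments.append(Segment(
            ts=ts, src=m["src"], dst=m["dst"], flags=m["flags"],
            seq_start=int(m["seq0"]) if m["seq0"] else None,
            seq_end=int(m["seq1"]) if m["seq1"] else None,
            length=int(m["len"]) if m["len"] else 0,
            ack=int(m["ack"]) if m["ack"] else None,
            win=int(m["win"]),
        ))
    return segments


RangeKey = Tuple[str, str, int, int]  # (src, dst, seq_start, seq_end)


def group_data_segments(segments: List[Segment]) -> Dict[RangeKey, List[float]]:
    """Timestamps of every data-carrying segment, keyed by sender and byte range."""
    seen: Dict[RangeKey, List[float]] = defaultdict(list)
    for s in segments:
        if s.length > 0:
            seen[(s.src, s.dst, s.seq_start, s.seq_end)].append(s.ts)
    return dict(seen)


def retransmissions(segments: List[Segment]) -> Dict[RangeKey, dict]:
    """Byte ranges sent more than once, with the gap (seconds) before each repeat."""
    out = {}
    for key, times in group_data_segments(segments).items():
        if len(times) > 1:
            gaps = [round(b - a, 6) for a, b in zip(times, times[1:])]
            out[key] = {"repeats": len(times) - 1, "gaps": gaps}
    return out


def summarize(text: str) -> dict:
    segs = parse_tcpdump(text)
    return {
        "packets": len(segs),
        "pure_acks": sum(1 for s in segs if s.length == 0),
        "data_segments": sum(1 for s in segs if s.length > 0),
        # Which (src, dst) pairs were logged: a one-entry set means only one
        # side of the conversation reached pflog0.
        "directions": {(s.src, s.dst) for s in segs},
        "retransmissions": retransmissions(segs),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE)
    print("packets:", summary["packets"], "directions:", summary["directions"])
    for (src, dst, a, b), info in summary["retransmissions"].items():
        print(f"{src} > {dst} bytes {a}:{b} resent {info['repeats']}x, gaps {info['gaps']}")
```

Run against the sample, it reports that only the `localhost.shell > localhost.950` direction is present and that the `0:14336` range is resent six times with the gaps growing from tens of milliseconds to seconds; on a full capture, feed it the whole `pftcpdump -i pflog0` output and compare the reported directions with the rules `pfctl -vsr` shows as logging.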
