FreeBSD 6.1-RELEASE + PF

Kian Mohageri kian.mohageri at gmail.com
Mon Jun 12 19:39:19 UTC 2006


Perhaps your application needs specific IP options.  PF blocks packets with
IP options set by default.

Append 'allow-opts' to the relevant rules.

-Kian

On 6/12/06, Ludovit Koren <lk at tempest.sk> wrote:
>
> Hi,
>
> I have a problem setting up PIM and IGMP communication with pf on FreeBSD
> 6.1-RELEASE.
>
> # pfctl -s state
> self igmp 195.28.109.40 -> 224.0.0.2       SINGLE:NO_TRAFFIC
> self igmp 195.28.109.40 -> 224.0.0.13       SINGLE:NO_TRAFFIC
> self igmp 224.0.0.1 <- 195.28.109.25       NO_TRAFFIC:SINGLE
> self igmp 224.0.0.2 <- 195.28.109.40       NO_TRAFFIC:SINGLE
> self igmp 224.0.0.13 <- 195.28.109.40       NO_TRAFFIC:SINGLE
> self tcp 195.28.109.40:22 -> 195.28.109.37:58349       ESTABLISHED:ESTABLISHED
> self udp 255.255.255.255:8225 <- 195.28.109.29:1025       NO_TRAFFIC:SINGLE
> self pim 195.28.109.40 -> 224.0.0.13       SINGLE:NO_TRAFFIC
> self pim 224.0.0.13 <- 195.28.109.25       NO_TRAFFIC:SINGLE
> self pim 224.0.0.13 <- 195.28.109.40       NO_TRAFFIC:SINGLE
> self pfsync 195.28.109.40 -> 0.0.0.0       SINGLE:NO_TRAFFIC
>
>
> xorp immediately starts to give the following message:
> [ 2006/06/09 17:13:24 WARNING xorp_fea XrlMfeaTarget ] Handling method for
> mfea/0.1/send_protocol_message4 failed: XrlCmdError 102 Command failed
> Cannot send PIMSM_4 protocol message from 195.28.109.40 to 224.0.0.13 on
> vif em0: sendmsg(proto 103 size 34 from 195.28.109.40 to 224.0.0.13 on vif
> em0) failed: Operation not permitted
> [ 2006/06/09 17:13:24  ERROR xorp_pimsm4:18051 PIM +2623 xrl_pim_node.cc
> mfea_client_send_protocol_message_cb ] Cannot send a protocol message: 102
> Command failed Cannot send PIMSM_4 protocol message from 195.28.109.40 to
> 224.0.0.13 on vif em0: sendmsg(proto 103 size 34 from 195.28.109.40 to
> 224.0.0.13 on vif em0) failed: Operation not permitted
>
> # pfctl -s rules
> scrub in all fragment reassemble
> block drop in log all
> pass in on xl0 inet from <quadia> to 195.28.126.13 keep state
> pass out on xl0 inet from 195.28.126.13 to <quadia> keep state queue dflt
> pass out on xl0 inet from 195.28.126.13 to any keep state queue dflt
> pass out on em0 inet all keep state queue dfltem
> pass out on em1 inet all keep state queue dfltem1
> pass in proto tcp from any to any port = ssh keep state
> pass in on em0 inet proto udp from 195.28.109.0/24 to 195.28.109.40 port = 5060 keep state
> pass in on em0 inet proto udp from 195.28.109.0/24 port = 8000 to 195.28.109.40 keep state
> pass in on em0 inet proto udp from 195.28.109.0/24 port = 8001 to 195.28.109.40 keep state
> pass in on em0 inet proto tcp from 195.28.109.36 to 195.28.109.40 port = nut keep state
> pass in on em0 inet proto tcp from 195.28.109.37 to 195.28.109.40 port = http keep state
> pass in on em0 inet proto tcp from 195.28.109.37 to 195.28.109.40 port = 4445 keep state
> pass in on em0 inet proto tcp from 195.28.109.88 to 195.28.109.40 port = http keep state
> pass in on em0 inet proto tcp from 195.28.109.88 to 195.28.109.40 port = 4445 keep state
> pass in on em0 inet proto udp from 195.28.109.0/24 to 195.28.109.40 port 9999:20001 keep state
> pass in on em0 inet proto udp from 195.28.109.0/24 to 195.28.109.40 port = domain keep state
> pass in on em0 inet proto udp from 195.28.109.0/24 to 195.28.109.40 port = 4520 keep state
> pass in on em0 inet proto udp from 195.28.109.0/24 to 195.28.109.40 port = 4569 keep state
> pass in on em0 all keep state
> pass in on em1 all keep state
>
> When I disable the firewall, xorp runs as expected. It does not matter
> whether I add a specific rule for PIM and IGMP or a general one, i.e. let
> all traffic go through.
>
> Is it a bug in pf or am I doing something wrong? Any help appreciated.
>
> Regards,
>
> lk
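Kian's suggestion applied to the quoted rule set, as an added example that is not part of either message: rather than appending allow-opts to the broad "pass in on em0 all" rule, which would let any packet with IP options through, scope it to the protocols and addresses that actually need it. The interface, host and multicast group addresses come from the quoted pfctl output; the macro names and the placement of these rules ahead of the catch-all rules are assumptions.

```pf
# Added example, not from either poster. Addresses and interface em0 are
# taken from the quoted output; macro names and rule placement are assumed.

router_ip = "195.28.109.40"
lan       = "195.28.109.0/24"
# Link-local control groups seen in the quoted state table:
# all-hosts, all-routers and all-PIM-routers.
mcast_ctl = "{ 224.0.0.1, 224.0.0.2, 224.0.0.13 }"

# Before: these rules matched the multicast control traffic, but PF drops
# packets carrying IP options unless the matching rule says allow-opts.
# IGMPv2 messages, for one, are required to carry the Router Alert option,
# so they never matched a passing rule. That is the "sendmsg(...) failed:
# Operation not permitted" xorp reports on the outbound side.
#
#   pass out on em0 inet all keep state queue dfltem
#   pass in  on em0 all keep state
#
# Do not fix it by adding allow-opts to those catch-all rules.

# After: permit IP options only for IGMP and PIM, only on em0, and only
# between the router, its LAN and the control groups. Everything else keeps
# PF's default of dropping packets with IP options.
pass out on em0 inet proto { igmp, pim } from $router_ip to $mcast_ctl keep state allow-opts
pass in  on em0 inet proto { igmp, pim } from $lan to $mcast_ctl keep state allow-opts
pass in  on em0 inet proto { igmp, pim } from $lan to $router_ip keep state allow-opts
```

After loading the rules, `pfctl -s state` should show the igmp and pim entries leaving the NO_TRAFFIC side, and `pfctl -s rules -v` shows per-rule packet counters to confirm the scoped rules, not the catch-all, are matching.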

