pf BUG?

KES kes-kes at yandex.ru
Thu Mar 29 21:33:16 UTC 2007


You wrote on March 29, 2007, 16:15:40:

V> On 12/23/-58 20:59, KES wrote:
>> Hello
>> 
>> I start to use ADSL
>> My network has the following structure:
>> CPU -iIP----  rl0 -SERVER -tun0---  >>>>> INET
>> 
>> I have next pf rules
>> 
>> 1) drop all
>> 2) pass in quick on tun0 all
>> 3) pass out quick on tun0 all
>> 4) pass in on rl0 from $iIp to any
>> 5) pass out on rl0 from any to $iIp
>> 
>> Next thing is wrong:
>> If I ping inet from CPU
>> 
>> 2) pass in log-all on tun0 all
>> 3) pass out quick on tun0 all
>> 
>> tcpdump pflog0 shows nothing
>> But
>> 2) pass in on tun0 all
>> 3) pass out log-all quick on tun0 all
>> 
>> tcpdump pflog0 shows in and out traffic on tun0 interface!!!
>> 
>> System was built from 2007-03-27 sources
>> architecture is sparc64

V> This is not a pf bug.

V> I'm wondering why you're using a firewall at all? Your firewall is
V> nothing but just wide open (tm) and effectively useless.

V> Anyway, I really don't understand your problem. Do you really want
V> to have a firewall which does nothing but logging like crazy? BTW,
V> the log-all option does not make sense when not being used in
V> conjunction with stateful inspection.

V> HTH,

V> Volker

1) Posting the full firewall rules to the list is useless. I posted only
the part I have the problem with.
2) The problem is that the rule
#2 pass in quick on tun0 all
has no effect. All traffic that goes through tun0 goes through rule
#3 pass out quick on tun0 all
Even more: I can delete rule #2 and the Internet still WORKS!!! Despite
there being no rule that allows incoming traffic through tun0.
3) You can change log-all to log if you want. Log is used only to
sniff the traffic which goes through rule #2 in case one and rule #3 in
case two.



In reality my problem is with this:
pass out log quick route-to ($adslIf $adslGate) from ($adslIf) to any

All incoming traffic is routed back out to the Internet. I saw it when I
traced the route to myself from the Internet:
.......
15 provider
16 sparc
17 provider
18 sparc

The same firewall in the same environment, but on FreeBSD 6.0 on an Intel platform, works well.
What is wrong: the new sparc64 kernel configuration, or is there a
mistake in the new kernel sources?

Thanks
-- 
 KES                          mailto:kes-kes at yandex.ru
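The two tcpdump observations quoted in the thread can be replayed against a small model of pf's documented evaluation order, added here as an example that is not part of the thread or of pf itself. It encodes three documented pf behaviours: a packet matching an existing state entry is passed before the ruleset is consulted (so no rule's log keyword fires for it); otherwise the last matching rule wins, unless a matching rule carries `quick`; and `log-all` logs every packet a rule passes, including later packets matched by the state it created. The interface names and the five rules come from the post; the addresses (`10.0.0.2` for `$iIp`, `192.0.2.1` as the Internet host) are constructed, and the assumption that the `pass out quick on tun0` rule keeps state is the model's, not something the thread confirms about the poster's build.

```python
# Added example (not from the thread): a small model of pf's evaluation order,
# used to replay the two tcpdump observations in the post. Addresses and the
# stateful 'pass out' rule are constructed assumptions, not the poster's config.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    iface: str
    src: str
    dst: str


@dataclass
class Rule:
    action: str                      # "block" or "pass"
    direction: Optional[str] = None  # None matches both directions
    iface: Optional[str] = None      # None matches any interface
    src: Optional[str] = None        # None means "any"
    dst: Optional[str] = None
    quick: bool = False
    log_all: bool = False            # 'log-all': log every packet this rule passes,
                                     # including later packets matched by its state
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == got for want, got in (
            (self.direction, p.direction), (self.iface, p.iface),
            (self.src, p.src), (self.dst, p.dst)))


class Pf:
    def __init__(self, rules):
        self.rules = rules
        self.states = {}   # (iface, {src, dst}) -> number of the rule that created it
        self.pflog = []    # (rule_no, packet) entries the 'log-all' keyword would emit

    @staticmethod
    def _key(p: Packet):
        return (p.iface, frozenset({p.src, p.dst}))

    def filter(self, p: Packet):
        """Return (verdict, rule number or 'state') for one packet."""
        # 1. State lookup comes first: a packet matching an existing state is
        #    passed without consulting the ruleset, so no other rule's log fires.
        creator = self.states.get(self._key(p))
        if creator is not None:
            if self.rules[creator - 1].log_all:
                self.pflog.append((creator, p))
            return ("pass", "state")
        # 2. Otherwise walk the ruleset top to bottom: the LAST matching rule
        #    wins, unless a matching rule carries 'quick', which ends the walk.
        winner = None
        for no, r in enumerate(self.rules, start=1):
            if r.matches(p):
                winner = (no, r)
                if r.quick:
                    break
        if winner is None:
            return ("pass", None)    # pf's implicit default when nothing matches
        no, r = winner
        if r.log_all:
            self.pflog.append((no, p))
        if r.action == "pass" and r.keep_state:
            self.states[self._key(p)] = no
        return (r.action, no)


IIP, INET = "10.0.0.2", "192.0.2.1"   # constructed: $iIp and an Internet host


def ruleset(log_in: bool, log_out: bool, with_rule2: bool = True):
    """The five rules quoted in the post, with log-all placed as in case one or two."""
    rules = [
        Rule("block"),                                                  # 1) drop all
        Rule("pass", "in", "tun0", quick=True, log_all=log_in),         # 2)
        Rule("pass", "out", "tun0", quick=True, log_all=log_out,
             keep_state=True),                                          # 3) assumed stateful
        Rule("pass", "in", "rl0", src=IIP),                             # 4)
        Rule("pass", "out", "rl0", dst=IIP),                            # 5)
    ]
    if not with_rule2:
        del rules[1]          # the poster's experiment: rule 2 removed (numbers shift up)
    return rules


def ping_from_cpu(log_in: bool, log_out: bool, with_rule2: bool = True):
    """Replay an echo request/reply from the CPU; returns (verdicts, logged rule numbers)."""
    fw = Pf(ruleset(log_in, log_out, with_rule2))
    path = [
        Packet("in",  "rl0",  IIP,  INET),   # request arrives from the CPU
        Packet("out", "tun0", IIP,  INET),   # request leaves towards the Internet
        Packet("in",  "tun0", INET, IIP),    # reply comes back on tun0
        Packet("out", "rl0",  INET, IIP),    # reply delivered to the CPU
    ]
    verdicts = [fw.filter(p) for p in path]
    return verdicts, [no for no, _ in fw.pflog]


if __name__ == "__main__":
    print("case one (log-all on rule 2):", ping_from_cpu(True, False))
    print("case two (log-all on rule 3):", ping_from_cpu(False, True))
    print("rule 2 deleted:              ", ping_from_cpu(False, False, with_rule2=False))
```

Under these assumptions the model reproduces all three observations in the post: with log-all on rule 2 the pflog stays empty, because the reply on tun0 matches the state left by rule 3 and rule 2 is never evaluated; with log-all on rule 3 both the outbound request and the inbound reply are logged against rule 3; and with rule 2 deleted every packet of the exchange is still passed. The model says nothing about the `route-to` behaviour or the sparc64 kernel question raised at the end of the mail, which the thread leaves open.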