6.1-PRERELEASE: pf blocks fetch after restart
Erik Norgaard
norgaard at locolomo.org
Thu Mar 30 10:52:14 UTC 2006
Hi:
I wrote about this some weeks ago; now I have investigated further. The system
was upgraded to the latest (yesterday's) snap of RELENG_6.
Summary:
1) boot
2a) fetch http://host/file: operation not permitted
2b) fetch ftp://host/file: operation not permitted
3) pfctl -Fr && pfctl -Rf pf.conf
4a) fetch http://host/file: successful
4b) fetch ftp://host/file: successful
5) pfctl -Fa && pfctl -f pf.conf
6) tcping host_on_lan 22: port open
7a) fetch http://host/file: operation not permitted
7b) fetch ftp://host/file: operation not permitted
There is one more thing that is weird: the interface, em0, after
successful configuration with DHCP, reports status "no carrier". This
happens on boot as well as if I run
# /etc/rc.d/netif restart
However, running the above does not change whether fetch succeeds or not.
The problem with netif is not solved if the interface is configured with a
static IP, nor is the problem with fetch.
I can repeat this; it has occurred on a number of snapshots of the
PRERELEASE. Any ideas on how to solve this?
Thanks, Erik
Complete transcript of session:
Script started on Thu Mar 30 12:39:48 2006
You have mail.
mordac# uname -a
FreeBSD mordac 6.1-PRERELEASE FreeBSD 6.1-PRERELEASE #0: Thu Mar 30 11:08:17 CEST 2006 root at mordac:/usr/obj/usr/src/sys/SERVER6-SMP i386
mordac# /etc/rc.d/netif restart
Stopping network: lo0 em0.
em0: no link .... got link
DHCPREQUEST on em0 to 255.255.255.255 port 67
DHCPREQUEST on em0 to 255.255.255.255 port 67
DHCPDISCOVER on em0 to 255.255.255.255 port 67 interval 6
DHCPOFFER from 172.24.0.24
DHCPREQUEST on em0 to 255.255.255.255 port 67
DHCPACK from 172.24.0.24
bound to 172.24.8.48 -- renewal in 1296000 seconds.
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=b<RXCSUM,TXCSUM,VLAN_MTU>
inet6 fe80::213:72ff:fe3d:e2f4%em0 prefixlen 64 scopeid 0x1
inet 172.24.8.48 netmask 0xfffff000 broadcast 172.24.15.255
ether 00:13:72:3d:e2:f4
media: Ethernet autoselect
status: no carrier
mordac# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=b<RXCSUM,TXCSUM,VLAN_MTU>
inet6 fe80::213:72ff:fe3d:e2f4%em0 prefixlen 64 scopeid 0x1
inet 172.24.8.48 netmask 0xfffff000 broadcast 172.24.15.255
ether 00:13:72:3d:e2:f4
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
inet 127.0.0.1 netmask 0xff000000
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
mordac# /etc/rc.d/pf restart
No ALTQ support in kernel
ALTQ related functions disabled
Disabling pf.
No ALTQ support in kernel
ALTQ related functions disabled
pf disabled
Enabling pf.
No ALTQ support in kernel
ALTQ related functions disabled
No ALTQ support in kernel
ALTQ related functions disabled
No ALTQ support in kernel
ALTQ related functions disabled
pf enabled
mordac# tcping 172.24.8.84 22
172.24.8.84 port 22 open.
mordac# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/tcping-1.3.4.tar.gz
fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/tcping-1.3.4.tar.gz: Operation not permitted
mordac# fetch http://www.linuxco.de/tcping/tcping-1.3.4.tar.gz
fetch: http://www.linuxco.de/tcping/tcping-1.3.4.tar.gz: Operation not permitted
mordac# pfctl -Fr && pfctl -Rf /etc/pf.conf
No ALTQ support in kernel
ALTQ related functions disabled
rules cleared
No ALTQ support in kernel
ALTQ related functions disabled
mordac# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/tcping-1.3.4.tar.gz
tcping-1.3.4.tar.gz 0% of 11 kB 0 Bps
tcping-1.3.4.tar.gz 100% of 11 kB 32 MBps
mordac# fetch http://www.linuxco.de/tcping/tcping-1.3.4.tar.gz
tcping-1.3.4.tar.gz 0% of 11 kB 0 Bps
tcping-1.3.4.tar.gz 100% of 11 kB 36 MBps
mordac# tcping 172.24.8.84 22
172.24.8.84 port 22 open.
mordac# pfctl -Fa && pfctl -f /etc/pf.conf
No ALTQ support in kernel
ALTQ related functions disabled
rules cleared
nat cleared
0 tables deleted.
7 states cleared
source tracking entries cleared
pf: statistics cleared
pf: interface flags reset
No ALTQ support in kernel
ALTQ related functions disabled
mordac# tcping 172.24.8.84 22
172.24.8.84 port 22 open.
mordac# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/tcping-1.3.4.tar.gz
fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/tcping-1.3.4.tar.gz: Operation not permitted
mordac# fetch http://www.linuxco.de/tcping/tcping-1.3.4.tar.gz
fetch: http://www.linuxco.de/tcping/tcping-1.3.4.tar.gz: Operation not permitted
mordac# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=b<RXCSUM,TXCSUM,VLAN_MTU>
inet6 fe80::213:72ff:fe3d:e2f4%em0 prefixlen 64 scopeid 0x1
inet 172.24.8.48 netmask 0xfffff000 broadcast 172.24.15.255
ether 00:13:72:3d:e2:f4
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
inet 127.0.0.1 netmask 0xff000000
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
mordac# exit
Script done on Thu Mar 30 12:44:20 2006
pf.conf:
# Interfaces, not loopback
ext_if = em0
ext_net = "(em0:network)"
ext_ip = "(em0)"
# Networks: LAN is non-internet address space, i.e. local networks
lan_net = "{ 172.16.0.0/12 192.168.0.0/16 }"
# These networks are listed in RFC3330 and not used:
table <nullnet> const { 0/8, 10/8, 127/8, 169.254/16, 172.16/12, \
!172.24/20, 192.0.2/24, 192.168/16, \
!192.168.212/24, 198.18/15, \
224/4, 240/4 }
# Services: Services listed by name must be in /etc/services, else
# use number
ext_tcp = "{ ssh }"
lan_tcp = "{ ssh ftp svn postgresql 49152:49216 }"
lan_icmp = "{ echoreq }"
#
# Define filtering rules
#
# default policy: block and log, log is used to catch unknown traffic
# logs by this rule means something has not been taken care of
block log all
# Allow all traffic on loopback interface
pass in quick on lo0 all
pass out quick on lo0 all
# Block (default) incoming traffic, this rule marks the start of a group,
# needed for optimal skip steps.
block in log on $ext_if all
# Anti spoofing
block in quick on $ext_if inet from <nullnet>
block in quick on $ext_if inet from any to !$ext_ip
# Local/LAN access only
pass in quick on $ext_if inet proto tcp from $lan_net to $ext_ip \
port $lan_tcp flags S/SA keep state
#pass in quick on $ext_if inet proto udp from $lan_net to $ext_ip \
# port $lan_udp keep state
pass in quick on $ext_if inet proto icmp from $lan_net to $ext_ip \
icmp-type $lan_icmp keep state
# External access
pass in quick on $ext_if inet proto tcp from any to $ext_ip \
port $ext_tcp flags S/SA keep state
# Catch rule for remaining packets
block in log quick on $ext_if all
# Outgoing traffic:
block out log on $ext_if all
# Anti spoofing
block out quick on $ext_if inet from <nullnet> to any
block out quick on $ext_if inet from $ext_ip to <nullnet>
# OK, just allow all out, this should be more restrictive:
pass out quick on $ext_if inet proto tcp from $ext_ip to any \
flags S/SA keep state
pass out quick on $ext_if inet proto udp from $ext_ip to any \
keep state
pass out quick on $ext_if inet proto icmp from $ext_ip to any \
keep state
# Catch rule for remaining packets
block out log quick on $ext_if
--
Ph: +34.666334818 web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID: 9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
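Editor's note on the transcript above: "Operation not permitted" (EPERM) is what a program gets when pf blocks one of the host's own outgoing packets with a plain `block` rule, whereas blocked inbound traffic only shows up as a timeout. Since every block rule in the ruleset logs, the direct way to see which rule is dropping fetch's SYNs is to read pflog0 (`tcpdump -n -e -ttt -i pflog0`) and map the rule number it prints back to the `@N`-prefixed rule list from `pfctl -vvsr`. The script below is an added example, not part of the original post; it does that mapping over constructed samples of both outputs (rule numbers 5 and 17, the peer address 198.51.100.1 and the packet counts are made up) so it runs without pf, and it needs only sh, awk and sort.

```sh
#!/bin/sh
# Added example: map "rule N/0(match): block ..." lines from pflog0 back to the
# rule text that "pfctl -vvsr" prints with an "@N" prefix, and report which
# outbound block rules explain an EPERM seen by fetch. On the firewall itself
# the two inputs would come from:
#   tcpdump -n -e -ttt -i pflog0    (capture while reproducing the failure)
#   pfctl -vvsr                     (the numbered, currently loaded ruleset)
# Both are constructed samples here so the script runs offline.

# Constructed tcpdump -n -e -ttt -i pflog0 output (hypothetical rule numbers,
# 198.51.100.1 / 192.0.2.1 are documentation addresses).
PFLOG_SAMPLE='000000 rule 17/0(match): block out on em0: 172.24.8.48.49152 > 198.51.100.1.80: S 1234:1234(0) win 65535
000512 rule 17/0(match): block out on em0: 172.24.8.48.49153 > 198.51.100.1.21: S 5678:5678(0) win 65535
003210 rule 5/0(match): block in on em0: 192.0.2.1.41234 > 172.24.8.48.22: S 999:999(0) win 5840'

# Constructed pfctl -vvsr output: each rule is prefixed with its number as "@N",
# followed by its evaluation counters.
RULES_SAMPLE='@0 block drop log all
  [ Evaluations: 100       Packets: 10        Bytes: 600         States: 0     ]
@5 block drop in log quick on em0 inet from <nullnet> to any
  [ Evaluations: 50        Packets: 1         Bytes: 60          States: 0     ]
@17 block drop out log quick on em0 all
  [ Evaluations: 20        Packets: 2         Bytes: 120         States: 0     ]'

# pf_blocking_rules <pflog-text>
# Prints one line per (rule number, direction) that produced a block entry,
# as "<count> <rule> <in|out>", most frequent first.
pf_blocking_rules() {
    printf '%s\n' "$1" | awk '
        / rule [0-9]+\/[0-9]+\(match\): block (in|out) / {
            sub(/^.* rule /, "")          # drop the -ttt timestamp prefix
            split($1, r, "/")             # "17/0(match):" -> r[1] = 17
            n[r[1] " " $3]++              # key: "<rule> <in|out>"
        }
        END { for (k in n) print n[k], k }' | sort -rn
}

# pf_rule_text <pfctl -vvsr text> <rule number>
# Prints the rule line numbered "@<rule number>" without its prefix, or nothing
# if no such rule is loaded (e.g. the log was taken under a different ruleset).
pf_rule_text() {
    printf '%s\n' "$1" | awk -v n="$2" '
        $1 == ("@" n) { sub(/^@[0-9]+ /, ""); print; exit }'
}

# pf_explain_eperm <pflog-text> <pfctl -vvsr text>
# Only outbound blocks are returned to the application as EPERM, so report
# those, with the rule text that produced them.
pf_explain_eperm() {
    pf_blocking_rules "$1" | while read -r count rule dir; do
        [ "$dir" = "out" ] || continue
        printf 'rule %s blocked %s outbound packet(s), seen by the application as EPERM: %s\n' \
            "$rule" "$count" "$(pf_rule_text "$2" "$rule")"
    done
}

# Stand-alone run over the constructed samples.
pf_explain_eperm "$PFLOG_SAMPLE" "$RULES_SAMPLE"
```

Run on the real box, the last function names the `block out` rule that swallowed the SYN; if it prints a rule number that `pfctl -vvsr` no longer has, the log was written under the previous ruleset, which is why the capture should be taken after the last `pfctl -f` and before the failing fetch.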