pf/ppp timing problem at startup
cpghost
cpghost at cordula.ws
Wed Feb 14 06:25:15 UTC 2007
On Wed, Feb 14, 2007 at 02:59:18AM +0000, RW wrote:
> On Wed, 14 Feb 2007 03:14:50 +0100
> cpghost <cpghost at cordula.ws> wrote:
>
> > I'm using ADSL to connect (using a static IP), and ppp(1)
> > needs some time (a few seconds) to initialize and configure
> > the tun(4) device. Parallel to this, pf(4) starts immediately,
> > and doesn't recognize ext_if (tun0), which is not yet ready.
> > As a result of this, pf shuts down again and there's no firewall.
> >
> >...
> > Perhaps there's also some pf setting that would dynamically adjust
> > to tun0 once it appears?
>
>
> I don't know the answer, but I suspect that you are asking the wrong
> question. Your setup is a very common one, so it seems a bit unlikely
> any special bodging is required (and that no-one is complaining about
> it). The ppp startup script is supposed to resync pf after starting
> ppp.
>
> I'm wondering if there is anything unusual in your ppp.conf or rc.conf
> entries.
There shouldn't be. Here they are. It's on a:
FreeBSD 6.2-STABLE FreeBSD 6.2-STABLE #0: Tue Jan 16 14:45:10 CET 2007
/etc/ppp/ppp.conf:
------------------
default:
    set log Phase Chat LCP IPCP CCP tun command
    ident user-ppp VERSION (built COMPILATIONDATE)
fw-9703:
    set device PPPoE:sis0
    set MTU 1460
    set MRU 1460
    set dial
    set crtscts off
    set speed sync
    disable lqr
    set echoperiod 30
    enable echo
    disable deflate
    disable pred1
    disable vjcomp
    disable acfcomp
    disable protocomp
    set log Phase LCP IPCP CCP Warning Error Alert
    set ifaddr 10.0.0.1/0 10.0.0.2/0 0.0.0.0 0.0.0.0
    set login
    set authname XXXXXXXXXXXXXXXXXX
    set authkey XXXXXXXXXXX
    set timeout 0
    add default HISADDR
    set server /var/run/internet "" 0177
/etc/rc.conf:
-------------
hostname="XXXXXXXXXXXXXXXXX"
gateway_enable="YES"
ifconfig_sis0="inet 10.10.0.1 mtu 1460 netmask 255.255.255.0"
ifconfig_sis1="inet 192.168.254.1 mtu 1460 netmask 255.255.255.0"
gbde_swap_enable="YES"
ppp_enable="YES"
ppp_profile="fw-9703"
ppp_user="root"
ppp_mode="ddial"
ppp_nat="YES"
named_enable="YES"
# named_flags="-u bind -g bind -t /etc/namedb/s"
sshd_enable="YES"
sendmail_enable="NONE"
postfix_enable="YES"
syslogd_flags="-ss -l /var/db/thttpd/dev/log"
saslauthd_enable="YES"
cyrus_imapd_enable="YES"
pf_enable="YES"
pf_flags="-f /etc/pf.conf"
pflog_enable="YES"
postgrey_enable="YES"
lighttpd_enable="YES"
lighttpd2_enable="YES"
lighttpd2_conf="/usr/local/etc/lighttpd2.conf"
/etc/pf.conf:
-------------
ext_if="tun0"
internal_net="192.168.254.0/24"
tcp_services="{ 25, 80, XXXXXXXXXXXX }"
icmp_types="echoreq"
table <badhosts> persist { XXXXXXXXXXXXXXXX }
set block-policy drop
set loginterface $ext_if
scrub in all
# NAT stuff clipped
# rdr pass on $ext_if proto tcp from any to any port XXXX -> N.N.N.N port YYYY
block in log on $ext_if all
pass in on $ext_if inet proto tcp from any to $ext_if port $tcp_services flags S/SA keep state
# pass in on $ext_if inet proto tcp from port 20 to $ext_if user proxy flags S/SA keep state
pass in on $ext_if inet proto icmp all icmp-type $icmp_types keep state
# More rules clipped
Thanks,
-cpghost.
--
Cordula's Web. http://www.cordula.ws/
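The ordering problem the thread is about (pf loading before ppp has brought up tun0) can be handled by loading the ruleset only once the tunnel has an address. The script below is an added example, not part of the original post and not FreeBSD's own rc.d/ppp or rc.d/pf code: it polls the interface, parse-checks the ruleset with pfctl -n first, and loads it only if the check passes, so a broken ruleset never leaves the box half-filtered. It assumes FreeBSD's ifconfig(8) and pfctl(8); the IFCONFIG_CMD and PFCTL_CMD overrides and the script name pf-after-ppp.sh are assumptions made for illustration and testing, not real knobs of either tool.

```shell
#!/bin/sh
# Added example (not from the original thread): wait for the ppp(8) tunnel
# interface to receive its IPv4 address, then (re)load the pf ruleset.
# Intended to be run from /etc/ppp/ppp.linkup or a local rc script.
# Assumes FreeBSD ifconfig(8)/pfctl(8). IFCONFIG_CMD and PFCTL_CMD are
# hypothetical overrides so the logic can be exercised without a real tun0.

# iface_has_inet IFACE: true when the interface exists and has an inet address.
iface_has_inet() {
    "${IFCONFIG_CMD:-ifconfig}" "$1" 2>/dev/null | grep -q '^[[:space:]]*inet '
}

# wait_for_iface IFACE TRIES INTERVAL: poll up to TRIES times, INTERVAL
# seconds apart; 0 when the address appeared, 1 when it never did.
wait_for_iface() {
    _iface=$1 _tries=$2 _interval=$3 _n=0
    while [ "$_n" -lt "$_tries" ]; do
        if iface_has_inet "$_iface"; then
            return 0
        fi
        _n=$((_n + 1))
        sleep "$_interval"
    done
    return 1
}

# reload_pf RULES: syntax-check the ruleset (-n) before loading it, so a
# typo in pf.conf cannot replace a working ruleset with nothing.
reload_pf() {
    "${PFCTL_CMD:-pfctl}" -n -f "$1" && "${PFCTL_CMD:-pfctl}" -f "$1"
}

# pf_after_ppp IFACE RULES TRIES INTERVAL: the whole procedure. Loads
# nothing and returns 1 when the link does not come up in time.
pf_after_ppp() {
    if wait_for_iface "$1" "$3" "$4"; then
        reload_pf "$2"
    else
        echo "pf_after_ppp: $1 did not come up after $3 tries" >&2
        return 1
    fi
}

# Stand-alone use: pf-after-ppp.sh [iface] [ruleset], 30 tries one second apart.
case "${0##*/}" in
    pf-after-ppp.sh) pf_after_ppp "${1:-tun0}" "${2:-/etc/pf.conf}" 30 1 ;;
esac
```

Two points on the design. First, the rc equivalent of the last step is the `resync` target of /etc/rc.d/pf that RW refers to, so if the stock rc.d/ppp is already doing that on a given system, this script is only needed when ppp is started some other way. Second, the part of the question about a pf setting that adjusts to tun0 by itself: pf resolves an interface used as an address (`to $ext_if`) at load time, which is exactly what fails when tun0 is not there yet, whereas the parenthesised form `($ext_if)` tells pf to look the address up when the rule is evaluated, so the ruleset loads before the link exists and follows the address once it appears.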