FreeBSD 5.3BETA2 / Netra T1 & PF problem
nanard
nanard at tou.nu
Tue Sep 7 03:24:47 PDT 2004
Hi,
I'm running FreeBSD 5.3beta2 on a Sun Netra T1 box:
vroum# uname -a
FreeBSD vroum.fr.colt.net 5.3-BETA3 FreeBSD 5.3-BETA3 #1: Mon Sep 6 12:39:27 CEST 2004 root at vroum.fr.colt.net:/usr/src/sys/sparc64/compile/VROUM sparc64
I recompiled the kernel with PF/ALTQ support:
options PFIL_HOOKS # pfil(9) framework
device pf #PF OpenBSD packet-filter firewall
device pflog #logging support interface for PF
options ALTQ
In /etc/rc.conf, I added this:
pf_enable="YES"
pflog_enable="YES"
To test, I modified /etc/pf.conf with only this line:
vroum# cat /etc/pf.conf
pass log all
vroum#
I'm connected remotely and locally (COM port) from a Windows XP machine to the FreeBSD box.
(winXP:10.33.253.81) ----> (Fbsd:10.33.253.145)
When PF is disabled, I can connect by SSH.
When PF is enabled, I can't connect by SSH (and I lost my active SSH connection).
vroum# pfctl -e -f /etc/pf.conf
pf enabled
I tried to TCPDUMP:
vroum# tcpdump -nei pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
12:13:41.144040 rule 0/0(match): pass in on hme0: IP 10.33.253.148.68 > 10.33.253.255.67: BOOTP/DHCP, Request [|bootp]
12:13:47.099150 rule 0/0(match): pass in on hme0: IP 10.33.253.148.68 > 10.33.253.255.67: BOOTP/DHCP, Request [|bootp]
[...]
vroum# tcpdump -nei hme0 port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on hme0, link-type EN10MB (Ethernet), capture size 96 bytes
Sep 7 12:14:16 vroum kernel: hme0: promiscuous mode enabled
12:14:16.668607 00:0e:7f:a9:3b:1b > 08:00:20:d9:b2:e2, ethertype IPv4 (0x0800), length 66: IP 10.33.253.81.1565 > 10.33.253.145.22: S 878281676:878281676(0) win 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK>
12:14:19.034636 00:0e:7f:a9:3b:1b > 08:00:20:d9:b2:e2, ethertype IPv4 (0x0800), length 66: IP 10.33.253.81.1567 > 10.33.253.145.22: S 2012258532:2012258532(0) win 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK>
12:14:21.975921 00:0e:7f:a9:3b:1b > 08:00:20:d9:b2:e2, ethertype IPv4 (0x0800), length 66: IP 10.33.253.81.1567 > 10.33.253.145.22: S 2012258532:2012258532(0) win 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK>
12:14:27.984184 00:0e:7f:a9:3b:1b > 08:00:20:d9:b2:e2, ethertype IPv4 (0x0800), length 66: IP 10.33.253.81.1567 > 10.33.253.145.22: S 2012258532:2012258532(0) win 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK>
==> Nothing about SSH (I was trying to connect!!!) on pflog0; only on hme0 can I see the packets arriving (without an answer).
I tried to ping the box from the Windows machine and I see the echo requests:
12:23:16.615092 rule 0/0(match): pass out on hme0: IP (tos 0x0, ttl 64, id 9003, offset 0, flags [none], length: 60) 10.33.253.145 > 10.33.253.81: icmp 40: echo reply seq 35346
12:23:17.634131 rule 0/0(match): pass in on hme0: IP (tos 0x0, ttl 128, id 6037, offset 0, flags [none], length: 60) 10.33.253.81 > 10.33.253.145: icmp 40: echo request seq 35602
12:23:17.634152 rule 0/0(match): pass out on hme0: IP (tos 0x0, ttl 64, id 9004, offset 0, flags [none], length: 60) 10.33.253.145 > 10.33.253.81: icmp 40: echo reply seq 35602
Here is my ifconfig:
roum# ifconfig
hme0: flags=108843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=b<RXCSUM,TXCSUM,VLAN_MTU>
inet 10.33.253.145 netmask 0xffffff00 broadcast 10.33.253.255
ether 08:00:20:d9:b2:e2
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
hme1: flags=108802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
options=b<RXCSUM,TXCSUM,VLAN_MTU>
ether 08:00:20:d9:b2:e2
media: Ethernet autoselect
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33160
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff000000
It's the first time I'm setting up a firewall with PF. It's only for testing at the moment and I don't understand why it doesn't work.
Thanks in advance.
Nicolas Liénard
PS: here are the pfctl -sa results:
roum# pfctl -sa
FILTER RULES:
pass log all
INFO:
Status: Enabled for 0 days 00:05:33 Debug: Urgent
Hostid: 0xd1edc106
Interface Stats for hme0 IPv4 IPv6
Bytes In 6457405 0
Bytes Out 15577 0
Packets In
Passed 12824 0
Blocked 11315 0
Packets Out
Passed 271 0
Blocked 0 0
State Table Total Rate
current entries 0
searches 24081 72.3/s
inserts 5 0.0/s
removals 5 0.0/s
Counters
match 24076 72.3/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
TIMEOUTS:
tcp.first 30s
tcp.opening 5s
tcp.established 18000s
tcp.closing 60s
tcp.finwait 30s
tcp.closed 30s
udp.first 60s
udp.single 30s
udp.multiple 60s
icmp.first 20s
icmp.error 10s
other.first 60s
other.single 30s
other.multiple 60s
frag 15s
interval 5s
adaptive.start 0 states
adaptive.end 0 states
src.track 0s
LIMITS:
states hard limit 5000
src-nodes hard limit 0
frags hard limit 2500
OS FINGERPRINTS:
293 fingerprints loaded
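The diagnostic Nicolas did by hand above (SYNs visible on hme0 but absent from pflog0, and a large "Blocked" count in the interface stats despite a single `pass log all` rule) is the kind of comparison worth scripting when troubleshooting a packet filter. The following is an added example written for this page; it is not code from the original post or from FreeBSD or PF. It takes tcpdump output from the wire interface and from pflog0, reports flows to a chosen port that the wire saw but pf never logged, and parses the `Packets In/Out` block of `pfctl -si`. The sample lines are constructed from the captures quoted in the post; the function names and the regular expressions are my own and assume the tcpdump 3.8-era line format shown above.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the captures quoted in the post.
# Wire capture (tcpdump -nei hme0 port 22): one packet per line.
WIRE_LINES = [
    "12:14:16.668607 00:0e:7f:a9:3b:1b > 08:00:20:d9:b2:e2, ethertype IPv4 (0x0800), length 66: IP 10.33.253.81.1565 > 10.33.253.145.22: S 878281676:878281676(0) win 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK>",
    "12:14:19.034636 00:0e:7f:a9:3b:1b > 08:00:20:d9:b2:e2, ethertype IPv4 (0x0800), length 66: IP 10.33.253.81.1567 > 10.33.253.145.22: S 2012258532:2012258532(0) win 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK>",
    "12:14:21.975921 00:0e:7f:a9:3b:1b > 08:00:20:d9:b2:e2, ethertype IPv4 (0x0800), length 66: IP 10.33.253.81.1567 > 10.33.253.145.22: S 2012258532:2012258532(0) win 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK>",
    "12:14:27.984184 00:0e:7f:a9:3b:1b > 08:00:20:d9:b2:e2, ethertype IPv4 (0x0800), length 66: IP 10.33.253.81.1567 > 10.33.253.145.22: S 2012258532:2012258532(0) win 65535 <mss 1260,nop,wscale 2,nop,nop,sackOK>",
]
# pflog capture (tcpdump -nei pflog0): what pf actually logged, plain and verbose forms.
PFLOG_LINES = [
    "12:13:41.144040 rule 0/0(match): pass in on hme0: IP 10.33.253.148.68 > 10.33.253.255.67: BOOTP/DHCP, Request [|bootp]",
    "12:23:17.634131 rule 0/0(match): pass in on hme0: IP (tos 0x0, ttl 128, id 6037, offset 0, flags [none], length: 60) 10.33.253.81 > 10.33.253.145: icmp 40: echo request seq 35602",
    "12:23:17.634152 rule 0/0(match): pass out on hme0: IP (tos 0x0, ttl 64, id 9004, offset 0, flags [none], length: 60) 10.33.253.145 > 10.33.253.81: icmp 40: echo reply seq 35602",
]
# Interface-stats block of `pfctl -si`, copied from the post's pfctl -sa output.
PFCTL_TEXT = """\
Interface Stats for hme0          IPv4      IPv6
  Bytes In                     6457405         0
  Bytes Out                      15577         0
  Packets In
    Passed                       12824         0
    Blocked                      11315         0
  Packets Out
    Passed                         271         0
    Blocked                            0         0
"""

# "IP src[.port] > dst[.port]:" with the optional verbose "(tos ..., length: N)" group.
FLOW_RE = re.compile(r"IP (?:\([^)]*\) )?(\d+(?:\.\d+){3})(?:\.(\d+))? > (\d+(?:\.\d+){3})(?:\.(\d+))?:")
# pflog prefix: "rule 0/0(match): pass in on hme0:"
PFLOG_RE = re.compile(r"rule (\d+)/(\d+)\((\w+)\): (pass|block) (in|out) on (\w+):")


def parse_flow(line):
    """Return (src, sport, dst, dport) from a tcpdump line; ports are None for ICMP."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    src, sport, dst, dport = m.groups()
    return (src, int(sport) if sport else None, dst, int(dport) if dport else None)


def parse_pflog_line(line):
    """Split a pflog0 tcpdump line into rule number, action, direction, interface and flow."""
    m = PFLOG_RE.search(line)
    flow = parse_flow(line)
    if not m or not flow:
        return None
    rule, subrule, reason, action, direction, ifname = m.groups()
    return {"rule": int(rule), "subrule": int(subrule), "reason": reason,
            "action": action, "dir": direction, "if": ifname, "flow": flow}


def unlogged_flows(wire_lines, pflog_lines, dport=22):
    """Flows to dport seen on the wire that never appear in pflog, with packet counts.
    With a `pass log all` ruleset every packet should be logged, so a non-empty
    result means pf never saw the packet as a match, however the packet was handled."""
    logged = {e["flow"] for e in map(parse_pflog_line, pflog_lines) if e}
    seen = Counter()
    for line in wire_lines:
        flow = parse_flow(line)
        if flow and flow[3] == dport:
            seen[flow] += 1
    return {flow: n for flow, n in seen.items() if flow not in logged}


def parse_interface_stats(pfctl_text):
    """Parse the 'Packets In/Out' Passed/Blocked counters (IPv4 column) from pfctl -si."""
    stats, direction = {}, None
    for line in pfctl_text.splitlines():
        parts = line.split()
        if parts[:2] == ["Packets", "In"]:
            direction = "in"
        elif parts[:2] == ["Packets", "Out"]:
            direction = "out"
        elif direction and parts and parts[0] in ("Passed", "Blocked"):
            stats.setdefault(direction, {})[parts[0].lower()] = int(parts[1])
    return stats


if __name__ == "__main__":
    for flow, n in unlogged_flows(WIRE_LINES, PFLOG_LINES).items():
        print("seen on wire but not in pflog:", flow, "x", n)
    s = parse_interface_stats(PFCTL_TEXT)
    print("inbound blocked:", s["in"]["blocked"], "of", s["in"]["blocked"] + s["in"]["passed"])
```

Run against the captures in the post, it reports both SSH flows (ports 1565 and 1567) as never logged and an inbound blocked count of 11315 against 12824 passed; with a one-line `pass log all` ruleset, any blocked packets at all point to something other than the filter rule dropping them, which is the question this post raises.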