machine locks with PF (without using user-dependent rules)

Harald Schmalzbauer harry at schmalzbauer.de
Sat Jan 8 06:46:28 PST 2005


Dear all,

my machine hard locks with the attached ruleset.
If I set debug.mpsafenet to 0 everything is fine. This was a wild guess on my 
part; I could not find the info anywhere that PF needs this tweaking, and I 
think it's not intended, otherwise it would be done in rc.conf, e.g.

I read about user-dependent rules in IPFW and that one has to disable 
mpsafenet, but I'm not using user-based rules in my PF config!
Unfortunately this machine is a CF-card based router where I cannot debug 
anything; perhaps I can bring a WITNESS kernel on it, please tell me if this 
problem is new to you and if I should do that.

Best regards,

-Harry

pf.conf: (note that the interface names are changed, so fxp0 is SDSL e.g.)

lan_net="172.23.0.0/16"
by_net="192.168.0.0/24"
sdsl_net="a.b.c.d/29"

sdsl_addr="a.b.c.d"
lan_addr="172.23.0.1"
#pppoe_addr="10.0.0.1"
by_addr="192.168.0.1"

proxy="a.a.a.a"
mta="b.b.b.b"
dns="c.c.c.c"
web="d.d.d.d"
dns2="10.0.0.2"

set block-policy return
scrub in all

nat on SDSL from $lan_net to !$sdsl_net -> $sdsl_addr
rdr inet proto tcp from 62.245.232.135 to $sdsl_addr port 3389 -> 172.23.2.1 port 3389
block in all
block out all
pass in on lo0 all
pass out on lo0 all
pass in on LAN from $lan_net to any keep state
pass in on SDSL from 62.245.232.135 to any keep state
pass in on SDSL proto tcp from any to $proxy port { 22, 80, 443 } keep state
pass in on SDSL proto tcp from any to $mta port 25 keep state
pass in on SDSL proto { udp, tcp } from any to $dns port 53 keep state
pass in on SDSL proto tcp from any to $web port { 80, 443 } keep state

pass out on SDSL from $sdsl_net keep state
pass out on LAN from $lan_addr to $lan_net keep state

P.S.: Why do I need the second line with the following rule? Shouldn't the 
'keep state' open the internal interface for outgoing packets from the given 
IP?
pass in on SDSL from 62.245.232.135 to any keep state
pass out on LAN from 62.245.232.135 to 172.23.2.1
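An added audit example, not part of the mail: PF applies nat/rdr before filtering, so the filter rules see the translated destination and every rdr target needs its own "pass in" rule on the external interface. This constructed Python lint parses a pf.conf in the style of the ruleset above and reports redirect targets that no non-loopback "pass in" rule admits; the sample ruleset, its 8080 redirect and all names in it are constructed.

```python
import re

# Constructed sample in the style of the mail's ruleset; the 8080 redirect is a deliberately uncovered case.
PF_CONF = """
sdsl_addr="a.b.c.d"
rdr inet proto tcp from 62.245.232.135 to $sdsl_addr port 3389 -> 172.23.2.1 port 3389
rdr inet proto tcp from any to $sdsl_addr port 8080 -> 172.23.2.2 port 80
pass in on lo0 all
pass in on SDSL from 62.245.232.135 to any keep state
pass in on SDSL proto tcp from any to a.a.a.a port { 22, 80, 443 } keep state
"""

def tokenize(conf):
    """Expand $macros, collapse '{ a, b }' lists and return one token list per rule."""
    macros, rules = {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r'(\w+)\s*=\s*"([^"]*)"', line)
        if m:
            macros[m.group(1)] = m.group(2)
        elif line:
            line = re.sub(r"\$(\w+)", lambda x: macros.get(x.group(1), x.group(0)), line)
            line = re.sub(r"\{\s*([^}]*?)\s*\}", lambda x: "{" + x.group(1).replace(" ", "") + "}", line)
            rules.append(line.split())
    return rules

def field(tok, key, default="any"):  # token following a keyword; 'any' if absent
    return tok[tok.index(key) + 1] if key in tok else default

def matches(spec, value):
    """'any' or a {list} containing value covers it; otherwise require an exact match."""
    return spec == "any" or value in spec.strip("{}").split(",")

def uncovered_redirects(conf):
    """rdr targets that no non-loopback 'pass in' rule admits after translation."""
    rules = tokenize(conf)
    passes = [t for t in rules if t[:2] == ["pass", "in"] and field(t, "on") != "lo0"]
    findings = []
    for tok in (t for t in rules if t[0] == "rdr"):
        lhs, rhs = tok[:tok.index("->")], tok[tok.index("->") + 1:]
        target, port = rhs[0], field(rhs, "port", field(lhs, "port"))
        covered = any(
            field(lhs, "on") in ("any", field(p, "on"))      # same interface, if the rdr names one
            and matches(field(p, "proto"), field(lhs, "proto"))
            and matches(field(p, "from"), field(lhs, "from"))
            and matches(field(p, "to"), target)             # post-translation destination
            and matches(field(p, "port"), port)
            for p in passes)
        if not covered:
            findings.append(f"{target}:{port} (from {field(lhs, 'from')})")
    return findings
```

Run against the real file with `uncovered_redirects(open("/etc/pf.conf").read())`; the lint only understands the rule shapes used above (no tables, anchors or address lists).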