machine locks with PF (without using user dependent rules)

Max Laier max at love2party.net
Sat Jan 8 09:24:59 PST 2005


On Saturday 08 January 2005 17:52, Robert Watson wrote:
> On Sat, 8 Jan 2005, Harald Schmalzbauer wrote:
> > my machine hard locks with the attached ruleset.  If I set
> > debug.mpsafenet to 0 everything is fine. This was a wild guess from me,
> > I could nowhere find the info that PF needs this tweaking and I think
> > it's not intended, otherwise it would be done in rc.conf e.g.

Yes, it is not intended.  Please keep in mind that debug.mpsafenet cannot be 
altered at runtime, hence rc.conf would be too late anyway.  Just making 
that clear.

> > I read about user depending rules in IPFW and that one has to disable
> > mpsafenet, but I'm not using user based rules in my PF config!
> > Unfortunately this machine is a CF-Card based Router where I cannot debug
> > anything, perhaps I can bring a witness-kernel on it, please tell me if
> > this problem is new to you and if I should do that.
>
> I've CC'd Max Laier due to his extensive work with pf on FreeBSD.  I think
> a WITNESS+INVARIANTS kernel would be quite helpful, if you could.

Yes, WITNESS would be interesting, though I don't expect to see any LORs, as 
this is not an overly complicated ruleset.  Actually, I am very surprised 
that it does lock up - what hardware is this?

What version of FreeBSD are you running?  RELENG_5_3?  Could you try to move 
`src/sys/contrib/pf' to RELENG_5 instead.  There are some bugfixes in there, 
that might help you.  Specifically there was an endless loop in the state 
matching code.  Please tell me if that helped.

> > Best regards,
> >
> > -Harry
> >
> > pf.conf: (note that the interface names are changed, so fxp0 is SDSL
> > e.g.)
> >
> > lan_net="172.23.0.0/16"
> > by_net="192.168.0.0/24"
> > sdsl_net="a.b.c.d/29"
> >
> > sdsl_addr="a.b.c.d"
> > lan_addr="172.23.0.1"
> > #pppoe_addr="10.0.0.1"
> > by_addr="192.168.0.1"
> >
> > proxy="a.a.a.a"
> > mta="b.b.b.b"
> > dns="c.c.c.c"
> > web="d.d.d.d"
> > dns2="10.0.0.2"
> >
> > set block-policy return
> > scrub in all
> >
> > nat on SDSL from $lan_net to !$sdsl_net  -> $sdsl_addr
> > rdr inet proto tcp from 62.245.232.135 to $sdsl_addr port 3389 -> 172.23.2.1 port 3389
> > block in all
> > block out all
> > pass in on lo0 all
> > pass out on lo0 all
> > pass in on LAN from $lan_net to any keep state
> > pass in on SDSL from 62.245.232.135 to any keep state
> > pass in on SDSL proto tcp from any to $proxy port { 22, 80, 443 } keep state
> > pass in on SDSL proto tcp from any to $mta port 25 keep state
> > pass in on SDSL proto { udp, tcp } from any to $dns port 53 keep state
> > pass in on SDSL proto tcp from any to $web port { 80, 443 } keep state
> >
> > pass out on SDSL from $sdsl_net keep state
> > pass out on LAN from $lan_addr to $lan_net keep state
> >
> > P.S.: Why do I need the second line with the following rule? Shouldn't
> > the 'keep state' open the internal interface for outgoing packets from
> > the given IP?
> > pass in on SDSL from 62.245.232.135 to any keep state
> > pass out on LAN from 62.245.232.135 to 172.23.2.1

For the normal forwarding path that's true, but not for the RDR case.  You can 
use "rdr pass" to circumvent this.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
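An added configuration example (not part of this post or of Harald's ruleset) showing the two ways of handling the rdr case Max describes: the explicit pass rules on both interfaces that the original ruleset needed, and the shorter "rdr pass" form. The macro names ext_if, int_if, ext_addr, rdp_client and rdp_host are assumptions introduced here; the addresses are the placeholder and values from the quoted pf.conf. Load only one of the two variants.

```pf
# Added example, not from the original thread.  Names below are assumptions.
ext_if="SDSL"               # external (SDSL) interface
int_if="LAN"                # internal interface
ext_addr="a.b.c.d"          # placeholder for the public SDSL address
rdp_client="62.245.232.135" # the single remote host allowed in
rdp_host="172.23.2.1"       # internal host the port is forwarded to

set block-policy return
scrub in all

# Default deny on both directions, as in the original ruleset.
block in all
block out all

# Variant 1: plain rdr plus explicit pass rules.
# Translation happens before filtering, so the "pass in" rule must match
# the already-rewritten destination ($rdp_host), and a separate "pass out"
# on the inside interface is still needed for the rdr case.
rdr on $ext_if inet proto tcp from $rdp_client to $ext_addr port 3389 \
    -> $rdp_host port 3389
pass in  on $ext_if inet proto tcp from $rdp_client to $rdp_host port 3389 keep state
pass out on $int_if inet proto tcp from $rdp_client to $rdp_host port 3389 keep state

# Variant 2: "rdr pass" lets the translation rule itself pass the packet,
# so the pass in / pass out pair above is not needed.  (Comment out
# Variant 1 when using this one; only the first matching rdr rule applies.)
#rdr pass on $ext_if inet proto tcp from $rdp_client to $ext_addr port 3389 \
#    -> $rdp_host port 3389
```

Either variant keeps the forwarded port restricted to the single source host and the single destination port, which is the part worth preserving whichever form is used: "rdr pass" only removes the need for the matching filter rules, it does not widen what is allowed in.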