Hi.
I am having a little problem with ipf. It won't filter correctly when I use
pptp at startup to get internet access.
Let me describe my system first:
$ dmesg | grep FreeBSD
FreeBSD 4.7-STABLE #11: Sat Dec 14 19:36:26 CET 2002
$ ipf -V
ipf: IP Filter: v3.4.29 (336)
Kernel: IP Filter: v3.4.29
Running: yes
Log Flags: 0 = none set
Default: block all, Logging: available
Active list: 0
$ cat /usr/local/etc/rc.d/020.pptp.sh
#!/bin/sh
#
case "$1" in
start)
    killall ppp 2> /dev/null
    killall pptp 2> /dev/null
    rm -rf /var/run/pptp
    (/usr/local/sbin/pptp 10.0.0.138 --phone pc1 mxstream &)
    echo -n ' mxstream'
    ;;
stop)
    killall ppp 2> /dev/null
    killall pptp 2> /dev/null
    rm -rf /var/run/pptp
    ;;
*)
    echo "Usage: /usr/local/etc/rc.d/pptp.sh { start | stop }" >&2
    exit 1
esac
exit 0
Now, when I use no filtering, NAT works fine.
$ cat /etc/ipf.rules
pass in all
pass out all
$ shutdown -r now
[REBOOTS]
$ ping www.xs4all.nl
PING www.xs4all.nl (194.109.6.92): 56 data bytes
64 bytes from 194.109.6.92: icmp_seq=0 ttl=251 time=1146.448 ms
After this, I can load the "tight" ipf rulelist and still have internet
access.
$ ipf -F a -f /etc/ipf.rules.safe
$ ping www.xs4all.nl
PING www.xs4all.nl (194.109.6.92): 56 data bytes
64 bytes from 194.109.6.92: icmp_seq=0 ttl=251 time=1368.318 ms
$ cat /etc/ipf.rules.safe
# Let loopback packets through
pass in quick on lo0 all
pass out quick on lo0 all
# Traffic from and to local LAN
pass in quick on xl0 proto tcp from 192.168.102.0/24 to any keep state
pass in quick on xl0 proto udp from 192.168.102.0/24 to any keep state
pass in quick on xl0 proto icmp from 192.168.102.0/24 to any keep state
pass out quick on xl0 proto tcp from any to 192.168.102.0/24 keep state
pass out quick on xl0 proto udp from any to 192.168.102.0/24 keep state
pass out quick on xl0 proto icmp from any to 192.168.102.0/24 keep state
# Disallow direct access to the Alcatel
block out log quick on de0 proto tcp from any to 10.0.0.138 port = 21
block out log quick on de0 proto tcp from any to 10.0.0.138 port = 23
block out log quick on de0 proto tcp from any to 10.0.0.138 port = 80
# Allow all other communication
pass out quick on de0 from 10.0.0.139/32 to 10.0.0.138
pass in quick on de0 from 10.0.0.138/32 to 10.0.0.139
# Anti-spoofing rules
block in log quick on tun0 from 0.0.0.0/8 to any
block in log quick on tun0 from 127.0.0.0/8 to any
block in log quick on tun0 from 10.0.0.0/8 to any
block in log quick on tun0 from 172.16.0.0/12 to any
block in log quick on tun0 from 192.168.0.0/16 to any
block in log quick on tun0 from 169.254.0.0/16 to any
block in log quick on tun0 from 224.0.0.0/3 to any
# Anti-spoof; own IP address
block in log quick on tun0 from 80.126.36.154 to any
# (additional rules go here that allow access to the gateway)
# outdated
#pass in log quick on tun0 from any to 194.109.196.149
#pass out log quick on tun0 from 194.109.196.149 to any
# Allow traffic to go out to the internet
pass out quick on tun0 proto tcp from any to any keep state
pass out quick on tun0 proto udp from any to any keep state
pass out quick on tun0 proto icmp from any to any keep state
# Allow SSH(2) in from the internet
pass in quick on tun0 proto tcp from any to any port = 22 keep state
# Allow Email in from the internet
pass in quick on tun0 proto tcp from any to any port = 25 keep state
# Allow DNS in from the internet
pass in quick on tun0 proto tcp from any to any port = 53 keep state
pass in quick on tun0 proto udp from any to any port = 53 keep state
# Allow HTTP in from the internet
#pass in quick on tun0 proto tcp from any to any port = 80 keep state
# Allow IMAP in from the internet
#pass in quick on tun0 proto tcp from any to any port = 143 keep state
# EOF.
However, when I use the above ruleset as the default, I get the following
behaviour:
$ cp /etc/ipf.rules.safe /etc/ipf.rules
$ shutdown -r now
[REBOOTS]
$ ping www.xs4all.nl
ping: cannot resolve www.xs4all.nl: Host name lookup failure
$ ipf -F a -f /etc/ipf.rules
$ ping www.xs4all.nl
PING www.xs4all.nl (194.109.6.92): 56 data bytes
So, reloading the ruleset after booting fixes the problem.
One would think that it's easy enough to let a /usr/local/etc/rc.d/ script
do the reloading of the ruleset automagically, but unfortunately that seems
to _disconnect_ pptp entirely:
$ mv 040.ipf-fix.sh.n 040.ipf-fix.sh
$ cat /usr/local/etc/rc.d/040.ipf-fix.sh
#!/bin/sh
#
case "$1" in
start)
    sleep 30
    ipf -F a -F S -f /etc/ipf.rules
    echo -n " ipffix"
    ;;
stop)
    ;;
*)
    echo "Usage: /usr/local/etc/rc.d/ipf-fix.sh { start | stop }" >&2
    exit 1
esac
exit 0
$ shutdown -r now
[REBOOTS]
$ ping www.xs4all.nl
ping: cannot resolve www.xs4all.nl: Host name lookup failure
$ grep Mar.*9\ 14.*pp /var/log/messages
Mar 9 14:11:52 messenger pptp[172]: log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:548]: Client connection established.
Mar 9 14:11:53 messenger pptp[172]: log[pptp_dispatch_ctrl_packet:pptp_ctrl.c:655]: Outgoing call established (call ID 0, peer's call ID 0).
Mar 9 14:11:58 messenger ppp[167]: tun0: Warning: ipv4_Input: IPCP not open - packet dropped
Mar 9 14:12:26 messenger pptp[172]: log[callmgr_main:pptp_callmgr.c:240]: Closing connection
Mar 9 14:12:26 messenger pptp[172]: log[pptp_conn_close:pptp_ctrl.c:285]: Closing PPTP connection
Mar 9 14:12:27 messenger su: rene to root on /dev/ttyp1
Mar 9 14:12:28 messenger pptp[172]: log[call_callback:pptp_callmgr.c:88]: Closing connection
And in this case the problem is fixed by:
$ /usr/local/etc/rc.d/020.pptp.sh start
mxstream { ([EMAIL PROTECTED]) (14:27-2003/03/09) (jobs:0) }-
$ ping www.xs4all.nl
PING www.xs4all.nl (194.109.6.92): 56 data bytes
64 bytes from 194.109.6.92: icmp_seq=0 ttl=251 time=46.379 ms
But then I don't have to reload the ruleset a second time.
I find this problem kinda strange, so I'd love to hear any tips to
resolve it.
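As an added example (not the original poster's 040.ipf-fix.sh, and not part of the thread), here is a variant of the reload script that polls ifconfig until tun0 actually has an IPv4 address instead of sleeping a fixed 30 seconds, checks that the rules file is readable and parses with ipf -n (no kernel changes) before flushing anything, and then runs the same `ipf -F a -f /etc/ipf.rules` the poster used by hand, i.e. rules only, without `-F S`, so existing state entries survive the reload. The interface name tun0, the rules path, the 120-second timeout and the FreeBSD 4.x ifconfig output format are assumptions; the addresses in the comments are the ones that appear in the poster's ruleset.

```shell
#!/bin/sh
# Added example, not the poster's script: reload the ipf ruleset only once the
# PPP interface has an IPv4 address. Assumes tun0, /etc/ipf.rules and the
# FreeBSD 4.x ifconfig output format (e.g. "inet 80.126.36.154 --> ...").

IFACE="${IFACE:-tun0}"
RULES="${RULES:-/etc/ipf.rules}"
TIMEOUT="${TIMEOUT:-120}"   # seconds to wait for the interface (assumed)

# iface_has_inet: reads ifconfig output on stdin; succeeds if an IPv4 "inet"
# line is present (the trailing space excludes "inet6").
iface_has_inet() {
    grep -q '^[[:space:]]*inet '
}

# wait_for_inet IFACE TIMEOUT: poll ifconfig every 2 seconds until the
# interface has an address; returns 0 on success, 1 on timeout.
wait_for_inet() {
    _iface="$1"; _limit="$2"; _waited=0
    while [ "$_waited" -lt "$_limit" ]; do
        if ifconfig "$_iface" 2>/dev/null | iface_has_inet; then
            return 0
        fi
        sleep 2
        _waited=$((_waited + 2))
    done
    return 1
}

# rules_parse_ok RULES: dry-run the file with ipf -n (no kernel changes).
# Any diagnostic on stderr is treated as a failed parse, so a typo in the
# file never leaves the box with its rules flushed and nothing loaded.
rules_parse_ok() {
    [ -r "$1" ] || return 1
    _err=$(ipf -n -f "$1" 2>&1 >/dev/null)
    [ -z "$_err" ]
}

# reload_rules RULES: the command the poster ran by hand (flush active rules,
# then load); state entries are left alone so live sessions are kept.
reload_rules() {
    rules_parse_ok "$1" || return 1
    ipf -F a -f "$1"
}

case "${1:-}" in
start)
    if wait_for_inet "$IFACE" "$TIMEOUT"; then
        reload_rules "$RULES" && echo -n " ipffix"
    else
        echo "ipf-fix: $IFACE did not get an address within ${TIMEOUT}s" >&2
    fi
    ;;
stop|"")
    # nothing to undo on stop; no argument means "define functions only"
    ;;
*)
    echo "Usage: /usr/local/etc/rc.d/040.ipf-fix.sh { start | stop }" >&2
    exit 1
    ;;
esac
```

Installed as /usr/local/etc/rc.d/040.ipf-fix.sh it runs after 020.pptp.sh as before; the difference from the poster's version is that the reload is gated on the interface state rather than on wall-clock time, and the state table is not flushed.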