On 8/19/06, openbsd misc <[EMAIL PROTECTED]> wrote:
> > > On 8/19/06, openbsd misc <[EMAIL PROTECTED]> wrote:
> > >> Hello,
> > >>
> > >> nobody has an answer for that? :/ Or was my explanation not English
> > >> enough? =) Please let me know if something is ambiguous.
> > >>
> > >> Regards
> > >> Hagen Volpers
> > >>
> > >
> > > Hi,
> > Hello,
> >
> > > I do not know about pf, but maybe I can help anyway. Did you
> > > investigate why these two states look different?
> > > all icmp 192.168.122.128:512 -> 193.99.144.85 0:0
> > > all icmp 192.168.122.16:512 -> 84.60.163.18:34545 -> 193.99.144.85 0:0
> >
> > That's exactly my question. ;-) These states should not be different,
> > but they are...
> >
> > > Also, have you tried looking at the state table _after_ restarting the
> > > pings? Does it look the same or different?
> >
> > Yes. It looks different (like the other line) if you wait for 10 seconds
> > (udp timeout) before starting the ping again.
>
> Okay, so clearly the answer is here.
>
> The one that works is being set up to redirect through 84.60.163.18 (I
> assume this is your router?). The one that doesn't is sending directly
> to the outside world.
>
>
Hello,
as you can see, both should be kept by the same rules:
# cat /etc/pf.conf
ext_if="pppoe0"
int_if="sis1"
set block-policy return
set skip on lo
scrub in
nat on $ext_if from !($ext_if) -> ($ext_if:0)
block in
pass out keep state
antispoof quick for { lo $int_if }
pass in on $ext_if inet proto tcp from any to ($ext_if) port { 22 } flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass in quick proto { tcp, udp } from { 192.168.122.0/24 } to 192.168.122.2 port { 53 }
pass quick on $int_if
The public IP address you mentioned is the one on the pppoe interface. There
are no other entries that could make any changes (I wrote the rc script
on my own =)).
>
> I don't know what that printout means! It's not documented in the
> manpage. Probably have to check the source to see what it is... Here
> that source is, from /sbin/pfctl/pf_print_state.c:
> void
> print_state(struct pf_state *s, int opts)
> {
>         struct pf_state_peer *src, *dst;
>         struct protoent *p;
>         int min, sec;
>
>         if (s->direction == PF_OUT) {
>                 src = &s->src;
>                 dst = &s->dst;
>         } else {
>                 src = &s->dst;
>                 dst = &s->src;
>         }
>         printf("%s ", s->u.ifname);
>         if ((p = getprotobynumber(s->proto)) != NULL)
>                 printf("%s ", p->p_name);
>         else
>                 printf("%u ", s->proto);
>         if (PF_ANEQ(&s->lan.addr, &s->gwy.addr, s->af) ||
>             (s->lan.port != s->gwy.port)) {
>                 print_host(&s->lan, s->af, opts);
>                 if (s->direction == PF_OUT)
>                         printf(" -> ");
>                 else
>                         printf(" <- ");
>         }
>         print_host(&s->gwy, s->af, opts);
>         if (s->direction == PF_OUT)
>                 printf(" -> ");
>         else
>                 printf(" <- ");
>         print_host(&s->ext, s->af, opts);
>
>         printf(" ");
>         if (s->proto != IPPROTO_ICMP && src->state < PFOTHERS_NSTATES &&
>             dst->state < PFOTHERS_NSTATES) {
>                 /* XXX ICMP doesn't really have state levels */
>                 const char *states[] = PFOTHERS_NAMES;
>
>                 printf(" %s:%s\n", states[src->state],
>                     states[dst->state]);
>         }
>
> It would seem that, for some reason, on the one that doesn't work,
> PF_ANEQ(&s->lan.addr, &s->gwy.addr, s->af) fails (and presumably the
> other test in that if fails because ICMP lacks ports). Yeah. Um, still
> confused. Too bad PF_ANEQ is a macro, so not in the manpages. Perhaps
> grep the tree for it?
Unfortunately I'm not a developer... :(
> -Nick
Regards
Hagen Volpers
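The state lines quoted in this thread are the `pfctl -ss` format that the `print_state()` excerpt above writes: `ifname proto [lan ->] gwy -> ext src:dst`, with the lan hop present only when translation changed the address or port. As an added example, not part of this thread and not pfctl's own code, here is a parser that undoes that format and lists outbound states that were printed without a NAT hop while still carrying a private gateway address, which is the shape of the first, non-working ICMP line. The sample input is constructed: two lines are copied from the thread, the NAT'd TCP state and the inbound SSH state are invented for contrast, and the "private source to global destination" test is an assumption about what a broken state looks like, not something pfctl reports.

```python
"""Added example: parse the old pfctl -ss state lines seen in this thread and
list outbound states created without a NAT hop.  Not code from the thread or
from pfctl; the sample lines are constructed (two copied from the thread)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Union

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample: the two ICMP states quoted in the thread, plus an
# invented NAT'd TCP state and an invented inbound SSH state for contrast.
SAMPLE_STATES = """\
all icmp 192.168.122.128:512 -> 193.99.144.85 0:0
all icmp 192.168.122.16:512 -> 84.60.163.18:34545 -> 193.99.144.85 0:0
all tcp 192.168.122.16:41022 -> 84.60.163.18:55123 -> 193.99.144.85:80 ESTABLISHED:ESTABLISHED
pppoe0 tcp 84.60.163.18:22 <- 203.0.113.7:50441 ESTABLISHED:ESTABLISHED
"""

# "<ifname> <proto> <host> (<arrow> <host>){1,2} <src>:<dst>", any run of spaces.
_LINE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+(?P<hosts>.+?)\s+(?P<states>\S+:\S+)$")


@dataclass
class Host:
    addr: Addr
    port: int


@dataclass
class State:
    ifname: str
    proto: str
    direction: str        # "out" for "->", "in" for "<-"
    lan: Optional[Host]   # printed only when translation changed addr or port
    gwy: Host
    ext: Host
    peer_states: str      # e.g. "0:0" or "ESTABLISHED:ESTABLISHED"

    @property
    def translated(self) -> bool:
        """print_state() emits the lan hop only when lan != gwy (PF_ANEQ or port)."""
        return self.lan is not None


def parse_host(text: str) -> Host:
    """Undo print_host(): IPv4 is 'a.b.c.d[:port]', IPv6 is 'addr[port]',
    and a zero port is not printed at all (the ICMP ext host above)."""
    if text.endswith("]"):
        addr, _, port = text[:-1].rpartition("[")
        return Host(ipaddress.ip_address(addr), int(port))
    if text.count(":") == 1:
        addr, _, port = text.partition(":")
        return Host(ipaddress.ip_address(addr), int(port))
    return Host(ipaddress.ip_address(text), 0)


def parse_state(line: str) -> State:
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a pfctl state line: {line!r}")
    parts = re.split(r"\s+(->|<-)\s+", m["hosts"])
    hosts = [parse_host(h) for h in parts[0::2]]
    arrows = set(parts[1::2])
    if len(hosts) not in (2, 3) or len(arrows) != 1:
        raise ValueError(f"unexpected host chain: {m['hosts']!r}")
    direction = "out" if arrows.pop() == "->" else "in"
    lan = hosts[0] if len(hosts) == 3 else None
    return State(m["ifname"], m["proto"], direction, lan, hosts[-2], hosts[-1], m["states"])


def parse_states(text: str) -> List[State]:
    return [parse_state(l) for l in text.splitlines() if l.strip()]


def render_host(h: Host) -> str:
    if h.port == 0:
        return str(h.addr)
    return f"{h.addr}:{h.port}" if h.addr.version == 4 else f"{h.addr}[{h.port}]"


def render_state(s: State) -> str:
    """Reproduce print_state() with single spaces (round-trips parse_state)."""
    arrow = " -> " if s.direction == "out" else " <- "
    chain = [s.gwy, s.ext] if s.lan is None else [s.lan, s.gwy, s.ext]
    return f"{s.ifname} {s.proto} {arrow.join(map(render_host, chain))} {s.peer_states}"


def untranslated_outbound(states: List[State]) -> List[State]:
    """Assumed failure shape: outbound, no NAT hop, and the gateway side is still
    a private address talking to a global one, so replies cannot come back."""
    return [s for s in states
            if s.direction == "out" and not s.translated
            and s.gwy.addr.is_private and s.ext.addr.is_global]


if __name__ == "__main__":
    for s in untranslated_outbound(parse_states(SAMPLE_STATES)):
        print("untranslated:", render_state(s))
```

Run against real output with `pfctl -ss | python3 this.py`-style piping after swapping `SAMPLE_STATES` for `sys.stdin.read()`. The check only identifies states that look like the non-working line in the thread; it says nothing about why pf created that state without translation, which this thread leaves open.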