> On 8/20/06, openbsd misc <[EMAIL PROTECTED]> wrote:
> > On 8/19/06, openbsd misc <[EMAIL PROTECTED]> wrote:
> > > > > On 8/19/06, openbsd misc <[EMAIL PROTECTED]> wrote:
> > > > >> Hello,
> > > > >>
> > > > >> nobody has an answer for that? :/ Or was my explanation not English enough? =) Please let me know if something is ambiguous.
> > > > >>
> > > > >> Regards
> > > > >>   Hagen Volpers
> > > > >>
> > > > >
> > > > > Hi,
> > > > Hello,
> > > >
> > > > > I do not know about pf, but maybe I can help anyway. Did you
> > > > > investigate why these two states look different?
> > > > > all icmp 192.168.122.128:512 -> 193.99.144.85       0:0
> > > > > all icmp 192.168.122.16:512 -> 84.60.163.18:34545 -> 193.99.144.85       0:0
> > > >
> > > > That's exactly my question. ;-) These states should not be different, but they are...
> > > >
> > > > > Also, have you tried looking at the state table _after_ restarting the pings? Does it look the same or different?
> > > >
> > > > Yes. It looks different (like the other line) if you wait for 10 seconds (udp timeout) before starting the ping again.
> > >
> > > Okay, so clearly the answer is here.
> > >
> > > The one that works is being set up to redirect through 84.60.163.18 (I assume this is your router?). The one that doesn't is sending directly to the outside world.
> > >
> > >
> > Hello,
> >
> > As you can see, both should be kept by the same rules:
> 
> This is the router machine?

Yes, it is.

> > # cat /etc/pf.conf
> > ext_if="pppoe0"
> > int_if="sis1"
> > set block-policy return
> > set skip on lo
> > scrub in
> > nat on $ext_if from !($ext_if) -> ($ext_if:0)
> > block in
> > pass out keep state
> > antispoof quick for { lo $int_if }
> > pass in on $ext_if inet proto tcp from any to ($ext_if) port { 22 } flags S/SA keep state
> > pass in inet proto icmp all icmp-type echoreq keep state
> > pass in quick proto { tcp, udp } from { 192.168.122.0/24 } to 192.168.122.2 port { 53 }
> > pass quick on $int_if
> >
> > The public IP address you mentioned is the one on the pppoe interface. There are no other entries that could make any changes (I wrote the rc script on my own =)).
> 
> misc@ might yell at you for this. I think it's neat, and I like how
> OpenBSD is so simple and clean that I understand I could do that
> completely. However, rc does a lot of stuff, and it's best not to
> tamper with. It also invokes side scripts like netstart. Use rc.local
> and rc.local.conf instead.

I thought that I had a problem in my rc script, too. The installation
is based on flashdist. That's why I'm not able to put back the old rc
script (too many commands are missing). The point is that two
machines are treated differently. I don't think that this problem can
be found in my rc script. I copied the stuff from netstart, and the
pf start is identical to the rc script.
I think there can be only two reasons for this:
- a bug
- a misconfiguration in my pf.conf

> Try putting the old rc back and see if it fixes things. If it does,
> great. If you still have some time maybe go through and diff it to
> your version and figure out what changed.
> 
> The key point I found in the source was this:
> 
> > >       if (PF_ANEQ(&s->lan.addr, &s->gwy.addr, s->af) ||
> > >           (s->lan.port != s->gwy.port)) {
> > >               print_host(&s->lan, s->af, opts);
> > >               if (s->direction == PF_OUT)
> > >                       printf(" -> ");
> > >               else
> > >                       printf(" <- ");
> > >       }
> 
> Because it is that which causes the intermediate host to be printed
> for the state which works.
> 
> > > It would seem that, for some reason, on the one that doesn't work, PF_ANEQ(&s->lan.addr, &s->gwy.addr, s->af) fails (and presumably the other test in that if fails because ICMP lacks ports). Yeah. Um, still confused. Too bad PF_ANEQ is a macro, so not in the manpages. Perhaps grep the tree for it?
> >
> > Unfortunately I'm not a developer... :(
> >
> 
> Neither am I. I found this by going to http://www.openbsd.org,
> clicking "Getting Source"->"Web" and finding the code for pfctl. I
> don't have a working OpenBSD system right now to check out the source
> on, and I was hoping you could. See
> <http://www.openbsd.org/anoncvs.html>
> 
> Or do you mean "I don't know C"?

Yes, I do... =)

> -Nick

Regards
  Hagen Volpers
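The pfctl logic quoted in this thread, modelled as an added example (not code from the thread or from pfctl itself): the two ICMP states from the state table are fed through a simplified version of print_state(), which prints the extra intermediate host only when lan and gwy differ, so a missing middle host means NAT never rewrote that state. The structures, pf_aneq() and fmt_host() are constructed stand-ins for pf's real structs, PF_ANEQ and print_host(), and the src/dst selection follows pfctl's print_state() as it stood in that era.

```c
#include <stdio.h>
#include <string.h>
/* Constructed, simplified model of what pfctl reads from a pf state: lan =
 * address before NAT, gwy = address after NAT, ext = remote peer. Strings
 * stand in for pf_addr; these are not pf's real structures. */
struct host { const char *addr; unsigned short port; };
struct state_model { struct host lan, gwy, ext; int out; /* 1 = PF_OUT */ };
/* Stand-in for the PF_ANEQ macro: true when the two addresses differ. */
static int pf_aneq(const struct host *a, const struct host *b)
{
	return strcmp(a->addr, b->addr) != 0;
}
/* Like print_host(): "addr" or "addr:port"; a port of 0 is left out. */
static void fmt_host(char *buf, size_t n, const struct host *h)
{
	if (h->port) snprintf(buf, n, "%s:%u", h->addr, h->port);
	else snprintf(buf, n, "%s", h->addr);
}
/* Formats a state the way the quoted pfctl code does. Returns 1 when the lan
 * host was printed, i.e. NAT rewrote the state, and 0 when it did not. */
int format_state(const struct state_model *s, char *out, size_t n)
{
	const char *arrow = s->out ? " -> " : " <- ";
	const struct host *src = s->out ? &s->gwy : &s->ext;
	const struct host *dst = s->out ? &s->ext : &s->lan;
	char lan[64], sbuf[64], dbuf[64];
	int translated = pf_aneq(&s->lan, &s->gwy) || s->lan.port != s->gwy.port;
	fmt_host(lan, sizeof lan, &s->lan);
	fmt_host(sbuf, sizeof sbuf, src);
	fmt_host(dbuf, sizeof dbuf, dst);
	if (translated)	/* the intermediate host only appears when lan != gwy */
		snprintf(out, n, "%s%s%s%s%s", lan, arrow, sbuf, arrow, dbuf);
	else
		snprintf(out, n, "%s%s%s", sbuf, arrow, dbuf);
	return translated;
}
int main(void)
{
	/* The two ICMP states from the thread, reconstructed from the pfctl output. */
	struct state_model st[2] = {
	    { {"192.168.122.16", 512}, {"84.60.163.18", 34545}, {"193.99.144.85", 0}, 1 },
	    { {"192.168.122.128", 512}, {"192.168.122.128", 512}, {"193.99.144.85", 0}, 1 },
	};
	char line[128];
	for (int i = 0; i < 2; i++) {
		int t = format_state(&st[i], line, sizeof line);
		printf("all icmp %s   [nat %s]\n", line, t ? "applied" : "NOT applied");
	}
	return 0;
}
```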
