Re: ipfilter on 6.1

2006-08-27 Thread Giorgos Keramidas
On 2006-08-26 20:31, "J.D. Bronson" <[EMAIL PROTECTED]> wrote:
> At 07:59 PM 8/26/2006, you wrote:
> >I'd go for the simpler syntax of:
> >
> >MYADDR:
> > ! /sbin/ipf -y
> 
> well that didn't work either. what a pain. :(
> 
> tun0: Warning: /etc/ppp/ppp.linkup: ! /sbin/ipf -y: Invalid command
> 
> perhaps it's time to write a script and simply reference the script
> from ppp.linkup

This is indeed a good idea :)

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
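The script idea the two messages above agree on can be small. What follows is an added example for this page, not a script posted in the thread: a hook to reference from ppp.linkup that runs only `ipf -y`, which resyncs IP Filter's in-kernel interface list with the interface's current state, and, as Giorgos points out further down the thread, leaves the rules, the NAT mappings and the state table alone. The path /usr/local/sbin/ipf-linkup.sh, the IPF and LOGGER overrides and the argument convention are the example's own; INTERFACE and MYADDR are the words ppp(8) substitutes in `!` commands.

```shell
#!/bin/sh
# ipf-linkup.sh: hook run from /etc/ppp/ppp.linkup once the PPP link is up.
# Added example for this thread, not a script from the original posts.
#
# /etc/ppp/ppp.linkup entry (ppp(8) replaces the words INTERFACE and MYADDR
# in "!" commands with the tunnel interface name and its new address):
#
#   MYADDR:
#    ! /usr/local/sbin/ipf-linkup.sh INTERFACE MYADDR
#
# The hook only resyncs IP Filter's copy of the interface addresses (ipf -y).
# It does not flush rules, NAT entries or the state table, so connections
# that survived a short PPP drop keep their state.

IPF=${IPF:-/sbin/ipf}      # path to ipf(8); overridable so the hook can be exercised without root
LOGGER=${LOGGER:-logger}   # syslog helper; set to "true" to silence

log() {
    # Log to syslog when logger(1) is available, else to stderr; never fail the hook on logging.
    "$LOGGER" -t ipf-linkup "$*" 2>/dev/null || printf 'ipf-linkup: %s\n' "$*" >&2
}

# linkup_cmd prints the one command this hook runs, for inspection or dry runs.
linkup_cmd() {
    printf '%s -y\n' "$IPF"
}

# run_linkup [IFACE] [ADDR]: resync ipf and return its exit status.
run_linkup() {
    iface=${1:-tun0}
    addr=${2:-unknown}
    log "link up on $iface ($addr); resyncing IP Filter interface addresses"
    if "$IPF" -y; then
        log "ipf -y succeeded on $iface"
        return 0
    else
        rc=$?
        log "ipf -y failed on $iface with status $rc"
        return "$rc"
    fi
}

# Act only where ipf(8) exists (i.e. on the FreeBSD router itself); elsewhere
# the file just defines the functions above.
if [ -x "$IPF" ]; then
    run_linkup "$@"
fi
```

Keeping the logic in a file ppp(8) merely executes also sidesteps the "Invalid command" problem: ppp parses the `!` line itself, and everything after the script path is passed to the script untouched.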


Re: ipfilter on 6.1

2006-08-26 Thread J.D. Bronson

At 07:59 PM 8/26/2006, you wrote:

> I'd go for the simpler syntax of:
>
> MYADDR:
>  ! /sbin/ipf -y

well that didn't work either. what a pain. :(

tun0: Warning: /etc/ppp/ppp.linkup: ! /sbin/ipf -y: Invalid command

perhaps it's time to write a script and simply reference the script
from ppp.linkup

-JD




Re: ipfilter on 6.1

2006-08-26 Thread Giorgos Keramidas
On 2006-08-26 19:46, "J.D. Bronson" <[EMAIL PROTECTED]> wrote:
> Ok guys...now that I have ipfilter working...I need to run a few
> commands in /etc/ppp/ppp.linkup and can't figure out the syntax...
>
> % cat /etc/ppp/ppp.linkup
>
> # It is no longer necessary to re-add the default route here as our
> MYADDR:
>
> ! sh -c "/sbin/ipnat -CF -f /etc/ipnat.conf"
> ! sh -c "/sbin/ipf -F -f /etc/ipf.conf"
> ! sh -c "/sbin/ipf -Fa -f /etc/ipf.conf"
> ! sh -c "/sbin/ipf -y"

Watch out for that empty line, if it is *REALLY* part of your
`ppp.linkup' script.  Empty lines are section delimiters in ppp(8)
config files.

There is also no reason to run ipf _twice_!

Please also note that I don't use "sh -c" to signal ntpd to start/stop
from my ppp.linkup script and it all works fine:

[EMAIL PROTECTED]:/root# cat -n /etc/ppp/ppp.linkup
 1  MYADDR:
 2   ! /etc/rc.d/ntpd start
[EMAIL PROTECTED]:/root#

Maybe the whole sh -c and quoting stuff you are using is not really
passed down to sh(1) but is parsed by ppp(8) when `ppp.linkup' is read?

I am also not sure if it is a good idea to run ``ipnat -CF'' or
``ipf -Fa''.  What about states of existing connections?  If you
momentarily lose the PPP connection, but it then comes up pretty fast,
you are effectively dropping all previous connection information here,
even though it may still be valid and useful.

I'd go for the simpler syntax of:

MYADDR:
 ! /sbin/ipf -y



Re: ipfilter on 6.1

2006-08-26 Thread J.D. Bronson
Ok guys...now that I have ipfilter working...I need to run a few
commands in /etc/ppp/ppp.linkup and can't figure out the syntax...



% cat /etc/ppp/ppp.linkup

# It is no longer necessary to re-add the default route here as our
MYADDR:

! sh -c "/sbin/ipnat -CF -f /etc/ipnat.conf"
! sh -c "/sbin/ipf -F -f /etc/ipf.conf"
! sh -c "/sbin/ipf -Fa -f /etc/ipf.conf"
! sh -c "/sbin/ipf -y"

...I also tried with !bg and that failed too.
what's the best way to get these commands to run once my ppp link is up?

thanks-

-JD



Re: ipfilter on 6.1

2006-08-26 Thread Giorgos Keramidas
On 2006-08-26 18:52, "J.D. Bronson" <[EMAIL PROTECTED]> wrote:
> At 06:37 PM 8/26/2006, Giorgos Keramidas wrote:
> >Cool!  If this is indeed the fix, let us know :)
> >
> >If you also feel like it and you are not limited by contract or
> >other things, I'd be interested to see how you modified IP Filter
> >to make it use a "block by default" policy.
> >
> >Regards,
> >Giorgos
> 
> This fixed it. WHEW!

Great :)

> Simply adding this to my own kernel:
> 
> options IPFILTER
> options IPFILTER_LOG
> options IPFILTER_DEFAULT_BLOCK

Ok this was what I wanted to make sure :)

> then:
> 
> # ipf -V
> 
> ipf: IP Filter: v4.1.8 (416)
> Kernel: IP Filter: v4.1.8
> Running: yes
> Log Flags: 0 = none set
> Default: block all, Logging: available
> Active list: 0
> Feature mask: 0xa



Re: ipfilter on 6.1

2006-08-26 Thread J.D. Bronson

At 06:37 PM 8/26/2006, Giorgos Keramidas wrote:

> Cool!  If this is indeed the fix, let us know :)
>
> If you also feel like it and you are not limited by contract or
> other things, I'd be interested to see how you modified IP Filter
> to make it use a "block by default" policy.
>
> Regards,
> Giorgos

This fixed it. WHEW!

Simply adding this to my own kernel:

options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK



then:

# ipf -V

ipf: IP Filter: v4.1.8 (416)
Kernel: IP Filter: v4.1.8
Running: yes
Log Flags: 0 = none set
Default: block all, Logging: available
Active list: 0
Feature mask: 0xa




Re: ipfilter on 6.1

2006-08-26 Thread Giorgos Keramidas
On 2006-08-26 17:48, "J.D. Bronson" <[EMAIL PROTECTED]> wrote:
>At 05:19 PM 8/26/2006, Giorgos Keramidas wrote:
>> You are implicitly blocking all traffic on the lo0 interface (by the
>> modified default policy to "block" all traffic, and missing an
>> explicit rule to allow lo0 traffic).
>>
>> When a system tries to connect to itself, it uses lo0/127.0.0.1 and
>> this is not possible with your setup.
>>
>> I hope this helps a bit,
>
> Oh geez...I can't believe I forgot lo0. HOW STUPID.
> I will edit this and take another look at it.

Cool!  If this is indeed the fix, let us know :)

If you also feel like it and you are not limited by contract or
other things, I'd be interested to see how you modified IP Filter
to make it use a "block by default" policy.

Regards,
Giorgos



Re: ipfilter on 6.1

2006-08-26 Thread Duane Hill
On Saturday, August 26, 2006 at 8:02:10 PM, J.D. confabulated:

> I got a full load of 6.1p4 installed and all built. I have pppoe and 
> ipfilter running almost perfect.

> Clients can use the machine (as a router) and get out perfectly!
> No issues with network performance at all. I am very pleased...until...

> I found out that the router itself can't get out 100%.

> My ipconfig is basically this:

> bge0 - 10.43.82.174
> alias 10.43.82.171 - for bind9 views
> alias 10.43.82.51 - for bind9 views

> bge1 - connected to dsl modem

> well I can't even telnet from the machine to itself!
> 'destination unreachable'

> DNS requests from the server itself (to itself - it runs bind) are 
> unanswered yet it is able to fully answer requests from internal or 
> external clients...just not itself!

> If I use a public DNS server -or- use the IP of the machine I want to 
> connect up to, the router is able to get out and uses the correct IP.

> I used the same configs from solaris on here (ipf.conf and ipnat.conf)
> and only needed to change sppp0 to tun0.

> this should take care of anything the machine itself needs:

> ipf.conf==
> # Pass LAN traffic to/from bge0
> pass in quick on bge0 all keep state keep frags
> pass out quick on bge0 all keep state keep frags

> # Pass traffic to WAN and keep state
> pass out quick on tun0 proto tcp all flags S keep state keep frags
> pass out quick on tun0 proto udp all keep state keep frags
> pass out quick on tun0 proto icmp all keep state keep frags

> ==

> I am totally baffled. It's like I am being blocked somehow but even 
> with ipfilter WIDE open - traffic still won't pass.

> I am wondering if this is some quirk with the interface 
> aliases...although running the basic same setup on solaris - it works 
> perfectly.

Did you build the kernel with the 'IPFILTER_DEFAULT_BLOCK'? If so, you
would have to have two allowances at the end for anything else that
didn't match the other rules:

pass in all
pass out all

Being you are using 'quick', the processing stops when a match is
found. If no match is found and you have IPFILTER_DEFAULT_BLOCK
enabled, everything else would be blocked.

I made this mistake when I set IPFilter up the first time and it was
in a colo facility over 800 miles away.

-- 
"This message was sent using 100% recycled electrons."



Re: ipfilter on 6.1

2006-08-26 Thread J.D. Bronson

At 05:19 PM 8/26/2006, Giorgos Keramidas wrote:

> You are implicitly blocking all traffic on the lo0 interface (by the
> modified default policy to "block" all traffic, and missing an explicit
> rule to allow lo0 traffic).
>
> When a system tries to connect to itself, it uses lo0/127.0.0.1 and this
> is not possible with your setup.
>
> I hope this helps a bit,
>
> -- Giorgos

Oh geez...I can't believe I forgot lo0. HOW STUPID.
I will edit this and take another look at it.

once I have this working..I still want to figure out why pf was not happy.

Thanks for pointing this out guys...I feel foolish, but glad someone told me.

-JD




Re: ipfilter on 6.1

2006-08-26 Thread Giorgos Keramidas
On 2006-08-26 17:10, "J.D. Bronson" <[EMAIL PROTECTED]> wrote:
> At 05:07 PM 8/26/2006, Giorgos Keramidas wrote:
> >Weird.  This doesn't seem to include *ANY* block rules at all.
> >
> >Is this a standard 6.1 installation, or do you have local IP Filter
> >modifications (like, for instance, a modified 'default' rule which
> >blocks everything, instead of allowing everything)?
> 
> Yes and no.
> 
> I did build a kernel with BLOCK as a default...
> but my IPF rules are pass it all with no specific blocking...

Well, there's your problem then.  If you are using a modified kernel
with "block" as the default action for IP Filter, then you have to
*EXPLICITLY* allow traffic to traverse the loopback interface, which you
haven't done.

Your current "ipf.conf" includes:

# Pass LAN traffic to/from bge0
pass in quick on bge0 all keep state keep frags
pass out quick on bge0 all keep state keep frags

# Pass traffic to WAN and keep state
pass out quick on tun0 proto tcp all flags S keep state keep frags
pass out quick on tun0 proto udp all keep state keep frags
pass out quick on tun0 proto icmp all keep state keep frags

Try reverting the local IP Filter changes that modify the default policy
to "block" and use something like this instead:

+   # Block everything by default.
+   block in log from any to any
+   block out log from any to any
+   
+   # Allow everything on lo0.
+   pass in quick on lo0 from 127.0.0.1/32 to 127.0.0.1/32
+   pass out quick on lo0 from 127.0.0.1/32 to 127.0.0.1/32

# Pass LAN traffic on bge0 interface.
pass in  quick on bge0 all keep state keep frags
pass out quick on bge0 all keep state keep frags

# Pass outgoing traffic to WAN and keep state
pass out quick on tun0 proto tcp all flags S keep state keep frags
pass out quick on tun0 proto udp all keep state keep frags
pass out quick on tun0 proto icmp all keep state keep frags

Please pay particular attention to the rules marked with '+' above.

This may explain why in a previous post you wrote:

On 2006-08-26 15:02, "J.D. Bronson" <[EMAIL PROTECTED]> wrote:
> Clients can use the machine (as a router) and get out perfectly!
> No issues with network performance at all. I am very pleased...until...
>
> I found out that the router itself can't get out 100%.
>
> My ipconfig is basically this:
>
> bge0 - 10.43.82.174
> alias 10.43.82.171 - for bind9 views
> alias 10.43.82.51 - for bind9 views
>
> bge1 - connected to dsl modem
>
> well I can't even telnet from the machine to itself!
> 'destination unreachable'
>
> DNS requests from the server itself (to itself - it runs bind) are
> unanswered yet it is able to fully answer requests from internal or
> external clients...just not itself!
>
> If I use a public DNS server -or- use the IP of the machine I want to
> connect up to, the router is able to get out and uses the correct IP.

You are implicitly blocking all traffic on the lo0 interface (by the
modified default policy to "block" all traffic, and missing an explicit
rule to allow lo0 traffic).

When a system tries to connect to itself, it uses lo0/127.0.0.1 and this
is not possible with your setup.

I hope this helps a bit,

-- Giorgos
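The diagnosis above comes down to two IP Filter rules of thumb: with a block default (whether from IPFILTER_DEFAULT_BLOCK or from explicit catch-all block rules) anything not passed is dropped, lo0 included, and a `quick` rule that matches ends evaluation for everything after it. The lint below is an added example for this page, not code from the thread or from the ipfilter project: it checks a ruleset for exactly those two traps using only awk, and runs itself over the thread's ipf.conf as posted and over the corrected version above, both embedded as constructed sample input. The file name ipf-lint.sh, the function names and the block/pass argument are the example's own.

```shell
#!/bin/sh
# ipf-lint.sh: catch the "block by default, but forgot lo0" mistake before a
# ruleset is loaded. Added example for this thread, not code from the posts.
#
#   ipf_lint FILE [block|pass]
#
# The second argument is the kernel's default policy: "block" when the kernel
# was built with options IPFILTER_DEFAULT_BLOCK, "pass" (the stock default)
# otherwise. Prints one finding per line and returns 1 if there are any.
ipf_lint() {
    awk -v kdefault="${2:-pass}" '
    { sub(/#.*/, "") }                     # strip comments
    /^[ \t]*$/ { next }                    # and blank lines
    $1 == "pass" || $1 == "block" {
        action = $1; dir = $2; iface = ""; quick = 0; catchall = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "on")    iface = $(i + 1)
            if ($i == "quick") quick = 1
            if ($i == "all")   catchall = 1
            if ($i == "from" && $(i+1) == "any" && $(i+2) == "to" && $(i+3) == "any")
                catchall = 1
        }
        # A quick rule with no interface that matches everything ends
        # evaluation for that direction: later rules in it are dead.
        if (dir in shadowed) {
            printf "line %d: unreachable, shadowed by quick catch-all on line %d: %s\n",
                   NR, shadowed[dir], $0
            bad++
        }
        if (quick && iface == "" && catchall) shadowed[dir] = NR
        if (action == "pass"  && iface == "lo0")            lo[dir] = 1
        if (action == "block" && iface == "" && catchall)   blockall[dir] = 1
    }
    END {
        split("in out", dirs, " ")
        for (k = 1; k <= 2; k++) {
            d = dirs[k]
            if (kdefault != "block" && !(d in blockall)) {
                printf "no catch-all \"block %s\" rule and kernel default is pass: unmatched %s traffic is allowed\n", d, d
                bad++
            }
            if ((kdefault == "block" || (d in blockall)) && !(d in lo)) {
                printf "no \"pass %s ... on lo0\" rule: with a block default the host cannot reach 127.0.0.1\n", d
                bad++
            }
        }
        exit (bad ? 1 : 0)
    }' "$1"
}

# Constructed sample rulesets: the ipf.conf from the thread as posted, and the
# same rules with the explicit block and lo0 rules suggested above.
write_samples() {
    cat > "$1/thread.conf" <<'EOF'
# Pass LAN traffic to/from bge0
pass in quick on bge0 all keep state keep frags
pass out quick on bge0 all keep state keep frags

# Pass traffic to WAN and keep state
pass out quick on tun0 proto tcp all flags S keep state keep frags
pass out quick on tun0 proto udp all keep state keep frags
pass out quick on tun0 proto icmp all keep state keep frags
EOF
    cat > "$1/fixed.conf" <<'EOF'
# Block everything by default.
block in log from any to any
block out log from any to any

# Allow everything on lo0.
pass in quick on lo0 from 127.0.0.1/32 to 127.0.0.1/32
pass out quick on lo0 from 127.0.0.1/32 to 127.0.0.1/32

# Pass LAN traffic on bge0 interface.
pass in  quick on bge0 all keep state keep frags
pass out quick on bge0 all keep state keep frags

# Pass outgoing traffic to WAN and keep state
pass out quick on tun0 proto tcp all flags S keep state keep frags
pass out quick on tun0 proto udp all keep state keep frags
pass out quick on tun0 proto icmp all keep state keep frags
EOF
}

# Run both samples as if the kernel had IPFILTER_DEFAULT_BLOCK.
demo() {
    d=$(mktemp -d) || return 1
    write_samples "$d"
    for f in thread fixed; do
        printf '== %s.conf (kernel default: block) ==\n' "$f"
        if ipf_lint "$d/$f.conf" block; then echo "clean"; fi
    done
    rm -rf "$d"
}
demo
```

On the router itself, pair it with `ipf -n -f /etc/ipf.conf`, which parses the file without changing the running kernel, and after loading confirm with `ipfstat -hni` / `ipfstat -hno` that the lo0 rules are present and accumulate hits when the host connects to itself.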



Re: ipfilter on 6.1

2006-08-26 Thread J.D. Bronson

At 05:07 PM 8/26/2006, Giorgos Keramidas wrote:

> Weird.  This doesn't seem to include *ANY* block rules at all.
>
> Is this a standard 6.1 installation, or do you have local IP Filter
> modifications (like, for instance, a modified 'default' rule which
> blocks everything, instead of allowing everything)?

Yes and no.

I did build a kernel with BLOCK as a default...
but my IPF rules are pass it all with no specific blocking...

My next step was to try a kernel without the block, but I can't see
how that should matter...since I 'am' allowing it out...?


-JD 




Re: ipfilter on 6.1

2006-08-26 Thread Giorgos Keramidas
On 2006-08-26 16:05, "J.D. Bronson" <[EMAIL PROTECTED]> wrote:
> At 03:40 PM 8/26/2006, Giorgos Keramidas wrote:
> 
> >Don't show us the ipf.conf file you are using, but the output of:
> >
> >% ipfstat -hni
> >% ipfstat -hno
> >
> >Then we can really know what rules you have loaded in IP Filter.
> 
> 
> # ipfstat -hni
> 2 @1 pass in quick on bge0 all keep state keep frags
> 
> # ipfstat -hno
> 1 @1 pass out quick on bge0 all keep state keep frags
> 1 @2 pass out quick on tun0 proto tcp from any to any flags S/FSRPAU 
> keep state keep frags
> 1 @3 pass out quick on tun0 proto udp from any to any keep state keep frags
> 0 @4 pass out quick on sppp0 proto icmp from any to any keep state keep 
> frags
> 
> ...they seem to match exactly.

Weird.  This doesn't seem to include *ANY* block rules at all.

Is this a standard 6.1 installation, or do you have local IP Filter
modifications (like, for instance, a modified 'default' rule which
blocks everything, instead of allowing everything)?



Re: ipfilter on 6.1

2006-08-26 Thread J.D. Bronson

At 04:05 PM 8/26/2006, J.D. Bronson wrote:

> # ipfstat -hni
> 2 @1 pass in quick on bge0 all keep state keep frags
>
> # ipfstat -hno
> 1 @1 pass out quick on bge0 all keep state keep frags
> 1 @2 pass out quick on tun0 proto tcp from any to any flags S/FSRPAU
> keep state keep frags
> 1 @3 pass out quick on tun0 proto udp from any to any keep state keep frags
> 0 @4 pass out quick on sppp0 proto icmp from any to any keep state keep frags
>
> ...they seem to match exactly.

ahh..so I saw a typo above...so I changed that from 'sppp0' to
'tun0' but it makes no difference...I thought I was onto something.


-JD 




Re: ipfilter on 6.1

2006-08-26 Thread J.D. Bronson

At 03:40 PM 8/26/2006, Giorgos Keramidas wrote:

> Don't show us the ipf.conf file you are using, but the output of:
>
> % ipfstat -hni
> % ipfstat -hno
>
> Then we can really know what rules you have loaded in IP Filter.

# ipfstat -hni
2 @1 pass in quick on bge0 all keep state keep frags

# ipfstat -hno
1 @1 pass out quick on bge0 all keep state keep frags
1 @2 pass out quick on tun0 proto tcp from any to any flags S/FSRPAU 
keep state keep frags

1 @3 pass out quick on tun0 proto udp from any to any keep state keep frags
0 @4 pass out quick on sppp0 proto icmp from any to any keep state keep frags


...they seem to match exactly.




Re: ipfilter on 6.1

2006-08-26 Thread Giorgos Keramidas
On 2006-08-26 15:02, "J.D. Bronson" <[EMAIL PROTECTED]> wrote:
> I got a full load of 6.1p4 installed and all built. I have
> pppoe and ipfilter running almost perfect.
>
> Clients can use the machine (as a router) and get out
> perfectly!  No issues with network performance at all. I am
> very pleased...until...
>
> I found out that the router itself can't get out 100%.
>
> My ipconfig is basically this:
>
> bge0 - 10.43.82.174 alias 10.43.82.171 - for bind9 views alias
> 10.43.82.51 - for bind9 views
>
> bge1 - connected to dsl modem
>
> well I can't even telnet from the machine to itself!
> 'destination unreachable'
>
> DNS requests from the server itself (to itself - it runs bind)
> are unanswered yet it is able to fully answer requests from
> internal or external clients...just not itself!
>
> If I use a public DNS server -or- use the IP of the machine I
> want to connect up to, the router is able to get out and uses
> the correct IP.
>
> I used the same configs from solaris on here (ipf.conf and
> ipnat.conf) and only needed to change sppp0 to tun0.
>
> this should take care of anything the machine itself needs:
>
> ipf.conf==
> # Pass LAN traffic to/from bge0
> pass in quick on bge0 all keep state keep frags
> pass out quick on bge0 all keep state keep frags
>
> # Pass traffic to WAN and keep state
> pass out quick on tun0 proto tcp all flags S keep state keep frags
> pass out quick on tun0 proto udp all keep state keep frags
> pass out quick on tun0 proto icmp all keep state keep frags
> ==
>
> I am totally baffled. It's like I am being blocked somehow but
> even with ipfilter WIDE open - traffic still won't pass.
>
> I am wondering if this is some quirk with the interface
> aliases...although running the basic same setup on solaris
> - it works perfectly.

Don't show us the ipf.conf file you are using, but the output of:

% ipfstat -hni
% ipfstat -hno

Then we can really know what rules you have loaded in IP Filter.



ipfilter on 6.1

2006-08-26 Thread J.D. Bronson
I got a full load of 6.1p4 installed and all built. I have pppoe and 
ipfilter running almost perfect.


Clients can use the machine (as a router) and get out perfectly!
No issues with network performance at all. I am very pleased...until...

I found out that the router itself can't get out 100%.

My ipconfig is basically this:

bge0 - 10.43.82.174
alias 10.43.82.171 - for bind9 views
alias 10.43.82.51 - for bind9 views

bge1 - connected to dsl modem

well I can't even telnet from the machine to itself!
'destination unreachable'

DNS requests from the server itself (to itself - it runs bind) are 
unanswered yet it is able to fully answer requests from internal or 
external clients...just not itself!


If I use a public DNS server -or- use the IP of the machine I want to 
connect up to, the router is able to get out and uses the correct IP.


I used the same configs from solaris on here (ipf.conf and ipnat.conf)
and only needed to change sppp0 to tun0.

this should take care of anything the machine itself needs:

ipf.conf==
# Pass LAN traffic to/from bge0
pass in quick on bge0 all keep state keep frags
pass out quick on bge0 all keep state keep frags

# Pass traffic to WAN and keep state
pass out quick on tun0 proto tcp all flags S keep state keep frags
pass out quick on tun0 proto udp all keep state keep frags
pass out quick on tun0 proto icmp all keep state keep frags

==

I am totally baffled. It's like I am being blocked somehow but even 
with ipfilter WIDE open - traffic still won't pass.


I am wondering if this is some quirk with the interface 
aliases...although running the basic same setup on solaris - it works 
perfectly.



-JD
