Re: impossible rc.d ordering problem with stf and pf ?
Hello,

James Long wrote:
> Date: Mon, 29 Jan 2007 12:02:52 +
> From: Pete French [EMAIL PROTECTED]
> Subject: Re: impossible rc.d ordering problem with stf and pf ?
> To: freebsd-stable@freebsd.org, [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Message-ID: [EMAIL PROTECTED]
>
>>> 1) You use the interface name as address w/o dynamic lookup. i.e. ... from stf0 ...
>>
>> Yes, that's it - I hadn't come across this 'dynamic lookup' thing before though, so I didn't realise what it was. I still can't find it in the PF manual, aside from a reference that you need to do it for NAT.
>>
>>> To 1 and 2 there is a simple solution: Don't do that then! 1 can easily be defused by adding parentheses. i.e. ... from (stf0)
>>
>> pass out on (stf0) inet6 from any to any keep state
>
> Just for my edification, what is the point of keep state on an any-to-any rule?

Imagine that you have only 2 rules:

block in on $if all
pass out on $if from any to any keep state

With keep state you have internet, without it you do not have ;)

> Jim

-- 
Best Wishes,
Stefan Lambrev
ICQ# 24134177

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: impossible rc.d ordering problem with stf and pf ?
> Just for my edification, what is the point of keep state on an any-to-any rule?

It's a 'pass out' rule - without the 'keep state' the returning packets won't get back in.

-pete.
Re: impossible rc.d ordering problem with stf and pf ?
On Wed, Jan 31, 2007 at 09:30:56AM +0200, Stefan Lambrev wrote:
> Hello,
>
>>> pass out on (stf0) inet6 from any to any keep state
>>
>> Just for my edification, what is the point of keep state on an any-to-any rule?
>
> Imagine that you have only 2 rules:
>
> block in on $if all
> pass out on $if from any to any keep state
>
> With keep state you have internet, without it you do not have ;)

Thank you. I must read more closely. I did not grok the out.

Jim
Re: impossible rc.d ordering problem with stf and pf ?
> Date: Mon, 29 Jan 2007 12:02:52 +
> From: Pete French [EMAIL PROTECTED]
> Subject: Re: impossible rc.d ordering problem with stf and pf ?
> To: freebsd-stable@freebsd.org, [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Message-ID: [EMAIL PROTECTED]
>
>> 1) You use the interface name as address w/o dynamic lookup. i.e. ... from stf0 ...
>
> Yes, that's it - I hadn't come across this 'dynamic lookup' thing before though, so I didn't realise what it was. I still can't find it in the PF manual, aside from a reference that you need to do it for NAT.
>
>> To 1 and 2 there is a simple solution: Don't do that then! 1 can easily be defused by adding parentheses. i.e. ... from (stf0)
>
> pass out on (stf0) inet6 from any to any keep state

Just for my edification, what is the point of keep state on an any-to-any rule?

Jim
Re: impossible rc.d ordering problem with stf and pf ?
> 1) You use the interface name as address w/o dynamic lookup. i.e. ... from stf0 ...

Yes, that's it - I hadn't come across this 'dynamic lookup' thing before though, so I didn't realise what it was. I still can't find it in the PF manual, aside from a reference that you need to do it for NAT.

> To 1 and 2 there is a simple solution: Don't do that then! 1 can easily be defused by adding parentheses. i.e. ... from (stf0)

pass out on (stf0) inet6 from any to any keep state

Gives me a syntax error when I try and load it with pfctl. If I change it to:

pass out on stf0 inet6 from any to any keep state

Then it works loading it with pfctl, but now does not work at boot due to the lack of stf0 interface. :-(

-pete.
Re: impossible rc.d ordering problem with stf and pf ?
Pete French wrote:
>> 1) You use the interface name as address w/o dynamic lookup. i.e. ... from stf0 ...
>
> Yes, that's it - I hadn't come across this 'dynamic lookup' thing before though, so I didn't realise what it was. I still can't find it in the PF manual, aside from a reference that you need to do it for NAT.
>
>> To 1 and 2 there is a simple solution: Don't do that then! 1 can easily be defused by adding parentheses. i.e. ... from (stf0)
>
> pass out on (stf0) inet6 from any to any keep state
>
> Gives me a syntax error when I try and load it with pfctl. If I change it to:
>
> pass out on stf0 inet6 from any to any keep state
>
> Then it works loading it with pfctl, but now does not work at boot due to the lack of stf0 interface. :-(
>
> -pete.

This confused me at first. But I believe you only use the dynamic syntax (stf0) in places where the interface name gets converted to an address or network, rather than just specifying an interface. So, for instance

pass out on stf0 from (stf0) to any

The way I found them all was to look at pfctl -s rules and look for the rules that had the ip address that was causing the problem. For me, this occurred in places where I used the interface name with to, from, and inside the antispoof rule. That fixed my problem with ppp and pf.

Richard Coleman
[EMAIL PROTECTED]
Re: impossible rc.d ordering problem with stf and pf ?
On Monday 29 January 2007 13:02, Pete French wrote:
>> 1) You use the interface name as address w/o dynamic lookup. i.e. ... from stf0 ...
>
> Yes, that's it - I hadn't come across this 'dynamic lookup' thing before though, so I didn't realise what it was. I still can't find it in the PF manual, aside from a reference that you need to do it for NAT.
>
>> To 1 and 2 there is a simple solution: Don't do that then! 1 can easily be defused by adding parentheses. i.e. ... from (stf0)
>
> pass out on (stf0) inet6 from any to any keep state

No, that's a misunderstanding. The on ifnX part stays untouched.

> Gives me a syntax error when I try and load it with pfctl. If I change it to:
>
> pass out on stf0 inet6 from any to any keep state
>
> Then it works loading it with pfctl, but now does not work at boot due to the lack of stf0 interface. :-(

That's strange. Works here without a problem:

# ifconfig -l
fxp0 bge0 bge1 lo0 pflog0

No stf0 interface.

# echo pass out on stf0 inet6 from any to any keep state | pfctl -vf-
pass out on stf0 inet6 all keep state

Still, rule loaded without problems ...

The (ifnX) syntax is only for places where you use the interface as an address. The on ifnX part stays unchanged in any case and it does not matter if the interface exists already or not.

What version are you using again? My tests are with 6.2

-- 
/\  Best regards,                     | [EMAIL PROTECTED]
\ / Max Laier                         | ICQ #67774661
 X  http://pf4freebsd.love2party.net/ | [EMAIL PROTECTED]
/ \ ASCII Ribbon Campaign             | Against HTML Mail and News
Re: impossible rc.d ordering problem with stf and pf ?
> The (ifnX) syntax is only for places where you use the interface as an address. The on ifnX part stays unchanged in any case and it does not matter if the interface exists already or not.

Hmm, so what's going on with mine then? *goes and has a closer look*

gah! there was a 'loginterface' lurking in there! having removed that, and changing the address parts to (stf0) everything now works fine, thanks for the help!

I have a few other odd IPv6 issues, unrelated to PF, and possibly not really stable related either - what's the best list to ask about them on?

-pete.
Re: impossible rc.d ordering problem with stf and pf ?
Pete French wrote:
> Am trying to solve a little problem with 'pf'. I have a ruleset which has some firewall rules for the IPv6 interface stf0. This works fine, except when I reboot the machine, as the pf script is run before the network_ipv6 script - so stf0 does not exist. But I cannot work out how to arrange for stf0 to be created before the pf script is run - as network_ipv6 requires 'routing', but the pf script says it must be run before 'routing', if I am reading the 'REQUIRE' and 'BEFORE' lines correctly.

Just chiming in to confirm that this problem definitely exists. I don't have a solution, however, my IPv6 tunnels at home have all expired, so I may well get spare cycles to look at this the same time that I get spare cycles to revive the tunnels.

BMS
Re: impossible rc.d ordering problem with stf and pf ?
On 12/23/-58 20:59, Pete French wrote:
> Am trying to solve a little problem with 'pf'. I have a ruleset which has some firewall rules for the IPv6 interface stf0. This works fine, except when I reboot the machine, as the pf script is run before the network_ipv6 script - so stf0 does not exist. But I cannot work out how to arrange for stf0 to be created before the pf script is run - as network_ipv6 requires 'routing', but the pf script says it must be run before 'routing', if I am reading the 'REQUIRE' and 'BEFORE' lines correctly.

Pete,

I've played with that problem a few times. It's not a perfect solution, but you may create your own pf loading script and place it in /usr/local/etc/rc.d/. To make sure it's running late in startup, use a proper # REQUIRE: line.

That way (and that's what makes me say it's not perfect) the pf load script /etc/rc.d/pf is being run but aborts loading pf rules in the first place, and later (when rc is working through /usr/local/etc/rc.d/) pf rules are loaded by your custom script.

HTH,
Volker
Re: impossible rc.d ordering problem with stf and pf ?
Bruce M. Simpson wrote:
> Pete French wrote:
>> Am trying to solve a little problem with 'pf'. I have a ruleset which has some firewall rules for the IPv6 interface stf0. This works fine, except when I reboot the machine, as the pf script is run before the network_ipv6 script - so stf0 does not exist. But I cannot work out how to arrange for stf0 to be created before the pf script is run - as network_ipv6 requires 'routing', but the pf script says it must be run before 'routing', if I am reading the 'REQUIRE' and 'BEFORE' lines correctly.
>
> Just chiming in to confirm that this problem definitely exists. I don't have a solution, however, my IPv6 tunnels at home have all expired, so I may well get spare cycles to look at this the same time that I get spare cycles to revive the tunnels.
>
> BMS

Essentially the same problem exists with pf and ppp. The tun device (on which most of my pf rules depend) does not yet exist when pf is started. Apparently, someone has looked at this before, since there are commands to resync pf and ipf inside the rc.d script for ppp (in ppp_postcmd). But this still doesn't work, since ppp is still negotiating the connection when this function is run, so pf fails a second time.

My solution was to jam a sleep 15 inside ppp_postcmd() right before the point the commands to reload pf and ipf are run. It's major ugly, but it works.

Hopefully someone will find a better solution to these problems.

Richard Coleman
[EMAIL PROTECTED]
Re: impossible rc.d ordering problem with stf and pf ?
or just make a symlink from /etc/rc.d/pf to /usr/local/etc/rc.d/pf
I solved the problem with FQDN in pf rules this way

2007/1/28, Volker [EMAIL PROTECTED]:
> On 12/23/-58 20:59, Pete French wrote:
>> Am trying to solve a little problem with 'pf'. I have a ruleset which has some firewall rules for the IPv6 interface stf0. This works fine, except when I reboot the machine, as the pf script is run before the network_ipv6 script - so stf0 does not exist. But I cannot work out how to arrange for stf0 to be created before the pf script is run - as network_ipv6 requires 'routing', but the pf script says it must be run before 'routing', if I am reading the 'REQUIRE' and 'BEFORE' lines correctly.
>
> Pete,
>
> I've played with that problem a few times. It's not a perfect solution, but you may create your own pf loading script and place it in /usr/local/etc/rc.d/. To make sure it's running late in startup, use a proper # REQUIRE: line.
>
> That way (and that's what makes me say it's not perfect) the pf load script /etc/rc.d/pf is being run but aborts loading pf rules in the first place, and later (when rc is working through /usr/local/etc/rc.d/) pf rules are loaded by your custom script.
>
> HTH,
> Volker
Re: impossible rc.d ordering problem with stf and pf ?
On 01/28/07 16:40, Alexey Karagodov wrote:
> 2007/1/28, Volker [EMAIL PROTECTED]:
>> I've played with that problem a few times. It's not a perfect solution, but you may create your own pf loading script and place it in /usr/local/etc/rc.d/. To make sure it's running late in startup, use a proper # REQUIRE: line.
>>
>> That way (and that's what makes me say it's not perfect) the pf load script /etc/rc.d/pf is being run but aborts loading pf rules in the first place, and later (when rc is working through /usr/local/etc/rc.d/) pf rules are loaded by your custom script.
>
> or just make a symlink from /etc/rc.d/pf to /usr/local/etc/rc.d/pf
> I solved the problem with FQDN in pf rules this way

Alexey,

yes, I also did it using a simple symlink in the past, but reading stable@ (or has it been [EMAIL PROTECTED]) it is planned (or already implemented?) to respect the rcorder for /etc/rc.d/ _and_ /usr/local/etc/rc.d/ in one go. That means the rcorder is being calculated for both directories in one step. I suspect when just symlinking an rc-script from /etc/rc.d/ this might lead to the script being executed two times in a row.

I might be wrong on this, but your suggestion is using a side effect which might not work with all versions.

Greetings,
Volker
Re: impossible rc.d ordering problem with stf and pf ?
On Sunday 28 January 2007 16:33, Richard Coleman wrote:
> Bruce M. Simpson wrote:
>> Pete French wrote:
>>> Am trying to solve a little problem with 'pf'. I have a ruleset which has some firewall rules for the IPv6 interface stf0. This works fine, except when I reboot the machine, as the pf script is run before the network_ipv6 script - so stf0 does not exist. But I cannot work out how to arrange for stf0 to be created before the pf script is run - as network_ipv6 requires 'routing', but the pf script says it must be run before 'routing', if I am reading the 'REQUIRE' and 'BEFORE' lines correctly.
>>
>> Just chiming in to confirm that this problem definitely exists. I don't have a solution, however, my IPv6 tunnels at home have all expired, so I may well get spare cycles to look at this the same time that I get spare cycles to revive the tunnels.
>>
>> BMS
>
> Essentially the same problem exists with pf and ppp. The tun device (on which most of my pf rules depend) does not yet exist when pf is started. Apparently, someone has looked at this before, since there are commands to resync pf and ipf inside the rc.d script for ppp (in ppp_postcmd). But this still doesn't work, since ppp is still negotiating the connection when this function is run, so pf fails a second time.
>
> My solution was to jam a sleep 15 inside ppp_postcmd() right before the point the commands to reload pf and ipf are run. It's major ugly, but it works.
>
> Hopefully someone will find a better solution to these problems.

In order to solve these problems you have to understand why pf is failing. This can be for three reasons:

1) You use the interface name as address w/o dynamic lookup. i.e. ... from stf0 ...
2) You use set loginterface stf0
3) You use the interface with ALTQ altq on stf0 ... (now this doesn't work and wouldn't be a good idea either, but for tun0 it makes slightly more sense).

To 1 and 2 there is a simple solution: Don't do that then! 1 can easily be defused by adding parentheses. i.e. ... from (stf0) If more control is required you have to write explicit addresses in your configuration anyway. 2 is obsolete by pfctl -vvsI -i stf0 which has all the counters for all the interfaces.

ALTQ is the only remaining problem. I did do some initial patches to tear down altq on interface removal, which could be extended to work the other way 'round on interface arrival - if only I had more time :-\

-- 
/\  Best regards,                     | [EMAIL PROTECTED]
\ / Max Laier                         | ICQ #67774661
 X  http://pf4freebsd.love2party.net/ | [EMAIL PROTECTED]
/ \ ASCII Ribbon Campaign             | Against HTML Mail and News
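The three causes listed above can be checked for before a reboot rather than discovered at boot. The following is an added example, not code from the thread or from FreeBSD: a small lint that flags an interface used as an address without parentheses, `set loginterface`, `altq on`, and (per Richard Coleman's note) `antispoof for`; the sample pf.conf and the interface name stf0 are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread). Flags constructs that make a pf
# ruleset fail to load before an interface such as stf0 or tun0 exists.
# "on <ifn>" is deliberately not flagged: it loads whether or not the
# interface exists yet.

# pf_lint_ifaces <pf.conf> <ifname>...
# Prints one line per finding as "<reason>:<lineno>:<rule>".
pf_lint_ifaces() {
    conf=$1
    shift
    for ifn in "$@"; do
        awk -v ifn="$ifn" '
            { line = $0; sub("#.*", "", line) }   # ignore trailing comments
            # 1) "from stf0" / "to stf0": resolved to an address at load
            #    time, so pfctl fails while stf0 is absent; "(stf0)" is fine.
            line ~ ("(^|[ \t])(from|to)[ \t]+" ifn "([ \t]|$)") {
                print "noparens:" NR ":" $0 }
            # 2) "set loginterface stf0": needs a live interface.
            line ~ ("^[ \t]*set[ \t]+loginterface[ \t]+" ifn "([ \t]|$)") {
                print "loginterface:" NR ":" $0 }
            # 3) "altq on stf0": no workaround, per the thread.
            line ~ ("^[ \t]*altq[ \t]+on[ \t]+" ifn "([ \t]|$)") {
                print "altq:" NR ":" $0 }
            # antispoof expands the interface to its networks as well.
            line ~ ("^[ \t]*antispoof[ \t].*for[ \t]+" ifn "([ \t]|$)") {
                print "antispoof:" NR ":" $0 }
        ' "$conf"
    done
}

# Constructed sample ruleset mirroring the thread. Only the last two
# rules would load on a boot where stf0 does not exist yet.
write_sample_conf() {
    cat > "$1" <<'EOF'
set loginterface stf0
antispoof for stf0 inet6
block in on stf0 inet6 from any to stf0
pass out on stf0 inet6 from stf0 to any keep state   # bad: address w/o ()
pass out on stf0 inet6 from (stf0) to any keep state # fine: dynamic lookup
block in on stf0 all
EOF
}

# Number of findings for the sample; 0 would mean the ruleset is boot-safe.
sample_finding_count() {
    tmp=$(mktemp) || return 1
    write_sample_conf "$tmp"
    n=$(pf_lint_ifaces "$tmp" stf0 | wc -l | tr -d ' ')
    rm -f "$tmp"
    echo "$n"
}
```

Run it as `pf_lint_ifaces /etc/pf.conf stf0 tun0` against a real ruleset; an empty result means none of the three causes (nor antispoof) is present for those interfaces.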
Re: impossible rc.d ordering problem with stf and pf ?
Max Laier wrote:
> On Sunday 28 January 2007 16:33, Richard Coleman wrote:
>> Bruce M. Simpson wrote:
>>> Pete French wrote:
>>>> Am trying to solve a little problem with 'pf'. I have a ruleset which has some firewall rules for the IPv6 interface stf0. This works fine, except when I reboot the machine, as the pf script is run before the network_ipv6 script - so stf0 does not exist. But I cannot work out how to arrange for stf0 to be created before the pf script is run - as network_ipv6 requires 'routing', but the pf script says it must be run before 'routing', if I am reading the 'REQUIRE' and 'BEFORE' lines correctly.
>>>
>>> Just chiming in to confirm that this problem definitely exists. I don't have a solution, however, my IPv6 tunnels at home have all expired, so I may well get spare cycles to look at this the same time that I get spare cycles to revive the tunnels.
>>>
>>> BMS
>>
>> Essentially the same problem exists with pf and ppp. The tun device (on which most of my pf rules depend) does not yet exist when pf is started. Apparently, someone has looked at this before, since there are commands to resync pf and ipf inside the rc.d script for ppp (in ppp_postcmd). But this still doesn't work, since ppp is still negotiating the connection when this function is run, so pf fails a second time.
>>
>> My solution was to jam a sleep 15 inside ppp_postcmd() right before the point the commands to reload pf and ipf are run. It's major ugly, but it works.
>>
>> Hopefully someone will find a better solution to these problems.
>
> In order to solve these problems you have to understand why pf is failing. This can be for three reasons:
>
> 1) You use the interface name as address w/o dynamic lookup. i.e. ... from stf0 ...
> 2) You use set loginterface stf0
> 3) You use the interface with ALTQ altq on stf0 ... (now this doesn't work and wouldn't be a good idea either, but for tun0 it makes slightly more sense).
>
> To 1 and 2 there is a simple solution: Don't do that then! 1 can easily be defused by adding parentheses. i.e. ... from (stf0) If more control is required you have to write explicit addresses in your configuration anyway. 2 is obsolete by pfctl -vvsI -i stf0 which has all the counters for all the interfaces.
>
> ALTQ is the only remaining problem. I did do some initial patches to tear down altq on interface removal, which could be extended to work the other way 'round on interface arrival - if only I had more time :-\

I remember trying a dynamic interface for tun before, and it failed. But I now see that it was because I also use set loginterface. I didn't think to remove that. Thanks for the help. I'll give it a try.

Richard Coleman
[EMAIL PROTECTED]
impossible rc.d ordering problem with stf and pf ?
Am trying to solve a little problem with 'pf'. I have a ruleset which has some firewall rules for the IPv6 interface stf0. This works fine, except when I reboot the machine, as the pf script is run before the network_ipv6 script - so stf0 does not exist. But I cannot work out how to arrange for stf0 to be created before the pf script is run - as network_ipv6 requires 'routing', but the pf script says it must be run before 'routing', if I am reading the 'REQUIRE' and 'BEFORE' lines correctly.

Any solutions?

-pete.
Re: impossible rc.d ordering problem with stf and pf ?
On Sat, Jan 27, 2007 at 06:23:27PM +, Pete French wrote:
> Am trying to solve a little problem with 'pf'. I have a ruleset which has some firewall rules for the IPv6 interface stf0. This works fine, except when I reboot the machine, as the pf script is run before the network_ipv6 script - so stf0 does not exist. But I cannot work out how to arrange for stf0 to be created before the pf script is run - as network_ipv6 requires 'routing', but the pf script says it must be run before 'routing', if I am reading the 'REQUIRE' and 'BEFORE' lines correctly.
>
> Any solutions?

Just a thought:

Put the IPv6 specific rules in a separate file. Put a script in /usr/local/etc/rc.d that REQUIREs network_ipv6. In this script, use pfctl to load the IPv6 specific rules.

Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)