Re: pf 'synproxy state' doesn't work with pppoe
On Thu, Aug 16, 2012 at 20:43:18 +0100, Kevin Chadwick wrote:
> > > > pass all flags S/SA
> > > > pass in on pppoe0 inet proto tcp from src to dst port = flags S/SA synproxy state
>
> Originally you posted pass in quick. Keep the quick in there, not for any reason other than I have a quick in my rules. Same with the NIC, I don't have any logical hopes for you.

Switched the vge(4) with the em(4) NIC, but the situation is the same; PF's synproxy state won't work on a pppoe0 device.

Kevin, may I ask you to describe to me the network setup in which you've made synproxy with pppoe work? I'm curious about the NICs and how they connect to the ISP and/or LAN/NAT etc.

Thanks,
Daniel
-- 
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D 650C C69B BE4C 83B6 3A8F
pf 'synproxy state' doesn't work with pppoe
Hi!

I'm using 5.1-stable on two machines with pppoe connections. The pf synproxy state option doesn't work on pppoe interfaces, it just sends back a TCP reset when trying to connect to a port configured with synproxy state. Meanwhile it works on any other interface (e.g. the internal LAN interface).

This rule works:

pass in quick on vge0 inet proto tcp from any to vge0 port synproxy state

This rule doesn't work:

pass in quick on pppoe0 inet proto tcp from any to pppoe0 port synproxy state

I'm testing with simple `nc -l ` listens and `nc dst ` connections. When connecting to the pppoe interface this is happening:

Aug 16 12:08:55.383308 client.5451 > host.: S 1485898386:1485898386(0) win 16384 <mss 1452,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1254725494 0> (DF)
Aug 16 12:08:55.383384 host. > client.5451: S 639112012:639112012(0) ack 1485898387 win 0 <mss 1452> (DF) [tos 0x10]
Aug 16 12:08:55.397346 client.5451 > host.: . ack 1 win 16384 (DF)
Aug 16 12:08:55.397368 host. > client.5451: R 3655855284:3655855284(0) ack 752585916 win 0 (DF) [tos 0x10]

When connecting to a real interface (in this case vge0) e.g. on a LAN, synproxy state works.

Now I don't know since when this isn't working because I'm only using pppoe since 5.1.

Any help would be appreciated.

Thanks,
Daniel
-- 
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D 650C C69B BE4C 83B6 3A8F
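Added example, not part of the thread: a small Python parser for tcpdump summary lines of the kind posted above. It undoes tcpdump's relative sequence numbering (everything after the SYN/SYN+ACK is printed as an unsigned 32-bit offset from the recorded initial sequence numbers unless -S is given) and classifies how the handshake ended. The port number 8080, the host names, the restored `>` arrows and `<...>` option brackets, and the second, successful capture are constructed assumptions; the four segments of the failing capture use the numbers from the post.

```python
import re
from dataclasses import dataclass
from typing import Optional

MASK32 = 0xFFFFFFFF

# Reconstructed from the capture in the thread. The port (8080) is an
# assumption; the original post elides it.
SAMPLE_FAILING = """\
Aug 16 12:08:55.383308 client.5451 > host.8080: S 1485898386:1485898386(0) win 16384 <mss 1452,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1254725494 0> (DF)
Aug 16 12:08:55.383384 host.8080 > client.5451: S 639112012:639112012(0) ack 1485898387 win 0 <mss 1452> (DF) [tos 0x10]
Aug 16 12:08:55.397346 client.5451 > host.8080: . ack 1 win 16384 (DF)
Aug 16 12:08:55.397368 host.8080 > client.5451: R 3655855284:3655855284(0) ack 752585916 win 0 (DF) [tos 0x10]
"""

# Constructed capture of the same handshake completing (what the thread
# reports on the LAN interface). Sequence numbers are made up.
SAMPLE_OK = """\
Aug 16 12:10:00.000000 client.5452 > host.8080: S 100:100(0) win 16384 <mss 1452,nop,nop,sackOK> (DF)
Aug 16 12:10:00.000100 host.8080 > client.5452: S 500:500(0) ack 101 win 0 <mss 1452> (DF)
Aug 16 12:10:00.001000 client.5452 > host.8080: . ack 1 win 16384 (DF)
Aug 16 12:10:00.002000 host.8080 > client.5452: . ack 1 win 16384 (DF)
"""

# One BSD-style tcpdump TCP summary line (no -S): timestamp, endpoints,
# flags, optional seq:end(len), optional ack, window, optional <options>.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SRPFWEC.]+)"
    r"(?: (?P<seq>\d+):\d+\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r" win (?P<win>\d+)"
    r"(?: <(?P<opts>[^>]*)>)?"
)


@dataclass
class Segment:
    ts: str
    src: str            # "host.port" as tcpdump prints it
    dst: str
    flags: str
    seq: Optional[int]  # None when tcpdump omits it (pure ACK, no payload)
    ack: Optional[int]
    win: int
    opts: tuple

    @property
    def syn(self) -> bool:
        return "S" in self.flags

    @property
    def rst(self) -> bool:
        return "R" in self.flags


def host_of(endpoint: str) -> str:
    """'client.5451' -> 'client' (tcpdump joins host and port with a dot)."""
    return endpoint.rsplit(".", 1)[0]


def parse_capture(text: str) -> list:
    segs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a TCP summary line: skip rather than guess
        opts = tuple(o.strip() for o in (m["opts"] or "").split(",") if o.strip())
        segs.append(Segment(m["ts"], m["src"], m["dst"], m["flags"],
                            int(m["seq"]) if m["seq"] else None,
                            int(m["ack"]) if m["ack"] else None,
                            int(m["win"]), opts))
    return segs


def absolutise(segs: list) -> list:
    """Undo tcpdump's relative numbering: SYN segments are printed absolute
    and define each side's ISN; later seq values are offsets from the
    sender's ISN, ack values offsets from the peer's ISN, both mod 2^32.
    A 'negative' offset shows up as a huge unsigned value."""
    isn = {}
    out = []
    for s in segs:
        if s.syn:
            isn[s.src] = s.seq
            out.append(s)
            continue
        seq = (s.seq + isn[s.src]) & MASK32 if s.seq is not None and s.src in isn else s.seq
        ack = (s.ack + isn[s.dst]) & MASK32 if s.ack is not None and s.dst in isn else s.ack
        out.append(Segment(s.ts, s.src, s.dst, s.flags, seq, ack, s.win, s.opts))
    return out


def classify(segs: list, client: str, server: str) -> dict:
    """Walk one client->server handshake and report how it ended."""
    segs = absolutise(segs)
    c2s = [s for s in segs if host_of(s.src) == client and host_of(s.dst) == server]
    s2c = [s for s in segs if host_of(s.src) == server and host_of(s.dst) == client]

    syn = next((s for s in c2s if s.syn and s.ack is None), None)
    synack = next((s for s in s2c if s.syn and syn and s.ack == (syn.seq + 1) & MASK32), None)
    ack3 = next((s for s in c2s if not s.syn and not s.rst and synack
                 and s.ack == (synack.seq + 1) & MASK32), None)
    rst = next((s for s in s2c if s.rst), None)

    result = {
        "client_syn": syn is not None,
        "synack": synack is not None,
        # Heuristic taken from the posted capture, not a documented invariant:
        # the SYN+ACK the proxy sent carried a zero window and only an MSS option.
        "synack_looks_like_synproxy": bool(synack and synack.win == 0
                                           and all(o.startswith("mss") for o in synack.opts)),
        "third_ack": ack3 is not None,
        "rst_abs_seq": rst.seq if rst else None,
        "rst_abs_ack": rst.ack if rst else None,
        # RFC 793 reset generation: a RST answering a segment without the ACK
        # bit is sent as <SEQ=0><ACK=SEG.SEQ+SEG.LEN><CTL=RST,ACK>. A RST whose
        # absolute seq is 0 therefore was not a reply to the client's ACK.
        "rst_rfc793_shape_for_non_ack_segment": bool(rst and rst.seq == 0 and rst.ack is not None),
    }
    if syn is None:
        result["outcome"] = "no_syn"
    elif rst and synack is None:
        result["outcome"] = "reset_instead_of_synack"
    elif synack is None:
        result["outcome"] = "no_synack"
    elif rst:
        result["outcome"] = "reset_after_handshake" if ack3 else "reset_before_third_ack"
    else:
        result["outcome"] = "completed"
    return result


if __name__ == "__main__":
    for name, text in (("failing", SAMPLE_FAILING), ("ok", SAMPLE_OK)):
        print(name, classify(parse_capture(text), "client", "host"))
```

On the posted capture the RST's printed `3655855284` is `2^32 - 639112012`, i.e. the proxy's ISN offset wrapped, so its absolute sequence number is 0; the ack `752585916` is an offset from the client's ISN. Whether that shape points at the stack or at pf is for whoever is debugging the box to decide; the script only makes the numbers readable.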
Re: pf 'synproxy state' doesn't work with pppoe
On Thu, Aug 16, 2012 at 12:19:06 +0200, LEVAI Daniel wrote:
> [...]

Forgot the dmesg. If it matters.

OpenBSD 5.1-stable (GENERIC) #0: Tue Aug 7 02:00:34 CEST 2012
    root@.:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 2.40GHz (GenuineIntel 686-class) 2.42 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID
real mem = 1073213440 (1023MB)
avail mem = 1045561344 (997MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 11/05/02, BIOS32 rev. 0 @ 0xfdb60, SMBIOS rev. 2.3 @ 0xf0630 (32 entries)
bios0: vendor American Megatrends Inc. version V1.2 11 date 11/05/2002
bios0: MICRO-STAR INC. MS-6704
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC
acpi0: wakeup devices USB1(S3) USB2(S3) USB3(S3) EHCI(S3) ICHB(S4) PS2M(S4) PS2K(S4) UAR1(S4) MC9_(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 133MHz
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 2 (ICHB)
acpicpu0 at acpi0
acpipwrres0 at acpi0: URP1
acpipwrres1 at acpi0: URP2
acpipwrres2 at acpi0: FDDP
acpipwrres3 at acpi0: LPTP
acpibtn0 at acpi0: PWRB
bios0: ROM list: 0xc/0xd000 0xcd000/0x4800 0xd1800/0x1000 0xe/0x1000
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 82845G Host rev 0x02
intelagp0 at pchb0
agp0 at intelagp0: aperture at 0xe000, size 0x400
ppb0 at pci0 dev 1 function 0 Intel 82845G AGP rev 0x02
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 ATI Radeon 9600 rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
radeondrm0 at vga1: apic 2 int 16
drm0 at radeondrm0
ATI Radeon 9600 XT Sec rev 0x00 at pci1 dev 0 function 1 not configured
uhci0 at pci0 dev 29 function 0 Intel 82801DB USB rev 0x02: apic 2 int 16
uhci1 at pci0 dev 29 function 1 Intel 82801DB USB rev 0x02: apic 2 int 19
uhci2 at pci0 dev 29 function 2 Intel 82801DB USB rev 0x02: apic 2 int 18
ehci0 at pci0 dev 29 function 7 Intel 82801DB USB rev 0x02: apic 2 int 23
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb1 at pci0 dev 30 function 0 Intel 82801BA Hub-to-PCI rev 0x82
pci2 at ppb1 bus 2
pciide0 at pci2 dev 3 function 0 CMD Technology SiI3512 SATA rev 0x01: DMA
pciide0: using apic 2 int 19 for native-PCI interrupt
pciide0: port 0: device present, speed: 1.5Gb/s
wd0 at pciide0 channel 0 drive 0: ST3250310AS
wd0: 16-sector PIO, LBA48, 238475MB, 488397168 sectors
wd0(pciide0:0:0): using BIOS timings, Ultra-DMA mode 5
pciide0: port 1: device present, speed: 1.5Gb/s
wd1 at pciide0 channel 1 drive 0: SAMSUNG HD501LJ
wd1: 16-sector PIO, LBA48, 476940MB, 976773168 sectors
wd1(pciide0:1:0): using BIOS timings, Ultra-DMA mode 7
em0 at pci2 dev 4 function 0 Intel PRO/1000GT (82541GI) rev 0x05: apic 2 int 16, address xx:xx:xx:xx:xx:xx
vge0 at pci2 dev 5 function 0 VIA VT612x rev 0x11: apic 2 int 17, address xx:xx:xx:xx:xx:xx
ciphy0 at vge0 phy 1: CS8201 10/100/1000TX PHY, rev. 1
ichpcib0 at pci0 dev 31 function 0 Intel 82801DB LPC rev 0x02
ichiic0 at pci0 dev 31 function 3 Intel 82801DB SMBus rev 0x02: apic 2 int 17
iic0 at ichiic0
iic0: addr 0x2f 00=00 02=0f 03=00 04=00 06=0f 07=00 08=00 0a=06 0b=00 0c=00 0d=07 0e=85 0f=00 10=c4 11=10 12=00 13=60 words 00=00ff 01= 02=0fff 03=00ff 04=00ff 05= 06=0fff 07=00ff
spdmem0 at iic0 addr 0x50: 1GB DDR SDRAM non-parity PC3200CL3.0
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 Intel UHCI root hub rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 Intel UHCI root hub rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 Intel UHCI root hub rev 1.00/1.00 addr 1
isa0 at ichpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
wbsio0 at isa0 port 0x2e/2: W83627HF rev 0x17
lm1 at wbsio0 port 0x290/8: W83627HF
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
mtrr: Pentium Pro MTRR support
vscsi0 at root
scsibus0 at vscsi0: 256 targets
softraid0 at root
scsibus1 at softraid0: 256 targets
root on wd0a (69dbc259cb64de66.a) swap on wd0b dump on wd0b
WARNING: / was not properly unmounted
pppoe0: received unexpected PADO
pppoe0: received unexpected PADO
pppoe0: received unexpected PADO
pppoe0: received unexpected PADO
pppoe0: received unexpected PADO
pppoe0: received unexpected PADO
pppoe0: received unexpected PADO
pppoe0: received unexpected PADO
pppoe0: received unexpected PADO
pppoe0: received
Re: pf 'synproxy state' doesn't work with pppoe
> Any help would be appreciated.

Works for me on 5.1

I don't think it's the rule but the combination of rules. Try reordering your ruleset. I've had a problem before but I forget or never found the specific reason.

-- 
___

'Write programs that do one thing and do it well. Write programs to work together. Write programs to handle text streams, because that is a universal interface' (Doug McIlroy)

___
Re: pf 'synproxy state' doesn't work with pppoe
On Thu, Aug 16, 2012 at 12:20:56 +0100, Kevin Chadwick wrote:
> > Any help would be appreciated.
>
> Works for me on 5.1
>
> I don't think it's the rule but the combination of rules. Try reordering your ruleset. I've had a problem before but I forget or never found the specific reason.

Okay, okay, I'm trying to get my head around this, but how do you explain that changing *only* the 'synproxy' word to 'keep' in the exact same rule makes it work again (not changing order, combination, nothing, but only changing synproxy state to the default keep state)?

Daniel
-- 
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D 650C C69B BE4C 83B6 3A8F
Re: pf 'synproxy state' doesn't work with pppoe
On Thu, Aug 16, 2012 at 14:26:05 +0200, LEVAI Daniel wrote:
> On Thu, Aug 16, 2012 at 12:20:56 +0100, Kevin Chadwick wrote:
> > > Any help would be appreciated.
> >
> > Works for me on 5.1
> >
> > I don't think it's the rule but the combination of rules. Try reordering your ruleset. I've had a problem before but I forget or never found the specific reason.
>
> Okay, okay, I'm trying to get my head around this, but how do you explain that changing *only* the 'synproxy' word to 'keep' in the exact same rule makes it work again (not changing order, combination, nothing, but only changing synproxy state to the default keep state)?

There is definitely something wrong with pppoe + synproxy state:

# pfctl -sr
pass all flags S/SA
pass in on pppoe0 inet proto tcp from src to dst port = flags S/SA synproxy state

This is the only rule. Otherwise it's just 'pass all'. If I remove this rule too *or* change synproxy to keep, the connection is working.

I can reproduce this on two different machines, with different ISPs and different NICs facing the ISPs using pppoe.

Daniel
-- 
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D 650C C69B BE4C 83B6 3A8F
Re: pf 'synproxy state' doesn't work with pppoe
> # pfctl -sr
> pass all flags S/SA
> pass in on pppoe0 inet proto tcp from src to dst port = flags S/SA synproxy state
>
> This is the only rule. Otherwise it's just 'pass all'. If I remove this rule too *or* change synproxy to keep, the connection is working.

I remember being puzzled by that myself. I thought I had got it working but I'm struggling to be sure now whether I got it working or switched synproxy off on that machine, sorry.

> I can reproduce this on two different machines, with different ISPs and different NICs facing the ISPs using pppoe.

Is it possible, or have you tried, the NIC that it works on in pppoe mode?

-- 
___

'Write programs that do one thing and do it well. Write programs to work together. Write programs to handle text streams, because that is a universal interface' (Doug McIlroy)

___
Re: pf 'synproxy state' doesn't work with pppoe
On Thu, 16 Aug 2012 14:37:50 +0200 LEVAI Daniel l...@ecentrum.hu wrote:
> On Thu, Aug 16, 2012 at 14:26:05 +0200, LEVAI Daniel wrote:
> > On Thu, Aug 16, 2012 at 12:20:56 +0100, Kevin Chadwick wrote:
> > > > Any help would be appreciated.
> > >
> > > Works for me on 5.1
> > >
> > > I don't think it's the rule but the combination of rules. Try reordering your ruleset. I've had a problem before but I forget or never found the specific reason.
> >
> > Okay, okay, I'm trying to get my head around this, but how do you explain that changing *only* the 'synproxy' word to 'keep' in the exact same rule makes it work again (not changing order, combination, nothing, but only changing synproxy state to the default keep state)?
>
> There is definitely something wrong with pppoe + synproxy state:
>
> # pfctl -sr
> pass all flags S/SA
> pass in on pppoe0 inet proto tcp from src to dst port = flags S/SA synproxy state
>
> This is the only rule. Otherwise it's just 'pass all'. If I remove this rule too *or* change synproxy to keep, the connection is working.
>
> I can reproduce this on two different machines, with different ISPs and different NICs facing the ISPs using pppoe.

Do you filter on loopback? The handshake between proxy and server process is done via loopback. You need to pass this traffic, too.

Christopher
Re: pf 'synproxy state' doesn't work with pppoe
On Thu, Aug 16, 2012 at 17:18:08 +0200, Christopher Zimmermann wrote:
> On Thu, 16 Aug 2012 14:37:50 +0200 LEVAI Daniel l...@ecentrum.hu wrote:
> > On Thu, Aug 16, 2012 at 14:26:05 +0200, LEVAI Daniel wrote:
> > > On Thu, Aug 16, 2012 at 12:20:56 +0100, Kevin Chadwick wrote:
> > > > > Any help would be appreciated.
> > > >
> > > > Works for me on 5.1
> > > >
> > > > I don't think it's the rule but the combination of rules. Try reordering your ruleset. I've had a problem before but I forget or never found the specific reason.
> > >
> > > Okay, okay, I'm trying to get my head around this, but how do you explain that changing *only* the 'synproxy' word to 'keep' in the exact same rule makes it work again (not changing order, combination, nothing, but only changing synproxy state to the default keep state)?
> >
> > There is definitely something wrong with pppoe + synproxy state:
> >
> > # pfctl -sr
> > pass all flags S/SA
> > pass in on pppoe0 inet proto tcp from src to dst port = flags S/SA synproxy state
> >
> > This is the only rule. Otherwise it's just 'pass all'. If I remove this rule too *or* change synproxy to keep, the connection is working.
> >
> > I can reproduce this on two different machines, with different ISPs and different NICs facing the ISPs using pppoe.
>
> Do you filter on loopback? The handshake between proxy and server process is done via loopback. You need to pass this traffic, too.

With, or without 'set skip on lo0' the symptoms are the same.

Daniel
-- 
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D 650C C69B BE4C 83B6 3A8F
Re: pf 'synproxy state' doesn't work with pppoe
On Thu, Aug 16, 2012 at 15:10:51 +0100, Kevin Chadwick wrote:
> > # pfctl -sr
> > pass all flags S/SA
> > pass in on pppoe0 inet proto tcp from src to dst port = flags S/SA synproxy state
> >
> > This is the only rule. Otherwise it's just 'pass all'. If I remove this rule too *or* change synproxy to keep, the connection is working.
>
> I remember being puzzled by that myself. I thought I had got it working but I'm struggling to be sure now whether I got it working or switched synproxy off on that machine, sorry.
>
> > I can reproduce this on two different machines, with different ISPs and different NICs facing the ISPs using pppoe.
>
> Is it possible, or have you tried, the NIC that it works on in pppoe mode?

I could try it, but the two machines have two different types of NICs (re and em) using pppoe. It would be a really weird bug in both re and em if these drivers were to act up with pppoe and not with e.g. vge (which is the other card in one of the machines, with which I'll try this variation tomorrow).

Daniel
-- 
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D 650C C69B BE4C 83B6 3A8F
Re: pf 'synproxy state' doesn't work with pppoe
> > > pass all flags S/SA
> > > pass in on pppoe0 inet proto tcp from src to dst port = flags S/SA synproxy state

Originally you posted pass in quick. Keep the quick in there, not for any reason other than I have a quick in my rules. Same with the NIC, I don't have any logical hopes for you.

> > > This is the only rule. Otherwise it's just 'pass all'. If I remove this rule too *or* change synproxy to keep, the connection is working.
> >
> > I remember being puzzled by that myself. I thought I had got it working but I'm struggling to be sure now whether I got it working or switched synproxy off on that machine, sorry.
> >
> > > I can reproduce this on two different machines, with different ISPs and different NICs facing the ISPs using pppoe.
> >
> > Is it possible, or have you tried, the NIC that it works on in pppoe mode?
>
> I could try it, but the two machines have two different types of NICs (re and em) using pppoe. It would be a really weird bug in both re and em if these drivers were to act up with pppoe and not with e.g. vge (which is the other card in one of the machines, with which I'll try this variation tomorrow).

-- 
___

'Write programs that do one thing and do it well. Write programs to work together. Write programs to handle text streams, because that is a universal interface' (Doug McIlroy)

___