Re: pfctl / nat / dhcp
On Thu, Feb 7, 2013 at 5:17 PM, sven falempin sven.falem...@gmail.com wrote:
> On Thu, Feb 7, 2013 at 10:09 AM, Stuart Henderson s...@spacehopper.org wrote:
>> On 2013/02/07 10:01, sven falempin wrote:
>>> On Thu, Feb 7, 2013 at 9:44 AM, Stuart Henderson s...@spacehopper.org wrote:
>>>> On 2013/02/07 09:26, sven falempin wrote:
>>>>> egress, vr0 ext are all the same, aren't they ?
>>>>
>>>> Probably, but you didn't give enough information to be sure. For example
>>>> if you have IPv6 via a tunnel interface (or perhaps more importantly, if
>>>> you later add it), then that will also be in the egress group but might
>>>> not have an IPv4 address and I haven't tested to see how that works.
>>>>
>>>> Or if you have a lower priority default route via another interface that
>>>> you didn't mention, then that could also be in 'egress'.
>>>>
>>>> Perhaps unlikely but without the information I don't want to make
>>>> assumptions.
>>>>
>>>> (Personally I do like using interface groups where I'm referring to the
>>>> interface, but try and tie things down a bit further for IP addresses
>>>> especially for NAT).
>>>
>>> My problem is the time between an IP address change on an interface and
>>> the nat rules actually using the new address.
>>>
>>> For my rules I am happy with my ext, but I will test vr0 to see if it is
>>> faster. Or maybe dive into the source if I am bored.
>>
>> from the manpage section I quoted earlier:
>>
>> WHEN THE INTERFACE NAME IS SURROUNDED BY PARENTHESES, THE RULE IS
>> AUTOMATICALLY UPDATED WHENEVER THE INTERFACE CHANGES ITS ADDRESS. THE
>> RULESET DOES NOT NEED TO BE RELOADED. THIS IS ESPECIALLY USEFUL WITH NAT.
>
> # cat -n /etc/pf.conf | grep nat
>     26  match out on vr0 from 192.168.42.0/24 to !(self) nat-to ext
>     28  match out on ext from 192.168.142.0/24 to !(self) nat-to ext
> # pfctl -nf /etc/pf.conf
> /etc/pf.conf:26: syntax error
> /etc/pf.conf:28: syntax error
>
> :-(
>
> --
> ()  ascii ribbon campaign - against html e-mail
> /\

I meant:

# cat -n /etc/pf.conf | grep nat
    26  match out on (vr0) from 192.168.42.0/24 to !(self) nat-to ext
    28  match out on (ext) from 192.168.142.0/24 to !(self) nat-to ext
# pfctl -nf /etc/pf.conf
/etc/pf.conf:26: syntax error
/etc/pf.conf:28: syntax error

--
()  ascii ribbon campaign - against html e-mail
/\
Re: pfctl / nat / dhcp
On 2013/02/08 08:56, sven falempin wrote:
> # cat -n /etc/pf.conf | grep nat
>     26  match out on (vr0) from 192.168.42.0/24 to !(self) nat-to ext
>     28  match out on (ext) from 192.168.142.0/24 to !(self) nat-to ext
> # pfctl -nf /etc/pf.conf
> /etc/pf.conf:26: syntax error
> /etc/pf.conf:28: syntax error

It is the IP address which changes, not the interface name.

nat-to (interface)
Re: pfctl / nat / dhcp
On Fri, Feb 8, 2013 at 9:07 AM, Stuart Henderson s...@spacehopper.org wrote:
> On 2013/02/08 08:56, sven falempin wrote:
>> # cat -n /etc/pf.conf | grep nat
>>     26  match out on (vr0) from 192.168.42.0/24 to !(self) nat-to ext
>>     28  match out on (ext) from 192.168.142.0/24 to !(self) nat-to ext
>> # pfctl -nf /etc/pf.conf
>> /etc/pf.conf:26: syntax error
>> /etc/pf.conf:28: syntax error
>
> It is the IP address which changes, not the interface name.
>
> nat-to (interface)

THANK YOU :-)

--
()  ascii ribbon campaign - against html e-mail
/\
Re: pfctl / nat / dhcp
On 2013/02/07 08:29, sven falempin wrote:
> Hello,
>
> I run OpenBSD 5.2 GENERIC#278 i386 for a while at home (wifi/router), and
> since the release no reboot nor problem.
> The Box is connected to a cable modem router that gives a public ip address
> over dhcp or a local one if the line is cut.
>
> So sometimes my egress is 192.168.100.1 sometimes it is a public IP.
>
> I use the pf rules:
> match out on ext from 192.168.4.0/24 to !(self) nat-to ext
> and
> # cat /etc/hostname.vr0
> dhcp group ext
>
> This morning I had to reload the rules *manually* because after a lease
> change the 'ext' was still the 'wait for connection' IP address, not the
> new one :'( .
>
> 1360148793.967298 00:1d:b8:24:c0:40 64:10:f2:3f:eb:dd 0800 74:
> 192.168.100.1 > 68.180.206.184: icmp: echo request
> like, there's gonna be a reply !
>
> Afaik the dhcp client script is or will be disabled,
>
> can I do something to speed up the process of re-associating ext to the
> good IP address when the box gets a new lease ?

From pf.conf(5):

     Surrounding the interface name (and optional modifiers) in
     parentheses changes this behaviour.  When the interface name is
     surrounded by parentheses, the rule is automatically updated
     whenever the interface changes its address.  The ruleset does not
     need to be reloaded.  This is especially useful with nat.

You may need to use (vr0) rather than (ext), not sure.
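The pf.conf(5) passage quoted above, together with Stuart's "nat-to (interface)" answer elsewhere in this thread, amounts to a simple rule: a bare interface or group name used as an address is resolved once when the ruleset is loaded, while a parenthesised name is tracked as the interface's address changes, and the parentheses go on the address operand (nat-to), not on the `on` interface. The following is an added example, not OpenBSD code and nothing posted in the thread: a small heuristic check that walks match/pass rules and flags both mistakes, offering the rewritten rule. It only inspects the `on` and `nat-to` operands (it is not a pf.conf parser), the sample ruleset is constructed from the rules in the thread plus corrected forms, and treating macros (`$...`) and tables (`<...>`) as out of scope is an assumption of the check, since a macro may still expand to a bare interface name.

```python
"""Heuristic check for pf NAT rules whose translation address is resolved
once at load time (bare interface/group name) instead of being tracked
dynamically (parenthesised name).  Added example; not OpenBSD code and not
a pf.conf grammar: only the 'on' and 'nat-to' operands are examined."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the two rules from the thread (lines 2 and 3), the
# mis-parenthesised attempt (line 4), corrected forms (lines 5 and 6) and a
# literal address (line 7; 203.0.113.10 is a documentation address).
SAMPLE_PF_CONF = """\
ext_if = "vr0"
match out on vr0 from 192.168.42.0/24 to !(self) nat-to ext
match out on ext from 192.168.142.0/24 to !(self) nat-to ext
match out on (vr0) from 192.168.42.0/24 to !(self) nat-to ext
match out on vr0 from 192.168.42.0/24 to !(self) nat-to (vr0)
match out on egress from 192.168.4.0/24 to !(self) nat-to (egress)
match out on vr0 from 192.168.4.0/24 to !(self) nat-to 203.0.113.10
pass in on vr0
"""


@dataclass
class Finding:
    lineno: int
    kind: str         # "paren-on-ifspec" or "static-nat"
    message: str
    suggestion: str   # the rule rewritten with the fix applied


# Capture optional parentheses around the token following 'on' / 'nat-to'.
ON_RE = re.compile(r"\bon\s+(\(?)([\w$<>.:/-]+)(\)?)")
NAT_RE = re.compile(r"\bnat-to\s+(\(?)([\w$<>.:/-]+)(\)?)")


def _is_address(token: str) -> bool:
    """True for a literal IPv4/IPv6 host or network (nothing to re-resolve)."""
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False


def check_nat_rules(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line.startswith(("match", "pass")):
            continue

        # Parentheses belong on the address, not on the 'on' interface; the
        # thread shows pfctl rejecting 'on (vr0)' with a syntax error.
        m = ON_RE.search(line)
        if m and (m.group(1) or m.group(3)):
            line = line[:m.start()] + f"on {m.group(2)}" + line[m.end():]
            findings.append(Finding(
                lineno, "paren-on-ifspec",
                "parentheses on the 'on' interface are a syntax error; "
                "it is the address that changes, not the interface name",
                line))

        n = NAT_RE.search(line)
        if n is None:
            continue
        open_p, target, close_p = n.groups()
        if open_p and close_p:
            continue                 # dynamic form: follows address changes
        if target.startswith(("$", "<")) or _is_address(target):
            # Macro (expansion unknown here; assumption), table or literal
            # address: not the bare-interface case this check is about.
            continue
        line = line[:n.start()] + f"nat-to ({target})" + line[n.end():]
        findings.append(Finding(
            lineno, "static-nat",
            f"nat-to {target} resolves {target!r} once at ruleset load; "
            "after a DHCP lease change NAT keeps using the old address",
            line))
    return findings


if __name__ == "__main__":
    for f in check_nat_rules(SAMPLE_PF_CONF):
        print(f"line {f.lineno}: [{f.kind}] {f.message}")
        print(f"    suggested: {f.suggestion}")
```

Run against the constructed sample it reports lines 2 and 3 (the thread's original rules) as static NAT, line 4 as both mistakes at once, and leaves the parenthesised and literal-address rules alone. A check like this does not replace `pfctl -nf /etc/pf.conf`, which is still what validates the grammar; it only catches the form that loads cleanly and then quietly keeps a stale address.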
Re: pfctl / nat / dhcp
On 2013 Feb 07 (Thu) at 13:44:22 +0000 (+0000), Stuart Henderson wrote:
:On 2013/02/07 08:29, sven falempin wrote:
:> Hello,
:>
:> I run OpenBSD 5.2 GENERIC#278 i386 for a while at home (wifi/router), and
:> since the release no reboot nor problem.
:> The Box is connected to a cable modem router that gives a public ip address
:> over dhcp or a local one if the line is cut.
:>
:> So sometimes my egress is 192.168.100.1 sometimes it is a public IP.
:>
:> I use the pf rules:
:> match out on ext from 192.168.4.0/24 to !(self) nat-to ext
:> and
:> # cat /etc/hostname.vr0
:> dhcp group ext
:>
:> This morning I had to reload the rules *manually* because after a lease
:> change the 'ext' was still the 'wait for connection' IP address, not the
:> new one :'( .
:>
:> 1360148793.967298 00:1d:b8:24:c0:40 64:10:f2:3f:eb:dd 0800 74:
:> 192.168.100.1 > 68.180.206.184: icmp: echo request
:> like, there's gonna be a reply !
:>
:> Afaik the dhcp client script is or will be disabled,
:>
:> can I do something to speed up the process of re-associating ext to the
:> good IP address when the box gets a new lease ?
:
:From pf.conf(5):
:
:     Surrounding the interface name (and optional modifiers) in
:     parentheses changes this behaviour.  When the interface name is
:     surrounded by parentheses, the rule is automatically updated
:     whenever the interface changes its address.  The ruleset does not
:     need to be reloaded.  This is especially useful with nat.
:
:You may need to use (vr0) rather than (ext), not sure.
:

(egress) does the right thing, btw.

--
If money can't buy happiness, I guess you'll just have to rent it.
Re: pfctl / nat / dhcp
On Thu, Feb 7, 2013 at 8:47 AM, Peter Hessler phess...@theapt.org wrote:
> On 2013 Feb 07 (Thu) at 13:44:22 +0000 (+0000), Stuart Henderson wrote:
> :On 2013/02/07 08:29, sven falempin wrote:
> :> Hello,
> :>
> :> I run OpenBSD 5.2 GENERIC#278 i386 for a while at home (wifi/router), and
> :> since the release no reboot nor problem.
> :> The Box is connected to a cable modem router that gives a public ip address
> :> over dhcp or a local one if the line is cut.
> :>
> :> So sometimes my egress is 192.168.100.1 sometimes it is a public IP.
> :>
> :> I use the pf rules:
> :> match out on ext from 192.168.4.0/24 to !(self) nat-to ext
> :> and
> :> # cat /etc/hostname.vr0
> :> dhcp group ext
> :>
> :> This morning I had to reload the rules *manually* because after a lease
> :> change the 'ext' was still the 'wait for connection' IP address, not the
> :> new one :'( .
> :>
> :> 1360148793.967298 00:1d:b8:24:c0:40 64:10:f2:3f:eb:dd 0800 74:
> :> 192.168.100.1 > 68.180.206.184: icmp: echo request
> :> like, there's gonna be a reply !
> :>
> :> Afaik the dhcp client script is or will be disabled,
> :>
> :> can I do something to speed up the process of re-associating ext to the
> :> good IP address when the box gets a new lease ?
> :
> :From pf.conf(5):
> :
> :     Surrounding the interface name (and optional modifiers) in
> :     parentheses changes this behaviour.  When the interface name is
> :     surrounded by parentheses, the rule is automatically updated
> :     whenever the interface changes its address.  The ruleset does not
> :     need to be reloaded.  This is especially useful with nat.
> :
> :You may need to use (vr0) rather than (ext), not sure.
> :
>
> (egress) does the right thing, btw.
>
> --
> If money can't buy happiness, I guess you'll just have to rent it.

Thank you for answers :-)

egress, vr0 ext are all the same, aren't they ?

I'll try to put egress, and see if the update time changes (unless it is
obvious in the code ?)

Cheers

--
()  ascii ribbon campaign - against html e-mail
/\
Re: pfctl / nat / dhcp
On 2013 Feb 07 (Thu) at 09:26:03 -0500 (-0500), sven falempin wrote:
:On Thu, Feb 7, 2013 at 8:47 AM, Peter Hessler phess...@theapt.org wrote:
:
:> On 2013 Feb 07 (Thu) at 13:44:22 +0000 (+0000), Stuart Henderson wrote:
:> :On 2013/02/07 08:29, sven falempin wrote:
:> :> Hello,
:> :>
:> :> I run OpenBSD 5.2 GENERIC#278 i386 for a while at home (wifi/router),
:> :> and since the release no reboot nor problem.
:> :> The Box is connected to a cable modem router that gives a public ip
:> :> address over dhcp or a local one if the line is cut.
:> :>
:> :> So sometimes my egress is 192.168.100.1 sometimes it is a public IP.
:> :>
:> :> I use the pf rules:
:> :> match out on ext from 192.168.4.0/24 to !(self) nat-to ext
:> :> and
:> :> # cat /etc/hostname.vr0
:> :> dhcp group ext
:> :>
:> :> This morning I had to reload the rules *manually* because after a lease
:> :> change the 'ext' was still the 'wait for connection' IP address, not the
:> :> new one :'( .
:> :>
:> :> 1360148793.967298 00:1d:b8:24:c0:40 64:10:f2:3f:eb:dd 0800 74:
:> :> 192.168.100.1 > 68.180.206.184: icmp: echo request
:> :> like, there's gonna be a reply !
:> :>
:> :> Afaik the dhcp client script is or will be disabled,
:> :>
:> :> can I do something to speed up the process of re-associating ext to the
:> :> good IP address when the box gets a new lease ?
:> :
:> :From pf.conf(5):
:> :
:> :     Surrounding the interface name (and optional modifiers) in
:> :     parentheses changes this behaviour.  When the interface name is
:> :     surrounded by parentheses, the rule is automatically updated
:> :     whenever the interface changes its address.  The ruleset does not
:> :     need to be reloaded.  This is especially useful with nat.
:> :
:> :You may need to use (vr0) rather than (ext), not sure.
:> :
:>
:> (egress) does the right thing, btw.
:>
:> --
:> If money can't buy happiness, I guess you'll just have to rent it.
:
:
:Thank you for answers :-)
:
:egress, vr0 ext are all the same, aren't they ?
:
:I'll try to put egress, and see if the update time changes (unless it is
:obvious in the code ?)
:

The egress group is added to whichever interface has a default route.  I
prefer using this, so I don't need to worry which interface I am using.

--
Put no trust in cryptic comments.
Re: pfctl / nat / dhcp
On Thu, Feb 07, 2013 at 09:26:03AM -0500, sven falempin wrote:
> egress, vr0 ext are all the same, aren't they ?

in your case, it sounds like there would be a full overlap. In general
'egress' is the interface group that contains the interfaces with default
routes. As long as egress has only one member, you should be OK.

- Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: pfctl / nat / dhcp
On 2013/02/07 09:26, sven falempin wrote:
> egress, vr0 ext are all the same, aren't they ?

Probably, but you didn't give enough information to be sure. For example
if you have IPv6 via a tunnel interface (or perhaps more importantly, if
you later add it), then that will also be in the egress group but might
not have an IPv4 address and I haven't tested to see how that works.

Or if you have a lower priority default route via another interface that
you didn't mention, then that could also be in 'egress'.

Perhaps unlikely but without the information I don't want to make
assumptions.

(Personally I do like using interface groups where I'm referring to the
interface, but try and tie things down a bit further for IP addresses
especially for NAT).
Re: pfctl / nat / dhcp
On Thu, Feb 7, 2013 at 9:44 AM, Stuart Henderson s...@spacehopper.org wrote:
> On 2013/02/07 09:26, sven falempin wrote:
>> egress, vr0 ext are all the same, aren't they ?
>
> Probably, but you didn't give enough information to be sure. For example
> if you have IPv6 via a tunnel interface (or perhaps more importantly, if
> you later add it), then that will also be in the egress group but might
> not have an IPv4 address and I haven't tested to see how that works.
>
> Or if you have a lower priority default route via another interface that
> you didn't mention, then that could also be in 'egress'.
>
> Perhaps unlikely but without the information I don't want to make
> assumptions.
>
> (Personally I do like using interface groups where I'm referring to the
> interface, but try and tie things down a bit further for IP addresses
> especially for NAT).

My problem is the time between an IP address change on an interface and
the nat rules actually using the new address.

For my rules I am happy with my ext, but I will test vr0 to see if it is
faster. Or maybe dive into the source if I am bored.

--
()  ascii ribbon campaign - against html e-mail
/\
Re: pfctl / nat / dhcp
On 2013/02/07 10:01, sven falempin wrote:
> On Thu, Feb 7, 2013 at 9:44 AM, Stuart Henderson s...@spacehopper.org wrote:
>> On 2013/02/07 09:26, sven falempin wrote:
>>> egress, vr0 ext are all the same, aren't they ?
>>
>> Probably, but you didn't give enough information to be sure. For example
>> if you have IPv6 via a tunnel interface (or perhaps more importantly, if
>> you later add it), then that will also be in the egress group but might
>> not have an IPv4 address and I haven't tested to see how that works.
>>
>> Or if you have a lower priority default route via another interface that
>> you didn't mention, then that could also be in 'egress'.
>>
>> Perhaps unlikely but without the information I don't want to make
>> assumptions.
>>
>> (Personally I do like using interface groups where I'm referring to the
>> interface, but try and tie things down a bit further for IP addresses
>> especially for NAT).
>
> My problem is the time between an IP address change on an interface and
> the nat rules actually using the new address.
>
> For my rules I am happy with my ext, but I will test vr0 to see if it is
> faster. Or maybe dive into the source if I am bored.

from the manpage section I quoted earlier:

WHEN THE INTERFACE NAME IS SURROUNDED BY PARENTHESES, THE RULE IS
AUTOMATICALLY UPDATED WHENEVER THE INTERFACE CHANGES ITS ADDRESS. THE
RULESET DOES NOT NEED TO BE RELOADED. THIS IS ESPECIALLY USEFUL WITH NAT.
Re: pfctl / nat / dhcp
On Thu, Feb 7, 2013 at 10:09 AM, Stuart Henderson s...@spacehopper.org wrote:
> On 2013/02/07 10:01, sven falempin wrote:
>> On Thu, Feb 7, 2013 at 9:44 AM, Stuart Henderson s...@spacehopper.org wrote:
>>> On 2013/02/07 09:26, sven falempin wrote:
>>>> egress, vr0 ext are all the same, aren't they ?
>>>
>>> Probably, but you didn't give enough information to be sure. For example
>>> if you have IPv6 via a tunnel interface (or perhaps more importantly, if
>>> you later add it), then that will also be in the egress group but might
>>> not have an IPv4 address and I haven't tested to see how that works.
>>>
>>> Or if you have a lower priority default route via another interface that
>>> you didn't mention, then that could also be in 'egress'.
>>>
>>> Perhaps unlikely but without the information I don't want to make
>>> assumptions.
>>>
>>> (Personally I do like using interface groups where I'm referring to the
>>> interface, but try and tie things down a bit further for IP addresses
>>> especially for NAT).
>>
>> My problem is the time between an IP address change on an interface and
>> the nat rules actually using the new address.
>>
>> For my rules I am happy with my ext, but I will test vr0 to see if it is
>> faster. Or maybe dive into the source if I am bored.
>
> from the manpage section I quoted earlier:
>
> WHEN THE INTERFACE NAME IS SURROUNDED BY PARENTHESES, THE RULE IS
> AUTOMATICALLY UPDATED WHENEVER THE INTERFACE CHANGES ITS ADDRESS. THE
> RULESET DOES NOT NEED TO BE RELOADED. THIS IS ESPECIALLY USEFUL WITH NAT.

# cat -n /etc/pf.conf | grep nat
    26  match out on vr0 from 192.168.42.0/24 to !(self) nat-to ext
    28  match out on ext from 192.168.142.0/24 to !(self) nat-to ext
# pfctl -nf /etc/pf.conf
/etc/pf.conf:26: syntax error
/etc/pf.conf:28: syntax error

:-(

--
()  ascii ribbon campaign - against html e-mail
/\