On Thu, Jan 14, 2016 at 1:08 PM, sven falempin <[email protected]> wrote:
> Dear Tech Reader,
> Maybe this would be misc but I am trying to avoid some useless answers.
> This is OpenBSD 5.8 patched ( -r OPENBSD_5_8 )
>
> All my block rules log.
> Nothing appears in tcpdump -teni pflog0
>
> But pf drops packets (set skip or pfctl -d solves the problem).
>
> [0]-[blue]-[/cloudgate]
> # ping -c2 -w2 172.16.0.1
> PING 172.16.0.1 (172.16.0.1): 56 data bytes
> 64 bytes from 172.16.0.1: icmp_seq=0 ttl=255 time=0.894 ms
> 64 bytes from 172.16.0.1: icmp_seq=1 ttl=255 time=0.966 ms
> --- 172.16.0.1 ping statistics ---
> 2 packets transmitted, 2 packets received, 0.0% packet loss
> round-trip min/avg/max/std-dev = 0.894/0.930/0.966/0.036 ms
> [0]-[blue]-[/cloudgate]
> # tcpdump -tteni pflog0 &
> [1] 31913
> [0]-[blue]-[/cloudgate]
> # tcpdump: WARNING: snaplen raised from 116 to 160
> tcpdump: listening on pflog0, link-type PFLOG
> pfctl -e
> pf enabled
> [0]-[blue]-[/cloudgate]
> # ping -c2 -w2 172.16.0.1
> PING 172.16.0.1 (172.16.0.1): 56 data bytes
> ping: sendto: No route to host
> ping: wrote 172.16.0.1 64 chars, ret=-1
> ping: sendto: No route to host
> ping: wrote 172.16.0.1 64 chars, ret=-1
> --- 172.16.0.1 ping statistics ---
> 2 packets transmitted, 0 packets received, 100.0% packet loss
> [1]-[blue-viking]-[/cloudgate]
> # ifconfig gre
> gre0: flags=9011<UP,POINTOPOINT,LINK0,MULTICAST> mtu 1476
>         description: citywan
>         priority: 0
>         keepalive: timeout 10 count 6
>         groups: gre
>         status: keepalive down
>         tunnel: inet 10.19.71.31 -> 10.54.213.241
>         inet 172.16.0.2 --> 172.16.0.1 netmask 0xffffffff
>
>
> But I would like to match out on gre0 from (x:network) to !(self) nat-to
> (gre0:0)
>
> Not possible ?
>

Following up on the gre interface, the routing is odd: once gre is up I got data from a side, yet no forwarding is done.

[0]-[villemarie]-[/root]
# tcpdump -tteni gre0 icmp
tcpdump: listening on gre0, link-type LOOP
1452800353.714927 172.16.0.2 > 8.8.8.8: icmp: echo request
1452800353.715047 172.16.0.1 > 172.16.0.2: icmp: host 8.8.8.8 unreachable
1452800354.725152 172.16.0.2 > 8.8.8.8: icmp: echo request
1452800354.725240 172.16.0.1 > 172.16.0.2: icmp: host 8.8.8.8 unreachable
1452800355.735124 172.16.0.2 > 8.8.8.8: icmp: echo request
1452800355.735213 172.16.0.1 > 172.16.0.2: icmp: host 8.8.8.8 unreachable
^C
8 packets received by filter
0 packets dropped by kernel
[0]-[villemarie]-[/root]
# netstat -rnv -f inet | grep default
default 192.168.10.1 UGS 6 1510585 - 8 re0 DHCLIENT MANUAL
[0]-[villemarie]-[/root]
# tcpdump -tteni re0 icmp
tcpdump: listening on re0, link-type EN10MB
^C
46 packets received by filter
0 packets dropped by kernel
[0]-[villemarie]-[/root]
# sysctl -a | grep forwarding
net.inet.ip.forwarding=1

Nothing is blocked in pf once again; also, the timing of the reply is very short.
I was expecting the data to be routed.

-- 
---------------------------------------------------------------------------------------------------------------------
() ascii ribbon campaign - against html e-mail
/\
