Re: pppoe, can't ping tun0, ipfnat ftp proxy "doesn't work"

From: Rocco Caputo (rcaputo_at_pobox.com)
Date: 07/31/03

    Date: Thu, 31 Jul 2003 10:33:31 -0400
    To: freebsd-net@freebsd.org

    On Thu, Jul 31, 2003 at 10:21:03AM +0200, jeremie le-hen wrote:
    > Rocco Caputo wrote:
    > > The combination served me well when I was using ppp(8) to drive a serial
    > > modem. Now that I've switched to ADSL and PPPoE, things seem subtly
    > > broken. I blame the user (myself), but I haven't found a solution after
    > > beating on the problem for several days.
    >
    > Could you show us your ipf(8), ipnat(8) and ipfw(8) configuration files?
    > Foolish note: You can see echo requests leaving your box, and even echo replies
    > coming back; for me, it smells you forgot to use the "keep state" statement
    > in the rule which allows outgoing echo requests. But maybe I am missing
    > something.

    I think you're right about "keep state" being a problem. ipfstat -t
    shows several open states for tun0 -> tun0. The 10sec interval is how
    often I ping it.

    68.213.211.142 68.213.211.142 0/0 icmp 4 116 0:50
    68.213.211.142 68.213.211.142 0/0 icmp 4 116 0:30
    68.213.211.142 68.213.211.142 0/0 icmp 4 116 0:00
    68.213.211.142 68.213.211.142 0/0 icmp 4 116 0:10
    68.213.211.142 68.213.211.142 0/0 icmp 4 116 0:40
    68.213.211.142 68.213.211.142 0/0 icmp 4 116 0:20

    It looks like state is being kept, but the echo replies aren't matching.
    I've verified that the packets cross tun0:

    3) eyrie:/home/troc/firewall# tcpdump -i tun0 \
    > 'src 68.213.211.142 and dst 68.213.211.142 and icmp'
    tcpdump: listening on tun0
    10:23:44.035184 68.213.211.142 > 68.213.211.142: icmp: echo request
    10:23:44.037761 68.213.211.142 > 68.213.211.142: icmp: echo request
    10:23:44.037843 68.213.211.142 > 68.213.211.142: icmp: echo reply
    10:23:44.038069 68.213.211.142 > 68.213.211.142: icmp: echo reply

    That's odd, though. I'm only pinging the address once every ten
    seconds, but tcpdump shows two requests and replies.

    The firewall configurations were included at the start of this thread,
    but I'm including them again. The other files are omitted.

    === ipfstat -i

    block in quick on tun0 from 0.0.0.0/8 to any
    block in quick on tun0 from 127.0.0.0/8 to any
    block in quick on tun0 from 169.254.0.0/16 to any
    block in quick on tun0 from 172.16.0.0/12 to any
    block in quick on tun0 from 192.0.2.0/24 to any
    block in quick on tun0 from 192.168.0.0/16 to any
    block in quick on tun0 from 224.0.0.0/4 to any
    block in quick on tun0 from 240.0.0.0/4 to any
    pass in quick on lo0 from any to any
    pass in quick on rl0 from any to any
    pass in quick on dc0 from any to any
    pass in quick on tun0 proto tcp from any to any port = 80 flags S/FSRPAU keep state keep frags
    pass in quick on tun0 proto tcp from any to any port = 113 flags S/FSRPAU keep state keep frags
    pass in quick on tun0 proto tcp from any to any port = 433 flags S/FSRPAU keep state keep frags
    pass in quick on tun0 proto tcp from any to any port 6881 >< 6999 flags S/FSRPAU keep state keep frags
    pass in quick on tun0 proto tcp from any to any port = 11512 flags S/FSRPAU keep state keep frags
    pass in quick on tun0 proto tcp from any to any port 32000 >< 32100 flags S/FSRPAU keep state keep frags
    block in quick from any to any

    === ipfstat -o

    block out quick on tun0 from 0.0.0.0/8 to any
    block out quick on tun0 from 127.0.0.0/8 to any
    block out quick on tun0 from 169.254.0.0/16 to any
    block out quick on tun0 from 172.16.0.0/12 to any
    block out quick on tun0 from 192.0.2.0/24 to any
    block out quick on tun0 from 192.168.0.0/16 to any
    block out quick on tun0 from 224.0.0.0/4 to any
    block out quick on tun0 from 240.0.0.0/4 to any
    pass out quick on lo0 from any to any
    pass out quick on rl0 from any to any
    pass out quick on dc0 from any to any
    pass out quick on tun0 proto icmp from any to any keep state
    pass out quick on tun0 proto tcp from any to any flags S/FSRPAU keep state keep frags
    pass out quick on tun0 proto udp from any to any keep state keep frags
    block out quick from any to any

    === ipnat -l

    List of active MAP/Redirect filters:
    map tun0 68.213.211.142/32 -> 68.213.211.142/32 proxy port ftp ftp/tcp

    List of active sessions:
    (none)

    === ipfw show

    01110 queue 18 icmp from any to any in via tun0
    01110 queue 18 ip from any to any in via tun0 iptos lowdelay,throughput
    01120 queue 18 tcp from any to any in via tun0 tcpflags ack
    01120 queue 18 tcp from any to any in via tun0 tcpflags ack
    01300 queue 14 ip from any to any in via tun0 iptos lowdelay
    01310 queue 14 tcp from any 6666-6669 to any in via tun0
    01320 queue 14 tcp from any 80 to any in via tun0
    01400 queue 11 tcp from any 119 to any in via tun0
    01410 queue 11 tcp from any 5999 to any in via tun0
    01420 queue 11 tcp from any to any in via tun0 iplen 1500
    01430 queue 11 tcp from any 6881-6889 to any in via tun0
    01440 queue 11 tcp from any to any dst-port 6881-6889 in via tun0
    01900 queue 12 ip from any to any in via tun0
    02100 queue 28 icmp from any to any out via tun0
    02110 queue 28 ip from any to any out via tun0 iptos lowdelay,throughput
    02120 queue 28 tcp from any to any out via tun0 tcpflags ack
    02130 queue 28 tcp from any to any out via tun0 setup
    02300 queue 24 ip from any to any out via tun0 iptos lowdelay
    02310 queue 24 tcp from any to any dst-port 6666-6669 out via tun0
    02400 queue 21 tcp from any 80 to any out via tun0
    02410 queue 21 tcp from any 443 to any out via tun0
    02420 queue 21 tcp from any 11512 to any out via tun0
    02430 queue 21 tcp from any to any dst-port 119 out via tun0
    02440 queue 21 tcp from any to any dst-port 5999 out via tun0
    02450 queue 21 tcp from any to any out via tun0 iplen 1500
    02460 queue 21 tcp from any 6881-6889 to any out via tun0
    02470 queue 21 tcp from any to any dst-port 6881-6889 out via tun0
    02900 queue 22 ip from any to any out via tun0
    60000 allow ip from any to any via lo0
    60010 allow ip from any to any via rl0
    60020 allow ip from any to any via dc0
    60030 allow ip from any to any via tun0
    60040 allow ip from any to any
    65535 deny ip from any to any

    === ipfw queue show

    00010: 368.000 Kbit/s 0 ms 36 KB 0 queues (1 buckets) droptail
    00011: 736.000 Kbit/s 0 ms 73 KB 0 queues (1 buckets) droptail
    00012: 1.472 Mbit/s 0 ms 147 KB 0 queues (1 buckets) droptail
    00020: 64.000 Kbit/s 0 ms 6144 B 0 queues (1 buckets) droptail
    00021: 128.000 Kbit/s 0 ms 12 KB 0 queues (1 buckets) droptail
    00022: 256.000 Kbit/s 0 ms 25 KB 0 queues (1 buckets) droptail

    === end

    -- 
    Rocco Caputo - rcaputo@pobox.com - http://poe.perl.org/