On 08/01/15 19:31, Jonathan Gray wrote:
> On Sat, Aug 01, 2015 at 08:46:00PM +0200, Mike Belopuhov wrote:
>>   [... snip ...]
>> You're slightly overanalyzing here: panic has caught the unhandled
>> case, but it's not needed per se.
>>
> 
> The code directly after the panic assumes rpool is set.
> Something is clearly wrong in the pf code if this triggers.
> 
> Without a pf.conf it is hard to guess as to why this triggers...

I've attached a partially sanitized concatenation of pf rules, ifconfig, 
netstat -nr, cat /etc/hostname.$if.  Please let me know what more info would be 
helpful.

FWIW, this firewall has been operating successfully with snaps for many years.  
The pf configuration is not tuned as it is somewhat a testbed with an 
accumulation of various failed/successful experiments.  Also, the urtwn 
interface has been removed for at least the past month so treat the associated 
rules accordingly.

### pfctl-sr:pfctl -a "*" -sr ###
pass all flags S/SA
match out on egress all set ( prio(5, 6) )
match all scrub (no-df)
match out on pppoe all scrub (max-mss 1440)
block drop all label "block_all"
block drop in on ! int inet from 10.1.2.0/24 to any
block drop in inet from 10.1.2.1 to any
block drop in on ! dsl inet from 192.168.7.0/24 to any
block drop in inet from 192.168.7.2 to any
block drop in quick on int from any to <bogus> label "bogus_in"
anchor "ext1" on pppoe0 all {
  block drop in on ! pppoe0 from (pppoe0:network) to any
  block drop in from (pppoe0) to any
  block drop in log quick on pppoe0 proto tcp from <sshguard> to any port = 22 label "ssh bruteforce_pppoe0"
  block drop in log quick on pppoe0 from <bogon> to any label "bogon_in_pppoe0"
  block drop out log on pppoe0 from any to <bogon> label "bogon_out_pppoe0"
  pass out log on pppoe0 all flags S/SA label "out_pppoe0"
  match in on pppoe0 inet proto tcp from any to (pppoe0) port = 80 rdr-to 10.1.2.30
  match in on pppoe0 inet proto tcp from any to (pppoe0) port = 6081 rdr-to 10.1.2.30
  match in on pppoe0 inet proto tcp from any to (pppoe0) port = 8080 rdr-to 10.1.2.30
  match in on pppoe0 inet proto tcp from any to (pppoe0) port = 9418 rdr-to 10.1.2.18 port 9418
  match in on pppoe0 inet proto tcp from any to (pppoe0) port = 119 rdr-to 10.1.2.10 port 119
  match in on pppoe0 inet proto tcp from any to (pppoe0) port = 65429 rdr-to 10.1.2.18 port 22
  match in on pppoe0 inet proto tcp from any to (pppoe0) port = 65428 rdr-to 10.1.2.30 port 22
  match in on pppoe0 inet proto tcp from any to (pppoe0) port = 65427 rdr-to 10.1.2.31 port 22
  match in on pppoe0 inet proto tcp from any to (pppoe0) port = 65426 rdr-to 10.1.2.33 port 22
  match in on pppoe0 inet proto tcp from any to (pppoe0) port = 65425 rdr-to 10.1.2.11 port 22
  match in on pppoe0 inet proto tcp from any to (pppoe0) port = 65424 rdr-to 10.1.2.12 port 22
  match in on pppoe0 inet proto tcp from any to (pppoe0) port = 65423 rdr-to 10.1.2.15 port 22
  match in on pppoe0 inet proto tcp from any to (pppoe0) port = 65420 rdr-to 10.1.2.143 port 22
  match in on pppoe0 inet proto tcp from any to (pppoe0) port = 65419 rdr-to 10.1.2.144 port 22
  match in on pppoe0 inet proto tcp from any to (pppoe0) port = 46889 set ( prio 2 ) rdr-to 10.1.2.17 port 46889
  match in on pppoe0 inet proto udp from any to (pppoe0) port = 46889 set ( prio 2 ) rdr-to 10.1.2.17 port 46889
  match out on pppoe0 inet from <int_net> to any nat-to (pppoe0:0)
  pass in quick on pppoe0 inet proto tcp from any to any port = 22 flags S/SA synproxy state reply-to pppoe0
  pass in quick on pppoe0 inet proto tcp from any to any port = 52122 flags S/SA synproxy state reply-to pppoe0
  pass in quick on pppoe0 inet proto tcp from any to any port = 65432 flags S/SA synproxy state reply-to pppoe0
  pass in quick on pppoe0 inet proto tcp from any to any port = 65431 flags S/SA synproxy state reply-to pppoe0
  pass in quick on pppoe0 inet proto tcp from any to any port = 65430 flags S/SA synproxy state reply-to pppoe0
  pass in quick on pppoe0 inet proto tcp from any to any port = 65429 flags S/SA synproxy state reply-to pppoe0
  pass in quick on pppoe0 inet proto tcp from any to any port = 65428 flags S/SA synproxy state reply-to pppoe0
  pass in quick on pppoe0 inet proto tcp from any to any port = 65427 flags S/SA synproxy state reply-to pppoe0
  pass in quick on pppoe0 inet proto tcp from any to any port = 65426 flags S/SA synproxy state reply-to pppoe0
  pass in quick on pppoe0 inet proto tcp from any to any port = 65425 flags S/SA synproxy state reply-to pppoe0
  pass in quick on pppoe0 inet proto tcp from any to any port = 65424 flags S/SA synproxy state reply-to pppoe0
  pass in quick on pppoe0 inet proto tcp from any to any port = 65423 flags S/SA synproxy state reply-to pppoe0
  pass in quick on pppoe0 inet proto tcp from any to any port = 65420 flags S/SA synproxy state reply-to pppoe0
  pass in quick on pppoe0 inet proto tcp from any to any port = 65419 flags S/SA synproxy state reply-to pppoe0
  pass in on pppoe0 inet proto tcp from any to any port = 119 flags S/SA reply-to pppoe0
  pass in on pppoe0 inet proto tcp from any to any port = 80 flags S/SA reply-to pppoe0
  pass in on pppoe0 inet proto udp from any to any port = 1194 reply-to pppoe0
  pass in on pppoe0 inet proto tcp from any to any port = 46889 flags S/SA set ( prio 2 ) reply-to pppoe0
  pass in on pppoe0 inet proto udp from any to any port = 46889 set ( prio 2 ) reply-to pppoe0
}
anchor "ext2" on urtwn0 all {
  block drop in on ! urtwn0 from (urtwn0:network) to any
  block drop in from (urtwn0) to any
  block drop in log quick on urtwn0 proto tcp from <sshguard> to any port = 22 label "ssh bruteforce_urtwn0"
  block drop in log quick on urtwn0 from <bogon> to any label "bogon_in_urtwn0"
  block drop out log on urtwn0 from any to <bogon> label "bogon_out_urtwn0"
  pass out log on urtwn0 all flags S/SA label "out_urtwn0"
  match in on urtwn0 inet proto tcp from any to (urtwn0) port = 80 rdr-to 10.1.2.18
  match in on urtwn0 inet proto tcp from any to (urtwn0) port = 6081 rdr-to 10.1.2.18
  match in on urtwn0 inet proto tcp from any to (urtwn0) port = 8080 rdr-to 10.1.2.18
  match in on urtwn0 inet proto tcp from any to (urtwn0) port = 9418 rdr-to 10.1.2.18 port 9418
  match in on urtwn0 inet proto tcp from any to (urtwn0) port = 119 rdr-to 10.1.2.10 port 119
  match in on urtwn0 inet proto tcp from any to (urtwn0) port = 65429 rdr-to 10.1.2.18 port 22
  match in on urtwn0 inet proto tcp from any to (urtwn0) port = 65428 rdr-to 10.1.2.30 port 22
  match in on urtwn0 inet proto tcp from any to (urtwn0) port = 65427 rdr-to 10.1.2.31 port 22
  match in on urtwn0 inet proto tcp from any to (urtwn0) port = 65426 rdr-to 10.1.2.33 port 22
  match in on urtwn0 inet proto tcp from any to (urtwn0) port = 65425 rdr-to 10.1.2.11 port 22
  match in on urtwn0 inet proto tcp from any to (urtwn0) port = 65424 rdr-to 10.1.2.12 port 22
  match in on urtwn0 inet proto tcp from any to (urtwn0) port = 65423 rdr-to 10.1.2.15 port 22
  match in on urtwn0 inet proto tcp from any to (urtwn0) port = 65420 rdr-to 10.1.2.143 port 22
  match in on urtwn0 inet proto tcp from any to (urtwn0) port = 65419 rdr-to 10.1.2.144 port 22
  match in on urtwn0 inet proto tcp from any to (urtwn0) port = 46889 rdr-to 10.1.2.17 port 46889
  match in on urtwn0 inet proto udp from any to (urtwn0) port = 46889 rdr-to 10.1.2.17 port 46889
  match out on urtwn0 inet from ! (urtwn0) to any nat-to (urtwn0:0)
  pass in quick on urtwn0 inet proto tcp from any to any port = 22 flags S/SA synproxy state reply-to urtwn0
  pass in quick on urtwn0 inet proto tcp from any to any port = 52122 flags S/SA synproxy state reply-to urtwn0
  pass in quick on urtwn0 inet proto tcp from any to any port = 65432 flags S/SA synproxy state reply-to urtwn0
  pass in quick on urtwn0 inet proto tcp from any to any port = 65431 flags S/SA synproxy state reply-to urtwn0
  pass in quick on urtwn0 inet proto tcp from any to any port = 65430 flags S/SA synproxy state reply-to urtwn0
  pass in quick on urtwn0 inet proto tcp from any to any port = 65429 flags S/SA synproxy state reply-to urtwn0
  pass in quick on urtwn0 inet proto tcp from any to any port = 65428 flags S/SA synproxy state reply-to urtwn0
  pass in quick on urtwn0 inet proto tcp from any to any port = 65427 flags S/SA synproxy state reply-to urtwn0
  pass in quick on urtwn0 inet proto tcp from any to any port = 65426 flags S/SA synproxy state reply-to urtwn0
  pass in quick on urtwn0 inet proto tcp from any to any port = 65425 flags S/SA synproxy state reply-to urtwn0
  pass in quick on urtwn0 inet proto tcp from any to any port = 65424 flags S/SA synproxy state reply-to urtwn0
  pass in quick on urtwn0 inet proto tcp from any to any port = 65423 flags S/SA synproxy state reply-to urtwn0
  pass in quick on urtwn0 inet proto tcp from any to any port = 65420 flags S/SA synproxy state reply-to urtwn0
  pass in quick on urtwn0 inet proto tcp from any to any port = 65419 flags S/SA synproxy state reply-to urtwn0
  pass in on urtwn0 inet proto tcp from any to any port = 119 flags S/SA reply-to urtwn0
  pass in on urtwn0 inet proto tcp from any to any port = 80 flags S/SA reply-to urtwn0
  pass in on urtwn0 inet proto udp from any to any port = 1194 reply-to urtwn0
}
pass out quick all flags S/SA
pass in inet proto icmp all icmp-type echoreq
pass in inet proto icmp all icmp-type unreach
pass in quick on dsl inet from 192.168.7.0/24 to any flags S/SA
pass on lo0 inet6 from fe80::1 to any flags S/SA
pass inet6 from ::1 to any flags S/SA
pass inet from 127.0.0.1 to any flags S/SA
pass inet from 10.1.2.0/24 to any flags S/SA
pass quick on tun0 inet all flags S/SA
pass out on vr3 inet proto tcp from any to 192.168.7.1 port = 80 flags S/SA
### ifconfig:ifconfig ###
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        priority: 0
        groups: lo
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:c9:29:14
        priority: 0
        groups: int
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.1.2.1 netmask 0xffffff00 broadcast 10.1.2.255
vr1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:c9:29:15
        priority: 0
        media: Ethernet autoselect (none)
        status: no carrier
vr2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:c9:29:16
        priority: 0
        media: Ethernet autoselect (none)
        status: no carrier
vr3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:c9:29:17
        priority: 0
        groups: dsl
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.7.2 netmask 0xffffff00 broadcast 192.168.7.255
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
        description: dsl provider
        priority: 0
        dev: vr3 state: session
        sid: 0x17 PADI retries: 0 PADR retries: 0 time: 21:25:34
        sppp: phase network authproto pap authname "x...@yyy.zzz" 
        groups: pppoe egress
        status: active
        inet a.class.c.194 --> a.class.c.1 netmask 0xffffffff
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        priority: 0
        groups: tun
        status: active
        inet 172.16.16.6 --> 172.16.16.5 netmask 0xffffffff
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33192
        priority: 0
        groups: pflog
### netstat-nr:netstat -nr ###
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            a.class.c.1        UGS        1   636443     -     8 pppoe0
10.1.2/24          10.1.2.1           UC        12        0     -     8 vr0  
10.1.2.1           00:00:24:c9:29:14  UHLl       2      565     -     1 lo0  
10.1.2.2           ac:22:0b:74:9f:de  UHLc       1    46628     -     8 vr0  
10.1.2.3           12:98:e1:47:e2:99  UHLc       0    10377     -     8 vr0  
10.1.2.4           7a:88:ce:70:09:8e  UHLc       0       79     -     8 vr0  
10.1.2.6           36:31:4d:56:db:75  UHLc       0        2     -     8 vr0  
10.1.2.7           8a:2e:d1:64:f7:6b  UHLc       1        3     -     8 vr0  
10.1.2.10          96:5e:9d:e9:11:0b  UHLc       1   210457     -     8 vr0  
10.1.2.13          00:30:18:a3:1b:48  UHLc       0      377     -     8 vr0  
10.1.2.17          00:11:32:2e:5b:dd  UHLc       0     4948     -     8 vr0  
10.1.2.22          00:11:32:40:3b:09  UHLc       0     4649     -     8 vr0  
10.1.2.31          00:1b:21:2e:39:c4  UHLc       2    36285     -     8 vr0  
10.1.2.33          00:50:43:00:7c:9a  UHLc       6   137943     -     8 vr0  
10.1.2.35          bc:ae:c5:86:d9:cb  UHLc       1   611085     -     8 vr0  
10.1.2.255         10.1.2.1           UHb        0        0     -     1 vr0  
a.class.c.1        a.class.c.194      UH         0        0     -     8 pppoe0
a.class.c.194      a.class.c.194      UHl        0      106     -     1 lo0  
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0  
127.0.0.1          127.0.0.1          UHl        3   118408 32768     1 lo0  
172.16.16/24       172.16.16.5        UGS        0    19975     -     8 tun0 
172.16.16.5        172.16.16.6        UH         2        0     -     8 tun0 
172.16.16.6        172.16.16.6        UHl        0        0     -     1 lo0  
192.168.1/24       172.16.16.5        UGS        0     2543     -     8 tun0 
192.168.7/24       192.168.7.2        UC         0        0     -     8 vr3  
192.168.7.2        00:00:24:c9:29:17  UHLl       0        0     -     1 lo0  
192.168.7.255      192.168.7.2        UHb        0        0     -     1 vr3  
224/4              127.0.0.1          URS        1       38 32768     8 lo0  

Internet6:
Destination                        Gateway                        Flags   Refs      Use   Mtu  Prio Iface
::/104                             ::1                            UGRS       0        0 32768     8 lo0
::/96                              ::1                            UGRS       0        0 32768     8 lo0
::1                                ::1                            UHl       14        0 32768     1 lo0
::127.0.0.0/104                    ::1                            UGRS       0        0 32768     8 lo0
::224.0.0.0/100                    ::1                            UGRS       0        0 32768     8 lo0
::255.0.0.0/104                    ::1                            UGRS       0        0 32768     8 lo0
::ffff:0.0.0.0/96                  ::1                            UGRS       0        0 32768     8 lo0
2002::/24                          ::1                            UGRS       0        0 32768     8 lo0
2002:7f00::/24                     ::1                            UGRS       0        0 32768     8 lo0
2002:e000::/20                     ::1                            UGRS       0        0 32768     8 lo0
2002:ff00::/24                     ::1                            UGRS       0        0 32768     8 lo0
fe80::/10                          ::1                            UGRS       0        0 32768     8 lo0
fe80::%lo0/64                      fe80::1%lo0                    U          0        0 32768     4 lo0
fe80::1%lo0                        fe80::1%lo0                    UHl        0        0 32768     1 lo0
fec0::/10                          ::1                            UGRS       0        0 32768     8 lo0
ff01::/16                          ::1                            UGRS       0        0 32768     8 lo0
ff01::%lo0/32                      ::1                            UC         0        0 32768     4 lo0
ff02::/16                          ::1                            UGRS       0        0 32768     8 lo0
ff02::%lo0/32                      ::1                            UC         0        0 32768     4 lo0
## cat /etc/hostname.pppoe0 ##
inet 0.0.0.0 255.255.255.255 NONE description "ATT - DSL Extreme" \
        pppoedev vr3 authproto pap \
        authname "x...@yyy.zzz" authkey "who_knows" up
dest 0.0.0.1
!/usr/local/bin/cpdt -x /var/db/ddclient/ddclient.cache
!/sbin/route add default -ifp pppoe0 0.0.0.1
## cat /etc/hostname.tun0 ##
up
!/usr/local/sbin/openvpn --daemon --config /etc/openvpn/client.conf
## cat /etc/hostname.vr0 ##
inet 10.1.2.1 255.255.255.0 10.1.2.255
group int
## cat /etc/hostname.vr3 ##
inet 192.168.7.2 255.255.255.0 192.168.7.255
group dsl
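Added triage helper, not code from this thread or from OpenBSD: the thread is about a panic where pf's rule pool (rpool) is unset, and the poster notes the urtwn0 card has been removed while the "ext2" anchor still references it. The script parses `pfctl -a "*" -sr` output (a constructed excerpt of the rules above), tracks anchor nesting, and lists every nat-to/rdr-to/route-to/reply-to/dup-to rule that names an interface absent from the ifconfig interface list. That such rules are what trips the panic is an assumption the thread does not confirm; the script only narrows where to look.

```python
import re
# Constructed excerpt of the poster's `pfctl -a "*" -sr` output (a few rules per anchor).
PFCTL_SR = """\
anchor "ext1" on pppoe0 all {
  match in on pppoe0 inet proto tcp from any to (pppoe0) port = 80 rdr-to 10.1.2.30
  match out on pppoe0 inet from <int_net> to any nat-to (pppoe0:0)
  pass in quick on pppoe0 inet proto tcp from any to any port = 22 flags S/SA synproxy state reply-to pppoe0
}
anchor "ext2" on urtwn0 all {
  match in on urtwn0 inet proto tcp from any to (urtwn0) port = 80 rdr-to 10.1.2.18
  match out on urtwn0 inet from ! (urtwn0) to any nat-to (urtwn0:0)
}
pass quick on tun0 inet all flags S/SA
"""
# Interface names from the poster's ifconfig output; urtwn0 is absent (the card was removed).
IFCONFIG_IFACES = {"lo0", "vr0", "vr1", "vr2", "vr3", "enc0", "pppoe0", "tun0", "pflog0"}

# Options that make pf build an address pool, the dynamic "(ifN)" / "(ifN:0)" address form,
# and the bare interface named after route-to/reply-to/dup-to.
POOL_RE = re.compile(r"\b(nat-to|rdr-to|route-to|reply-to|dup-to)\b")
DYN_IF_RE = re.compile(r"\((\w+?)(?::\w+)?\)")
TARGET_IF_RE = re.compile(r"\b(?:route-to|reply-to|dup-to) (\w+)")

def parse_rules(text):
    """Yield (anchor_path, rule) pairs, tracking anchor "..." { ... } nesting."""
    anchors = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r'anchor "([^"]+)".*\{$', line)
        if m:
            anchors.append(m.group(1))
        elif line == "}":
            anchors.pop()
        else:
            yield "/".join(anchors), line

def find_pools_on_missing_ifaces(text, present):
    """Return (anchor, keyword, missing_ifaces, rule) for pool rules naming unknown interfaces."""
    hits = []
    for anchor, rule in parse_rules(text):
        kw = POOL_RE.search(rule)
        if not kw:
            continue
        ifaces = set(DYN_IF_RE.findall(rule)) | set(TARGET_IF_RE.findall(rule))
        missing = sorted(i for i in ifaces if i not in present)
        if missing:
            hits.append((anchor, kw.group(1), missing, rule))
    return hits
```

On the excerpt, only the two "ext2" rules (rdr-to and nat-to) are reported, since every pppoe0 reference resolves against ifconfig.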
