On Wed, Jul 27, 2011 at 09:11:45PM +0200, Christopher Zimmermann wrote:
> Ok, solved this one. bge0 was in group "local", which is matched by
> 
> set skip on lo
> 
> is this the desired behavior? It can catch you by surprise easily!
 
No, not desired behavior. "set skip on" with its own little magic interface
matching logic is long overdue to be fixed by using the same logic for
interfaces as the rest of pf.

That an interface with group local matches in "set skip on lo" is a very
bad bug.
 
> On 07/27/11 18:54, Christopher Zimmermann wrote:
> >Hi,
> >
> >I have this simple setup:
> >
> >[ B ] se0 <---> bge0 [ A ] pppoe0 <----> ISP
> >
> >A and B both -current.
> >
> >Now my problem is, pf on A won't filter anything on bge0. Even with this
> >very simple pf.conf:
> >
> >set skip on lo
> >
> >block
> >pass out inet proto {tcp,udp} to port 53
> >
> >block in on ! lo0 proto tcp to port 6000:6010
> >
> >
> >the connection to the internet via pppoe0 is dead, of course. But the
> >connection via bge0 to B is completely unfiltered. What the heck is
> >wrong here?!?
> >
> >
> >Interfaces:
> >
> >lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33196
> >priority: 0
> >groups: lo
> >inet6 ::1 prefixlen 128
> >inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
> >inet 127.0.0.1 netmask 0xff000000
> >bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >lladdr 00:11:25:ae:0e:0c
> >priority: 0
> >groups: local
> >media: Ethernet autoselect (100baseTX full-duplex)
> >status: active
> >inet 192.168.23.1 netmask 0xffffff00 broadcast 192.168.23.255
> >inet6 fe80::211:25ff:feae:e0c%bge0 prefixlen 64 scopeid 0x1
> >iwi0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
> >lladdr 00:12:f0:62:22:ba
> >priority: 4
> >groups: wlan
> >media: IEEE802.11 autoselect
> >status: no network
> >ieee80211: nwid "" 100dBm
> >inet6 fe80::212:f0ff:fe62:22ba%iwi0 prefixlen 64 scopeid 0x2
> >enc0: flags=0<>
> >priority: 0
> >groups: enc
> >status: active
> >ep1: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >lladdr 00:00:86:3c:58:ce
> >priority: 0
> >media: Ethernet autoselect (100baseTX full-duplex)
> >status: active
> >inet6 fe80::200:86ff:fe3c:58ce%ep1 prefixlen 64 scopeid 0x5
> >pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
> >priority: 0
> >dev: ep1 state: session
> >sid: 0x16d0 PADI retries: 1 PADR retries: 0 time: 00:09:27
> >sppp: phase network authproto pap
> >groups: pppoe egress
> >status: active
> >inet6 fe80::211:25ff:feae:e0c%pppoe0 -> prefixlen 64 scopeid 0x6
> >inet 92.203.15.60 --> 213.148.133.4 netmask 0xffffffff
> >pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33196
> >priority: 0
> >groups: pflog
> >
> >
> >pfctl -s all:
> >FILTER RULES:
> >block drop all
> >pass out inet proto tcp from any to any port = domain flags S/SA
> >pass out inet proto udp from any to any port = domain
> >block drop in on ! lo0 proto tcp from any to any port 6000:6010
> >No queue in use
> >
> >INFO:
> >Status: Enabled for 0 days 00:12:56 Debug: err
> >
> >State Table Total Rate
> >current entries 0
> >searches 380 0.5/s
> >inserts 138 0.2/s
> >removals 138 0.2/s
> >Counters
> >match 242 0.3/s
> >bad-offset 0 0.0/s
> >fragment 0 0.0/s
> >short 0 0.0/s
> >normalize 0 0.0/s
> >memory 0 0.0/s
> >bad-timestamp 0 0.0/s
> >congestion 0 0.0/s
> >ip-option 0 0.0/s
> >proto-cksum 0 0.0/s
> >state-mismatch 0 0.0/s
> >state-insert 0 0.0/s
> >state-limit 0 0.0/s
> >src-limit 0 0.0/s
> >synproxy 0 0.0/s
> >
> >TIMEOUTS:
> >tcp.first 120s
> >tcp.opening 30s
> >tcp.established 86400s
> >tcp.closing 900s
> >tcp.finwait 45s
> >tcp.closed 90s
> >tcp.tsdiff 30s
> >udp.first 60s
> >udp.single 30s
> >udp.multiple 60s
> >icmp.first 20s
> >icmp.error 10s
> >other.first 60s
> >other.single 30s
> >other.multiple 60s
> >frag 30s
> >interval 10s
> >adaptive.start 6000 states
> >adaptive.end 12000 states
> >src.track 0s
> >
> >LIMITS:
> >states hard limit 10000
> >src-nodes hard limit 10000
> >frags hard limit 5000
> >tables hard limit 1000
> >table-entries hard limit 200000
> >
> >OS FINGERPRINTS:
> >700 fingerprints loaded
> >
> >
> >
> >route -n show:
> >Routing tables
> >
> >Internet:
> >Destination Gateway Flags Refs Use Mtu Prio Iface
> >default 213.148.133.4 UGS 3 183 - 8 pppoe0
> >127/8 127.0.0.1 UGRS 0 0 33196 8 lo0
> >127.0.0.1 127.0.0.1 UH 3 3664 33196 4 lo0
> >192.168.23/24 link#1 UC 1 0 - 4 bge0
> >192.168.23.2 00:15:f2:64:0c:83 UHLc 0 34 - 4 bge0
> >213.148.133.4 92.203.15.60 UH 0 0 - 4 pppoe0
> >224/4 127.0.0.1 URS 0 2 33196 8 lo0
> >
> >Internet6:
> >Destination Gateway Flags Refs Use Mtu Prio Iface
> >::/104 ::1 UGRS 0 0 - 8 lo0
> >::/96 ::1 UGRS 0 0 - 8 lo0
> >::1 ::1 UH 14 0 33196 4 lo0
> >::127.0.0.0/104 ::1 UGRS 0 0 - 8 lo0
> >::224.0.0.0/100 ::1 UGRS 0 0 - 8 lo0
> >::255.0.0.0/104 ::1 UGRS 0 0 - 8 lo0
> >::ffff:0.0.0.0/96 ::1 UGRS 0 0 - 8 lo0
> >2002::/24 ::1 UGRS 0 0 - 8 lo0
> >2002:7f00::/24 ::1 UGRS 0 0 - 8 lo0
> >2002:e000::/20 ::1 UGRS 0 0 - 8 lo0
> >2002:ff00::/24 ::1 UGRS 0 0 - 8 lo0
> >fe80::/10 ::1 UGRS 0 0 - 8 lo0
> >fe80::%bge0/64 link#1 UC 0 0 - 4 bge0
> >fe80::211:25ff:feae:e0c%bge0 00:11:25:ae:0e:0c HL 0 0 - 4 lo0
> >fe80::%iwi0/64 link#2 C 0 0 - 4 iwi0
> >fe80::212:f0ff:fe62:22ba%iwi0 00:12:f0:62:22:ba UHL 0 0 - 4 lo0
> >fe80::%lo0/64 fe80::1%lo0 U 0 0 - 4 lo0
> >fe80::1%lo0 link#4 UHL 0 0 - 4 lo0
> >fe80::%ep1/64 link#5 C 0 0 - 4 ep1
> >fe80::200:86ff:fe3c:58ce%ep1 00:00:86:3c:58:ce HL 0 0 - 4 lo0
> >fe80::%pppoe0/64 fe80::211:25ff:feae:e0c%pppoe0 U 0 0 - 4 pppoe0
> >fe80::211:25ff:feae:e0c%pppoe0 link#6 HL 0 0 - 4 lo0
> >fec0::/10 ::1 UGRS 0 0 - 8 lo0
> >ff01::/16 ::1 UGRS 0 0 - 8 lo0
> >ff01::%bge0/32 link#1 UC 0 0 - 4 bge0
> >ff01::%iwi0/32 link#2 C 0 0 - 4 iwi0
> >ff01::%lo0/32 fe80::1%lo0 UC 0 0 - 4 lo0
> >ff01::%ep1/32 link#5 C 0 0 - 4 ep1
> >ff01::%pppoe0/32 fe80::211:25ff:feae:e0c%pppoe0 UC 0 0 - 4 pppoe0
> >ff02::/16 ::1 UGRS 0 0 - 8 lo0
> >ff02::%bge0/32 link#1 UC 0 0 - 4 bge0
> >ff02::%iwi0/32 link#2 C 0 0 - 4 iwi0
> >ff02::%lo0/32 fe80::1%lo0 UC 0 0 - 4 lo0
> >ff02::%ep1/32 link#5 C 0 0 - 4 ep1
> >ff02::%pppoe0/32 fe80::211:25ff:feae:e0c%pppoe0 UC 0 0 - 4 pppoe0
> 

-- 
:wq Claudio
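An added audit check, not code from this thread or from pf itself: it parses ifconfig-style output in the layout quoted above and, for each "set skip on" name, separates the interfaces covered by exact interface name or exact group membership from those that merely share the name as a prefix. It assumes that prefix sharing is what let group "local" match "lo" here; the sample output and the names parse_ifconfig and audit_skip are constructed for the example.

```python
import re

# Constructed sample in the layout of the ifconfig output quoted in the thread;
# only the "name: flags=" and "groups:" lines matter for this check.
SAMPLE_IFCONFIG = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33196
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        groups: local
        inet 192.168.23.1 netmask 0xffffff00 broadcast 192.168.23.255
iwi0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        groups: wlan
pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
        groups: pppoe egress
"""

def parse_ifconfig(text):
    """Map each interface name to its list of groups (ifconfig(8) layout)."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+): flags=", line)
        if m:
            cur = m.group(1)
            ifaces[cur] = []
        elif cur and line.strip().startswith("groups:"):
            ifaces[cur] = line.split(":", 1)[1].split()
    return ifaces

def audit_skip(ifaces, skip_names):
    """For each 'set skip on' name, list the interfaces it is meant to cover
    (exact interface name, or exact group membership) separately from the
    interfaces whose name or group only starts with that name. Assumption:
    such a prefix match is what made group 'local' match 'lo' in the thread,
    so those are reported as surprises worth checking against pfctl -sI -v."""
    report = {}
    for skip in skip_names:
        intended, surprising = [], []
        for name, groups in sorted(ifaces.items()):
            if name == skip or skip in groups:
                intended.append(name)
                continue
            for label in [name] + groups:
                if label.startswith(skip):
                    surprising.append(f"{name} (via {label!r})")
                    break
        report[skip] = {"intended": intended, "surprising": surprising}
    return report

if __name__ == "__main__":
    for skip, r in audit_skip(parse_ifconfig(SAMPLE_IFCONFIG), ["lo"]).items():
        print(f"set skip on {skip}: intended={r['intended']} surprising={r['surprising']}")
```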
