On Tue, 2002-10-29 at 18:20, Daniel Hartmeier wrote:
> On Tue, Oct 29, 2002 at 06:01:05PM -0300, Helio Alexandre Lopes Loureiro wrote:
>
> >                                      xl0:192.168.0.254/24
> >                                              |
> >                                           +----+
> >   gw=2.2.8.1/26      xl3=2.2.8.20/26      |    |  xl2=2.1.7.56/26      gw=2.1.7.1/26
> > <-----------------------------------------| FW |------------------------------>
> >                                           |    |
> >                                           +----+
> >                                              |
> >                                      xl1=2.2.8.65/26
> >
> > pass in quick on xl1 route-to xl3:200.211.81.1 from 200.211.81.26/26 to
> > any keep state
>
> The 'from ... .26/26' looks wrong, did you mean .20/26? Apart from that
> potential typo this rule looks fine.
Oops! The first mistake. I meant to write "200.211.81.64/26", which is my network segment on xl1. I'm trying to route the xl1 network through the xl3 interface...

> > pass in quick on xl3 route-to xl3:200.211.81.1 from 200.211.81.20/32 to
> > any keep state
>
> That doesn't make much sense, you hardly want to forward incoming
> packets on xl3 back out through xl3. And incoming packets on xl3 never
> have a source address of 200.211.81.20, probably. :)

I'm trying to get a response to pings on the xl3 interface. See, from another host on the net:

helio@pasargada ~> ping 200.211.81.20 -c 10
PING 200.211.81.20 (200.211.81.20): 56 data bytes

--- 200.211.81.20 ping statistics ---
10 packets transmitted, 0 packets received, 100% packet loss

At the same time on the firewall machine:

root@cramulhao in ~# pfctl -vsr
@0 pass in quick on xl1 route-to xl3:200.211.81.1 inet from 200.211.81.64/26 to any keep state
  [ Evaluations: 257       Packets: 1         Bytes: 68          ]

root@cramulhao in ~# tcpdump -i xl3 icmp
tcpdump: listening on xl3
19:27:43.228992 200.207.129.199 > 200.211.81.20: icmp: echo request (DF)
19:27:44.226036 200.207.129.199 > 200.211.81.20: icmp: echo request (DF)
[...]

As you can see, I get no responses from the xl3 interface. But looking at the xl2 interface:

root@cramulhao in ~# tcpdump -i xl2 -n icmp
tcpdump: listening on xl2
19:29:48.227935 200.211.81.20 > 200.207.129.199: icmp: echo reply (DF)
19:29:49.228161 200.211.81.20 > 200.207.129.199: icmp: echo reply (DF)

So my firewall is routing packets for 200.211.81.20 out interface xl2, where my default route is. In the rule above I tried to force a route over the xl3 gateway, but as you said, I'm completely wrong. So what is your suggestion?

[...]

> It shouldn't hang, at least I can't reproduce that with 3.2. But there
> have been changes in route-to since 3.1.

Now the system doesn't hang anymore. I guess the first mistake was killing my routing table (and OpenBSD along with it). The funny thing is that even console access hung.

Thanks!
--
Hélio Alexandre Lopes Loureiro [[EMAIL PROTECTED]]
Regional Software Supply & Integration South America
Tel.: + 55 11 6224-1795
Public Key ID: FB5972D1@http://search.keyserver.net
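An added example, not part of the thread: a pf.conf fragment for the topology in the quoted diagram, written in current OpenBSD pf syntax (parenthesised route-to/reply-to placed at the end of the rule, rather than the xl3:200.211.81.1 form that pf 3.2 accepted). The interface names, the xl1 segment 200.211.81.64/26 and the xl3 gateway 200.211.81.1 are taken from the thread; the macro names are mine, and using reply-to for the ping case is the editor's suggestion for the symptom described (echo requests arriving on xl3, replies leaving via the default route on xl2), not something either participant proposed.

```pf
# Added example (not from the thread). Only the routing-related rules are
# shown; any block/pass policy for the rest of the traffic is left out.

ext_default = "xl2"               # default route leaves here (gw 2.1.7.1)
ext_alt     = "xl3"               # second uplink, gw 200.211.81.1
ext_alt_gw  = "200.211.81.1"
dmz_if      = "xl1"
dmz_net     = "200.211.81.64/26"  # the xl1 segment (poster's correction)

# 1. Forwarded traffic: everything entering on xl1 from its own /26 is
#    handed to xl3's gateway instead of following the default route.
#    This is the rule the poster already had working (pfctl -vsr showed
#    it matching), in the newer syntax.
pass in quick on $dmz_if inet from $dmz_net to any \
    route-to ($ext_alt $ext_alt_gw) keep state

# 2. Traffic addressed to the firewall's own xl3 address (the pings in the
#    tcpdump output). route-to on an inbound rule only steers the inbound
#    packet; the echo reply is generated by the local stack and leaves
#    along the routing table, i.e. out xl2. reply-to binds the reverse
#    direction of the state to xl3's gateway, so the reply goes back out
#    the interface the request arrived on.
pass in quick on $ext_alt inet proto icmp from any to $ext_alt \
    reply-to ($ext_alt $ext_alt_gw) keep state

# For comparison, the rule from the thread that did not achieve this
# (pf 3.2 syntax); it sends matching *inbound* packets back out xl3 and
# does nothing for the replies:
# pass in quick on xl3 route-to xl3:200.211.81.1 from 200.211.81.20/32 to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -vsr` then prints the parsed rules with their counters, as in the post, so you can confirm that rule 2 is the one matching the echo requests while `tcpdump -ni xl3 icmp` shows the replies leaving on xl3.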