--- j knight <[EMAIL PROTECTED]> wrote:
> Jon Simola wrote:
> > On 6/5/05, b h <[EMAIL PROTECTED]> wrote:
> >
> >
> >>Or, could someone please point out something I
> might
> >>have missed/case of the stupids?
> >
> >
> >>block log all
> >>pass quick on lo all
> >>antispoof quick for lo
>
> The documentation explicitly says not to use
> antispoof on loopback
> interfaces. And Jon's right. You have a "quick" rule
> and then your
> antispoof rule; makes no sense.
>
> > The loopback interface is "lo0", not "lo". And you
> should probably
> > have the antispoof before the pass quick for lo0.
>
> "lo" is valid as it will apply to all loopback-type
> interfaces. You can
> do the same with other drivers as well ("em",
> "vlan", etc).
>
Hi folks:
I'm really not getting this. And this all used to
work before I upgraded on Sunday. I completely
reformatted and installed a Jun 03 snapshot (instead
of the current I this was running yesterday). And it
still doesn't work.
I keep getting a "no route to host". Disabling pf and
it connects fine.
# tail messages
Jun 7 12:55:57 messaging jabberd/s2s[29374]:
attempting connection to router at 127.0.0.1,
port=5347
Jun 7 12:55:57 messaging jabberd/router[23771]:
[0.0.0.0, port=5347] listening for incoming
connections
Jun 7 12:55:57 messaging jabberd/resolver[7624]:
attempting connection to router at 127.0.0.1,
port=5347
Jun 7 12:55:57 messaging jabberd/sm[20165]:
attempting connection to router at 127.0.0.1,
port=5347
Jun 7 12:55:57 messaging jabberd/resolver[7624]:
connection attempt to router failed: No route to host
(65)
Jun 7 12:55:57 messaging jabberd/s2s[29374]:
connection attempt to router failed: No route to host
(65)
Jun 7 12:55:57 messaging jabberd/sm[20165]:
connection attempt to router failed: No route to host
(65)
Jun 7 12:55:57 messaging jabberd/c2s[26777]:
[messaging.pbiresearch.com] configured; realm=(null)
Jun 7 12:55:57 messaging jabberd/c2s[26777]:
attempting connection to router at 127.0.0.1,
port=5347
Jun 7 12:55:57 messaging jabberd/c2s[26777]:
connection attempt to router failed: No route to host
(65)
# netstat -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign
Address (state)
tcp 0 0 messaging.ssh
my.connection.com.15757 ESTABLISHED
tcp 0 0 *.5347 *.*
LISTEN
tcp 0 0 *.mysql *.*
LISTEN
tcp 0 0 localhost.submissi *.*
LISTEN
tcp 0 0 localhost.smtp *.*
LISTEN
tcp 0 0 *.ssh *.*
LISTEN
tcp 0 0 *.time *.*
LISTEN
tcp 0 0 *.daytime *.*
LISTEN
tcp 0 0 *.auth *.*
LISTEN
<---- snipped ---->
# pfctl -d
pf disabled
# kill 2636
# su _jabberd -c '/usr/local/sbin/jabberd&'
# tail messages
Jun 7 14:19:38 messaging jabberd/router[27484]:
[127.0.0.1, port=27020] authenticated as jabberd
Jun 7 14:19:38 messaging jabberd/router[27484]: [s2s]
set as default route
Jun 7 14:19:38 messaging jabberd/router[27484]: [s2s]
online (bound to 127.0.0.1, port 8116)
Jun 7 14:19:38 messaging jabberd/router[27484]: [c2s]
online (bound to 127.0.0.1, port 27020)
Jun 7 14:19:38 messaging jabberd/sm[59]: ready for
sessions
Jun 7 14:19:38 messaging jabberd/s2s[7752]: [0.0.0.0,
port=5269] listening for connections
Jun 7 14:19:38 messaging jabberd/s2s[7752]: ready for
connections
Jun 7 14:19:38 messaging jabberd/c2s[7234]: [0.0.0.0,
port=5222] listening for connections
Jun 7 14:19:38 messaging jabberd/c2s[7234]: [0.0.0.0,
port=5223] listening for SSL connections
Jun 7 14:19:38 messaging jabberd/c2s[7234]: ready for
connections
# netstat -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign
Address (state)
tcp 0 0 localhost.5347
localhost.10730 TIME_WAIT
tcp 0 0 localhost.5347
localhost.44289 ESTABLISHED
tcp 0 0 localhost.44289
localhost.5347 ESTABLISHED
tcp 0 0 *.5223 *.*
LISTEN
tcp 0 0 *.5222 *.*
LISTEN
tcp 0 0 *.5269 *.*
LISTEN
tcp 0 0 localhost.5347
localhost.27020 ESTABLISHED
tcp 0 0 localhost.27020
localhost.5347 ESTABLISHED
tcp 0 0 localhost.5347
localhost.8116 ESTABLISHED
tcp 0 0 localhost.8116
localhost.5347 ESTABLISHED
tcp 0 0 localhost.5347
localhost.36130 ESTABLISHED
tcp 0 0 localhost.36130
localhost.5347 ESTABLISHED
tcp 0 0 *.5347 *.*
LISTEN
tcp 0 908 messaging.ssh
my.connection.com.15757 ESTABLISHED
tcp 0 0 *.mysql *.*
LISTEN
tcp 0 0 localhost.submissi *.*
LISTEN
tcp 0 0 localhost.smtp *.*
LISTEN
tcp 0 0 *.ssh *.*
LISTEN
tcp 0 0 *.time *.*
LISTEN
tcp 0 0 *.daytime *.*
LISTEN
tcp 0 0 *.auth *.*
LISTEN
<---- snipped ---->
And so many people were nice to help me out with my
pf.conf (since I assumed that was the initial problem,
although now I'm not so sure)...... this is what it
is currently at:
#cat /etc/pf.conf
ext_if = "fxp0"
set block-policy return
set loginterface $ext_if
scrub in all
nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr pass on $ext_if proto tcp from any to port https
-> 127.0.0.1 port 5222
rdr pass on $ext_if proto tcp from any to port ftp ->
127.0.0.1 port 5223
block log all
block drop in quick log on $ext_if proto { tcp, udp }
from any os Linux to any port ssh
pass quick on lo all
pass in on $ext_if inet proto tcp from any to
($ext_if) port ssh flags S/SA keep state
pass in on $ext_if inet proto tcp from any to (lo0)
port { 5222, 5223 } flags S/SA keep state
pass out on $ext_if proto tcp all flags S/SA keep
state
pass out on $ext_if proto { udp, icmp } all keep state
# pfctl -sn
nat on fxp0 from ! (fxp0) to any -> (fxp0:0)
rdr pass on fxp0 inet proto tcp from any to any port =
https -> 127.0.0.1 port 5222
rdr pass on fxp0 inet proto tcp from any to any port =
ftp -> 127.0.0.1 port 5223
# pfctl -sr
scrub in all fragment reassemble
block return log all
block drop in log quick on fxp0 proto tcp from any os
"Linux" to any port = ssh
block drop in log quick on fxp0 proto udp from any os
"Linux" to any port = ssh
pass quick on lo all
pass in on fxp0 inet proto tcp from any to (fxp0) port
= ssh flags S/SA keep state
pass in on fxp0 inet proto tcp from any to (lo0) port
= 5222 flags S/SA keep state
pass in on fxp0 inet proto tcp from any to (lo0) port
= 5223 flags S/SA keep state
pass out on fxp0 proto tcp all flags S/SA keep state
pass out on fxp0 proto udp all keep state
pass out on fxp0 proto icmp all keep state
#
any help would be GREATLY appreciated. my head is
getting sore.
bob
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
