--- j knight <[EMAIL PROTECTED]> wrote:

> Jon Simola wrote:
> > On 6/5/05, b h <[EMAIL PROTECTED]> wrote:
> >
> > > Or, could someone please point out something I might
> > > have missed/case of the stupids?
> >
> > > block log all
> > > pass quick on lo all
> > > antispoof quick for lo
>
> The documentation explicitly says not to use antispoof on loopback
> interfaces. And Jon's right. You have a "quick" rule and then your
> antispoof rule; makes no sense.
>
> > The loopback interface is "lo0", not "lo". And you should probably
> > have the antispoof before the pass quick for lo0.
>
> "lo" is valid as it will apply to all loopback-type interfaces. You can
> do the same with other drivers as well ("em", "vlan", etc).
>
Hi folks:

I'm really not getting this. And this all used to work before I upgraded on
Sunday. I completely reformatted and installed a Jun 03 snapshot (instead of
the current this was running yesterday). And it still doesn't work. I keep
getting a "no route to host". Disabling pf and it connects fine.

# tail messages
Jun 7 12:55:57 messaging jabberd/s2s[29374]: attempting connection to router at 127.0.0.1, port=5347
Jun 7 12:55:57 messaging jabberd/router[23771]: [0.0.0.0, port=5347] listening for incoming connections
Jun 7 12:55:57 messaging jabberd/resolver[7624]: attempting connection to router at 127.0.0.1, port=5347
Jun 7 12:55:57 messaging jabberd/sm[20165]: attempting connection to router at 127.0.0.1, port=5347
Jun 7 12:55:57 messaging jabberd/resolver[7624]: connection attempt to router failed: No route to host (65)
Jun 7 12:55:57 messaging jabberd/s2s[29374]: connection attempt to router failed: No route to host (65)
Jun 7 12:55:57 messaging jabberd/sm[20165]: connection attempt to router failed: No route to host (65)
Jun 7 12:55:57 messaging jabberd/c2s[26777]: [messaging.pbiresearch.com] configured; realm=(null)
Jun 7 12:55:57 messaging jabberd/c2s[26777]: attempting connection to router at 127.0.0.1, port=5347
Jun 7 12:55:57 messaging jabberd/c2s[26777]: connection attempt to router failed: No route to host (65)

# netstat -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address          (state)
tcp        0      0  messaging.ssh          my.connection.com.15757  ESTABLISHED
tcp        0      0  *.5347                 *.*                      LISTEN
tcp        0      0  *.mysql                *.*                      LISTEN
tcp        0      0  localhost.submissi     *.*                      LISTEN
tcp        0      0  localhost.smtp         *.*                      LISTEN
tcp        0      0  *.ssh                  *.*                      LISTEN
tcp        0      0  *.time                 *.*                      LISTEN
tcp        0      0  *.daytime              *.*                      LISTEN
tcp        0      0  *.auth                 *.*                      LISTEN
<---- snipped ---->

# pfctl -d
pf disabled
# kill 2636
# su _jabberd -c '/usr/local/sbin/jabberd&'
# tail messages
Jun 7 14:19:38 messaging jabberd/router[27484]: [127.0.0.1, port=27020] authenticated as jabberd
Jun 7 14:19:38 messaging jabberd/router[27484]: [s2s] set as default route
Jun 7 14:19:38 messaging jabberd/router[27484]: [s2s] online (bound to 127.0.0.1, port 8116)
Jun 7 14:19:38 messaging jabberd/router[27484]: [c2s] online (bound to 127.0.0.1, port 27020)
Jun 7 14:19:38 messaging jabberd/sm[59]: ready for sessions
Jun 7 14:19:38 messaging jabberd/s2s[7752]: [0.0.0.0, port=5269] listening for connections
Jun 7 14:19:38 messaging jabberd/s2s[7752]: ready for connections
Jun 7 14:19:38 messaging jabberd/c2s[7234]: [0.0.0.0, port=5222] listening for connections
Jun 7 14:19:38 messaging jabberd/c2s[7234]: [0.0.0.0, port=5223] listening for SSL connections
Jun 7 14:19:38 messaging jabberd/c2s[7234]: ready for connections

# netstat -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address          (state)
tcp        0      0  localhost.5347         localhost.10730          TIME_WAIT
tcp        0      0  localhost.5347         localhost.44289          ESTABLISHED
tcp        0      0  localhost.44289        localhost.5347           ESTABLISHED
tcp        0      0  *.5223                 *.*                      LISTEN
tcp        0      0  *.5222                 *.*                      LISTEN
tcp        0      0  *.5269                 *.*                      LISTEN
tcp        0      0  localhost.5347         localhost.27020          ESTABLISHED
tcp        0      0  localhost.27020        localhost.5347           ESTABLISHED
tcp        0      0  localhost.5347         localhost.8116           ESTABLISHED
tcp        0      0  localhost.8116         localhost.5347           ESTABLISHED
tcp        0      0  localhost.5347         localhost.36130          ESTABLISHED
tcp        0      0  localhost.36130        localhost.5347           ESTABLISHED
tcp        0      0  *.5347                 *.*                      LISTEN
tcp        0    908  messaging.ssh          my.connection.com.15757  ESTABLISHED
tcp        0      0  *.mysql                *.*                      LISTEN
tcp        0      0  localhost.submissi     *.*                      LISTEN
tcp        0      0  localhost.smtp         *.*                      LISTEN
tcp        0      0  *.ssh                  *.*                      LISTEN
tcp        0      0  *.time                 *.*                      LISTEN
tcp        0      0  *.daytime              *.*                      LISTEN
tcp        0      0  *.auth                 *.*                      LISTEN
<---- snipped ---->

And so many people were nice to help me out with my pf.conf (since I assumed
that was the initial problem, although now I'm not so sure)... this is what
it is currently at:

# cat /etc/pf.conf
ext_if = "fxp0"

set block-policy return
set loginterface $ext_if

scrub in all

nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr pass on $ext_if proto tcp from any to port https -> 127.0.0.1 port 5222
rdr pass on $ext_if proto tcp from any to port ftp -> 127.0.0.1 port 5223

block log all
block drop in quick log on $ext_if proto { tcp, udp } from any os Linux to any port ssh

pass quick on lo all
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh flags S/SA keep state
pass in on $ext_if inet proto tcp from any to (lo0) port { 5222, 5223 } flags S/SA keep state
pass out on $ext_if proto tcp all flags S/SA keep state
pass out on $ext_if proto { udp, icmp } all keep state

# pfctl -sn
nat on fxp0 from ! (fxp0) to any -> (fxp0:0)
rdr pass on fxp0 inet proto tcp from any to any port = https -> 127.0.0.1 port 5222
rdr pass on fxp0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 5223

# pfctl -sr
scrub in all fragment reassemble
block return log all
block drop in log quick on fxp0 proto tcp from any os "Linux" to any port = ssh
block drop in log quick on fxp0 proto udp from any os "Linux" to any port = ssh
pass quick on lo all
pass in on fxp0 inet proto tcp from any to (fxp0) port = ssh flags S/SA keep state
pass in on fxp0 inet proto tcp from any to (lo0) port = 5222 flags S/SA keep state
pass in on fxp0 inet proto tcp from any to (lo0) port = 5223 flags S/SA keep state
pass out on fxp0 proto tcp all flags S/SA keep state
pass out on fxp0 proto udp all keep state
pass out on fxp0 proto icmp all keep state
#

any help would be GREATLY appreciated. my head is getting sore.

bob
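As an added illustration that is not part of this thread, the following Python models pf's filter evaluation (the last matching rule decides unless a matching rule is quick) with "antispoof for <if>" expanded the way pf.conf(5) describes it, and runs the loopback rule orderings discussed above through it. The rule shape, the driver-name matching for "lo", the expansion of "antispoof for lo" as lo0 only, and the sample packets are all simplifying assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    quick: bool = False          # stop evaluating once this rule matches
    iface: Optional[str] = None  # None = any interface
    iface_negated: bool = False  # "on ! lo0"
    src: Optional[str] = None    # source CIDR, None = any

def iface_match(pattern: str, iface: str) -> bool:
    # "lo0" matches only lo0; a bare driver name such as "lo" matches lo0, lo1, ...
    if pattern == iface:
        return True
    return not pattern[-1].isdigit() and re.fullmatch(re.escape(pattern) + r"\d+", iface) is not None

def antispoof(ifname: str, addr: str, prefixlen: int, quick: bool = False) -> List[Rule]:
    # Expansion of "antispoof for <if>" as pf.conf(5) describes it: block the
    # interface's network arriving on any other interface, then block the
    # interface's own address arriving anywhere. That second rule also matches
    # 127.0.0.1 -> 127.0.0.1 on lo0 itself, which is why loopback is special.
    net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
    return [Rule("block", quick, ifname, True, str(net)),
            Rule("block", quick, None, False, f"{addr}/32")]

def matches(rule: Rule, iface: str, src: str) -> bool:
    if rule.iface is not None and iface_match(rule.iface, iface) == rule.iface_negated:
        return False
    if rule.src is not None and ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src):
        return False
    return True

def evaluate(rules: List[Rule], iface: str, src: str) -> str:
    # pf semantics: the last matching rule decides, unless a matching rule is quick.
    verdict = "pass"             # pf's default when no rule matches
    for rule in rules:
        if matches(rule, iface, src):
            verdict = rule.action
            if rule.quick:
                break
    return verdict

# Filter rules from the thread, constructed here (scrub, nat and rdr omitted;
# "antispoof quick for lo" expanded for lo0 only).
ORIGINAL = [Rule("block"), Rule("pass", quick=True, iface="lo")] + antispoof("lo0", "127.0.0.1", 8, quick=True)
ANTISPOOF_FIRST = [Rule("block")] + antispoof("lo0", "127.0.0.1", 8, quick=True) + [Rule("pass", quick=True, iface="lo0")]
NOW = [Rule("block"), Rule("pass", quick=True, iface="lo")]
```

Running evaluate() on a 127.0.0.1 -> 127.0.0.1 packet on lo0 shows ORIGINAL and NOW passing it and ANTISPOOF_FIRST blocking it, while the same antispoof rules still block a 127.0.0.1 source arriving on fxp0.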