pppoe, can't ping tun0, ipfnat ftp proxy "doesn't work"
Rocco Caputo
rcaputo at pobox.com
Wed Jul 30 12:15:39 PDT 2003
[Originally posted to freebsd-questions, but someone suggested
freebsd-net instead.]
I've acquired DSL. My modem's PPPoE and NAT have a tendency to remap
ports, so I switched it to bridged Ethernet. Now I'm using ppp(8) for
PPPoE. I'm using ipfw2 for QOS things (pipes and queues). I'm using
ipf for firewalling and ftp proxying.
Almost everything works well, except (so far) active FTP and pinging the
tun0 interface.
tcpdump shows ICMP echo requests and responses, but ping does not see
them. Opening ipf (pass in all, pass out all) "fixes" ping.
ipfnat's active ftp proxy sees the PORT request and punches a hole
through the firewall, but incoming packets don't arrive. Opening ipf
"fixes" this, too.
Other incoming connections seem to work fine. DNS works fine. TCP
works fine.
I've read the handbook, the howtos, searched the list archives, usenet,
and the web. Nothing solved it.
So. What have I overlooked? Where have I gone wrong? Would you like
to see my cling-film collection? How about an extensive (but perhaps
not exhaustive) collection of excerpts from my system configuration
files? Ok, it is included.
--
Rocco Caputo - rcaputo at pobox.com - http://poe.perl.org/
=== ppp.conf
default:
ident user-ppp VERSION (built COMPILATIONDATE)
set log CBCP CCP Chat Connect Command IPCP tun Phase Warning
papchap:
add default HISADDR
disable ipv6cp
disable vjcomp
enable iface-alias
enable lqr
enable tcpmssfixup
nat enable yes
nat log yes
nat same_ports yes
set authkey *****
set authname *****
set cd 5
set crtscts off
set device PPPoE:dc0
set dia
set ifaddr 68.213.211.142/0 192.168.36.176/0
set login
set lqrperiod 1
set mru 1492
set mtu 1492
set redial 1 0
set server /var/run/tun0 "" 0177
set speed sync
set timeout 0
=== netstat -rn
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.36.176 UGSc 80 1377475 tun0
10 link#2 UC 4 0 rl0
10.0.0.7 link#2 UHLW 0 8 rl0
10.0.0.18 00:e0:18:0b:ac:22 UHLW 1 115334 rl0 303
10.0.0.25 00:e0:18:30:68:32 UHLW 0 292874 lo0
10.0.0.100 00:e0:18:30:65:f6 UHLW 1 111019 rl0 163
127.0.0.1 127.0.0.1 UH 6 196295 lo0
192.168.1 link#1 UC 2 0 dc0
192.168.1.25 00:04:5a:59:8e:92 UHLW 0 142112 lo0
192.168.1.254 00:60:0f:31:c7:86 UHLW 0 75153 dc0 865
192.168.36.176 68.213.211.142 UH 76 71059 tun0
=== ipfstat -i
block in quick on tun0 from 0.0.0.0/8 to any
block in quick on tun0 from 127.0.0.0/8 to any
block in quick on tun0 from 169.254.0.0/16 to any
block in quick on tun0 from 172.16.0.0/12 to any
block in quick on tun0 from 192.0.2.0/24 to any
block in quick on tun0 from 192.168.0.0/16 to any
block in quick on tun0 from 224.0.0.0/4 to any
block in quick on tun0 from 240.0.0.0/4 to any
pass in quick on lo0 from any to any
pass in quick on rl0 from any to any
pass in quick on dc0 from any to any
pass in quick on tun0 proto tcp from any to any port = 80 flags S/FSRPAU keep state keep frags
pass in quick on tun0 proto tcp from any to any port = 113 flags S/FSRPAU keep state keep frags
pass in quick on tun0 proto tcp from any to any port = 433 flags S/FSRPAU keep state keep frags
pass in quick on tun0 proto tcp from any to any port 6881 >< 6999 flags S/FSRPAU keep state keep frags
pass in quick on tun0 proto tcp from any to any port = 11512 flags S/FSRPAU keep state keep frags
pass in quick on tun0 proto tcp from any to any port 32000 >< 32100 flags S/FSRPAU keep state keep frags
block in quick from any to any
=== ipfstat -o
block out quick on tun0 from 0.0.0.0/8 to any
block out quick on tun0 from 127.0.0.0/8 to any
block out quick on tun0 from 169.254.0.0/16 to any
block out quick on tun0 from 172.16.0.0/12 to any
block out quick on tun0 from 192.0.2.0/24 to any
block out quick on tun0 from 192.168.0.0/16 to any
block out quick on tun0 from 224.0.0.0/4 to any
block out quick on tun0 from 240.0.0.0/4 to any
pass out quick on lo0 from any to any
pass out quick on rl0 from any to any
pass out quick on dc0 from any to any
pass out quick on tun0 proto icmp from any to any keep state
pass out quick on tun0 proto tcp from any to any flags S/FSRPAU keep state keep frags
pass out quick on tun0 proto udp from any to any keep state keep frags
block out quick from any to any
=== ipnat -l
List of active MAP/Redirect filters:
map tun0 68.213.211.142/32 -> 68.213.211.142/32 proxy port ftp ftp/tcp
List of active sessions:
(none)
=== various rc.conf bits
ifconfig_dc0="inet 192.168.1.25 netmask 255.255.255.0"
network_interfaces="lo0 rl0 dc0 tun0"
firewall_enable="YES"
firewall_logging="YES"
firewall_type="/etc/rc.firewall.custom"
firewall_flags="-p /usr/bin/cpp"
ipfilter_enable="YES"
ipfilter_program="/sbin/ipf"
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"
ppp_enable="yes"
ppp_mode="ddial"
ppp_nat="yes"
ppp_profile="papchap"
=== ipfw show
01110 queue 18 icmp from any to any in via tun0
01110 queue 18 ip from any to any in via tun0 iptos lowdelay,throughput
01120 queue 18 tcp from any to any in via tun0 tcpflags ack
01120 queue 18 tcp from any to any in via tun0 tcpflags ack
01300 queue 14 ip from any to any in via tun0 iptos lowdelay
01310 queue 14 tcp from any 6666-6669 to any in via tun0
01320 queue 14 tcp from any 80 to any in via tun0
01400 queue 11 tcp from any 119 to any in via tun0
01410 queue 11 tcp from any 5999 to any in via tun0
01420 queue 11 tcp from any to any in via tun0 iplen 1500
01430 queue 11 tcp from any 6881-6889 to any in via tun0
01440 queue 11 tcp from any to any dst-port 6881-6889 in via tun0
01900 queue 12 ip from any to any in via tun0
02100 queue 28 icmp from any to any out via tun0
02110 queue 28 ip from any to any out via tun0 iptos lowdelay,throughput
02120 queue 28 tcp from any to any out via tun0 tcpflags ack
02130 queue 28 tcp from any to any out via tun0 setup
02300 queue 24 ip from any to any out via tun0 iptos lowdelay
02310 queue 24 tcp from any to any dst-port 6666-6669 out via tun0
02400 queue 21 tcp from any 80 to any out via tun0
02410 queue 21 tcp from any 443 to any out via tun0
02420 queue 21 tcp from any 11512 to any out via tun0
02430 queue 21 tcp from any to any dst-port 119 out via tun0
02440 queue 21 tcp from any to any dst-port 5999 out via tun0
02450 queue 21 tcp from any to any out via tun0 iplen 1500
02460 queue 21 tcp from any 6881-6889 to any out via tun0
02470 queue 21 tcp from any to any dst-port 6881-6889 out via tun0
02900 queue 22 ip from any to any out via tun0
60000 allow ip from any to any via lo0
60010 allow ip from any to any via rl0
60020 allow ip from any to any via dc0
60030 allow ip from any to any via tun0
60040 allow ip from any to any
65535 deny ip from any to any
=== ipfw queue show
00010: 368.000 Kbit/s 0 ms 36 KB 0 queues (1 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
00011: 736.000 Kbit/s 0 ms 73 KB 0 queues (1 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
00012: 1.472 Mbit/s 0 ms 147 KB 0 queues (1 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
00020: 64.000 Kbit/s 0 ms 6144 B 0 queues (1 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
00021: 128.000 Kbit/s 0 ms 12 KB 0 queues (1 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
00022: 256.000 Kbit/s 0 ms 25 KB 0 queues (1 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
=== end
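As an added example (not part of the original post, and not ipfilter's own code), the following script parses the `ipfstat -i` listing above into a first-match-quick evaluator and answers the kind of question the post raises: what happens to an inbound ICMP echo reply on tun0 when no state entry matches, versus when one does, and which inbound TCP SYNs the tun0 rules accept. Only the rule shapes that appear in the post are parsed. The inbound listing passes TCP port 433 while the ipfw queue rules reference 443; the evaluator makes the consequence of that visible for a SYN to 443. The source address 203.0.113.7 is a constructed test value, and the treatment of `><` as a strict range is an assumption to confirm against ipf.conf(5) for the ipfilter version in use.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Inbound rule listing from the post (ipfstat -i), embedded so this runs offline.
IPF_IN = """\
block in quick on tun0 from 0.0.0.0/8 to any
block in quick on tun0 from 127.0.0.0/8 to any
block in quick on tun0 from 169.254.0.0/16 to any
block in quick on tun0 from 172.16.0.0/12 to any
block in quick on tun0 from 192.0.2.0/24 to any
block in quick on tun0 from 192.168.0.0/16 to any
block in quick on tun0 from 224.0.0.0/4 to any
block in quick on tun0 from 240.0.0.0/4 to any
pass in quick on lo0 from any to any
pass in quick on rl0 from any to any
pass in quick on dc0 from any to any
pass in quick on tun0 proto tcp from any to any port = 80 flags S/FSRPAU keep state keep frags
pass in quick on tun0 proto tcp from any to any port = 113 flags S/FSRPAU keep state keep frags
pass in quick on tun0 proto tcp from any to any port = 433 flags S/FSRPAU keep state keep frags
pass in quick on tun0 proto tcp from any to any port 6881 >< 6999 flags S/FSRPAU keep state keep frags
pass in quick on tun0 proto tcp from any to any port = 11512 flags S/FSRPAU keep state keep frags
pass in quick on tun0 proto tcp from any to any port 32000 >< 32100 flags S/FSRPAU keep state keep frags
block in quick from any to any
"""

# Only the rule grammar that occurs in the post: action, direction, quick,
# interface, proto, from/to (any or CIDR), a destination port test, flags, state.
RULE_RE = re.compile(
    r"^(?P<action>block|pass) (?P<dir>in|out)(?P<quick> quick)?(?: on (?P<iface>\S+))?"
    r"(?: proto (?P<proto>\S+))? from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: port (?:= (?P<eq>\d+)|(?P<lo>\d+) >< (?P<hi>\d+)))?"
    r"(?: flags (?P<flags>\S+))?(?P<state> keep state)?(?: keep frags)?$")


@dataclass
class Rule:
    action: str; direction: str; quick: bool
    iface: Optional[str]; proto: Optional[str]
    src: Optional[ipaddress.IPv4Network]; dst: Optional[ipaddress.IPv4Network]
    port_eq: Optional[int]; port_range: Optional[Tuple[int, int]]
    flags: Optional[str]; keep_state: bool; text: str


def _net(tok):
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_rules(listing):
    rules = []
    for line in listing.strip().splitlines():
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsed rule: " + line)
        g = m.groupdict()
        rules.append(Rule(
            g["action"], g["dir"], bool(g["quick"]), g["iface"], g["proto"],
            _net(g["src"]), _net(g["dst"]),
            int(g["eq"]) if g["eq"] else None,
            (int(g["lo"]), int(g["hi"])) if g["lo"] else None,
            g["flags"], bool(g["state"]), line))
    return rules


@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    dst: str
    dport: int = 0
    syn_only: bool = False   # TCP with only SYN set among F/S/R/P/A/U
    has_state: bool = False  # an existing state-table entry already matches


def _matches(r, p):
    if r.direction != p.direction or (r.iface and r.iface != p.iface):
        return False
    if r.proto and r.proto != p.proto:
        return False
    if r.src and ipaddress.ip_address(p.src) not in r.src:
        return False
    if r.dst and ipaddress.ip_address(p.dst) not in r.dst:
        return False
    if r.port_eq is not None and p.dport != r.port_eq:
        return False
    # Assumption: '><' is treated as a strict range (endpoints excluded); confirm
    # against ipf.conf(5) for the installed version before relying on endpoints.
    if r.port_range and not (r.port_range[0] < p.dport < r.port_range[1]):
        return False
    if r.flags == "S/FSRPAU" and not p.syn_only:
        return False
    return True


def verdict(rules, p):
    """Return (action, reason). As in ipf, a state-table hit is honoured before
    any rule is consulted; otherwise the last matching rule wins unless a
    matching rule is 'quick', which ends the search immediately."""
    if p.has_state:
        return ("pass", "state")
    last = None
    for r in rules:
        if _matches(r, p):
            last = r
            if r.quick:
                break
    return (last.action, last.text) if last else ("pass", "no rule matched (ipf default)")
```

With this ruleset an inbound echo reply on tun0 passes only by way of a state entry created by the `pass out quick on tun0 proto icmp ... keep state` rule; with no state it hits the final `block in quick from any to any`. The same holds for the FTP data connection the proxy is supposed to admit: nothing in the static inbound rules would pass it, so it depends entirely on the dynamic entry.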
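The post says the ipnat ftp proxy "sees the PORT request and punches a hole through the firewall". The following added example (my own code, not ipfilter's proxy implementation) shows what that hole is and the check a safe application-level gateway has to make before opening it: the address in PORT (or RFC 2428 EPRT) must be the client's own address on the control connection, otherwise the ALG would open a pinhole to a third host on the client's say-so. It also shows the PORT rewrite a NAT'ing ALG performs; with the identity map `68.213.211.142/32 -> 68.213.211.142/32` from the post the address is unchanged, while a LAN client such as 10.0.0.18 from the routing table would have its private address replaced. The server address 203.0.113.5 and the command lines are constructed test values.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Pinhole:
    """The temporary inbound pass an FTP ALG opens for the server's data
    connection (server port 20) back to the client's listening data port."""
    proto: str
    src_ip: str     # FTP server
    dst_ip: str     # client's data listener, as seen from the outside
    dst_port: int


_PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$")
_EPRT_RE = re.compile(r"^EPRT \|1\|([0-9.]+)\|(\d{1,5})\|\r?\n?$")   # RFC 2428, IPv4 only


def parse_active_request(line):
    """Return (ip, port) announced by a PORT or EPRT command, or raise ValueError."""
    m = _PORT_RE.match(line)
    if m:
        o = [int(x) for x in m.groups()]
        if max(o) > 255:
            raise ValueError("PORT octet out of range")
        return (f"{o[0]}.{o[1]}.{o[2]}.{o[3]}", o[4] * 256 + o[5])
    m = _EPRT_RE.match(line)
    if m:
        return (str(ipaddress.IPv4Address(m.group(1))), int(m.group(2)))
    raise ValueError("not a PORT/EPRT command: " + line.strip())


def pinhole_for(line, client_ip, server_ip):
    """Derive the pinhole for an active-mode request, refusing FTP-bounce style
    requests whose address is not the control connection's client."""
    ip, port = parse_active_request(line)
    if ip != client_ip:
        raise ValueError(f"PORT address {ip} is not the control-connection client {client_ip}")
    if not 1024 <= port <= 65535:
        raise ValueError(f"refusing data port {port}")
    return Pinhole("tcp", server_ip, client_ip, port)


def rewrite_port(public_ip, port):
    """Re-encode a PORT line the way a NAT'ing ALG does after translation."""
    o = public_ip.split(".")
    return f"PORT {o[0]},{o[1]},{o[2]},{o[3]},{port // 256},{port % 256}\r\n"


def nat_alg(line, client_ip, public_ip, server_ip, translated_port=None):
    """Full ALG step for one control-channel line from client_ip behind NAT
    (public_ip is the outside address; translated_port is the NAT-chosen port,
    or None to keep the client's). Returns (line to forward, pinhole)."""
    ph = pinhole_for(line, client_ip, server_ip)
    port = ph.dst_port if translated_port is None else translated_port
    return rewrite_port(public_ip, port), Pinhole("tcp", server_ip, public_ip, port)
```

The pinhole is exactly the single five-tuple the server will use; an ALG that instead passed any inbound connection to the client's port range would be equivalent to the static `pass in` rules above, with none of the lifetime limits a dynamic entry gets.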