pppoe, can't ping tun0, ipfnat ftp proxy "doesn't work"
Julian Elischer
julian at elischer.org
Wed Jul 30 12:51:36 PDT 2003
You are complicating things by running both ipfw and ipf.
Can you not do just one of them?
On Wed, 30 Jul 2003, Rocco Caputo wrote:
> [Originally posted to freebsd-questions, but someone suggested
> freebsd-net instead.]
>
> I've acquired DSL. My modem's PPPoE and NAT have a tendency to remap
> ports, so I switched it to bridged Ethernet. Now I'm using ppp(8) for
> PPPoE. I'm using ipfw2 for QOS things (pipes and queues). I'm using
> ipf for firewalling and ftp proxying.
>
> Almost everything works well, except (so far) active FTP and pinging the
> tun0 interface.
>
> tcpdump shows ICMP echo requests and responses, but ping does not see
> them. Opening ipf (pass in all, pass out all) "fixes" ping.
>
> ipfnat's active ftp proxy sees the PORT request and punches a hole
> through the firewall, but incoming packets don't arrive. Opening ipf
> "fixes" this, too.
>
> Other incoming connections seem to work fine. DNS works fine. TCP
> works fine.
>
> I've read the handbook, the howtos, searched the list archives, usenet,
> and the web. Nothing solved it.
>
> So. What have I overlooked? Where have I gone wrong? Would you like
> to see my cling-film collection? How about an extensive (but perhaps
> not exhaustive) collection of excerpts from my system configuration
> files? Ok, it is included.
>
> --
> Rocco Caputo - rcaputo at pobox.com - http://poe.perl.org/
>
> === ppp.conf
>
> default:
> ident user-ppp VERSION (built COMPILATIONDATE)
> set log CBCP CCP Chat Connect Command IPCP tun Phase Warning
>
> papchap:
> add default HISADDR
> disable ipv6cp
> disable vjcomp
> enable iface-alias
> enable lqr
> enable tcpmssfixup
> nat enable yes
> nat log yes
> nat same_ports yes
> set authkey *****
> set authname *****
> set cd 5
> set crtscts off
> set device PPPoE:dc0
> set dia
> set ifaddr 68.213.211.142/0 192.168.36.176/0
> set login
> set lqrperiod 1
> set mru 1492
> set mtu 1492
> set redial 1 0
> set server /var/run/tun0 "" 0177
> set speed sync
> set timeout 0
>
> === netstat -rn
>
> Routing tables
>
> Internet:
> Destination Gateway Flags Refs Use Netif Expire
> default 192.168.36.176 UGSc 80 1377475 tun0
> 10 link#2 UC 4 0 rl0
> 10.0.0.7 link#2 UHLW 0 8 rl0
> 10.0.0.18 00:e0:18:0b:ac:22 UHLW 1 115334 rl0 303
> 10.0.0.25 00:e0:18:30:68:32 UHLW 0 292874 lo0
> 10.0.0.100 00:e0:18:30:65:f6 UHLW 1 111019 rl0 163
> 127.0.0.1 127.0.0.1 UH 6 196295 lo0
> 192.168.1 link#1 UC 2 0 dc0
> 192.168.1.25 00:04:5a:59:8e:92 UHLW 0 142112 lo0
> 192.168.1.254 00:60:0f:31:c7:86 UHLW 0 75153 dc0 865
> 192.168.36.176 68.213.211.142 UH 76 71059 tun0
>
> === ipfstat -i
>
> block in quick on tun0 from 0.0.0.0/8 to any
> block in quick on tun0 from 127.0.0.0/8 to any
> block in quick on tun0 from 169.254.0.0/16 to any
> block in quick on tun0 from 172.16.0.0/12 to any
> block in quick on tun0 from 192.0.2.0/24 to any
> block in quick on tun0 from 192.168.0.0/16 to any
> block in quick on tun0 from 224.0.0.0/4 to any
> block in quick on tun0 from 240.0.0.0/4 to any
> pass in quick on lo0 from any to any
> pass in quick on rl0 from any to any
> pass in quick on dc0 from any to any
> pass in quick on tun0 proto tcp from any to any port = 80 flags S/FSRPAU keep state keep frags
> pass in quick on tun0 proto tcp from any to any port = 113 flags S/FSRPAU keep state keep frags
> pass in quick on tun0 proto tcp from any to any port = 433 flags S/FSRPAU keep state keep frags
> pass in quick on tun0 proto tcp from any to any port 6881 >< 6999 flags S/FSRPAU keep state keep frags
> pass in quick on tun0 proto tcp from any to any port = 11512 flags S/FSRPAU keep state keep frags
> pass in quick on tun0 proto tcp from any to any port 32000 >< 32100 flags S/FSRPAU keep state keep frags
> block in quick from any to any
>
> === ipfstat -o
>
> block out quick on tun0 from 0.0.0.0/8 to any
> block out quick on tun0 from 127.0.0.0/8 to any
> block out quick on tun0 from 169.254.0.0/16 to any
> block out quick on tun0 from 172.16.0.0/12 to any
> block out quick on tun0 from 192.0.2.0/24 to any
> block out quick on tun0 from 192.168.0.0/16 to any
> block out quick on tun0 from 224.0.0.0/4 to any
> block out quick on tun0 from 240.0.0.0/4 to any
> pass out quick on lo0 from any to any
> pass out quick on rl0 from any to any
> pass out quick on dc0 from any to any
> pass out quick on tun0 proto icmp from any to any keep state
> pass out quick on tun0 proto tcp from any to any flags S/FSRPAU keep state keep frags
> pass out quick on tun0 proto udp from any to any keep state keep frags
> block out quick from any to any
>
> === ipnat -l
>
> List of active MAP/Redirect filters:
> map tun0 68.213.211.142/32 -> 68.213.211.142/32 proxy port ftp ftp/tcp
>
> List of active sessions:
> (none)
>
> === various rc.conf bits
>
> ifconfig_dc0="inet 192.168.1.25 netmask 255.255.255.0"
> network_interfaces="lo0 rl0 dc0 tun0"
>
> firewall_enable="YES"
> firewall_logging="YES"
> firewall_type="/etc/rc.firewall.custom"
> firewall_flags="-p /usr/bin/cpp"
>
> ipfilter_enable="YES"
> ipfilter_program="/sbin/ipf"
> ipfilter_rules="/etc/ipf.rules"
>
> ipnat_enable="YES"
>
> ppp_enable="yes"
> ppp_mode="ddial"
> ppp_nat="yes"
> ppp_profile="papchap"
>
> === ipfw show
>
> 01110 queue 18 icmp from any to any in via tun0
> 01110 queue 18 ip from any to any in via tun0 iptos lowdelay,throughput
> 01120 queue 18 tcp from any to any in via tun0 tcpflags ack
> 01120 queue 18 tcp from any to any in via tun0 tcpflags ack
> 01300 queue 14 ip from any to any in via tun0 iptos lowdelay
> 01310 queue 14 tcp from any 6666-6669 to any in via tun0
> 01320 queue 14 tcp from any 80 to any in via tun0
> 01400 queue 11 tcp from any 119 to any in via tun0
> 01410 queue 11 tcp from any 5999 to any in via tun0
> 01420 queue 11 tcp from any to any in via tun0 iplen 1500
> 01430 queue 11 tcp from any 6881-6889 to any in via tun0
> 01440 queue 11 tcp from any to any dst-port 6881-6889 in via tun0
> 01900 queue 12 ip from any to any in via tun0
> 02100 queue 28 icmp from any to any out via tun0
> 02110 queue 28 ip from any to any out via tun0 iptos lowdelay,throughput
> 02120 queue 28 tcp from any to any out via tun0 tcpflags ack
> 02130 queue 28 tcp from any to any out via tun0 setup
> 02300 queue 24 ip from any to any out via tun0 iptos lowdelay
> 02310 queue 24 tcp from any to any dst-port 6666-6669 out via tun0
> 02400 queue 21 tcp from any 80 to any out via tun0
> 02410 queue 21 tcp from any 443 to any out via tun0
> 02420 queue 21 tcp from any 11512 to any out via tun0
> 02430 queue 21 tcp from any to any dst-port 119 out via tun0
> 02440 queue 21 tcp from any to any dst-port 5999 out via tun0
> 02450 queue 21 tcp from any to any out via tun0 iplen 1500
> 02460 queue 21 tcp from any 6881-6889 to any out via tun0
> 02470 queue 21 tcp from any to any dst-port 6881-6889 out via tun0
> 02900 queue 22 ip from any to any out via tun0
> 60000 allow ip from any to any via lo0
> 60010 allow ip from any to any via rl0
> 60020 allow ip from any to any via dc0
> 60030 allow ip from any to any via tun0
> 60040 allow ip from any to any
> 65535 deny ip from any to any
>
> === ipfw queue show
>
> 00010: 368.000 Kbit/s 0 ms 36 KB 0 queues (1 buckets) droptail
> mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> 00011: 736.000 Kbit/s 0 ms 73 KB 0 queues (1 buckets) droptail
> mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> 00012: 1.472 Mbit/s 0 ms 147 KB 0 queues (1 buckets) droptail
> mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> 00020: 64.000 Kbit/s 0 ms 6144 B 0 queues (1 buckets) droptail
> mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> 00021: 128.000 Kbit/s 0 ms 12 KB 0 queues (1 buckets) droptail
> mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> 00022: 256.000 Kbit/s 0 ms 25 KB 0 queues (1 buckets) droptail
> mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
>
> === end
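As an added illustration (not part of this thread), a small Python simulator of ipf's first-match "quick" evaluation over a constructed subset of the ipfstat -i rules quoted above, ignoring the state table. It shows that any inbound packet on tun0 with no matching state entry (an ICMP echo reply, or the FTP data connection the proxy opened a hole for) falls through to the final block rule, and that the port = 433 rule never admits traffic on 443.

```python
import ipaddress
import re

# Constructed subset of the ipfstat -i output quoted above, same order as posted.
IPF_IN_RULES = """\
block in quick on tun0 from 192.168.0.0/16 to any
pass in quick on lo0 from any to any
pass in quick on tun0 proto tcp from any to any port = 80 flags S/FSRPAU keep state keep frags
pass in quick on tun0 proto tcp from any to any port = 433 flags S/FSRPAU keep state keep frags
pass in quick on tun0 proto tcp from any to any port 6881 >< 6999 flags S/FSRPAU keep state keep frags
block in quick from any to any
"""

# Matches only the rule forms used above; trailing flags/keep state clauses are ignored.
RULE_RE = re.compile(
    r"^(?P<action>block|pass) (?P<dir>in|out) quick"
    r"(?: on (?P<iface>\S+))?(?: proto (?P<proto>\S+))?"
    r" from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: port (?:= (?P<port>\d+)|(?P<lo>\d+) >< (?P<hi>\d+)))?"
)

def parse_rules(text):
    """Parse the subset of ipf rule syntax used in the quoted rule set."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsed rule: " + line)
        rules.append(m.groupdict())
    return rules

def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def _port_ok(rule, dport):
    if rule["port"]:                       # port = N
        return dport == int(rule["port"])
    if rule["lo"]:                         # port A >< B is exclusive on both ends
        return dport is not None and int(rule["lo"]) < dport < int(rule["hi"])
    return True                            # rule has no port clause

def first_match(rules, iface, proto, src, dst, dport=None):
    """Return (action, rule_index) of the first quick rule hit; state table not modelled."""
    for i, r in enumerate(rules):
        if (r["iface"] in (None, iface) and r["proto"] in (None, proto)
                and _addr_ok(r["src"], src) and _addr_ok(r["dst"], dst)
                and _port_ok(r, dport)):
            return r["action"], i
    return None, None
```

Run first_match against the full ipfstat -i and -o listings to see which rule a given packet would hit; a packet that is only admitted by a state entry shows up here as hitting the catch-all block.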