Thread: pf-nat with userland ppp source address issue

pf-nat with userland ppp source address issue
2006-05-24 19:32:45
hello

i've met a very strange issue with NATting.

i've noticed that only every second outgoing SSH connection succeeds, and
this was a bit strange. i've started a few, and tcpdumped them, applied
a filter for S/SA tcp flags, and i've got the following result:

No.  Time       Source           Destination    Protocol  Info
31   4.513136   213.178.116.238  195.56.55.204  TCP       53480 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2969214 TSER=0
32   6.542201   213.178.109.103  195.56.55.204  TCP       56051 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2971243 TSER=0
73   8.293252   213.178.116.238  195.56.55.204  TCP       61535 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2972994 TSER=0
74   9.834288   213.178.109.103  195.56.55.204  TCP       59672 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2974535 TSER=0
115  11.384353  213.178.116.238  195.56.55.204  TCP       60708 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2976085 TSER=0

take a look at the source address.
now i've checked the interface configuration:

# ifconfig tun0
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
        inet 213.178.109.103 --> 195.70.32.11 netmask 0xffffffff
        Opened by PID 208

for my information i looked them up:
238.116.178.213.in-addr.arpa domain name pointer caracas-4334.adsl.interware.hu.
103.109.178.213.in-addr.arpa domain name pointer caracas-2407.adsl.interware.hu.

so it appears that's just another user IP from my ISP's ADSL pool.

now the ppp.log looked really interesting, here comes the point:
--- chop with axe here ---
May 24 18:08:02 beeblebrox ppp[208]: tun0: IPCP: IPADDR[6] changing address: 213.178.116.238 --> 213.178.109.103
--- chop with axe here ---

as you can see, one source IP is the old one i had before, and the other one
is the one i'm using currently. i've tried to re-read pf.conf with pfctl -f,
but that didn't help, nor did -d/-e (disabling and then enabling it).

this solved it:
# pfctl -d
# pfctl -F nat
# pfctl -F state
# pfctl -F Sources
# pfctl -f /etc/pf.conf
# pfctl -e

i'm using the userland ppp service, as it seems from the tun0 interface.

is this issue already known, and is it really a bug, or am i doing something
wrong? the pf.conf is available from here. this is my home gateway, it's
also a testbox, some kind of playground.

uname -a:
FreeBSD beeblebrox.harmless.lan 6.1-STABLE FreeBSD 6.1-STABLE #0: Fri May 19 14:25:03 CEST 2006 root beeblebrox.harmless.lan:/usr/obj/usr/src/sys/BEEBLEBROX i386

pf.conf:
http://phoemix.harmless.hu/pf.beeblebrox.conf

Bye,

Gergely Czuczy
mailto: gergely.czuczy harmless.hu
PGP: http://phoemix.harmless.hu/phoemix.pgp

Weenies test. Geniuses solve problems that arise.
pf-nat with userland ppp source address issue
2006-05-24 19:50:57
On Wednesday 24 May 2006 21:32, Gergely CZUCZY wrote:
> i've met a very strange issue with NATting.
>
> i've noticed that only every second outgoing SSH connection succeeds, and
> this was a bit strange. i've started a few, and tcpdumped them, applied
> a filter for S/SA tcp flags, and i've got the following result:
>
> No.  Time       Source           Destination    Protocol  Info
> 31   4.513136   213.178.116.238  195.56.55.204  TCP       53480 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2969214 TSER=0
> 32   6.542201   213.178.109.103  195.56.55.204  TCP       56051 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2971243 TSER=0
> 73   8.293252   213.178.116.238  195.56.55.204  TCP       61535 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2972994 TSER=0
> 74   9.834288   213.178.109.103  195.56.55.204  TCP       59672 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2974535 TSER=0
> 115  11.384353  213.178.116.238  195.56.55.204  TCP       60708 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2976085 TSER=0
>
> take a look at the source address.
> now i've checked the interface configuration:
>
> # ifconfig tun0
> tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
>         inet 213.178.109.103 --> 195.70.32.11 netmask 0xffffffff
>         Opened by PID 208
>
> for my information i looked them up:
> 238.116.178.213.in-addr.arpa domain name pointer caracas-4334.adsl.interware.hu.
> 103.109.178.213.in-addr.arpa domain name pointer caracas-2407.adsl.interware.hu.
>
> so it appears that's just another user IP from my ISP's ADSL pool.
>
> now the ppp.log looked really interesting, here comes the point:
> --- chop with axe here ---
> May 24 18:08:02 beeblebrox ppp[208]: tun0: IPCP: IPADDR[6] changing address: 213.178.116.238 --> 213.178.109.103
> --- chop with axe here ---
>
> as you can see, one source IP is the old one i had before, and the other one
> is the one i'm using currently. i've tried to re-read pf.conf with pfctl -f,
> but that didn't help, nor did -d/-e (disabling and then enabling it).
>
> this solved it:
> # pfctl -d
> # pfctl -F nat
> # pfctl -F state
> # pfctl -F Sources
> # pfctl -f /etc/pf.conf
> # pfctl -e
>
> i'm using the userland ppp service, as it seems from the tun0 interface.
>
> is this issue already known, and is it really a bug, or am i doing something
> wrong? the pf.conf is available from here. this is my home gateway, it's
> also a testbox, some kind of playground.
>
> uname -a:
> FreeBSD beeblebrox.harmless.lan 6.1-STABLE FreeBSD 6.1-STABLE #0: Fri May 19 14:25:03 CEST 2006 root beeblebrox.harmless.lan:/usr/obj/usr/src/sys/BEEBLEBROX i386
>
> pf.conf:
> http://phoemix.harmless.hu/pf.beeblebrox.conf

Try using:

  (tun0:0) in "to", "from" and "->" statements. The ":0" after the interface
name will make sure that we don't use alias addresses on the interface. In
fact this is a bug in ppp, but it was decided that it was non-trivial to fix
it. I don't remember all the details, but

  http://www.freebsd.org/cgi/query-pr.cgi?pr=69954

was the PR back then.

btw, you seem to be missing "()" around $if_ppp in the ftp-proxy rule.

--
/"\  Best regards,                      | mlaier freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
pf-nat with userland ppp source address issue
2006-05-24 19:57:33
On Wed, May 24, 2006 at 09:50:57PM +0200, Max Laier wrote:
> On Wednesday 24 May 2006 21:32, Gergely CZUCZY wrote:
> > i've met a very strange issue with NATting.
> >
> > i've noticed that only every second outgoing SSH connection succeeds, and
> > this was a bit strange. i've started a few, and tcpdumped them, applied
> > a filter for S/SA tcp flags, and i've got the following result:
> >
> > No.  Time       Source           Destination    Protocol  Info
> > 31   4.513136   213.178.116.238  195.56.55.204  TCP       53480 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2969214 TSER=0
> > 32   6.542201   213.178.109.103  195.56.55.204  TCP       56051 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2971243 TSER=0
> > 73   8.293252   213.178.116.238  195.56.55.204  TCP       61535 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2972994 TSER=0
> > 74   9.834288   213.178.109.103  195.56.55.204  TCP       59672 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2974535 TSER=0
> > 115  11.384353  213.178.116.238  195.56.55.204  TCP       60708 > ssh [SYN] Seq=0 Len=0 MSS=1460 WS=1 TSV=2976085 TSER=0
> >
> > take a look at the source address.
> > now i've checked the interface configuration:
> >
> > # ifconfig tun0
> > tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
> >         inet 213.178.109.103 --> 195.70.32.11 netmask 0xffffffff
> >         Opened by PID 208
> >
> > for my information i looked them up:
> > 238.116.178.213.in-addr.arpa domain name pointer caracas-4334.adsl.interware.hu.
> > 103.109.178.213.in-addr.arpa domain name pointer caracas-2407.adsl.interware.hu.
> >
> > so it appears that's just another user IP from my ISP's ADSL pool.
> >
> > now the ppp.log looked really interesting, here comes the point:
> > --- chop with axe here ---
> > May 24 18:08:02 beeblebrox ppp[208]: tun0: IPCP: IPADDR[6] changing address: 213.178.116.238 --> 213.178.109.103
> > --- chop with axe here ---
> >
> > as you can see, one source IP is the old one i had before, and the other one
> > is the one i'm using currently. i've tried to re-read pf.conf with pfctl -f,
> > but that didn't help, nor did -d/-e (disabling and then enabling it).
> >
> > this solved it:
> > # pfctl -d
> > # pfctl -F nat
> > # pfctl -F state
> > # pfctl -F Sources
> > # pfctl -f /etc/pf.conf
> > # pfctl -e
> >
> > i'm using the userland ppp service, as it seems from the tun0 interface.
> >
> > is this issue already known, and is it really a bug, or am i doing something
> > wrong? the pf.conf is available from here. this is my home gateway, it's
> > also a testbox, some kind of playground.
> >
> > uname -a:
> > FreeBSD beeblebrox.harmless.lan 6.1-STABLE FreeBSD 6.1-STABLE #0: Fri May 19 14:25:03 CEST 2006 root beeblebrox.harmless.lan:/usr/obj/usr/src/sys/BEEBLEBROX i386
> >
> > pf.conf:
> > http://phoemix.harmless.hu/pf.beeblebrox.conf
>
> Try using:
>
>   (tun0:0) in "to", "from" and "->" statements. The ":0" after the interface
> name will make sure that we don't use alias addresses on the interface. In
> fact this is a bug in ppp, but it was decided that it was non-trivial to fix
> it. I don't remember all the details, but
>
>   http://www.freebsd.org/cgi/query-pr.cgi?pr=69954
yes, seems similar
>
> was the PR back then.
>
> btw, you seem to be missing "()" around $if_ppp in the ftp-proxy rule.
thanks for this notice

i've changed my rules to:
nat on $if_ppp from {10.1.0.0/16, 127.0.0.1, $ip_zaphod} to 0.0.0.0/0 -> ($if_ppp:0)
and also corrected the non-related ftp-proxy rule

thanks for the workaround, i've adjusted my config, i hope this
will fix the issue for a while

Bye,

Gergely Czuczy
mailto: gergely.czuczy harmless.hu
PGP: http://phoemix.harmless.hu/phoemix.pgp

Weenies test. Geniuses solve problems that arise.
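As an added illustration of the rule shape discussed in Max's reply and in the adjusted rule above (this is not the poster's pf.conf, which is only linked in the thread, nor anything from the pf or ppp projects), here is a minimal pf.conf fragment with the two translation-address forms side by side. The macro names and the LAN network are taken from the thread; the interface name tun0 is the one shown in the ifconfig output; everything else is assumed for the example.

```conf
# Added example, not the thread's configuration.
if_ppp  = "tun0"
lan_net = "10.1.0.0/16"

# Form 1: a bare macro. pf resolves $if_ppp to the address tun0 has at the
# moment "pfctl -f" runs and stores that fixed IP in the rule. Once IPCP
# renegotiates the link address, packets keep leaving with the stale source.
# nat on $if_ppp from $lan_net to any -> $if_ppp

# Form 2: parentheses. pf re-reads the interface's addresses at run time, so
# a renegotiated address is picked up without reloading. The catch is that
# "($if_ppp)" expands to every address on tun0, aliases included; if the old
# lease is left behind as an alias (the ppp bug Max refers to), pf has two
# candidate translation addresses, which is what the alternating source
# addresses in the capture look like.
# nat on $if_ppp from $lan_net to any -> ($if_ppp)

# Form 3: parentheses plus ":0". Still tracked at run time, but alias
# addresses are excluded, so only the primary address of tun0 is used.
# This is the form suggested in the thread.
nat on $if_ppp from $lan_net to any -> ($if_ppp:0)
```

After loading with pfctl -f, pfctl -s nat prints the rule as pf parsed it; for Form 3 the translation target is shown in its dynamic form rather than as a fixed IP, which is the quick way to confirm the rule will follow the next address change. Note that ":0" sidesteps the lingering alias rather than removing it; ifconfig tun0 will still show the extra address until ppp drops it. Existing state entries created under an old address are not rewritten by a rule reload, so connections that were already translated keep their old source until they expire or the state table is flushed, as in the first message's recovery sequence.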