
Re: pf stopped working i think...



--- j knight <[email protected]> wrote:
> Jon Simola wrote:
> > On 6/5/05, b h <[email protected]> wrote:
> > 
> > > Or, could someone please point out something I might
> > > have missed/case of the stupids?
> > 
> > > block log all
> > > pass quick on lo all
> > > antispoof quick for lo
> 
> The documentation explicitly says not to use antispoof on loopback
> interfaces. And Jon's right. You have a "quick" rule and then your
> antispoof rule; makes no sense.
> 
> > The loopback interface is "lo0", not "lo". And you should probably
> > have the antispoof before the pass quick for lo0.
> 
> "lo" is valid as it will apply to all loopback-type interfaces. You can
> do the same with other drivers as well ("em", "vlan", etc).
> 
Hi folks:
I'm really not getting this. And this all used to work before I
upgraded on Sunday. I completely reformatted and installed a Jun 03
snapshot (instead of the -current it was running yesterday). And it
still doesn't work.
I keep getting a "no route to host". If I disable pf, it connects fine.
# tail messages
Jun  7 12:55:57 messaging jabberd/s2s[29374]: attempting connection to router at 127.0.0.1, port=5347
Jun  7 12:55:57 messaging jabberd/router[23771]: [0.0.0.0, port=5347] listening for incoming connections
Jun  7 12:55:57 messaging jabberd/resolver[7624]: attempting connection to router at 127.0.0.1, port=5347
Jun  7 12:55:57 messaging jabberd/sm[20165]: attempting connection to router at 127.0.0.1, port=5347
Jun  7 12:55:57 messaging jabberd/resolver[7624]: connection attempt to router failed: No route to host (65)
Jun  7 12:55:57 messaging jabberd/s2s[29374]: connection attempt to router failed: No route to host (65)
Jun  7 12:55:57 messaging jabberd/sm[20165]: connection attempt to router failed: No route to host (65)
Jun  7 12:55:57 messaging jabberd/c2s[26777]: [messaging.pbiresearch.com] configured; realm=(null)
Jun  7 12:55:57 messaging jabberd/c2s[26777]: attempting connection to router at 127.0.0.1, port=5347
Jun  7 12:55:57 messaging jabberd/c2s[26777]: connection attempt to router failed: No route to host (65)
# netstat -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address          (state)
tcp        0      0  messaging.ssh          my.connection.com.15757  ESTABLISHED
tcp        0      0  *.5347                 *.*                      LISTEN
tcp        0      0  *.mysql                *.*                      LISTEN
tcp        0      0  localhost.submissi     *.*                      LISTEN
tcp        0      0  localhost.smtp         *.*                      LISTEN
tcp        0      0  *.ssh                  *.*                      LISTEN
tcp        0      0  *.time                 *.*                      LISTEN
tcp        0      0  *.daytime              *.*                      LISTEN
tcp        0      0  *.auth                 *.*                      LISTEN
<---- snipped ---->
# pfctl -d
pf disabled
# kill 2636
# su _jabberd -c '/usr/local/sbin/jabberd&'
# tail messages
Jun  7 14:19:38 messaging jabberd/router[27484]: [127.0.0.1, port=27020] authenticated as jabberd
Jun  7 14:19:38 messaging jabberd/router[27484]: [s2s] set as default route
Jun  7 14:19:38 messaging jabberd/router[27484]: [s2s] online (bound to 127.0.0.1, port 8116)
Jun  7 14:19:38 messaging jabberd/router[27484]: [c2s] online (bound to 127.0.0.1, port 27020)
Jun  7 14:19:38 messaging jabberd/sm[59]: ready for sessions
Jun  7 14:19:38 messaging jabberd/s2s[7752]: [0.0.0.0, port=5269] listening for connections
Jun  7 14:19:38 messaging jabberd/s2s[7752]: ready for connections
Jun  7 14:19:38 messaging jabberd/c2s[7234]: [0.0.0.0, port=5222] listening for connections
Jun  7 14:19:38 messaging jabberd/c2s[7234]: [0.0.0.0, port=5223] listening for SSL connections
Jun  7 14:19:38 messaging jabberd/c2s[7234]: ready for connections
# netstat -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address          (state)
tcp        0      0  localhost.5347         localhost.10730          TIME_WAIT
tcp        0      0  localhost.5347         localhost.44289          ESTABLISHED
tcp        0      0  localhost.44289        localhost.5347           ESTABLISHED
tcp        0      0  *.5223                 *.*                      LISTEN
tcp        0      0  *.5222                 *.*                      LISTEN
tcp        0      0  *.5269                 *.*                      LISTEN
tcp        0      0  localhost.5347         localhost.27020          ESTABLISHED
tcp        0      0  localhost.27020        localhost.5347           ESTABLISHED
tcp        0      0  localhost.5347         localhost.8116           ESTABLISHED
tcp        0      0  localhost.8116         localhost.5347           ESTABLISHED
tcp        0      0  localhost.5347         localhost.36130          ESTABLISHED
tcp        0      0  localhost.36130        localhost.5347           ESTABLISHED
tcp        0      0  *.5347                 *.*                      LISTEN
tcp        0    908  messaging.ssh          my.connection.com.15757  ESTABLISHED
tcp        0      0  *.mysql                *.*                      LISTEN
tcp        0      0  localhost.submissi     *.*                      LISTEN
tcp        0      0  localhost.smtp         *.*                      LISTEN
tcp        0      0  *.ssh                  *.*                      LISTEN
tcp        0      0  *.time                 *.*                      LISTEN
tcp        0      0  *.daytime              *.*                      LISTEN
tcp        0      0  *.auth                 *.*                      LISTEN
<---- snipped ---->
So many people were nice enough to help me out with my pf.conf (since I
assumed that was the initial problem, although now I'm not so sure)...
this is what it currently looks like:
# cat /etc/pf.conf
ext_if = "fxp0"
set block-policy return
set loginterface $ext_if
scrub in all
nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr pass on $ext_if proto tcp from any to port https -> 127.0.0.1 port 5222
rdr pass on $ext_if proto tcp from any to port ftp -> 127.0.0.1 port 5223
block log all
block drop in quick log on $ext_if proto { tcp, udp } from any os Linux to any port ssh
pass quick on lo all
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh flags S/SA keep state
pass in on $ext_if inet proto tcp from any to (lo0) port { 5222, 5223 } flags S/SA keep state
pass out on $ext_if proto tcp all flags S/SA keep state
pass out on $ext_if proto { udp, icmp } all keep state
# pfctl -sn
nat on fxp0 from ! (fxp0) to any -> (fxp0:0)
rdr pass on fxp0 inet proto tcp from any to any port = https -> 127.0.0.1 port 5222
rdr pass on fxp0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 5223
# pfctl -sr
scrub in all fragment reassemble
block return log all
block drop in log quick on fxp0 proto tcp from any os "Linux" to any port = ssh
block drop in log quick on fxp0 proto udp from any os "Linux" to any port = ssh
pass quick on lo all
pass in on fxp0 inet proto tcp from any to (fxp0) port = ssh flags S/SA keep state
pass in on fxp0 inet proto tcp from any to (lo0) port = 5222 flags S/SA keep state
pass in on fxp0 inet proto tcp from any to (lo0) port = 5223 flags S/SA keep state
pass out on fxp0 proto tcp all flags S/SA keep state
pass out on fxp0 proto udp all keep state
pass out on fxp0 proto icmp all keep state
#
Any help would be GREATLY appreciated. My head is getting sore.
bob
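As an added illustration (not code from this thread or from OpenBSD's pf), a small Python model of the two pf points made in the quoted replies: the last matching rule wins unless a rule is marked quick, and a bare driver name such as "lo" is an interface group that covers lo0. The rule set is a hand-simplified subset of the pf.conf above; addresses, TCP flags, state tracking and the nat/rdr rules are assumed away.

```python
import re
from dataclasses import dataclass

@dataclass
class Rule:
    action: str           # "pass" or "block"
    direction: str = None # "in", "out" or None for either
    iface: str = None     # "lo", "lo0", "fxp0" or None for any
    proto: str = None     # "tcp", "udp", "icmp" or None for any
    dport: int = None     # destination port or None for any
    quick: bool = False   # stop evaluating once this rule matches

def iface_matches(rule_if, pkt_if):
    """A bare driver name such as "lo" is an interface group: it matches lo0, lo1, ..."""
    if rule_if is None or rule_if == pkt_if:
        return True
    return re.fullmatch(r"[a-z]+", rule_if) is not None and pkt_if.rstrip("0123456789") == rule_if

def matches(r, pkt):
    return ((r.direction is None or r.direction == pkt["dir"])
            and iface_matches(r.iface, pkt["if"])
            and (r.proto is None or r.proto == pkt["proto"])
            and (r.dport is None or r.dport == pkt["dport"]))

def evaluate(rules, pkt):
    """Last matching rule wins unless a matching rule is quick.
    Returns (action, index of deciding rule); index -1 means no rule matched."""
    decision = ("pass", -1)              # pf passes when nothing matches
    for i, r in enumerate(rules):
        if matches(r, pkt):
            decision = (r.action, i)
            if r.quick:
                break
    return decision

# Hand-simplified subset of the post's pf.conf (no addresses, flags, state, nat/rdr).
RULES = [
    Rule("block"),                                # block log all
    Rule("pass", iface="lo", quick=True),         # pass quick on lo all
    Rule("pass", "in", "fxp0", "tcp", 22),        # pass in ... port ssh keep state
    Rule("pass", "out", "fxp0", "tcp"),           # pass out ... proto tcp all
]

def decisions():
    """Decisions for three constructed cases: the loopback connect to the router
    on port 5347 from the log above, inbound ssh, and inbound mysql on fxp0."""
    return {
        "lo0 tcp/5347": evaluate(RULES, {"dir": "out", "if": "lo0", "proto": "tcp", "dport": 5347}),
        "fxp0 in ssh": evaluate(RULES, {"dir": "in", "if": "fxp0", "proto": "tcp", "dport": 22}),
        "fxp0 in mysql": evaluate(RULES, {"dir": "in", "if": "fxp0", "proto": "tcp", "dport": 3306}),
    }
```

Under this model the loopback connect is decided by the quick "lo" rule, so a ruleset this simple does not by itself explain the "No route to host" seen with pf enabled; real pf state, addresses and flags still need checking with pfctl -vsr and the pflog interface.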