  #1  
Old 06-18-2010, 12:56 AM
ememem ememem is offline
Member
 
Join Date: Apr 2010
Location: Running, Amuk
Posts: 71
Thanks: 0
Thanked 0 Times in 0 Posts
Simple Gateway
Trying to get a simple gateway established as such: NET > re0 > PC-BSD >
fxp0

/etc/pf.conf:

Code:
set skip on lo0
set block-policy return
scrub in all
nat on fxp0 from lo1:network to any -> (fxp0)
nat on re0 from lo1:network to any -> (re0)
nat on re0 from fxp0:network to any -> (re0)
block in log
antispoof quick for lo0 inet
block in from no-route to any
pass out keep state
table <blacklist> persist file "/etc/blacklist"
pass inet proto icmp from any to any
pass inet6 proto icmp6 from any to any
pass in proto {tcp,udp} from any to any port 49152:65535 keep state
block from <blacklist> to any
pass in on re0 proto udp from any to (re0) port 137 keep state
pass in on re0 proto udp from any to (re0) port 138 keep state
pass in on re0 proto udp from any to (re0) port 111 keep state
pass in on re0 proto udp from any to (re0) port 1110 keep state
pass in on re0 proto udp from any to (re0) port 2049 keep state
pass in on re0 proto udp from any to (re0) port 4045 keep state
pass in on re0 proto tcp from any to (re0) port 445 keep state
pass in on re0 proto tcp from any to (re0) port 137 keep state
pass in on re0 proto tcp from any to (re0) port 139 keep state
pass in on re0 proto tcp from any to (re0) port 111 keep state
pass in on re0 proto tcp from any to (re0) port 1110 keep state
pass in on re0 proto tcp from any to (re0) port 4045 keep state
pass in on fxp0 proto udp from any to (fxp0) port 137 keep state
pass in on fxp0 proto udp from any to (fxp0) port 138 keep state
pass in on fxp0 proto udp from any to (fxp0) port 111 keep state
pass in on fxp0 proto udp from any to (fxp0) port 1110 keep state
pass in on fxp0 proto udp from any to (fxp0) port 2049 keep state
pass in on fxp0 proto udp from any to (fxp0) port 4045 keep state
pass in on fxp0 proto tcp from any to (fxp0) port 445 keep state
pass in on fxp0 proto tcp from any to (fxp0) port 137 keep state
pass in on fxp0 proto tcp from any to (fxp0) port 139 keep state
pass in on fxp0 proto tcp from any to (fxp0) port 111 keep state
pass in on fxp0 proto tcp from any to (fxp0) port 1110 keep state
pass in on fxp0 proto tcp from any to (fxp0) port 4045 keep state
/etc/rc.conf:
Code:
background_dhclient="YES"
compat5x_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
devd_enable="YES"
devfs_system_ruleset="devfsrules_common"
ldconfig_paths="/usr/lib/compat /usr/local/lib /usr/local/kde4/lib /usr/local/lib/compat/pkg"

# Disable Sendmail by default
sendmail_enable="NONE"

# Enable console mouse
moused_type="auto"
moused_enable="YES"

# Enable the pcbsd startup / shutdown scripts
pcbsdinit_enable="YES"

#Enable samba server
samba_enable="YES"
winbindd_enable="YES"

# Disable LPD
lpd_enable="NO"

# Enable CUPS
cupsd_enable="YES"
linux_enable="YES"

# FSCK Enhancements
fsck_y_enable="YES"

# Denyhosts Startup
denyhosts_enable="YES"

# powerd: adaptive speed while on AC power, adaptive while on battery power
powerd_enable="YES"
powerd_flags="-a adaptive -b adaptive" # set CPU frequency

# enable HAL / DBUS
dbus_enable="YES"
polkitd_enable="YES"
hald_enable="YES"

# Enables support for HPLIP
hpiod_enable="NO"
hpssd_enable="NO"

# Enable the firewall
pf_rules="/etc/pf.conf"
pf_enable="YES"
pf_flags=""

# DHCP server
dhcpd_enable="YES"
dhcpd_ifaces="fxp0"

# DHCP server BIND
named_enable="YES"

# INETD for ftp-proxy
inetd_enable="YES"

# Enable sound-support
snddetect_enable="YES"
mixer_enable="YES"

# Enable avahi_daemon
avahi_daemon_enable="YES"

# Run the port jail
portjail_enable="YES"

# Added for sound support in the portjail, access to /dev/random, /dev/null, etc.
jail_pcbsd_devfs_enable="YES"

# Start the swapmonitor
swapmonitor_enable="YES"

# Enable IPV6 support
ipv6_enable="YES"

# Enable BSDStats
bsdstats_enable="YES"

# Enable webcamd
webcamd_enable="YES"
ntpd_enable="YES"
ntpd_sync_on_start="YES"
keymap="us.iso"

# Auto-Enabled NICs from pc-sysinstall
gateway_enable="YES"
ifconfig_re0="DHCP media 1000baseTX mediaopt full-duplex"
ifconfig_fxp0="inet 192.168.10.1 media 100baseTX mediaopt full-duplex"
hostname="pcbsd-5050"
Now, before anyone says anything like "Don't ask M$ questions here!"....
let me just say this... if that's all you got then don't even say it. Any of
that and I'll simply ask a mod to remove your trolling. I know there are
a ton of people using XP on a machine behind a FreeBSD gateway and if
you've ever tried to get info out of the M$ site you'll know that's a
nightmare. So...

When setting the TCP/IP in XP using Network Connections I can set the
following :
IP address: 192.168.10.2
Subnet mask: 255.255.255.0
Default gateway: 192.168.10.1

However, with cmd, it will not let me use:
>route ADD 192.168.10.2 MASK 255.255.255.0 gateway 192.168.10.1 METRIC 1 IF 30002
(or any combination of 192.168.10.* in the route and gateway places)
because it says: "bad gateway address"

HA!

What is strange is that if I directly connect the ethernet cable from my
modem to the XP machine with those settings above... instantly the
connection works (it doesn't actually connect to anything but all bells
and whistles go off and it lights up and says that it's "ready"). On the
PC-BSD machine I can ping 192.168.10.1 fine, nothing else.

I've tried about everything... adding ipfw_load="YES" etc. to the
/boot/loader.conf. Every conceivable combination in rc.conf and pf.conf,
even opened up about every single option in /etc/hosts. I've added direct
pass statements to pf.conf telling it directly to pass any from re0 to
fxp0 and the other way around. There not being any, and I mean ANY,
direct instructions for doing something this simple anywhere on the net
that is not hosted by FreeBSD or PC-BSD is understandable, but there not
being any direct explanations of this here on the PC-BSD sites (where pf
comes installed in the OS by default)... is kind of crazy absurd.

Any help from anyone at this point would be appreciated. Anyone who
gives a bunch of links to crappily written obscure man pages will be shot.
#2
Old 06-18-2010, 10:48 AM
ememem
Riddle me this...

# pfctl -nf /etc/pf.conf gives...

Code:
no IP address found for lo1:network
/etc/pf.conf:4: could not parse host specification
no IP address found for lo1:network
/etc/pf.conf:5: could not parse host specification

and... no matter how many times I remove:

Code:
nat on fxp0 from lo1:network to any -> (fxp0)
nat on re0 from lo1:network to any -> (re0)

It just keeps coming back. I'm sure there's a perfectly sound explanation
of this behavior somewhere.

Since the first post I've re-read every single word of Peter N. M. Hansteen's online pf
docs at http://home.nuug.no/~peter/pf/en/
and the OpenBSD FAQ on pf at http://openbsd.org/faq/pf/

... and PC-BSD is still kicking me in the teeth. All I am able to ping locally
via fxp0 is the 192.168.10.1 that's been statically set for it. Nothing
internally can find or ping it.

# pfctl -s state gives...

Code:
all tcp 96.35.23.149:33532 -> 74.119.236.134:80       FIN_WAIT_2:FIN_WAIT_2
all udp 192.168.10.1:5353 -> 224.0.0.251:5353       SINGLE:NO_TRAFFIC
all udp 96.35.23.149:5353 -> 224.0.0.251:5353       SINGLE:NO_TRAFFIC
all udp 96.35.23.149:123 -> 204.9.54.119:123       MULTIPLE:SINGLE
all udp 96.35.23.149:123 -> 173.45.238.221:123       MULTIPLE:SINGLE
all udp 96.35.23.149:123 -> 66.218.191.240:123       MULTIPLE:SINGLE

But that's only a connection from the PC-BSD machine... nothing internal
is getting anywhere nor is it able to go internally :/
#3
Old 06-18-2010, 11:00 AM
ememem
If I were sniffing around the area of taboo I would understand. I once offered
$5,000 for a solution such as this and was told that it would never happen
because the "services" people who win their bread based solely upon
intentional obscurity in their code would never let it happen. So much
for the concept of opensource. At least the redhat people had the nerve to
admit that they were bought.

Forget I even asked.
#4
Old 06-18-2010, 02:16 PM
kmoore134
Administrator

Join Date: May 2005
Location: Knoxville, TN
Posts: 2,568
Thanks: 0
Thanked 163 Times in 127 Posts
Simple Gateway
The lo1 stuff is for the ports jail. If you edit rc.conf, disable
portjail_enable and it'll stop adding those at bootup.
Kris Moore
PC-BSD Founder
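A ruleset that does what post #1 sets out to do, added here as an example; it is not the poster's file and not anything PC-BSD ships. It assumes the interfaces and addresses the thread gives (re0 on the WAN via DHCP, fxp0 on the LAN as 192.168.10.1/24, clients in 192.168.10.0/24) and the pf that FreeBSD 8.x carries, which is the OpenBSD 4.1 version, so translation is written with `nat on` rather than the newer `match ... nat-to`. With portjail_enable turned off as Kris describes, the two `lo1:network` lines stop being re-added, so they are simply absent here. Beyond that, the posted ruleset has three problems this version fixes. It has no `pass in on fxp0` rule at all, so every packet a LAN client sends toward the Internet hits `block in log` and is never forwarded; that alone explains "nothing internal is getting anywhere". It accepts SMB (137-139/445), portmapper (111) and NFS (2049) on re0 from any Internet host, and opens every port from 49152 to 65535 inbound on both interfaces; those services only need to be reachable from the LAN. And its `block from <blacklist>` line is not `quick` and sits before the per-port passes, so under pf's last-match-wins evaluation those passes override it for blacklisted hosts.

```pf
# Added example, not the poster's file or anything PC-BSD ships.
# Topology from the thread: Internet <-> re0 (DHCP) <-> gateway <-> fxp0 (192.168.10.1/24) <-> LAN
# Syntax is the OpenBSD 4.1 pf in FreeBSD 8.x / PC-BSD 8: translation is a "nat on"
# rule, not the 4.7+ "match ... nat-to" form the current OpenBSD FAQ examples use.
ext_if = "re0"
int_if = "fxp0"
lan    = "192.168.10.0/24"

set skip on lo0
set block-policy return
scrub in all

# One address or CIDR block per line; /etc/blacklist is the path from the posted file.
table <blacklist> persist file "/etc/blacklist"

# Translation: LAN sources leave with whatever address re0 holds right now.
# The parentheses make pf re-read the address whenever DHCP renews it.
nat on $ext_if from $lan to any -> ($ext_if)

# Filtering. Default deny inbound, logging the drops to pflog0.
# "quick" makes a rule final. Without it pf keeps evaluating and the LAST match
# wins, which is how the posted file's per-port passes undid its blacklist block.
block in log all
block quick from <blacklist> to any
block quick from any to <blacklist>
block in quick from no-route to any
antispoof quick for $int_if inet

# Everything the gateway originates, and everything it forwards out, may leave.
pass out quick keep state

# The rule the posted file lacks: LAN hosts may talk to the gateway itself and be
# forwarded toward the Internet. Samba and NFS on the gateway are reachable from
# the LAN through this rule; they need no pass on $ext_if and should not have one.
pass in quick on $int_if inet from $lan to any keep state

# The only thing accepted from the Internet: echo requests, so the box can be pinged.
# Add a port here only if it must be reachable from outside (e.g. tcp 22 for sshd).
pass in quick on $ext_if inet proto icmp from any to ($ext_if) icmp-type echoreq keep state
```

Checks, in order: `pfctl -nf /etc/pf.conf` must parse cleanly; `sysctl net.inet.ip.forwarding` must print 1, which is what gateway_enable="YES" in the posted rc.conf sets; `pfctl -sn` and `pfctl -sr` show the loaded translation and filter rules; once a client is talking, `pfctl -s state` should show 192.168.10.x sources and not only the gateway's own, as in post #2; and `tcpdump -n -e -ttt -i pflog0` shows what the `log` keyword is dropping. Two things outside pf.conf can still keep the XP box at 192.168.10.2 from reaching 192.168.10.1. The posted ifconfig_fxp0 forces 100baseTX full-duplex, which disables autonegotiation; an autonegotiating peer facing a forced port settles on half duplex, and the resulting duplex mismatch looks like "link up, nothing passes" (check `ifconfig fxp0`, and let the port autonegotiate unless there is a reason not to). And if ipfw_load="YES" is still in /boot/loader.conf, ipfw is loaded alongside pf; a module-loaded ipfw with no rules installed keeps its default rule, 65535 deny ip from any to any, unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT, so it drops everything no matter what pf passes. Remove that line while debugging. On the XP side, the default gateway set in Network Connections already installs the default route; the `route ADD` line in post #1 fails because Windows `route` takes the gateway positionally, so the literal word `gateway` was parsed as the gateway address, hence "bad gateway address". The manual form of a default route would be `route ADD 0.0.0.0 MASK 0.0.0.0 192.168.10.1`, but it is not needed here.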
#5
Old 06-19-2010, 05:03 AM
ememem
Makes sense.

I'm going to take a break for a while man. This is starting to drive me a bit
crazy. Not that that wasn't fairly obvious.

One (hopefully) last question on the subject however... the ipfw stuff gets in
the way of pf right? They conflict somehow? If so, that may be a big chunk
of my misunderstanding(s). Docs on either seem about 25% voodoo, 25% logical
and 50% just... missing.

I just wish it didn't feel like so much of a moving target. Every few months...
everything changes, is deprecated or turns up conflicting with whatever's
the flavor of the week. It's not PC-BSD's fault. Just browse the FreeBSD forums
for 1 hour and count the number of times that mods / heavy posters thump
on people for knocking the missing man pages or the wiki/handbook pages
that say "more needed here" and yet... when technical points are brought up...
those posters get iced, ignored and their posts end up archived.

It gets to be annoying having a million google results with examples that are
2-3 years old and 80% of them being outdated. Yet, a lot of the time all the
FreeBSD handbook has is a page listing something's 50 optional flags with 1
paragraph of explanation for the entire thing (the wiki usually nothing). Why
spend 3 years writing a script only to release 100 vague words describing it?
Ok, because someone is writing a book. Then, by the time the "book" on it gets
published FreeBSD has moved on 1 or 2 releases and that book is no longer
relevant. Search amazon for 'the book of pf' and read the reviews. It's sad.
Someone should write a book titled "Zen and the art of finding what you need
for FreeBSD... and then keeping it up to date". The only people who possibly
could somewhat keep up with it (at this point) are full-timers - either employed
to do so or retired, handicapped, whatever.
#6
Old 12-23-2010, 03:58 PM
ememem
From http://www.freebsd.org/doc/en_US.ISO...ewalls-pf.html

Quote:
Warning: When browsing the PF FAQ, please keep in mind that different
versions of FreeBSD can contain different versions of PF. Currently, FreeBSD is
using the same version of PF as OpenBSD 4.1.

And from http://openbsd.org/faq/pf/

Quote:
As with the rest of the FAQ, this set of documents is focused on users of
OpenBSD 4.8. As PF is always growing and developing, there are changes and
enhancements between the 4.8-release version and the version in OpenBSD-current
as well as differences between 4.8 and earlier versions. The reader is
advised to see the man pages for the version of OpenBSD they are currently
working with. In particular, there are significant differences between
4.6 and 4.7.

Ok, so THAT kind of explains why I can get a gateway up and running with
OpenBSD in about 30 minutes and I've not been able to get farther than
pinging between machines with PCBSD ... for about 3 years. It's interesting that
that last little note just showed up recently.

So what's the deal Kris? There are tons of people on the FreeBSD forums,
Daemonforums etc having major networking problems and it's because they are
being bounced left and right all over the place getting conflicting and confusing
information because FreeBSD is using a WAY outdated version of pf. Shouldn't
something be done about this? How about Dru... ? She seems up on what's
going on with the KDE side of PCBSD's networking, are the internal FreeBSD parts
just not as interesting?

I would like BOTH of you to attempt building a gateway with a PCBSD machine.
How about one such as are described on these pages:

http://openbsd.org/faq/pf/example1.html (at bottom)

http://www.freebsd.org/doc/en/books/...-STATIC-ROUTES

Meanwhile, do keep in mind that anyone else trying to do this with PCBSD's pf will
eventually come to deal with crappy handbook pages like the following one that
completely avoids pf in order to quickly blow off the reader and subject with a little
dribble about ipfw.

http://www.freebsd.org/doc/en_US.ISO...work-natd.html

If I seem testy please keep in mind that I've spent a few hundred hours
on this over the last few years. Yesterday alone I racked up about 14 more. Not
to mention several hundred, if not thousand, reboots and dozens of installs
because of this. I've been trying! Would like to get a PCBSD gateway setup so that
I can use my other (non-test) machines to test other things... like maybe,
possibly, could be... some things that are a little more fun or even find out why
KDE freezes or why the correct ZFS vm.kmem_size or vm.kmem_size_max are
not set.

Anyway, I'm looking forward to both of your successes with getting a
fully functioning gateway up and running using PCBSD (and of course, its version
of pf, the one that has been driving thousands of people out of their MINDS for
at least a couple of years now).
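The version gap the two FAQ quotes describe is concrete enough to show. Added here as an example, not taken from the thread or from either project's documentation: the core of the same NAT gateway written in the OpenBSD 4.7/4.8 syntax that the current OpenBSD FAQ examples use, with the FreeBSD 8.x (OpenBSD 4.1) equivalent of each line that changed given in the comment above it. Interface names and the LAN prefix are the thread's (re0, fxp0, 192.168.10.0/24). Feeding this file to pfctl on FreeBSD 8 stops at the first `match` line with a syntax error, because `match`, `scrub (...)` as an action and `nat-to` do not exist in the 4.1 grammar; that is the failure behind copying an OpenBSD FAQ example onto PC-BSD and having it rejected. The filter rules at the bottom parse on both versions unchanged.

```pf
# Added example (not from the thread): gateway core in OpenBSD 4.7/4.8 syntax.
# Each changed line carries its FreeBSD 8.x (OpenBSD 4.1) equivalent above it.
ext_if = "re0"
int_if = "fxp0"
lan    = "192.168.10.0/24"

set skip on lo0
set block-policy return

# 4.1:  scrub in all
# 4.6 removed the scrub rule type; normalization became an action on a match rule.
match in all scrub (no-df)

# 4.1:  nat on $ext_if from $lan to any -> ($ext_if)
# 4.7 removed nat/rdr/binat rule types; translation became nat-to/rdr-to/binat-to
# actions on match or pass rules, applied when a later pass rule accepts the packet.
match out on $ext_if inet from $lan to any nat-to ($ext_if)

# Filter syntax is unchanged between 4.1 and 4.8, so these lines parse on both.
# "keep state" has been the default on pass rules since 4.1 and is omitted here.
block in log all
antispoof quick for $int_if inet
pass out quick
pass in quick on $int_if inet from $lan to any
pass in quick on $ext_if inet proto icmp from any to ($ext_if) icmp-type echoreq
```

The practical consequence for the thread: an example taken from http://openbsd.org/faq/pf/ for 4.8 has to have its `match ... scrub` line rewritten as `scrub in all` and its `match ... nat-to` line rewritten as a `nat on ... -> (...)` rule before FreeBSD 8's pfctl will load it, while the `pass` and `block` rules can be kept as they are.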
#7
Old 01-13-2011, 06:40 PM
ememem
Just a quick update to the situation with pf:

Quote (originally posted today on the freebsd-pf at freebsd dot org mailing list):
Hi!

I have dug into the archive after reading in the handbook that pf is
stuck at OpenBSD's 4.1 version, which is now quite old (May 2007).

I have found this thread mentioning testing required for a patch:

http://lists.freebsd.org/pipermail/f...er/005842.html

... it then seemed the patch had some issues:

http://lists.freebsd.org/pipermail/f...er/005860.html

Others have raised a similar issue about backporting 4.7 into FreeBSD:

http://lists.freebsd.org/pipermail/f...er/005862.html

For context, OpenBSD 4.7 (may 2010) is the last significant release
including changes in pf:

http://openbsd.org/47.html#new

So my question is: what's the plan? Is anybody actively maintaining pf
in FreeBSD at this point?

Is it because the backporting process is painful that it's not being
done regularly?

Or is it only because of the lack of testers?

A.

PS: I ask because we're considering switching our routers from OpenBSD
to FreeBSD to ease maintenance (yay freebsd-update) but the outdated pf
version is a serious hindrance as we're looking at using the new
'sloppy' state tracking mechanisms
Copyright 2005-2010, The PC-BSD Project. PC-BSD and the PC-BSD logo are registered trademarks of iXsystems.
All other content is freely available for sharing under the terms of the Creative Commons Attribution License.