
3.2 pf.conf problems and miscellaneous crashes

I've noticed a couple of problems under 3.2, mainly the following:

1. When connecting via IPSEC using the SSH Sentinel VPN client,
   connections to the world wide web seem not to work when viewing
   sites with large amounts of content. (Namely, <http://www.iwon.com/>
   is one that comes to mind off-hand.) It looks like the external
   interface might be dropping fragmented packets, but this wasn't a
   problem under pf on 3.1 (please see my pf rules further below).

2. Secondly, when multiple connections are made to isakmpd, the host
   will crash (i.e. no typing allowed on the console, etc.). I did see
   a "/bsd: stray interrupt 7" on the console once, but not each time.

   Again, this is only problematic when running isakmpd with multiple
   client connections.

Any assistance is appreciated. At first I had assumed it was happening
due to the host not being powerful enough (P200, 128Mbps of RAM), but
SSH, ICMP and telnet work when being encapsulated, without problem.

Here's a dmesg....

OpenBSD 3.2 (GENERIC) #25: Thu Oct  3 19:51:53 MDT 2002
    deraadt@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: F00F bug workaround installed
cpu0: Intel Pentium/MMX ("GenuineIntel" 586-class) 200 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,MMX
real mem  = 133804032 (130668K)
avail mem = 118452224 (115676K)
using 1658 buffers containing 6791168 bytes (6632K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(37) BIOS, date 09/25/97, BIOS32 rev. 0 @ 0xfb560
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev. 2.1 @ 0xf0000/0xba34
pcibios0: PCI IRQ Routing Table rev. 1.0 @ 0xf2c00/112 (5 entries)
pcibios0: bad IRQ table checksum
pcibios0: PCI BIOS has 6 Interrupt Routing table entries
pcibios0: PCI Interrupt Router at 000:01:0 ("Intel 82371AB PIIX4 ISA" rev 0x00)
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc0000/0x8000 0xc8000/0x4000
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82439TX System" rev 0x01
pcib0 at pci0 dev 1 function 0 "Intel 82371AB PIIX4 ISA" rev 0x01
pciide0 at pci0 dev 1 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
uhci0 at pci0 dev 1 function 2 "Intel 82371AB USB" rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: vendor 0x0000 UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
"Intel 82371AB Power Mgmt" rev 0x01 at pci0 dev 1 function 3 not configured
tx0 at pci0 dev 9 function 0 "SMC 83C170 (EPIC/100)" rev 0x06: irq 11 address 00:e0:29:22:ea:00
qsphy0 at tx0 phy 3: QS6612 10/100 media interface, rev. 1
tx1 at pci0 dev 10 function 0 "SMC 83C170 (EPIC/100)" rev 0x06: irq 9 address 22:d4:2b:cf:22:d4
qsphy1 at tx1 phy 3: QS6612 10/100 media interface, rev. 1
bha3 at pci0 dev 11 function 0 "BusLogic MultiMaster" rev 0x08: irq 10, BusLogic 9xxC SCSI
bha3: model BT-958, firmware 5.07B
bha3: sync, parity
bha3 targ 2: sync, offset 15, period 100nsec
bha3 targ 4: sync, offset 15, period 100nsec
scsibus0 at bha3: 8 targets
sd0 at scsibus0 targ 2 lun 0: <IBM-PCCO, DDRS-39130W !#, S97B> SCSI2 0/direct fixed
sd0: 8678MB, 8387 cyl, 10 head, 211 sec, 512 bytes/sec, 17774160 sec total
sd1 at scsibus0 targ 4 lun 0: <SEAGATE, ST34501W, 0018> SCSI2 0/direct fixed
sd1: 4339MB, 6576 cyl, 8 head, 168 sec, 512 bytes/sec, 8887200 sec total
vga1 at pci0 dev 12 function 0 "Matrox MGA Millennium II 2164W" rev 0x00
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
sysbeep0 at pcppi0
npx0 at isa0 port 0xf0/16: using exception 16
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pccom2 at isa0 port 0x3e8/8 irq 5: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask c40 netmask e40 ttymask e42
pctr: 586-class performance counters and user-level cycle counter enabled
dkcsum: sd0 matched BIOS disk 80
dkcsum: sd1 matched BIOS disk 81
root on sd0a
rootdev=0x400 rrootdev=0xd00 rawdev=0xd02

Here are my pf.conf filters.

###############################################################
### --> Variables :: Define as needed <-- ###

loopbk="lo0"
ext_if="tx0"
int_if="tx1"

int_net="10.12.11.0/25"
int_addr="10.12.11.1/32"
broadcast="255.255.255.255"

bogon="{\
         255.255.255.255/32, 127.0.0.0/8, 0.0.0.0/8, \
         192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, \
         192.0.2.0/24, 169.254.0.0/16, \
         248.0.0.0/5, 240.0.0.0/4 \
       }"

ks="keep state"
ms="modulate state"

#; Set logging of stats on the given interface.
set loginterface $ext_if

#; Fixup all packets
scrub in  all no-df
scrub out all no-df

###############################################################
#; NAT rules...
nat                              on $ext_if \
                   from $int_net to any -> $ext_if

###############################################################
##; Begin filter statements...
#; Loopback
pass              out            on $loopbk all
pass              in             on $loopbk all
block             out            on $loopbk inet6 all
block             in             on $loopbk inet6 all
 
block             in \
 from no-route to any
block             in  log quick  on $ext_if \
 from $bogon to any
block             in      quick  on $ext_if \
 from any to $broadcast

antispoof log quick for {$ext_if, $loopbk, $altlo}

block return-rst  in  log        on $ext_if inet proto tcp     all
block return-icmp in  log        on $ext_if inet proto udp     all
block             in  log        on $ext_if inet proto icmp    all
block             in  log        on $ext_if                    all 

pass              in      quick  on $ext_if inet proto icmp \
 from any to $ext_if icmp-type echoreq $ks
pass              in      quick  on $ext_if inet proto tcp \
 from $trusted to $ext_if port 22      $ks
pass              out     quick  on $ext_if inet proto tcp all $ms
pass              out     quick  on $ext_if                all $ks

###>
#; Internal interface
block             in  log        on $int_if inet6   all
block             out log        on $int_if inet6   all
block             in  log        on $int_if         all


#; Blanket deny on internal interface...
block return-rst  in  log        on $int_if inet proto tcp     all
block return-icmp in  log        on $int_if inet proto udp     all
block             in  log        on $int_if inet proto icmp    all
block             in  log        on $int_if                    all 

#; Traffic allowed to this host...
pass              in      quick  on $int_if inet proto icmp \
 from $int_net  to $int_if icmp-type  echoreq $ks
pass              in      quick  on $int_if inet proto esp \
 from $int_net  to $int_if            $ks
pass              out     quick  on $int_if inet proto esp \
 from $int_if   to $int_net           $ks
pass              in      quick  on $int_if inet proto udp \
 from $int_net  to $int_if  port 53   $ks
pass              in      quick  on $int_if inet proto udp \
 from $int_net  to $int_if  port 67   $ks
pass              in      quick  on $int_if inet proto udp \
 from $int_net  to $int_if  port 123  $ks
pass              in      quick  on $int_if inet proto udp \
 from $int_net  to $int_if  port 500  $ks
pass              in      quick  on $int_if inet proto tcp \
 from $int_net  to $int_if  port 22   $ks

#; Protect this host...
block             in  log quick  on $int_if \
 from any to $int_addr

#; Pass any other traffic in and out
pass              in      quick  on $int_if \
 from $int_net to any $ks
pass              out     quick  on $int_if proto tcp \
 from $int_net to any $ms
pass              out     quick  on $int_if  all $ks
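As an added illustration (not part of the original post, and not pfctl's own code), a small Python checker for the one defect a reader can spot in the ruleset above without the machine: `$trusted` and `$altlo` are referenced but never defined, which `pfctl -nf` rejects at load time. The input below is a constructed excerpt of the posted pf.conf, and `expand` shows how a rule reads once the macros are substituted.

```python
import re

# Constructed excerpt of the posted ruleset (not the author's full pf.conf):
# the macro definitions plus the rules that reference $altlo and $trusted.
SAMPLE_PF_CONF = r'''loopbk="lo0"
ext_if="tx0"
int_net="10.12.11.0/25"
bogon="{\
         255.255.255.255/32, 127.0.0.0/8, 10.0.0.0/8 \
       }"
ks="keep state"
#; a $name inside a comment is not a reference
nat on $ext_if from $int_net to any -> $ext_if
antispoof log quick for {$ext_if, $loopbk, $altlo}
pass in quick on $ext_if inet proto tcp \
 from $trusted to $ext_if port 22 $ks
'''

MACRO_DEF = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"(.*)"\s*$')
MACRO_REF = re.compile(r'\$([A-Za-z_]\w*)')

def logical_lines(text):
    """Drop comments and join backslash-continued lines into one logical line."""
    lines, buf = [], ''
    for raw in text.splitlines():
        code = raw.split('#', 1)[0].rstrip()
        if code.endswith('\\'):
            buf += code[:-1]          # continuation: keep collecting
            continue
        buf += code
        if buf.strip():
            lines.append(buf)
        buf = ''
    return lines

def check_macros(text):
    """Return (defined, undefined): macro values, and names used but never set."""
    defined, referenced = {}, set()
    for line in logical_lines(text):
        m = MACRO_DEF.match(line)
        if m:
            defined[m.group(1)] = m.group(2).strip()
        referenced.update(MACRO_REF.findall(line))
    return defined, referenced - set(defined)

def expand(rule, defined):
    """Substitute $macro references the way pfctl does before parsing a rule."""
    return MACRO_REF.sub(lambda m: defined.get(m.group(1), m.group(0)), rule)
```

Running `check_macros(SAMPLE_PF_CONF)` reports `altlo` and `trusted` as undefined; the same check against the real file is `pfctl -nf /etc/pf.conf`, which parses without loading.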