Ok, solved this one. bge0 was in group "local", which is matched by

    set skip on lo

Is this the desired behavior? It can catch you by surprise easily!

On 07/27/11 18:54, Christopher Zimmermann wrote:

Hi,

I have this simple setup:

    [ B ] se0 <---> bge0 [ A ] pppoe0 <----> ISP

A and B both -current.

Now my problem is, pf on A won't filter anything on bge0. Even with this very simple pf.conf:

    set skip on lo
    block
    pass out inet proto {tcp,udp} to port 53
    block in on ! lo0 proto tcp to port 6000:6010

the connection to the internet via pppoe0 is dead, of course. But the connection via bge0 to B is completely unfiltered. What the heck is wrong here?!?

Interfaces:

    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33196
            priority: 0
            groups: lo
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
            inet 127.0.0.1 netmask 0xff000000
    bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:11:25:ae:0e:0c
            priority: 0
            groups: local
            media: Ethernet autoselect (100baseTX full-duplex)
            status: active
            inet 192.168.23.1 netmask 0xffffff00 broadcast 192.168.23.255
            inet6 fe80::211:25ff:feae:e0c%bge0 prefixlen 64 scopeid 0x1
    iwi0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:12:f0:62:22:ba
            priority: 4
            groups: wlan
            media: IEEE802.11 autoselect
            status: no network
            ieee80211: nwid "" 100dBm
            inet6 fe80::212:f0ff:fe62:22ba%iwi0 prefixlen 64 scopeid 0x2
    enc0: flags=0<>
            priority: 0
            groups: enc
            status: active
    ep1: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:00:86:3c:58:ce
            priority: 0
            media: Ethernet autoselect (100baseTX full-duplex)
            status: active
            inet6 fe80::200:86ff:fe3c:58ce%ep1 prefixlen 64 scopeid 0x5
    pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
            priority: 0
            dev: ep1 state: session
            sid: 0x16d0 PADI retries: 1 PADR retries: 0 time: 00:09:27
            sppp: phase network authproto pap
            groups: pppoe egress
            status: active
            inet6 fe80::211:25ff:feae:e0c%pppoe0 ->  prefixlen 64 scopeid 0x6
            inet 92.203.15.60 --> 213.148.133.4 netmask 0xffffffff
    pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33196
            priority: 0
            groups: pflog

pfctl -s all:

    FILTER RULES:
    block drop all
    pass out inet proto tcp from any to any port = domain flags S/SA
    pass out inet proto udp from any to any port = domain
    block drop in on ! lo0 proto tcp from any to any port 6000:6010

    No queue in use

    INFO:
    Status: Enabled for 0 days 00:12:56           Debug: err

    State Table                          Total             Rate
      current entries                        0
      searches                             380            0.5/s
      inserts                              138            0.2/s
      removals                             138            0.2/s
    Counters
      match                                242            0.3/s
      bad-offset                             0            0.0/s
      fragment                               0            0.0/s
      short                                  0            0.0/s
      normalize                              0            0.0/s
      memory                                 0            0.0/s
      bad-timestamp                          0            0.0/s
      congestion                             0            0.0/s
      ip-option                              0            0.0/s
      proto-cksum                            0            0.0/s
      state-mismatch                         0            0.0/s
      state-insert                           0            0.0/s
      state-limit                            0            0.0/s
      src-limit                              0            0.0/s
      synproxy                               0            0.0/s

    TIMEOUTS:
    tcp.first                   120s
    tcp.opening                  30s
    tcp.established           86400s
    tcp.closing                 900s
    tcp.finwait                  45s
    tcp.closed                   90s
    tcp.tsdiff                   30s
    udp.first                    60s
    udp.single                   30s
    udp.multiple                 60s
    icmp.first                   20s
    icmp.error                   10s
    other.first                  60s
    other.single                 30s
    other.multiple               60s
    frag                         30s
    interval                     10s
    adaptive.start             6000 states
    adaptive.end              12000 states
    src.track                     0s

    LIMITS:
    states        hard limit    10000
    src-nodes     hard limit    10000
    frags         hard limit     5000
    tables        hard limit     1000
    table-entries hard limit   200000

    OS FINGERPRINTS:
    700 fingerprints loaded

route -n show:

    Routing tables

    Internet:
    Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
    default            213.148.133.4      UGS        3      183     -     8 pppoe0
    127/8              127.0.0.1          UGRS       0        0 33196     8 lo0
    127.0.0.1          127.0.0.1          UH         3     3664 33196     4 lo0
    192.168.23/24      link#1             UC         1        0     -     4 bge0
    192.168.23.2       00:15:f2:64:0c:83  UHLc       0       34     -     4 bge0
    213.148.133.4      92.203.15.60       UH         0        0     -     4 pppoe0
    224/4              127.0.0.1          URS        0        2 33196     8 lo0

    Internet6:
    Destination                        Gateway                            Flags   Refs      Use   Mtu  Prio Iface
    ::/104                             ::1                                UGRS       0        0     -     8 lo0
    ::/96                              ::1                                UGRS       0        0     -     8 lo0
    ::1                                ::1                                UH        14        0 33196     4 lo0
    ::127.0.0.0/104                    ::1                                UGRS       0        0     -     8 lo0
    ::224.0.0.0/100                    ::1                                UGRS       0        0     -     8 lo0
    ::255.0.0.0/104                    ::1                                UGRS       0        0     -     8 lo0
    ::ffff:0.0.0.0/96                  ::1                                UGRS       0        0     -     8 lo0
    2002::/24                          ::1                                UGRS       0        0     -     8 lo0
    2002:7f00::/24                     ::1                                UGRS       0        0     -     8 lo0
    2002:e000::/20                     ::1                                UGRS       0        0     -     8 lo0
    2002:ff00::/24                     ::1                                UGRS       0        0     -     8 lo0
    fe80::/10                          ::1                                UGRS       0        0     -     8 lo0
    fe80::%bge0/64                     link#1                             UC         0        0     -     4 bge0
    fe80::211:25ff:feae:e0c%bge0       00:11:25:ae:0e:0c                  HL         0        0     -     4 lo0
    fe80::%iwi0/64                     link#2                             C          0        0     -     4 iwi0
    fe80::212:f0ff:fe62:22ba%iwi0      00:12:f0:62:22:ba                  UHL        0        0     -     4 lo0
    fe80::%lo0/64                      fe80::1%lo0                        U          0        0     -     4 lo0
    fe80::1%lo0                        link#4                             UHL        0        0     -     4 lo0
    fe80::%ep1/64                      link#5                             C          0        0     -     4 ep1
    fe80::200:86ff:fe3c:58ce%ep1       00:00:86:3c:58:ce                  HL         0        0     -     4 lo0
    fe80::%pppoe0/64                   fe80::211:25ff:feae:e0c%pppoe0     U          0        0     -     4 pppoe0
    fe80::211:25ff:feae:e0c%pppoe0     link#6                             HL         0        0     -     4 lo0
    fec0::/10                          ::1                                UGRS       0        0     -     8 lo0
    ff01::/16                          ::1                                UGRS       0        0     -     8 lo0
    ff01::%bge0/32                     link#1                             UC         0        0     -     4 bge0
    ff01::%iwi0/32                     link#2                             C          0        0     -     4 iwi0
    ff01::%lo0/32                      fe80::1%lo0                        UC         0        0     -     4 lo0
    ff01::%ep1/32                      link#5                             C          0        0     -     4 ep1
    ff01::%pppoe0/32                   fe80::211:25ff:feae:e0c%pppoe0     UC         0        0     -     4 pppoe0
    ff02::/16                          ::1                                UGRS       0        0     -     8 lo0
    ff02::%bge0/32                     link#1                             UC         0        0     -     4 bge0
    ff02::%iwi0/32                     link#2                             C          0        0     -     4 iwi0
    ff02::%lo0/32                      fe80::1%lo0                        UC         0        0     -     4 lo0
    ff02::%ep1/32                      link#5                             C          0        0     -     4 ep1
    ff02::%pppoe0/32                   fe80::211:25ff:feae:e0c%pppoe0     UC         0        0     -     4 pppoe0
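The surprise in this thread is that `set skip on lo` ended up exempting bge0 from filtering, so the ruleset looked right while traffic on bge0 went unfiltered. The script below is an added example, not code from the thread or from OpenBSD: it compares the interfaces pf actually marks as skipped against the set the administrator intended, and reports any mismatch. It assumes the `pfctl -sI -v` listing format, in which a skipped interface is printed as its name followed by `(skip)`; the listing embedded here is a constructed sample modelled on the interfaces above, not real output from the poster's machine.

```shell
#!/bin/sh
# Added example (not from the thread): detect interfaces that pf skips
# without the administrator intending it.
#
# Constructed sample of `pfctl -sI -v` output. On a real OpenBSD box
# replace it with the live command (see the usage line at the bottom).
SAMPLE_PFCTL_SI='all
bge0 (skip)
enc0
ep1
iwi0
lo0 (skip)
pflog0
pppoe0'

# list_skipped: read pfctl -sI -v output on stdin and print the names of
# interfaces flagged "(skip)", one per line.
list_skipped() {
    awk '$2 == "(skip)" { print $1 }'
}

# unexpected_skips INTENDED: read pfctl -sI -v output on stdin and print
# every skipped interface that is not in the space-separated INTENDED
# list. Exit status is 1 if any unintended skip was found, 0 otherwise,
# so the function can drive an alert in a cron job or a config check.
unexpected_skips() {
    intended=" $1 "
    found=0
    for ifn in $(list_skipped); do
        case "$intended" in
            *" $ifn "*) ;;                 # this skip was intended
            *) echo "$ifn"; found=1 ;;     # this one was not
        esac
    done
    return $found
}

# Stand-alone run against the constructed sample: the administrator only
# meant to skip lo0, so bge0 is reported.
# Live usage on OpenBSD:  pfctl -sI -v | unexpected_skips "lo0"
printf '%s\n' "$SAMPLE_PFCTL_SI" | unexpected_skips "lo0" \
    || echo "WARNING: pf is skipping interfaces you did not intend to exempt"
```

Because `set skip` removes an interface from filtering altogether, a ruleset review that only reads pf.conf will not catch this; checking the kernel's view with `pfctl -sI -v` after every `pfctl -f` is the reliable place to verify which interfaces are really exempt.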