Subject: ipf on pppoe0 problem at boot time
To: NetBSD net related <tech-net@NetBSD.org>
From: Bjoern Labitzke <Bjoern.Labitzke@t-online.de>
List: tech-net
Date: 04/23/2002 17:12:07
Hello...

As long as I load the ipf rules on my own (ipf -Fa -v -f /etc/ipf.conf)
everything works as expected and I can use pppoe0 like I want to. This
interface is created and configured up at system startup. But after
booting the system, absolutely everything gets blocked from ipfilter.
Checking the rules with ipfstat -o -n shows that all the rules
(including the pass rules) are there. And as soon as I reload the
rules manually (ipf -Fa -v -f /etc/ipf.conf) everything works and
ipfstat -o -n shows exactly the same rules as before. What could be
wrong? Could the problem be that ipfilter gets started before pppoe0
is configured? What would be the correct fix?


Here is my ipf.conf (slightly shortened):

# Possibly dangerous packets are blocked and logged
block in log body quick from any to any with ipopts
block in log body quick proto tcp from any to any with short

# Local traffic
pass out quick on lo0
pass in  quick on lo0 

# Local network traffic
pass out quick on ne0
pass in  quick on ne0

# Block File sharing ports without logging:
# Kazaa   : Port 1214
# EDonkey : Port 4662
# GNUtella: Port 6346
# Napster : Port 6699
block return-rst in quick on pppoe0 proto tcp from any to any port = 1214
block return-rst in quick on pppoe0 proto tcp from any to any port = 4662
block return-rst in quick on pppoe0 proto tcp from any to any port = 6346
block return-icmp-as-dest in quick on pppoe0 proto udp from any to any port = 6346
block return-rst in quick on pppoe0 proto tcp from any to any port = 6699

# Block faked "local" addresses 
block in log body quick on pppoe0 from 0.0.0.0/7 to any
  [... several similar entries deleted ...]
block in log body quick on pppoe0 from 224.0.0.0/3 to any

# Log all other blocks
block in log body all
block return-rst in log body on pppoe0 proto tcp from any to any
block return-icmp-as-dest in log body on pppoe0 proto udp from any to any

## The pass rules 
#
pass in log on pppoe0 proto tcp from any to any port = auth


# Blocking of outgoing "internal" addresses
#
block out log body all
block out log body quick on pppoe0 from any to 0.0.0.0/7 
  [... several similar entries deleted ...]
block out log body quick on pppoe0 from any to 224.0.0.0/3

## The pass rules come here...
#
pass out quick on pppoe0 proto tcp  from any to any keep state 
pass out quick on pppoe0 proto udp  from any to any keep state 
pass out quick on pppoe0 proto icmp from any to any keep state

pass out quick on any proto tcp  from any to any keep state 
pass out quick on any proto udp  from any to any keep state 
pass out quick on any proto icmp from any to any keep state

count out on pppoe0 proto tcp  from any to any
count out on pppoe0 proto udp  from any to any
count out on pppoe0 proto icmp from any to any
count in  on pppoe0 proto tcp  from any to any
count in  on pppoe0 proto udp  from any to any
count in  on pppoe0 proto icmp from any to any


Any help appreciated,
Björn

-- 
Bjoern Labitzke  <hermit@cs.tu-berlin.de>
   Use GPG! (Don't you use envelopes for your letters?)
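As an added example (not from the post and not ipfilter's own code), a small Python evaluator that applies ipfilter's rule semantics to a constructed subset of the posted ruleset: the last matching pass/block rule wins unless a matching rule is `quick`, which stops evaluation, and `count` rules never decide. RULES, PORT_NAMES and the packet dicts are assumptions built for this example.

```python
# Constructed subset of the ipf.conf from the post (rules using "from any
# to any" or "all" only; the address-based rules are left out for brevity).
RULES = """
block in log body quick from any to any with ipopts
pass in  quick on lo0
block return-rst in quick on pppoe0 proto tcp from any to any port = 1214
block in log body all
block return-rst in log body on pppoe0 proto tcp from any to any
pass in log on pppoe0 proto tcp from any to any port = auth
block out log body all
pass out quick on pppoe0 proto tcp from any to any keep state
count out on pppoe0 proto tcp from any to any
""".strip().splitlines()

# Stand-in for the /etc/services lookup ipf does for named ports (assumption).
PORT_NAMES = {"auth": 113}

def parse_rule(line):
    """Extract the fields that decide a match; log/body/return-rst/keep state
    do not change the pass-or-block outcome and are ignored here."""
    t = line.split()
    r = {"action": t[0], "quick": "quick" in t, "dir": "in" if "in" in t else "out",
         "iface": None, "proto": None, "port": None, "with": None}
    for i, w in enumerate(t):
        if w in ("on", "proto", "with"):       # "on IFACE", "proto P", "with FLAG"
            r[{"on": "iface"}.get(w, w)] = t[i + 1]
        elif w == "port":                      # "port = N" or "port = name"
            r["port"] = int(PORT_NAMES.get(t[i + 2], t[i + 2]))
    return r

def matches(r, pkt):
    return (r["dir"] == pkt["dir"]
            and r["iface"] in (None, pkt["iface"])
            and r["proto"] in (None, pkt["proto"])
            and r["port"] in (None, pkt["dport"])
            and (r["with"] is None or r["with"] in pkt.get("flags", ())))

def decide(rules, pkt):
    """ipfilter semantics: the LAST matching pass/block rule wins, unless a
    matching rule carries 'quick', which ends evaluation on the spot; 'count'
    never decides; no match means pass. Returns (verdict, rule number or None)."""
    verdict, winner = "pass", None
    for n, r in enumerate(map(parse_rule, rules), 1):
        if r["action"] == "count" or not matches(r, pkt):
            continue
        verdict, winner = r["action"], n
        if r["quick"]:
            break
    return verdict, winner
```

For an inbound TCP packet to port 22 on pppoe0 this returns ('block', 5), because the non-quick "block return-rst in ... on pppoe0 proto tcp" rule is the last one that matches; for port 113 the later "pass in ... port = auth" rule becomes the last match and wins.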