No pf....route exists -- a discussion in the comp.unix.bsd.openbsd.misc forums, part of the OpenBSD category.
Cannot get the configs just right. Any pointers from the more senior users here? It looks like I have a route set and pfctl should invoke the firewall rules to be read, but it's a no-go. A few points:

- using a standalone host
- a route has been set within the system according to the route command
- I am connecting to the Internet with no firewall at this time... once pfctl invokes pf.conf ("pfctl -e -f /etc/pf.conf") no packets route.
- tcpdump is not collecting any data regarding the tun0 interface.

A lease did not get set in /var/db/dhclient.leases.em0

Can anyone direct me to documentation that is more thorough than one finds in man regarding ifconfig and route? I'm a newbie here and need a bit of direction.

The quad octets revealed in the following all differ: 69.209.aaa.aaa, 69.209.bbb.bbb, adsl-69-209-ccc.ccc, adsl-69-209-ddd.ddd

    carbon# route show
    Routing tables

    Internet:
    Destination          Gateway              Flags  Refs  Use   Mtu    Interface
    default              link#1               UC     0     0     -      em0
    default              adsl-69-209-ccc.ccc  UGS    0     3196  -      tun0
    adsl-69-209-ccc.ccc  adsl-69-209-ddd.ddd  UH     0     4     1492   tun0

    Internet6:
    Destination          Gateway              Flags  Refs  Use   Mtu    Interface
    localhost            localhost            UH     0     0     33224  lo0
    fe80::%em0/64        link#1               UC     0     0     -      em0
    fe80::%lo0/64        fe80::1%lo0          U      0     0     -      lo0
    ff01::/32            localhost            UC     0     0     -      lo0
    ff02::%em0/32        link#1               UC     0     0     -      em0
    ff02::%lo0/32        localhost            UC     0     0     -      lo0
    ff02::%tun0/32       link#7               UC     0     0     1492   tun0

/var/log/ppp.log is obviously a mess, but all of the texts that I have direct me to the setup that I currently have.

    May 23 14:38:49 carbon ppp[30543]: tun0: IPCP: deflink: RecvConfigAck(3) state = Ack-Sent
    May 23 14:38:49 carbon ppp[30543]: tun0: IPCP: IPADDR[6] 69.209.aaa.aaa
    May 23 14:38:49 carbon ppp[30543]: tun0: IPCP: PRIDNS[6] 206.141.192.60
    May 23 14:38:49 carbon ppp[30543]: tun0: IPCP: SECDNS[6] 206.141.193.55
    May 23 14:38:49 carbon ppp[30543]: tun0: IPCP: deflink: State change Ack-Sent --> Opened
    May 23 14:38:49 carbon ppp[30543]: tun0: IPCP: deflink: LayerUp.
    May 23 14:38:49 carbon ppp[30543]: tun0: IPCP: myaddr 69.209.aaa.aaa hisaddr = 69.209.bbb.bbb
    May 23 14:38:49 carbon ppp[30543]: tun0: Warning: /etc/ppp/ppp.linkup: ! sh -c "/sbin/pfctl -e -f /etc/pf.conf": Invalid command
    May 23 14:38:49 carbon ppp[30543]: tun0: Warning: /etc/ppp/ppp.linkup: ! sh -c "/sbin/ifconfig pflog0 up": Invalid command
    May 23 14:38:49 carbon ppp[30543]: tun0: Warning: /etc/ppp/ppp.linkup: ! sh -c "/sbin/pflogd -d 5 -f /var/log/pflog": Invalid command
    May 23 14:38:49 carbon ppp[30543]: tun0: Warning: /etc/ppp/ppp.linkup: ! sh -c "/sbin/pfctl -e -f /etc/pf.conf": Invalid command
    May 23 14:38:49 carbon ppp[30543]: tun0: Warning: /etc/ppp/ppp.linkup: ! sh -c "/sbin/ifconfig pflog0 up": Invalid command
    May 23 14:38:49 carbon ppp[30543]: tun0: Warning: /etc/ppp/ppp.linkup: ! sh -c "/sbin/pflogd -d 5 -f /var/log/pflog": Invalid command
    May 23 14:38:49 carbon ppp[30543]: tun0: Warning: 0.0.0.0/0: Change route failed: errno: No such process

In /etc/rc.local, ... should I have used "/sbin/route add! default HISADDR"?

    /sbin/ifconfig em0 inet up
    /sbin/ifconfig lo0 localhost up
    /sbin/route -v flush
    /sbin/route add default HISADDR
    /usr/sbin/ppp -ddial pppoe

Modifications to /etc/ppp.linkup:

    MYADDR:
     ! sh -c "/sbin/pfctl -e -f /etc/pf.conf"
     ! sh -c "/sbin/ifconfig pflog0 up"
     ! sh -c "/sbin/pflogd -d 5 -f /var/log/pflog"
"Inquiry" <openbsd_inquiry@yahoo.com> writes:

> - using a standalone host
> - a route has been set within the system according to the route command
> - I am connecting to the Internet with no firewall at this time...once
> pfctl invokes pf.conf "pfctl -e -f /etc/pf.conf" no packets route.

It looks to me like you are making things overly complicated. (One of the errors is very easy to explain, btw: the _ppp user does not have the privileges to run the pfctl command.)

For one thing, why is it useful to enable or disable pf? pf does not consume a lot of resources, and compensating for dynamically assigned IP addresses does not take major magic.

If you are able to connect to the internet without pf, I'd say you have a reasonable starting point. Go back to the last working setup (the last one which connected cleanly), strip away anything you're not positive you need, such as the route commands in rc.local. ppp is pretty good at setting sensible default routes, and IIRC the default HISADDR etc. belongs strictly in the ppp config files, so you may be setting yourself up with a default route going essentially nowhere with your rc.local. Take it from there, create a nice rule set which does its filtering on the tun0 device.

It's possible my evolving pf tutorial at http://www.bgnett.no/~peter/pf/ is useful.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
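The approach Peter recommends (keep pf enabled all the time, filter on tun0, and let pf cope with the dynamic address itself) looks like the ruleset below. This is an added example, not something posted in this thread and not taken from Peter's tutorial. It assumes a standalone host whose only upstream is the PPP session on tun0, that em0 carries nothing but the raw PPPoE frames, and that no inbound service is offered; the macro name ext_if and the rule choices are mine.

```pf
# Added example pf.conf for a standalone OpenBSD host on a PPPoE link.
# Assumption: tun0 is the only upstream; em0 only carries PPPoE frames,
# which pf never sees as IP traffic, so no rules are written for em0.
ext_if = "tun0"

# Never filter loopback traffic.
set skip on lo0

# Default deny in both directions. "log" sends the blocked packets to
# pflog0, so nothing in ppp.linkup has to bring pflog0 up by hand.
block log all

# Let the host initiate connections. Writing the interface in parentheses,
# ($ext_if), tells pf to read the interface's *current* address when each
# packet is evaluated, so the rule stays correct after every PPP re-dial
# without reloading pf.conf. "keep state" lets the replies back in.
pass out on $ext_if inet proto { tcp, udp, icmp } from ($ext_if) to any keep state

# The only unsolicited inbound traffic accepted: echo requests to our own
# current address, so the link can still be pinged for troubleshooting.
pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type echoreq keep state
```

Because the addresses are resolved at evaluation time, the ruleset is loaded once and left alone: check it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and enable pf at boot with `pf=YES` in /etc/rc.conf.local (which also starts pflogd). That removes every `pfctl`, `ifconfig pflog0` and `pflogd` line from /etc/ppp/ppp.linkup, and with them the "Invalid command" warnings the unprivileged _ppp user was producing. Blocked packets can be inspected with `tcpdump -n -e -ttt -i pflog0`.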
Thank you for the response. I'll get on to it tonight.

Several weeks ago I looked through the documents at http://www.blug.linux.no/rfc1149/ -- looks like it was a lot of fun! Glad to have received a response from you.

Thanks,
Tommy

Peter N. M. Hansteen wrote:
> "Inquiry" <openbsd_inquiry@yahoo.com> writes:
>
> > - using a standalone host
> > - a route has been set within the system according to the route command
> > - I am connecting to the Internet with no firewall at this time...once
> > pfctl invokes pf.conf "pfctl -e -f /etc/pf.conf" no packets route.
>
> It looks to me like you are making things overly complicated. (One of
> the errors is very easy to explain btw - the _ppp user does not have the
> privileges to run the pfctl command.)
>
> For one thing, why is it useful to enable or disable pf? pf does not
> consume a lot of resources, and compensating for dynamically assigned IP
> addresses does not take major magic.
>
> If you are able to connect to the internet without pf, I'd say you have
> a reasonable starting point. Go back to the last working setup (the
> last one which connected cleanly), strip away anything you're not
> positive you need, such as the route commands in rc.local. ppp is pretty
> good at setting sensible default routes, and IIRC the default HISADDR
> etc belongs strictly in the ppp config files, so you may be setting
> yourself up with a default route going essentially nowhere with your
> rc.local. Take it from there, create a nice rule set which does its
> filtering on the tun0 device.
>
> It's possible my evolving pf tutorial at http://www.bgnett.no/~peter/pf/
> is useful.
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
> "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
"Inquiry" <openbsd_inquiry@yahoo.com> writes:

> Several weeks ago I looked through the documents at
> http://www.blug.linux.no/rfc1149/ looks like it was a lot of fun!

Oh, yes, it was good fun. I still have the machine that was pinged by carrier pigeon, BTW. A 2000 model, it's not in active daily use, but will serve as a kind of test bench for simple experiments.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"