route flush and sh /etc/netstart not enough?


route flush and sh /etc/netstart not enough?

Neal Hogan
Hello misc@,

I'm having an issue with my wifi AP after I reconnect to my ISP. That
is, when my internet connection is broken, for whatever reason, and
then reconnected, my wireless machines see that the AP is available,
but fail to connect to it. My hard connection works just fine.

I flush all the routes (i.e., # route flush) and then sh /etc/netstart,
but that does not work. At this point, rebooting the AP machine is the
only thing that I've been able to do to rectify the situation. From
the research that I've done, it doesn't look as though I should have
to reboot. Any suggestions?

Thanks!
-Neal

P.S. -- I'm not sure what would be appropriate for you to look at, if
anything. So, I offer a few things below. Let me know if something
else would help.


lambdahogan cat /etc/hostname.ral0
inet 192.168.3.1 255.255.255.0 NONE media autoselect \
        mediaopt hostap nwid lambdaserver nwkey xxxxxxxxxxxxxx



lambdahogan cat /etc/dhcpd.conf
#       $OpenBSD: dhcpd.conf,v 1.1 1998/08/19 04:25:45 form Exp $
#
# DHCP server options.
# See dhcpd.conf(5) and dhcpd(8) for more information.
#

# Network:              192.168.1.0/255.255.255.0
# Domain name:          my.domain
# Name servers:         192.168.1.3 and 192.168.1.5
# Default router:       192.168.1.1
# Addresses:            192.168.1.32 - 192.168.1.127
#
shared-network ETHERNET  {
        option  domain-name "lambdaserver";
        option  domain-name-servers 64.233.207.8, 64.233.207.9;
        #internal ethernet
        subnet 192.168.2.0 netmask 255.255.255.0 {
                option routers 192.168.2.1;

                range 192.168.2.32 192.168.2.127;
        }
}

shared-network WIRELESS  {
        option domain-name "lambdaserver";
        option domain-name-servers 64.233.207.8, 64.233.207.9;
        #internal wireless
        subnet 192.168.3.0 netmask 255.255.255.0 {
                option routers 192.168.3.1;

                range 192.168.3.32 192.168.3.127;
        }
}

Re: route flush and sh /etc/netstart not enough?

Ryan Flannery
On Tue, Jan 25, 2011 at 9:01 PM, Neal Hogan <[hidden email]> wrote:
> Hello misc@,
>
> I'm having an issue with my wifi AP after I reconnect to my ISP. That
> is, when my internet connection is broken, for whatever reason, and
> then reconnected, my wireless machines see that the AP is available,
> but fail to connect to it. My hard connection works just fine.

Do you still have a dynamic IP?  If so, is it set to something
different when you reconnect?

If so, the nat in your pf is probably causing the problem.

>
> I flush all the routes (i.e., # route flush) and then sh /etc/netstart,
> but that does not work.

Have you also tried restarting pf at this point?

> At this point, rebooting the AP machine is the
> only thing that I've been able to do to rectify the situation. From
> the research that I've done, it doesn't look as though I should have
> to reboot. Any suggestions?
>
> Thanks!
> -Neal

Re: route flush and sh /etc/netstart not enough?

Neal Hogan
On Tue, Jan 25, 2011 at 9:51 PM, Ryan Flannery <[hidden email]> wrote:

> On Tue, Jan 25, 2011 at 9:01 PM, Neal Hogan <[hidden email]> wrote:
>> Hello misc@,
>>
>> I'm having an issue with my wifi AP after I reconnect to my ISP. That
>> is, when my internet connection is broken, for whatever reason, and
>> then reconnected, my wireless machines see that the AP is available,
>> but fail to connect to it. My hard connection works just fine.
>
> Do you still have a dynamic IP?  If so, is it set to something
> different when you reconnect?
>
> If so, the nat in your pf is probably causing the problem.
>

I was thinking the same and when I finally got the internet connection
back the IP looked the same.
>>
>> I flush all the routes (i.e., # route flush) and then sh /etc/netstart,
>> but that does not work.
>
> Have you also tried restarting pf at this point?
>

I did not do that this most recent time, but I seem to remember
doing it last time without it helping. When I get time, I will try to
recreate the situation by unplugging my modem and restarting pf.

>> At this point, rebooting the AP machine is the
>> only thing that I've been able to do to rectify the situation. From
>> the research that I've done, it doesn't look as though I should have
>> to reboot. Any suggestions?
>>
>> Thanks!
>> -Neal

Re: route flush and sh /etc/netstart not enough?

Neal Hogan
On Tue, Jan 25, 2011 at 10:11 PM, Neal Hogan <[hidden email]> wrote:
> On Tue, Jan 25, 2011 at 9:51 PM, Ryan Flannery <[hidden email]> wrote:

>> On Tue, Jan 25, 2011 at 9:01 PM, Neal Hogan <[hidden email]> wrote:
>>> Hello misc@,
>>>
>>> I'm having an issue with my wifi AP after I reconnect to my ISP. That
>>> is, when my internet connection is broken, for whatever reason, and
>>> then reconnected, my wireless machines see that the AP is available,
>>> but fail to connect to it. My hard connection works just fine.
>>
>> Do you still have a dynamic IP?  If so, is it set to something
>> different when you reconnect?
>>
>> If so, the nat in your pf is probably causing the problem.
>>
>
> I was thinking the same and when I finally got the internet connection
> back the IP looked the same.
>>>
>>> I flush all the routes (i.e., # route flush) and then sh /etc/netstart,
>>> but that does not work.
>>
>> Have you also tried restarting pf at this point?
>>
>
> I did not do that this most recent time, but I seem to remember
> doing it last time without it helping. When I get time, I will try to
> recreate the situation by unplugging my modem and restarting pf.

I tried restarting pf (i.e., pfctl -d && pfctl -ef /etc/pf.conf) and
it didn't work. That is, I flushed the routes, ran 'sh /etc/netstart',
and restarted pf, and my wifi access point fails to give addresses.

Below are my pf rules, route table and ifconfig info before and
after I reboot.

lambdaroot pfctl -s rules
match in all scrub (no-df random-id reassemble tcp)
match out on em1 from ! (em1) to any nat-to (em1) round-robin
pass in on em1 inet proto tcp from <whitelist> to (em1) port = smtp
flags S/SA keep state rdr-to 127.0.0.1 port 25
pass in on em0 inet proto tcp from any to 192.168.2.1 port = smtp
flags S/SA keep state rdr-to 127.0.0.1 port 25
pass in on em1 inet proto tcp from <spamd> to 64.53.218.214 port =
smtp flags S/SA keep state rdr-to 127.0.0.1 port 8025
pass in on em1 inet proto tcp from <spamd-white> to any port = smtp
flags S/SA keep state rdr-to 127.0.0.1 port 25
pass in on em1 inet proto tcp from ! <spamd-white> to any port = smtp
flags S/SA keep state rdr-to 127.0.0.1 port 8025
block drop in all
block drop out all
block drop in log quick on ! lo inet6 from ::1 to any
block drop in log quick on ! lo inet from 127.0.0.0/8 to any
block drop in log quick inet from 127.0.0.1 to any
block drop in log quick on ! em1 inet from 64.53.216.0/21 to any
block drop in log quick inet from 64.53.218.214 to any
block drop in log quick on ! em0 inet from 192.168.2.0/24 to any
block drop in log quick inet from 192.168.2.1 to any
block drop in log quick on ! ral0 inet from 192.168.3.0/24 to any
block drop in log quick inet from 192.168.3.1 to any
block drop in log quick inet6 from ::1 to any
block drop in log quick on lo0 inet6 from fe80::1 to any
block drop in log quick on em1 inet6 from fe80::2e0:81ff:febc:f36a to any
block drop in log quick on em0 inet6 from fe80::2e0:81ff:febc:f36b to any
block drop in log quick on ral0 inet6 from fe80::20e:2eff:fe96:4ee0 to any
block drop in log quick from <bad_ssh> to any
block drop in log quick from <bad_www> to any
block drop in log quick from <bad_wifi> to any
pass out quick on em1 inet proto tcp from any to 24.172.134.210 port =
finger user = 67 flags S/SA modulate state
pass out quick on ral0 inet proto tcp from any to
<__automatic_80b2c777_0> port = finger user = 67 flags S/SA modulate
state
pass out quick on em0 inet proto tcp from any to
<__automatic_80b2c777_2> port = finger user = 67 flags S/SA modulate
state
pass out quick on ral0 inet proto tcp from any to
<__automatic_80b2c777_1> port = ssh user = 67 flags S/SA modulate
state
pass out quick on em0 inet proto tcp from any to
<__automatic_80b2c777_3> port = ssh user = 67 flags S/SA modulate
state
pass in log on em1 inet proto tcp from any to (em1) port = ssh flags
S/SA synproxy state (source-track rule, max-src-conn-rate 10/20,
overload <bad_ssh> flush global, src.track 20)
pass in log on em1 inet proto tcp from any to (em1) port = smtp flags
S/SA synproxy state
pass in log on em1 inet proto tcp from any to (em1) port = www flags
S/SA synproxy state (source-track rule, max-src-conn 100,
max-src-conn-rate 15/5, overload <bad_www> flush global, src.track 5)
pass in log on em1 inet proto tcp from any to (em1) port = https flags
S/SA synproxy state (source-track rule, max-src-conn 100,
max-src-conn-rate 15/5, overload <bad_www> flush global, src.track 5)
pass in log on em1 inet proto icmp from any to (em1) icmp-type echoreq
keep state
pass in log on em1 inet proto icmp from any to (em1) icmp-type unreach
keep state
pass in on em1 inet proto tcp from any to (em1) port = ftp flags S/SA
keep state (source-track rule, max-src-conn 3, max-src-conn-rate 15/5,
src.track 5)
pass in on em1 proto tcp from any to any port > 49151 flags S/SA keep state
pass in on em1 proto tcp from any to any port = rsync flags S/SA keep state
pass in log on em1 inet proto tcp from 24.172.134.210 to 64.53.218.214
port = finger flags S/SA synproxy state
pass out log on em1 all flags S/SA keep state
pass in quick on em0 inet from 192.168.2.0/24 to any flags S/SA keep state
pass in on ral0 inet from 192.168.3.0/24 to any flags S/SA keep state
pass in on ral0 inet proto udp from 192.168.3.0/24 port = bootpc to
any port = bootps keep state
pass out on ral0 all flags S/SA keep state
pass out on em0 all flags S/SA keep state
pass in log on ral0 inet proto icmp from 192.168.3.0/24 to (ral0) keep state
pass in log on ral0 inet proto tcp from 192.168.3.0/24 to (ral0) port
= ssh flags S/SA synproxy state (source-track rule, max-src-conn-rate
3/20, overload <bad_ssh> flush global, src.track 20)
pass in log on ral0 inet proto tcp from 192.168.3.0/24 to (ral0) port
= www flags S/SA synproxy state (source-track rule, max-src-conn 100,
max-src-conn-rate 15/5, overload <bad_www> flush global, src.track 5)
pass in log on ral0 inet proto tcp from 192.168.3.0/24 to (ral0) port
= https flags S/SA synproxy state (source-track rule, max-src-conn
100, max-src-conn-rate 15/5, overload <bad_www> flush global,
src.track 5)
pass in log on ral0 inet from 192.168.3.0/24 to ! (ral0) flags S/SA
modulate state

lambdaroot route show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            d53-1-216.nap.wide UGS       11   108289     -     8 em1
64.53.216/21       link#2             UC         1        0     -     4 em1
d53-1-216.nap.wide 00:01:5c:32:fa:c1  UHLc       1        0     -     4 em1
d53-214-218.nap.wi www.lambdaserver.c UGHS       0      118 33160     8 lo0
loopback           www.lambdaserver.c UGRS       0        0 33160     8 lo0
www.lambdaserver.c www.lambdaserver.c UH         2        0 33160     4 lo0
192.168.2/24       link#1             UC         2        0     -     4 em0
192.168.2.39       00:0d:9d:43:2b:a7  UHLc       0      236     -     4 em0
192.168.2.43       00:1e:37:d9:cc:ed  UHLc       8     1062     -     4 em0
192.168.3/24       link#5             UC         0        0     -     4 ral0
BASE-ADDRESS.MCAST www.lambdaserver.c URS        0        0 33160     8 lo0

Internet6:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
::/104             www.lambdaserver.c UGRS       0        0     -     8 lo0
::/96              www.lambdaserver.c UGRS       0        0     -     8 lo0
www.lambdaserver.c www.lambdaserver.c UH        14        0 33160     4 lo0
::127.0.0.0/104    www.lambdaserver.c UGRS       0        0     -     8 lo0
::224.0.0.0/100    www.lambdaserver.c UGRS       0        0     -     8 lo0
::255.0.0.0/104    www.lambdaserver.c UGRS       0        0     -     8 lo0
::ffff:0.0.0.0/96  www.lambdaserver.c UGRS       0        0     -     8 lo0
2002::/24          www.lambdaserver.c UGRS       0        0     -     8 lo0
2002:7f00::/24     www.lambdaserver.c UGRS       0        0     -     8 lo0
2002:e000::/20     www.lambdaserver.c UGRS       0        0     -     8 lo0
2002:ff00::/24     www.lambdaserver.c UGRS       0        0     -     8 lo0
fe80::/10          www.lambdaserver.c UGRS       0        0     -     8 lo0
fe80::%em0/64      link#1             UC         0        0     -     4 em0
fe80::%em1/64      link#2             UC         0        0     -     4 em1
fe80::%lo0/64      fe80::1%lo0        U          0        0     -     4 lo0
fe80::%ral0/64     link#5             UC         0        0     -     4 ral0
fec0::/10          www.lambdaserver.c UGRS       0        0     -     8 lo0
ff01::/16          www.lambdaserver.c UGRS       0        0     -     8 lo0
ff01::%em0/32      link#1             UC         0        0     -     4 em0
ff01::%em1/32      link#2             UC         0        0     -     4 em1
ff01::%lo0/32      www.lambdaserver.c UC         0        0     -     4 lo0
ff01::%ral0/32     link#5             UC         0        0     -     4 ral0
ff02::/16          www.lambdaserver.c UGRS       0        0     -     8 lo0
ff02::%em0/32      link#1             UC         0        0     -     4 em0
ff02::%em1/32      link#2             UC         0        0     -     4 em1
ff02::%lo0/32      www.lambdaserver.c UC         0        0     -     4 lo0
ff02::%ral0/32     link#5             UC         0        0     -     4 ral0

lambdaroot ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33160
        priority: 0
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:e0:81:bc:f3:6b
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet6 fe80::2e0:81ff:febc:f36b%em0 prefixlen 64 scopeid 0x1
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:e0:81:bc:f3:6a
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
        inet6 fe80::2e0:81ff:febc:f36a%em1 prefixlen 64 scopeid 0x2
        inet 64.53.218.214 netmask 0xfffff800 broadcast 64.53.223.255
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
ral0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0e:2e:96:4e:e0
        priority: 4
        groups: wlan
        media: IEEE802.11 autoselect hostap (autoselect mode 11b hostap)
        status: active
        ieee80211: nwid lambdaserver chan 1 bssid 00:0e:2e:96:4e:e0 nwkey kashossc63250 100dBm
        inet6 fe80::20e:2eff:fe96:4ee0%ral0 prefixlen 64 scopeid 0x5
        inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33160
        priority: 0
        groups: pflog

AFTER REBOOT

lambdaroot route show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            d53-1-216.nap.wide UGS        9   179389     -     8 em1
64.53.216/21       link#2             UC         1        0     -     4 em1
d53-1-216.nap.wide 00:01:5c:32:fa:c1  UHLc       1        0     -     4 em1
d53-214-218.nap.wi www.lambdaserver.c UGHS       0      814 33160     8 lo0
loopback           www.lambdaserver.c UGRS       0        0 33160     8 lo0
www.lambdaserver.c www.lambdaserver.c UH         2      492 33160     4 lo0
192.168.2/24       link#1             UC         2        0     -     4 em0
192.168.2.39       00:0d:9d:43:2b:a7  UHLc       0        8     -     4 em0
192.168.2.43       00:1e:37:d9:cc:ed  UHLc       8     5185     -     4 em0
192.168.3/24       link#5             UC         2        0     -     4 ral0
frege              00:02:6f:98:31:81  UHLc       0      139     -     4 ral0
192.168.3.35       00:02:6f:98:31:81  UHLc       1     1905     -     4 ral0
BASE-ADDRESS.MCAST www.lambdaserver.c URS        0        0 33160     8 lo0

Internet6:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
::/104             www.lambdaserver.c UGRS       0        0     -     8 lo0
::/96              www.lambdaserver.c UGRS       0        0     -     8 lo0
www.lambdaserver.c www.lambdaserver.c UH        14        0 33160     4 lo0
::127.0.0.0/104    www.lambdaserver.c UGRS       0        0     -     8 lo0
::224.0.0.0/100    www.lambdaserver.c UGRS       0        0     -     8 lo0
::255.0.0.0/104    www.lambdaserver.c UGRS       0        0     -     8 lo0
::ffff:0.0.0.0/96  www.lambdaserver.c UGRS       0        0     -     8 lo0
2002::/24          www.lambdaserver.c UGRS       0        0     -     8 lo0
2002:7f00::/24     www.lambdaserver.c UGRS       0        0     -     8 lo0
2002:e000::/20     www.lambdaserver.c UGRS       0        0     -     8 lo0
2002:ff00::/24     www.lambdaserver.c UGRS       0        0     -     8 lo0
fe80::/10          www.lambdaserver.c UGRS       0        0     -     8 lo0
fe80::%em0/64      link#1             UC         0        0     -     4 em0
fe80::2e0:81ff:feb 00:e0:81:bc:f3:6b  HL         0        0     -     4 lo0
fe80::%em1/64      link#2             UC         0        0     -     4 em1
fe80::2e0:81ff:feb 00:e0:81:bc:f3:6a  UHL        0        0     -     4 lo0
fe80::%lo0/64      fe80::1%lo0        U          0        0     -     4 lo0
fe80::1%lo0        link#4             UHL        0        0     -     4 lo0
fe80::%ral0/64     link#5             UC         0        0     -     4 ral0
fe80::20e:2eff:fe9 00:0e:2e:96:4e:e0  UHL        0        0     -     4 lo0
fec0::/10          www.lambdaserver.c UGRS       0        0     -     8 lo0
ff01::/16          www.lambdaserver.c UGRS       0        0     -     8 lo0
ff01::%em0/32      link#1             UC         0        0     -     4 em0
ff01::%em1/32      link#2             UC         0        0     -     4 em1
ff01::%lo0/32      www.lambdaserver.c UC         0        0     -     4 lo0
ff01::%ral0/32     link#5             UC         0        0     -     4 ral0
ff02::/16          www.lambdaserver.c UGRS       0        0     -     8 lo0
ff02::%em0/32      link#1             UC         0        0     -     4 em0
ff02::%em1/32      link#2             UC         0        0     -     4 em1
ff02::%lo0/32      www.lambdaserver.c UC         0        0     -     4 lo0
ff02::%ral0/32     link#5             UC         0        0     -     4 ral0

lambdaroot ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33160
        priority: 0
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:e0:81:bc:f3:6b
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
        inet6 fe80::2e0:81ff:febc:f36b%em0 prefixlen 64 scopeid 0x1
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:e0:81:bc:f3:6a
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
        inet6 fe80::2e0:81ff:febc:f36a%em1 prefixlen 64 scopeid 0x2
        inet 64.53.218.214 netmask 0xfffff800 broadcast 64.53.223.255
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
ral0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0e:2e:96:4e:e0
        priority: 4
        groups: wlan
        media: IEEE802.11 autoselect hostap
        status: active
        ieee80211: nwid lambdaserver chan 2 bssid 00:0e:2e:96:4e:e0 nwkey kashossc63250 100dBm
        inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255
        inet6 fe80::20e:2eff:fe96:4ee0%ral0 prefixlen 64 scopeid 0x5
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33160
        priority: 0
        groups: pflog

>>> At this point, rebooting the AP machine is the
>>> only thing that I've been able to do to rectify the situation. From
>>> the research that I've done, it doesn't look as though I should have
>>> to reboot. Any suggestions?
>>>
>>> Thanks!
>>> -Neal
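The before/after captures in this post show the recovery problem in two places: the pre-reboot route table has no per-host (UHLc) entries on ral0 while the post-reboot one has two, and ral0 went from "chan 1" with a "mode 11b" media string to "chan 2" with plain "autoselect hostap". Below is an added example, not code from the thread, that turns those observations into a repeatable comparison, so each recovery step tried in this thread (route flush, sh /etc/netstart, pf reload, ifconfig ral0 down/up) can be followed by the same check instead of reading route(8) and ifconfig(8) output by eye. The embedded captures are abridged from Neal's post with the nwkey replaced by a placeholder; the function names (host_entries, iface_block, wifi_chan, wifi_media, compare_captures) are the example's own, and it assumes the OpenBSD "route show" and "ifconfig -a" output formats shown above.

```shell
#!/bin/sh
# Added example, not from the thread: compare two captures of 'route show'
# and 'ifconfig -a' taken before and after a recovery step on the AP box.
# Assumes the OpenBSD output layouts shown in the post.

# Constructed captures, abridged from the post (nwkey replaced).
ROUTE_BEFORE='Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            d53-1-216.nap.wide UGS       11   108289     -     8 em1
192.168.2/24       link#1             UC         2        0     -     4 em0
192.168.2.39       00:0d:9d:43:2b:a7  UHLc       0      236     -     4 em0
192.168.3/24       link#5             UC         0        0     -     4 ral0'

ROUTE_AFTER='Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            d53-1-216.nap.wide UGS        9   179389     -     8 em1
192.168.2/24       link#1             UC         2        0     -     4 em0
192.168.2.39       00:0d:9d:43:2b:a7  UHLc       0        8     -     4 em0
192.168.3/24       link#5             UC         2        0     -     4 ral0
frege              00:02:6f:98:31:81  UHLc       0      139     -     4 ral0
192.168.3.35       00:02:6f:98:31:81  UHLc       1     1905     -     4 ral0'

IFCONFIG_BEFORE='em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
ral0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        media: IEEE802.11 autoselect hostap (autoselect mode 11b hostap)
        status: active
        ieee80211: nwid lambdaserver chan 1 bssid 00:0e:2e:96:4e:e0 nwkey <placeholder> 100dBm
        inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33160
        groups: pflog'

IFCONFIG_AFTER='em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
ral0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        media: IEEE802.11 autoselect hostap
        status: active
        ieee80211: nwid lambdaserver chan 2 bssid 00:0e:2e:96:4e:e0 nwkey <placeholder> 100dBm
        inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33160
        groups: pflog'

# host_entries IFACE (stdin: route show): count per-host UHL* entries on IFACE.
# Each associated wireless client that has talked to the AP shows up as one.
host_entries() {
    awk -v ifc="$1" '$3 ~ /^UHL/ && $NF == ifc { n++ } END { print n + 0 }'
}

# iface_block IFACE (stdin: ifconfig -a): print only IFACE's block.
iface_block() {
    awk -v ifc="$1" '/^[a-z]/ { inblk = ($1 == (ifc ":")) } inblk'
}

# wifi_chan / wifi_media (stdin: one interface block): channel and media line.
wifi_chan() {
    awk '/ieee80211:/ { for (i = 1; i <= NF; i++) if ($i == "chan") print $(i + 1) }'
}
wifi_media() {
    awk -F': ' '$1 ~ /^[ \t]*media$/ { print $2 }'
}

# compare_captures IFACE ROUTE_BEFORE ROUTE_AFTER IFCONFIG_BEFORE IFCONFIG_AFTER
compare_captures() {
    ifc=$1
    printf 'host entries on %s: %s -> %s\n' "$ifc" \
        "$(printf '%s\n' "$2" | host_entries "$ifc")" \
        "$(printf '%s\n' "$3" | host_entries "$ifc")"
    printf 'channel: %s -> %s\n' \
        "$(printf '%s\n' "$4" | iface_block "$ifc" | wifi_chan)" \
        "$(printf '%s\n' "$5" | iface_block "$ifc" | wifi_chan)"
    printf 'media: %s -> %s\n' \
        "$(printf '%s\n' "$4" | iface_block "$ifc" | wifi_media)" \
        "$(printf '%s\n' "$5" | iface_block "$ifc" | wifi_media)"
}

compare_captures ral0 "$ROUTE_BEFORE" "$ROUTE_AFTER" "$IFCONFIG_BEFORE" "$IFCONFIG_AFTER"
```

On the AP itself, capture with "route show > route.before; ifconfig -a > if.before", apply one recovery step, capture again, and run compare_captures ral0 "$(cat route.before)" "$(cat route.after)" "$(cat if.before)" "$(cat if.after)". A step that really restores the AP should bring the ral0 host-entry count back up once clients reassociate; a step after which it stays at 0 can be ruled out without waiting for a reboot.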

Re: route flush and sh /etc/netstart not enough?

Neal Hogan
On Sat, Jan 29, 2011 at 7:24 PM, Neal Hogan <[hidden email]> wrote:
> On Tue, Jan 25, 2011 at 10:11 PM, Neal Hogan <[hidden email]> wrote:
>> On Tue, Jan 25, 2011 at 9:51 PM, Ryan Flannery <[hidden email]> wrote:
>>> On Tue, Jan 25, 2011 at 9:01 PM, Neal Hogan <[hidden email]> wrote:
>>>> Hello misc@,
>>>>
>>>> I'm having an issue with my wifi AP after I reconnect to my ISP. That
>>>> is, when my internet connection is broken, for whatever reason, and
>>>> then reconnected, my wireless machines see that the AP is available,
>>>> but fail to connect to it. My hard connection works just fine.
>>>

<bump>
I've tried a suggestion:

     # sudo pfctl -F all && sudo pfctl -f /etc/pf.conf
     # sudo ifconfig ral0 down && sudo ifconfig ral0 up

No dice. Are there any suggestions that will allow me to regain my
wifi AP capabilities without having to reboot?

Thanks!

>>> Do you still have a dynamic IP?  If so, is it set to something
>>> different when you reconnect?
>>>
>>> If so, the nat in your pf is probably causing the problem.
>>>
>>
>> I was thinking the same and when I finally got the internet connection
>> back the IP looked the same.
>>>>
>>>> I flush all the routes (i.e., # route flush) and then sh /etc/netstart,
>>>> but that does not work.
>>>
>>> Have you also tried restarting pf at this point?
>>>
>>
>> I did not do that this most recent time, but I seem to remember
>> doing it last time without it helping. When I get time, I will try to
>> recreate the situation by unplugging my modem and restarting pf.
>
> I tried restarting pf (i.e., pfctl -d && pfctl -ef /etc/pf.conf) and
> it didn't work. That is, I flushed the routes, ran 'sh /etc/netstart',
> and restarted pf, and my wifi access point fails to give addresses.
>
> Below are my pf rules, route table and ifconfig info before and
> after I reboot.
>
> lambdaroot pfctl -s rules
> match in all scrub (no-df random-id reassemble tcp)
> match out on em1 from ! (em1) to any nat-to (em1) round-robin
> pass in on em1 inet proto tcp from <whitelist> to (em1) port = smtp
> flags S/SA keep state rdr-to 127.0.0.1 port 25
> pass in on em0 inet proto tcp from any to 192.168.2.1 port = smtp
> flags S/SA keep state rdr-to 127.0.0.1 port 25
> pass in on em1 inet proto tcp from <spamd> to 64.53.218.214 port =
> smtp flags S/SA keep state rdr-to 127.0.0.1 port 8025
> pass in on em1 inet proto tcp from <spamd-white> to any port = smtp
> flags S/SA keep state rdr-to 127.0.0.1 port 25
> pass in on em1 inet proto tcp from ! <spamd-white> to any port = smtp
> flags S/SA keep state rdr-to 127.0.0.1 port 8025
> block drop in all
> block drop out all
> block drop in log quick on ! lo inet6 from ::1 to any
> block drop in log quick on ! lo inet from 127.0.0.0/8 to any
> block drop in log quick inet from 127.0.0.1 to any
> block drop in log quick on ! em1 inet from 64.53.216.0/21 to any
> block drop in log quick inet from 64.53.218.214 to any
> block drop in log quick on ! em0 inet from 192.168.2.0/24 to any
> block drop in log quick inet from 192.168.2.1 to any
> block drop in log quick on ! ral0 inet from 192.168.3.0/24 to any
> block drop in log quick inet from 192.168.3.1 to any
> block drop in log quick inet6 from ::1 to any
> block drop in log quick on lo0 inet6 from fe80::1 to any
> block drop in log quick on em1 inet6 from fe80::2e0:81ff:febc:f36a to any
> block drop in log quick on em0 inet6 from fe80::2e0:81ff:febc:f36b to any
> block drop in log quick on ral0 inet6 from fe80::20e:2eff:fe96:4ee0 to any
> block drop in log quick from <bad_ssh> to any
> block drop in log quick from <bad_www> to any
> block drop in log quick from <bad_wifi> to any
> pass out quick on em1 inet proto tcp from any to 24.172.134.210 port =
> finger user = 67 flags S/SA modulate state
> pass out quick on ral0 inet proto tcp from any to
> <__automatic_80b2c777_0> port = finger user = 67 flags S/SA modulate
> state
> pass out quick on em0 inet proto tcp from any to
> <__automatic_80b2c777_2> port = finger user = 67 flags S/SA modulate
> state
> pass out quick on ral0 inet proto tcp from any to
> <__automatic_80b2c777_1> port = ssh user = 67 flags S/SA modulate
> state
> pass out quick on em0 inet proto tcp from any to
> <__automatic_80b2c777_3> port = ssh user = 67 flags S/SA modulate
> state
> pass in log on em1 inet proto tcp from any to (em1) port = ssh flags
> S/SA synproxy state (source-track rule, max-src-conn-rate 10/20,
> overload <bad_ssh> flush global, src.track 20)
> pass in log on em1 inet proto tcp from any to (em1) port = smtp flags
> S/SA synproxy state
> pass in log on em1 inet proto tcp from any to (em1) port = www flags
> S/SA synproxy state (source-track rule, max-src-conn 100,
> max-src-conn-rate 15/5, overload <bad_www> flush global, src.track 5)
> pass in log on em1 inet proto tcp from any to (em1) port = https flags
> S/SA synproxy state (source-track rule, max-src-conn 100,
> max-src-conn-rate 15/5, overload <bad_www> flush global, src.track 5)
> pass in log on em1 inet proto icmp from any to (em1) icmp-type echoreq
> keep state
> pass in log on em1 inet proto icmp from any to (em1) icmp-type unreach
> keep state
> pass in on em1 inet proto tcp from any to (em1) port = ftp flags S/SA
> keep state (source-track rule, max-src-conn 3, max-src-conn-rate 15/5,
> src.track 5)
> pass in on em1 proto tcp from any to any port > 49151 flags S/SA keep state
> pass in on em1 proto tcp from any to any port = rsync flags S/SA keep state
> pass in log on em1 inet proto tcp from 24.172.134.210 to 64.53.218.214
> port = finger flags S/SA synproxy state
> pass out log on em1 all flags S/SA keep state
> pass in quick on em0 inet from 192.168.2.0/24 to any flags S/SA keep state
> pass in on ral0 inet from 192.168.3.0/24 to any flags S/SA keep state
> pass in on ral0 inet proto udp from 192.168.3.0/24 port = bootpc to
> any port = bootps keep state
> pass out on ral0 all flags S/SA keep state
> pass out on em0 all flags S/SA keep state
> pass in log on ral0 inet proto icmp from 192.168.3.0/24 to (ral0) keep state
> pass in log on ral0 inet proto tcp from 192.168.3.0/24 to (ral0) port
> = ssh flags S/SA synproxy state (source-track rule, max-src-conn-rate
> 3/20, overload <bad_ssh> flush global, src.track 20)
> pass in log on ral0 inet proto tcp from 192.168.3.0/24 to (ral0) port
> = www flags S/SA synproxy state (source-track rule, max-src-conn 100,
> max-src-conn-rate 15/5, overload <bad_www> flush global, src.track 5)
> pass in log on ral0 inet proto tcp from 192.168.3.0/24 to (ral0) port
> = https flags S/SA synproxy state (source-track rule, max-src-conn
> 100, max-src-conn-rate 15/5, overload <bad_www> flush global,
> src.track 5)
> pass in log on ral0 inet from 192.168.3.0/24 to ! (ral0) flags S/SA
> modulate state
>
> lambdaroot route show
> Routing tables
>
> Internet:
> Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
> default            d53-1-216.nap.wide UGS       11   108289     -     8 em1
> 64.53.216/21       link#2             UC         1        0     -     4 em1
> d53-1-216.nap.wide 00:01:5c:32:fa:c1  UHLc       1        0     -     4 em1
> d53-214-218.nap.wi www.lambdaserver.c UGHS       0      118 33160     8 lo0
> loopback           www.lambdaserver.c UGRS       0        0 33160     8 lo0
> www.lambdaserver.c www.lambdaserver.c UH         2        0 33160     4 lo0
> 192.168.2/24       link#1             UC         2        0     -     4 em0
> 192.168.2.39       00:0d:9d:43:2b:a7  UHLc       0      236     -     4 em0
> 192.168.2.43       00:1e:37:d9:cc:ed  UHLc       8     1062     -     4 em0
> 192.168.3/24       link#5             UC         0        0     -     4 ral0
> BASE-ADDRESS.MCAST www.lambdaserver.c URS        0        0 33160     8 lo0
>
> Internet6:
> Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
> ::/104             www.lambdaserver.c UGRS       0        0     -     8 lo0
> ::/96              www.lambdaserver.c UGRS       0        0     -     8 lo0
> www.lambdaserver.c www.lambdaserver.c UH        14        0 33160     4 lo0
> ::127.0.0.0/104    www.lambdaserver.c UGRS       0        0     -     8 lo0
> ::224.0.0.0/100    www.lambdaserver.c UGRS       0        0     -     8 lo0
> ::255.0.0.0/104    www.lambdaserver.c UGRS       0        0     -     8 lo0
> ::ffff:0.0.0.0/96  www.lambdaserver.c UGRS       0        0     -     8 lo0
> 2002::/24          www.lambdaserver.c UGRS       0        0     -     8 lo0
> 2002:7f00::/24     www.lambdaserver.c UGRS       0        0     -     8 lo0
> 2002:e000::/20     www.lambdaserver.c UGRS       0        0     -     8 lo0
> 2002:ff00::/24     www.lambdaserver.c UGRS       0        0     -     8 lo0
> fe80::/10          www.lambdaserver.c UGRS       0        0     -     8 lo0
> fe80::%em0/64      link#1             UC         0        0     -     4 em0
> fe80::%em1/64      link#2             UC         0        0     -     4 em1
> fe80::%lo0/64      fe80::1%lo0        U          0        0     -     4 lo0
> fe80::%ral0/64     link#5             UC         0        0     -     4 ral0
> fec0::/10          www.lambdaserver.c UGRS       0        0     -     8 lo0
> ff01::/16          www.lambdaserver.c UGRS       0        0     -     8 lo0
> ff01::%em0/32      link#1             UC         0        0     -     4 em0
> ff01::%em1/32      link#2             UC         0        0     -     4 em1
> ff01::%lo0/32      www.lambdaserver.c UC         0        0     -     4 lo0
> ff01::%ral0/32     link#5             UC         0        0     -     4 ral0
> ff02::/16          www.lambdaserver.c UGRS       0        0     -     8 lo0
> ff02::%em0/32      link#1             UC         0        0     -     4 em0
> ff02::%em1/32      link#2             UC         0        0     -     4 em1
> ff02::%lo0/32      www.lambdaserver.c UC         0        0     -     4 lo0
> ff02::%ral0/32     link#5             UC         0        0     -     4 ral0
>
> lambdaroot ifconfig -a
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33160
>        priority: 0
>        groups: lo
>        inet6 ::1 prefixlen 128
>        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
>        inet 127.0.0.1 netmask 0xff000000
> em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>        lladdr 00:e0:81:bc:f3:6b
>        priority: 0
>        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
>        status: active
>        inet6 fe80::2e0:81ff:febc:f36b%em0 prefixlen 64 scopeid 0x1
>        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
> em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>        lladdr 00:e0:81:bc:f3:6a
>        priority: 0
>        groups: egress
>        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
>        status: active
>        inet6 fe80::2e0:81ff:febc:f36a%em1 prefixlen 64 scopeid 0x2
>        inet 64.53.218.214 netmask 0xfffff800 broadcast 64.53.223.255
> enc0: flags=0<>
>        priority: 0
>        groups: enc
>        status: active
> ral0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>        lladdr 00:0e:2e:96:4e:e0
>        priority: 4
>        groups: wlan
>        media: IEEE802.11 autoselect hostap (autoselect mode 11b hostap)
>        status: active
>        ieee80211: nwid lambdaserver chan 1 bssid 00:0e:2e:96:4e:e0
> nwkey kashossc63250 100dBm
>        inet6 fe80::20e:2eff:fe96:4ee0%ral0 prefixlen 64 scopeid 0x5
>        inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255
> pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33160
>        priority: 0
>        groups: pflog
>
> AFTER REBOOT
>
> lambdaroot route show
> Routing tables
>
> Internet:
> Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface

> default            d53-1-216.nap.wide UGS        9   179389     -     8 em1
> 64.53.216/21       link#2             UC         1        0     -     4 em1
> d53-1-216.nap.wide 00:01:5c:32:fa:c1  UHLc       1        0     -     4 em1
> d53-214-218.nap.wi www.lambdaserver.c UGHS       0      814 33160     8 lo0
> loopback           www.lambdaserver.c UGRS       0        0 33160     8 lo0
> www.lambdaserver.c www.lambdaserver.c UH         2      492 33160     4 lo0
> 192.168.2/24       link#1             UC         2        0     -     4 em0
> 192.168.2.39       00:0d:9d:43:2b:a7  UHLc       0        8     -     4 em0
> 192.168.2.43       00:1e:37:d9:cc:ed  UHLc       8     5185     -     4 em0
> 192.168.3/24       link#5             UC         2        0     -     4 ral0
> frege              00:02:6f:98:31:81  UHLc       0      139     -     4 ral0
> 192.168.3.35       00:02:6f:98:31:81  UHLc       1     1905     -     4 ral0
> BASE-ADDRESS.MCAST www.lambdaserver.c URS        0        0 33160     8 lo0
>
> Internet6:
> Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface

> ::/104             www.lambdaserver.c UGRS       0        0     -     8 lo0
> ::/96              www.lambdaserver.c UGRS       0        0     -     8 lo0
> www.lambdaserver.c www.lambdaserver.c UH        14        0 33160     4 lo0
> ::127.0.0.0/104    www.lambdaserver.c UGRS       0        0     -     8 lo0
> ::224.0.0.0/100    www.lambdaserver.c UGRS       0        0     -     8 lo0
> ::255.0.0.0/104    www.lambdaserver.c UGRS       0        0     -     8 lo0
> ::ffff:0.0.0.0/96  www.lambdaserver.c UGRS       0        0     -     8 lo0
> 2002::/24          www.lambdaserver.c UGRS       0        0     -     8 lo0
> 2002:7f00::/24     www.lambdaserver.c UGRS       0        0     -     8 lo0
> 2002:e000::/20     www.lambdaserver.c UGRS       0        0     -     8 lo0
> 2002:ff00::/24     www.lambdaserver.c UGRS       0        0     -     8 lo0
> fe80::/10          www.lambdaserver.c UGRS       0        0     -     8 lo0
> fe80::%em0/64      link#1             UC         0        0     -     4 em0
> fe80::2e0:81ff:feb 00:e0:81:bc:f3:6b  HL         0        0     -     4 lo0
> fe80::%em1/64      link#2             UC         0        0     -     4 em1
> fe80::2e0:81ff:feb 00:e0:81:bc:f3:6a  UHL        0        0     -     4 lo0
> fe80::%lo0/64      fe80::1%lo0        U          0        0     -     4 lo0
> fe80::1%lo0        link#4             UHL        0        0     -     4 lo0
> fe80::%ral0/64     link#5             UC         0        0     -     4 ral0
> fe80::20e:2eff:fe9 00:0e:2e:96:4e:e0  UHL        0        0     -     4 lo0
> fec0::/10          www.lambdaserver.c UGRS       0        0     -     8 lo0
> ff01::/16          www.lambdaserver.c UGRS       0        0     -     8 lo0
> ff01::%em0/32      link#1             UC         0        0     -     4 em0
> ff01::%em1/32      link#2             UC         0        0     -     4 em1
> ff01::%lo0/32      www.lambdaserver.c UC         0        0     -     4 lo0
> ff01::%ral0/32     link#5             UC         0        0     -     4 ral0
> ff02::/16          www.lambdaserver.c UGRS       0        0     -     8 lo0
> ff02::%em0/32      link#1             UC         0        0     -     4 em0
> ff02::%em1/32      link#2             UC         0        0     -     4 em1
> ff02::%lo0/32      www.lambdaserver.c UC         0        0     -     4 lo0
> ff02::%ral0/32     link#5             UC         0        0     -     4 ral0

>
> lambdaroot ifconfig -a
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33160
>        priority: 0
>        groups: lo
>        inet 127.0.0.1 netmask 0xff000000
>        inet6 ::1 prefixlen 128
>        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
> em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>        lladdr 00:e0:81:bc:f3:6b
>        priority: 0
>        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
>        status: active
>        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
>        inet6 fe80::2e0:81ff:febc:f36b%em0 prefixlen 64 scopeid 0x1
> em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>        lladdr 00:e0:81:bc:f3:6a
>        priority: 0
>        groups: egress
>        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
>        status: active
>        inet6 fe80::2e0:81ff:febc:f36a%em1 prefixlen 64 scopeid 0x2
>        inet 64.53.218.214 netmask 0xfffff800 broadcast 64.53.223.255
> enc0: flags=0<>
>        priority: 0
>        groups: enc
>        status: active
> ral0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>        lladdr 00:0e:2e:96:4e:e0
>        priority: 4
>        groups: wlan
>        media: IEEE802.11 autoselect hostap
>        status: active
>        ieee80211: nwid lambdaserver chan 2 bssid 00:0e:2e:96:4e:e0
> nwkey kashossc63250 100dBm
>        inet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255
>        inet6 fe80::20e:2eff:fe96:4ee0%ral0 prefixlen 64 scopeid 0x5
> pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33160
>        priority: 0
>        groups: pflog
>
>>>> At this point, rebooting the AP machine is the
>>>> only thing that I've been able to do to rectify the situation. From
>>>> the research that I've done, it doesn't look as though I should have
>>>> to reboot. Any suggestions?
>>>>
>>>> Thanks!
>>>> -Neal


Re: route flush and sh /etc/netstart not enough?

Henning Brauer
* Neal Hogan <[hidden email]> [2011-02-16 03:18]:
> I've tried a suggestion:
>
>      # sudo pfctl -F all && sudo pfctl -f /etc/pf.conf

sigh. can people still stop this flush bullshit? it might be needed
with other -beeeep- firewall packages, with pf it is actually
counterproductive, since ruleset reload is nicely atomic. if you flush, you
leave a window where everything is passed.

--
Henning Brauer, [hidden email], [hidden email]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting


Re: route flush and sh /etc/netstart not enough?

Kevin Chadwick-2
On Wed, 16 Feb 2011 11:46:32 +0100
Henning Brauer wrote:

> with pf it is actually counter
> productive, since ruleset reload is nicely atomic.

Cool, I hadn't noticed that change. :-)))


Re: route flush and sh /etc/netstart not enough?

Paul de Weerd
On Wed, Feb 16, 2011 at 11:27:13AM +0000, Kevin Chadwick wrote:
| On Wed, 16 Feb 2011 11:46:32 +0100
| Henning Brauer wrote:
|
| > with pf it is actually counter
| > productive, since ruleset reload is nicely atomic.
|
| Cool, I hadn't noticed that change. :-)))

I don't think that was ever a 'change' in pf...

Paul 'WEiRD' de Weerd

--
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
                 http://www.weirdnet.nl/                 


Re: route flush and sh /etc/netstart not enough?

Henning Brauer
* Paul de Weerd <[hidden email]> [2011-02-16 14:46]:
> On Wed, Feb 16, 2011 at 11:27:13AM +0000, Kevin Chadwick wrote:
> | On Wed, 16 Feb 2011 11:46:32 +0100
> | > with pf it is actually counter
> | > productive, since ruleset reload is nicely atomic.
> | Cool, I hadn't noticed that change. :-)))
> I don't think that was ever a 'change' in pf...

indeed.

--
Henning Brauer, [hidden email], [hidden email]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting


Re: route flush and sh /etc/netstart not enough?

Kevin Chadwick-2
On Wed, 16 Feb 2011 14:47:39 +0100
Henning Brauer wrote:

> indeed.

hmmm, it's bugging me where I read that there was a window. I have a
memory that it was quite an authoritative source but I guess not.

Anyway, cool to know now.


Re: route flush and sh /etc/netstart not enough?

Paul de Weerd
On Wed, Feb 16, 2011 at 02:27:08PM +0000, Kevin Chadwick wrote:
| On Wed, 16 Feb 2011 14:47:39 +0100
| Henning Brauer wrote:
|
| > indeed.
|
| hmmm, it's bugging me where I read that there was a window. I have a
| memory that it was quite an authoritative source but I guess not.

Somehow pf has done a lot of things right from day 1 ;)  I've had long
debates with people claiming it was impossible to atomically change
rulesets.  They didn't believe pf could do it, claimed it would have
to cheat by temporarily blocking all while changing the ruleset.  They
realized the silliness of the argument after I pointed out "ah, you
mean as in the pf rule `block quick all` ?".

Some people are SO stuck on the linux way of things...  Maybe you
mixed up quotes about pf and netfilter ?  I believe it's still not
possible to atomically change rulesets in Linux (although I could be
wrong with the latest firewall-du-jour they have).

| Anyway, cool to know now.

And to have, for almost 10 years now .. mark June 24th in your
calendars people ;)

[weerd@despair] $ grep Insane /usr/share/calendar/calendar.openbsd
Jun 24  PF added. Insane amounts of work done by dhartmei@, 2001

Cheers,

Paul 'WEiRD' de Weerd

--
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
                 http://www.weirdnet.nl/                 


Re: route flush and sh /etc/netstart not enough?

Dennis Davis
In reply to this post by Kevin Chadwick-2
On Wed, 16 Feb 2011, Kevin Chadwick wrote:

> From: Kevin Chadwick <[hidden email]>
> To: [hidden email]
> Date: Wed, 16 Feb 2011 14:27:08
> Subject: Re: route flush and sh /etc/netstart not enough?
>
> On Wed, 16 Feb 2011 14:47:39 +0100
> Henning Brauer wrote:
>
> > indeed.
>
> hmmm, it's bugging me where I read that there was a window. I have
> a memory that it was quite an authoritative source but I guess not.
>
> Anyway, cool to know now.

This is quite clearly covered in Peter Hansteen's online PF tutorial.
To quote from:

http://home.nuug.no/~peter/pf/en/stricter.html

  Under any circumstances the last valid rule set loaded will be in
  force until you either disable PF or load a new rule set.

  That is worth noting: When loading a new rule set, the last valid
  rule set stays loaded until the new one is fully parsed and
  loaded, and PF switches directly from one to the other. There is
  no intermediate stage with no rules loaded or a mixture of the two
  rule sets.

This is also explained quite early in both editions of his book.  On
page 14 in the first edition, page 21 in the second edition.
--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[hidden email]               Phone: +44 1225 386101
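The practical consequence of Henning's point and of the tutorial passage Dennis quotes is that a pf reload should never be preceded by `pfctl -F all`: flushing empties the ruleset and, until the new one is loaded, every packet is passed, whereas a plain `pfctl -f` swaps from the old ruleset to the new one atomically. The following reload helper is an added example and is not code from the thread or from the OpenBSD project. It syntax-checks the file first (`pfctl -n` parses without loading), so a broken rule file leaves the previous ruleset in force instead of a half-configured firewall; the `PFCTL` and `PF_CONF` variables are assumptions introduced here so the script can be pointed at a different binary or file.

```shell
#!/bin/sh
# Added example, not from the thread: reload the pf ruleset safely.
# PFCTL and PF_CONF are assumptions of this example; override them to
# point at another pfctl binary or rule file.
PFCTL="${PFCTL:-pfctl}"
PF_CONF="${PF_CONF:-/etc/pf.conf}"

# pf_reload FILE
#   1. parse FILE without loading it (pfctl -n); on a parse error the
#      currently loaded ruleset stays in force and we return non-zero;
#   2. load FILE with pfctl -f, which replaces the old ruleset
#      atomically, so no "-F all" flush is used at any point and there
#      is never a window with no rules.
pf_reload() {
    conf="${1:-$PF_CONF}"
    if ! "$PFCTL" -nf "$conf"; then
        echo "pf_reload: $conf failed to parse; previous ruleset left in force" >&2
        return 1
    fi
    "$PFCTL" -f "$conf"
}
```

Usage is `pf_reload` (for `/etc/pf.conf`) or `pf_reload /path/to/other.conf`, run as root. The same two-step shape works interactively as `pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf`; the only thing to leave out is the flush.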