DaemonForums > OpenBSD > OpenBSD Security
23rd September 2010
amorphousone
Port Guard
Join Date: Nov 2009
Posts: 11
evdo on server: clients can ping www, but not browse

I connected my server to the internet using a Novatel U727.
Clients can ping Google, but when surfing, the status stops at "waiting for google.com".
It looks to me like I can send but not receive packets.

Packet forwarding and filtering are enabled.

Prior to this experiment:


I was expecting to simply change "dc0" to "tun0" in my pf.conf, then just:
# ppp -ddial sprint ; pfctl -d ; pfctl -e
and have everything more or less work the same.

I read in the tun manpage:
Both layer 3 and layer 2 tunneling is supported. Layer 3 tunneling is
the default mode; to enable layer 2 tunneling mode the link0 flag needs
to be set with ifconfig(8), or by setting up a hostname.if(5) configuration
file for netstart(8). In layer 2 mode the tun interface is simulating
an Ethernet network interface.
and thought maybe this was my problem, that tun0 was defaulting to a layer 3 tunnel (or is this barking up the wrong tree?), so I attempted to set the link0 flag a la:
# ifconfig tun0 link0
but then ifconfig tun0 shows the connection's been dropped (NO CARRIER).
The next sentence in man tun is:
...Note that setting or unsetting the link0 flag causes tun to
lose any configuration settings, and that it is not advisable to use the
flag with any other parameters.
but I thought I was following this advice. Is the order of operation backwards? Should it be:
# ifconfig tun0 link0 ; ppp -ddial sprint
My pf.conf is 99% from the FAQ SOHO example:
# macros

ext_if="tun0" # Novatel U727 via Sprint
#ext_if="dc0" # On-board card
#int_if="ral0" # Wireless access point
int_if="re0" # Realtek gigabit card
tcp_services="{ 22, 113 }"
icmp_types="echoreq" # referenced by the icmp rule below but missing from the post as given; the FAQ SOHO example defines it as echoreq

# options

set block-policy return
set loginterface $ext_if
set skip on lo

# FTP proxy rules

anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to any port ftp \
    rdr-to port 8021

# match rules

match out on egress inet from !(egress) to any nat-to (egress:0)

# filter rules

block in log
pass out quick
antispoof quick for { lo $int_if }
pass in on egress inet proto tcp from any to (egress) \
    port $tcp_services
pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if
Packet forwarding is on:
# grep \^net /etc/sysctl.conf  
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
    set log Phase Chat LCP IPCP CCP tun command

    set device /dev/cuaU0
    set speed 230400
\"\" ATZ OK ATQ0V1E1S0=0&C1&D2+FCLASS=0 OK \
    set login
    set timeout 0
    enable dns
    add default HISADDR
    set ifaddr 0 0 0
Any advice?