DaemonForums  

#1
Old 17th December 2009
Monkey
Problem with pf for PPPoE

Hi,

I just installed OpenBSD 4.6, because I want to use nat to make a very basic firewall to split my ADSL connection between a few computers (some Linux, some Windows). I set up a very basic pf.conf with only what is necessary to use the internet. On my OpenBSD box everything works fine, I have access to any website, but on my other computers only 80% of the websites work; other websites like "msn.com" and "grc.com" don't work, it says "Waiting for www.grc.com..." in the Firefox status bar. I tried many different settings but nothing works ... Here is my pf.conf:

Code:
# external (PPPoE) interface
ext_if = "pppoe0"

# don't filter loopback
set skip on lo

# clear the DF bit and clamp the TCP MSS on all inbound packets
match in all scrub (no-df max-mss 1440)

# NAT everything that is not from the PPPoE interface itself to its address
nat on $ext_if from !($ext_if) to any -> ($ext_if)

For now I just want my internet access to be shared to all my computers, I'll add security rules later...

Anybody have a clue?


Thanks a lot
#2
Old 18th December 2009
J65nko

The following section from the pppoe(4) man page discusses the MTU issue but gives a different match rule than yours.
Code:
MTU/MSS ISSUES
     Problems can arise on machines with private IPs connecting to the Inter-
     net via a machine running both Network Address Translation (NAT) and
     pppoe.  Standard Ethernet uses a Maximum Transmission Unit (MTU) of 1500
     bytes, whereas PPPoE mechanisms need a further 8 bytes of overhead.  This
     leaves a maximum MTU of 1492.  pppoe sets the MTU on its interface to
     1492 as a matter of course.  However, machines connecting on a private
     LAN will still have their MTUs set to 1500, causing conflict.

     While pppoe(8) has an internal option, ``mssfixup'', which is enabled by
     default and takes care of this, pppoe users have to rely on other meth-
     ods.  Using a packet filter, the Maximum Segment Size (MSS) can be set
     (clamped) to the required value.  The following rule in pf.conf(5) would
     set the MSS to 1440:

           match on pppoe0 scrub (max-mss 1440)

     Although in theory the maximum MSS over a PPPoE interface is 1452 bytes,
     1440 appears to be a safer bet.  Note that setting the MSS this way can
     have undesirable effects, such as interfering with the OS detection fea-
     tures of pf(4).

     See pf.conf(5) for more information on MTU, MSS, and NAT.
Could you try this match rule, and see whether that improves the situation?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
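As an added illustration (not code from the thread or from the pppoe(4) man page), the Python script below derives the MTU/MSS figures quoted above and then does what the signature suggests: it scans tcpdump output for SYNs whose MSS still exceeds the clamp, which is how you confirm the scrub rule is actually taking effect. The capture lines are constructed samples, and the parser assumes tcpdump's default IPv4 line format.

```python
import re

ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8      # PPPoE header (6) + PPP protocol field (2), the 8 bytes pppoe(4) mentions
IP_TCP_HEADERS = 40     # minimal IPv4 (20) + TCP (20) header


def pppoe_mtu(link_mtu=ETHERNET_MTU):
    """MTU of the PPPoE interface: Ethernet MTU minus PPPoE overhead (1492)."""
    return link_mtu - PPPOE_OVERHEAD


def theoretical_max_mss(link_mtu=ETHERNET_MTU):
    """Largest MSS that fits one PPPoE frame without fragmentation (1452);
    the man page recommends the more conservative 1440."""
    return pppoe_mtu(link_mtu) - IP_TCP_HEADERS


# One line of: tcpdump -n -i pppoe0 'tcp[tcpflags] & tcp-syn != 0'
SYN_RE = re.compile(
    r"IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\].*?"
    r"options \[(?P<opts>[^\]]*)\]")
MSS_RE = re.compile(r"\bmss (\d+)")


def find_unclamped_syns(lines, max_mss):
    """Return (src, dst, mss) for each SYN or SYN-ACK whose MSS exceeds max_mss.
    An empty list after loading the scrub rule means the clamp is working."""
    offenders = []
    for line in lines:
        m = SYN_RE.search(line)
        if not m or "S" not in m.group("flags"):
            continue                  # MSS is only negotiated on SYN segments
        mss = MSS_RE.search(m.group("opts"))
        if mss and int(mss.group(1)) > max_mss:
            offenders.append((m.group("src"), m.group("dst"), int(mss.group(1))))
    return offenders


# Constructed sample capture, not real traffic: a LAN client's SYN still
# advertising the Ethernet-sized MSS 1460, and a correctly clamped SYN-ACK.
SAMPLE = [
    "12:00:01.000001 IP 192.168.1.10.51234 > 203.0.113.5.80: Flags [S], seq 1, win 65535, options [mss 1460,sackOK,nop,wscale 7], length 0",
    "12:00:01.000002 IP 203.0.113.5.80 > 192.168.1.10.51234: Flags [S.], seq 2, ack 2, win 29200, options [mss 1440,sackOK], length 0",
    "12:00:01.000003 IP 192.168.1.10.51234 > 203.0.113.5.80: Flags [.], ack 1, win 512, length 0",
]

if __name__ == "__main__":
    print("pppoe0 MTU:", pppoe_mtu(), "theoretical max MSS:", theoretical_max_mss())
    for src, dst, mss in find_unclamped_syns(SAMPLE, 1440):
        print(f"unclamped SYN {src} -> {dst}: mss {mss}")
```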
#3
Old 18th December 2009
Monkey

It works!!!!!


Thanks a lot for the help, I'm a newbie in the networking world and I don't think I would have solved this by myself...

Now I'll add some security...
Tags
match on pppoe, mss, pppoe