Subject: Can't access NetBSD website after switch to PPPoE
To: None <netbsd-users@NetBSD.org>
From: Steven Sartorius <ssartor@bellatlantic.net>
List: netbsd-users
Date: 03/10/2004 22:06:23
Hi,
Subject line kind of says it all. My ISP (thanks, Verizon!) recently
moved me onto a PPPoE setup and since then I've been unable to access
the NetBSD web site -- the only site I've had trouble reaching since
the switch! I've configured PPPoE as per the documentation on the
NetBSD site (retrieved when I still had a static IP!) and have had no
real problems. I suspect my firewall may be misconfigured -- ipmon
reports the following when I attempt to connect to NetBSD:
10/03/2004 21:45:14.383215 pppoe0 @0:3 b 204.152.184.116 ->
138.89.34.68 PR tcp len 20 (28) frag 8@1472 IN
10/03/2004 21:45:34.882516 pppoe0 @0:3 b 204.152.184.116 ->
138.89.34.68 PR tcp len 20 (28) frag 8@1472 IN
10/03/2004 21:46:18.381955 pppoe0 @0:3 b 204.152.184.116 ->
138.89.34.68 PR tcp len 20 (28) frag 8@1472 IN
10/03/2004 21:46:38.881335 pppoe0 @0:3 b 204.152.184.116 ->
138.89.34.68 PR tcp len 20 (28) frag 8@1472 IN
10/03/2004 21:47:22.380782 pppoe0 @0:3 b 204.152.184.116 ->
138.89.34.68 PR tcp len 20 (28) frag 8@1472 IN
My ipf.conf is as follows:
pass out quick on lo0
pass in quick on lo0
pass out quick on ex0
pass in quick on ex0
block in log on pppoe0
block in quick on pppoe0 from 192.168.0.0/16 to any
block in quick on pppoe0 from 172.16.0.0/12 to any
block in quick on pppoe0 from 10.0.0.0/8 to any
block in quick on pppoe0 from 127.0.0.0/8 to any
block in quick on pppoe0 from 0.0.0.0/8 to any
block in quick on pppoe0 from 169.254.0.0/16 to any
block in quick on pppoe0 from 192.0.2.0/24 to any
block in quick on pppoe0 from 204.152.64.0/23 to any
block in quick on pppoe0 from 224.0.0.0/3 to any
#pass in quick on pppoe0 proto tcp from any to any port = 8000
pass out quick on pppoe0 proto tcp/udp from any to any keep state
pass out quick on pppoe0 proto icmp from any to any keep state
(the pppoe0 interface is facing the net; ex0 is facing my small
(trusted) internal network)
Any help would be much appreciated...
thanks,
Steve