Problems Between NIC and pf

W

wright546

*edit* Let me try to explain this more simply. I have 2 NICs in my computer. I have one pf.conf ruleset with only one line, "pass all". The on-board NIC works with this ruleset. The USB Ethernet adapter does not. Any ideas what might be going on here, and how to fix this?






My apologies if this is the wrong forum. I didn't know if I should post here or in the "Peripheral Hardware" section. I'm having a problem using a Lenovo USB 2.0 Ethernet adapter with the pf firewall.

Here is my setup:

  • Computer A - FreeBSD 10.0-RELEASE, installed a week or two ago on a Lenovo T410 laptop. The laptop has an Ethernet jack built on the motherboard which is detected as em0. I've also plugged in the Lenovo USB 2.0 Ethernet adapter into one of the USB ports and it's detected as ue0. Eventually I want to use this as a NAT box for the internal network for my home connection, which is the reason for 2 NICs. I do not have anything plugged in to the on board Ethernet jack. I have an active Ethernet cable plugged into the USB 2.0 adapter. IP address is 10.50.110.138.

    /etc/rc.conf:
    Code: 
    ifconfig_ue0="DHCP"
sshd_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"

    /etc/pf.conf:
    Code: 
    ext_if="ue0"
ssh="{ 22 }"
icmp_types="echoreq"

set block-policy return
set loginterface $ext_if
set skip on lo

block in on $ext_if
pass out quick
pass in on $ext_if inet proto tcp from any to ($ext_if) port $ssh
pass in inet proto icmp all icmp-type $icmp_types
  • Computer B - Windows XP at 10.50.110.38 using PuTTY SSH client
  • Computer C - iMac at 10.50.110.72
I can successfully ping from B to A, and I can successfully ping from C to A. But I cannot SSH into A at all, from B or C. I have run Wireshark/tcpdump on B and C to watch the SSH connection attempt. The SYN goes out from B to A, A replies with SYN/ACK, but after a few seconds B sends out another SYN, and A replies with SYN/ACK, and this repeats until the connection times out. The same thing happens when attempting to SSH from C to A. If I disable the pf firewall ( pfctl -d) then I can SSH to A successfully from B and C.

However, if I switch to using the onboard Ethernet jack (I update rc.conf and set
Code: 
ifconfig_em0="DHCP"
and I update pf.conf and set
Code: 
ext_if="em0"
then run pfctl -f /etc/pf.conf and service netif restart) I can ping and ssh to A (new IP address of 10.50.110.169 due to different NIC/MAC address) successfully from B and C if the pf firewall is enabled or disabled.

I tried another USB 2.0 Ethernet adapter of the same model, and it got a different IP address of course, but had the same results.

So there seems to be some kind of issue with this particular USB 2.0 NIC interacting with pf, but at this point it's over my head. Any suggestions?

Thank you!
Aaron
 
If computer A responds with a SYN/ACK the firewall isn't the issue. The service responds so that means the packets arrive. The problem must be somewhere else.
 
I agree. From my troubleshooting my guess is that it's something with the ue0 driver. I'll post in the Peripheral Hardware section.
 
You must log in or register to reply here.
Back
Top