Allow IGMP
With pf disabled, they pass on the WAN interface:
tcpdump -i ae0 -vvn igmp
tcpdump: listening on ae0, link-type EN10MB (Ethernet), capture size 96 bytes
19:41:42.431935 IP (tos 0x0, ttl 1, id 41457, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
    1.1.1.2 > 233.3.1.138: igmp v2 report 233.3.1.138
19:41:42.431946 IP (tos 0xc0, ttl 1, id 12406, offset 0, flags [none], proto IGMP (2), length 40, options (RA))
    1.1.1.2 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 0.0.0.0 is_ex { }]
19:41:42.722032 IP (tos 0xc0, ttl 1, id 43324, offset 0, flags [none], proto IGMP (2), length 40, options (RA))
    1.1.1.2 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 0.0.0.0 is_ex { }]
19:41:42.722069 IP (tos 0xc0, ttl 1, id 38139, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
    1.1.1.2 > 233.3.1.138: igmp v2 report 233.3.1.138
19:41:48.647184 IP (tos 0x0, ttl 1, id 28631, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
    1.1.1.2 > 224.0.0.2: igmp leave 233.3.1.138
19:41:48.647205 IP (tos 0xc0, ttl 1, id 2551, offset 0, flags [none], proto IGMP (2), length 40, options (RA))
    1.1.1.2 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 0.0.0.0 is_ex { }] bad igmp cksum 0!
19:41:48.677939 IP (tos 0xc0, ttl 1, id 1802, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
    10.76.92.65 > 233.3.1.138: igmp query v2 [max resp time 10] [gaddr 233.3.1.138]
^C
7 packets captured
5991 packets received by filter
0 packets dropped by kernel
These are the IGMP packets I need.
I turn PF on and they get blocked, and the logs stay silent. PF rules:
scrub on pppoe0 all fragment reassemble
scrub on dc0 all fragment reassemble
scrub on ae0 all fragment reassemble
anchor "relayd/*" all
block drop in log all label "Default deny rule"
block drop out log all label "Default deny rule"
block drop in quick inet6 all
block drop out quick inet6 all
block drop quick proto tcp from any port = 0 to any
block drop quick proto tcp from any to any port = 0
block drop quick proto udp from any port = 0 to any
block drop quick proto udp from any to any port = 0
block drop quick from <snort2c> to any label "Block snort2c hosts"
block drop quick from any to <snort2c> label "Block snort2c hosts"
block drop in log quick proto tcp from <sshlockout> to any port = ssh label "ssh lockout"
block drop in log quick proto tcp from <webconfiguratorlockout> to any port = http label "webConfiguratorlockout"
block drop in quick from <virusprot> to any label "virusprot overload table"
block drop in log quick on pppoe0 from <bogons> to any label "block bogon networks from WAN"
block drop in on ! pppoe0 inet from 109.161.1.1 to any
block drop in inet from 109.161.1.1 to any
block drop in on ! dc0 inet from 192.168.0.0/24 to any
block drop in inet from 192.168.0.50 to any
block drop in on pppoe0 inet6 from fe80::21d:60ff:fe8c:2fad to any
block drop in on dc0 inet6 from fe80::2a0:ccff:fe60:8f23 to any
block drop in log quick on ae0 from <bogons> to any label "block bogon networks from IPTV"
block drop in on ! ae0 inet from 1.1.1.0/24 to any
block drop in inet from 1.1.1.2 to any
block drop in on ae0 inet6 from fe80::21d:60ff:fe8c:2fad to any
pass in on lo0 all flags S/SA keep state label "pass loopback"
pass out on lo0 all flags S/SA keep state label "pass loopback"
pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out route-to (pppoe0 10.131.240.4) inet from 109.161.1.1 to ! 109.161.1.1 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out route-to (ae0 1.1.1.1) inet from 1.1.1.2 to ! 1.1.1.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass in quick on dc0 proto tcp from any to (dc0) port = http flags S/SA keep state label "anti-lockout rule"
pass in quick on dc0 proto tcp from any to (dc0) port = ssh flags S/SA keep state label "anti-lockout rule"
anchor "userrules/*" all
pass in quick on pppoe0 reply-to (pppoe0 10.131.240.4) inet all flags S/SA keep state label "USER_RULE"
pass in log quick on dc0 all flags S/SA keep state label "USER_RULE"
pass in quick on dc0 all flags S/SA keep state label "USER_RULE"
pass in quick on dc0 inet from 192.168.0.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on ae0 reply-to (ae0 1.1.1.1) inet all flags S/SA keep state label "USER_RULE"
anchor "tftp-proxy/*" all
To put it simply, there is just one rule: any to any, everywhere, all "asterisks".
My interfaces:
ifconfig
ae0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=82018<VLAN_MTU,VLAN_HWTAGGING,WOL_MAGIC,LINKSTATE>
	ether 00:1d:60:8c:2f:ad
	inet6 fe80::21d:60ff:fe8c:2fad%ae0 prefixlen 64 scopeid 0x1
	inet 1.1.1.2 netmask 0xffffff00 broadcast 1.1.1.255
	nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
dc0: flags=8a43<UP,BROADCAST,RUNNING,ALLMULTI,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=80008<VLAN_MTU,LINKSTATE>
	ether 00:a0:cc:60:8f:23
	inet 192.168.0.50 netmask 0xffffff00 broadcast 192.168.0.255
	inet6 fe80::2a0:ccff:fe60:8f23%dc0 prefixlen 64 scopeid 0x2
	nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
pfsync0: flags=0<> metric 0 mtu 1460
	syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
pflog0: flags=100<PROMISC> metric 0 mtu 33200
enc0: flags=0<> metric 0 mtu 1536
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=3<RXCSUM,TXCSUM>
	inet 127.0.0.1 netmask 0xff000000
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
	nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
pppoe0: flags=8ad1<UP,POINTOPOINT,RUNNING,NOARP,ALLMULTI,SIMPLEX,MULTICAST> metric 0 mtu 1492
	inet 109.161.1.1 --> 10.131.240.4 netmask 0xffffffff
	inet6 fe80::21d:60ff:fe8c:2fad%pppoe0 prefixlen 64 scopeid 0x7
	nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
What rule is needed so that 1.1.1.2 > 233.3.1.138: igmp v2 report 233.3.1.138 gets through?
And on the local interface it does not block IGMP.
Maybe I described the situation unclearly; I am ready to give any clarifications.
In short, I want to watch IPTV; with pf off it works.
With pf on, the IGMP report is not sent out the external interface, no matter how I twisted the rules.
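An added example from the editor, not the thread's own solution and not pfSense's generated rules, of how a narrowly scoped pf rule for this traffic can look. It builds on two things visible above: every IGMP packet in the capture carries the Router Alert IP option (`options (RA)`), and pf drops IPv4 packets with IP options unless the pass rule that matches them carries `allow-opts`, which the `pass in quick on ae0 ... inet all` rule in the rule set does not. Such a drop happens after a pass rule matched, so no logged block rule fires and the block log stays quiet; the drop is counted instead under `ip-option` in `pfctl -s info`. The interface, the firewall address and the querier address are taken from the capture; the macro names are the editor's own.

```pf
# Added example (editor's, not from the thread or pfSense).
# Interface and addresses come from the capture in the thread;
# the macro names are assumptions.
iptv_if  = "ae0"
iptv_src = "1.1.1.2"
mcast    = "224.0.0.0/4"

# IGMP packets carry the Router Alert IP option. pf drops IPv4 packets
# with IP options unless the matching pass rule says allow-opts, so a
# permissive-looking "pass ... inet all" without it still never passes
# IGMP. Grant allow-opts only to these two IGMP-specific rules, not to
# the interface-wide rule, so other option-bearing packets stay blocked.

# Membership queries from the upstream querier (10.76.92.65 in the
# capture), inbound on the IPTV interface, toward multicast only.
pass in quick on $iptv_if proto igmp from any to $mcast allow-opts \
    label "IGMP queries in on IPTV"

# Reports and leaves from the firewall itself, outbound on the IPTV
# interface, toward multicast only.
pass out quick on $iptv_if proto igmp from $iptv_src to $mcast allow-opts \
    label "IGMP reports out on IPTV"
```

Because the existing ae0 rules are `quick`, these two have to be evaluated before the broad `pass in quick on ae0 ... inet all` rule or they never match. To confirm the diagnosis before and after the change, compare the `ip-option` line of `pfctl -s info` while the capture from the thread is repeated: it stops increasing once the IGMP packets match a rule with `allow-opts`.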
Thanks, the forum does have a solution for this, but what pointed me to it was this:
http://redmine.pfsense.org/issues/54
Problem solved!