Allow IGMP



  • With pf disabled, they pass on the WAN interface

    tcpdump -i ae0 -vvn igmp
    tcpdump: listening on ae0, link-type EN10MB (Ethernet), capture size 96 bytes
    19:41:42.431935 IP (tos 0x0, ttl 1, id 41457, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
        1.1.1.2 > 233.3.1.138: igmp v2 report 233.3.1.138
    19:41:42.431946 IP (tos 0xc0, ttl 1, id 12406, offset 0, flags [none], proto IGMP (2), length 40, options (RA))
        1.1.1.2 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 0.0.0.0 is_ex { }]
    19:41:42.722032 IP (tos 0xc0, ttl 1, id 43324, offset 0, flags [none], proto IGMP (2), length 40, options (RA))
        1.1.1.2 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 0.0.0.0 is_ex { }]
    19:41:42.722069 IP (tos 0xc0, ttl 1, id 38139, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
        1.1.1.2 > 233.3.1.138: igmp v2 report 233.3.1.138
    19:41:48.647184 IP (tos 0x0, ttl 1, id 28631, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
        1.1.1.2 > 224.0.0.2: igmp leave 233.3.1.138
    19:41:48.647205 IP (tos 0xc0, ttl 1, id 2551, offset 0, flags [none], proto IGMP (2), length 40, options (RA))
        1.1.1.2 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 0.0.0.0 is_ex { }] bad igmp cksum 0!
    19:41:48.677939 IP (tos 0xc0, ttl 1, id 1802, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
        10.76.92.65 > 233.3.1.138: igmp query v2 [max resp time 10] [gaddr 233.3.1.138]
    ^C
    7 packets captured
    5991 packets received by filter
    0 packets dropped by kernel
    

    These are the IGMP packets I need.
    I enable PF and they get blocked, and the logs stay silent.

    PF rules

    scrub on pppoe0 all fragment reassemble
    scrub on dc0 all fragment reassemble
    scrub on ae0 all fragment reassemble
    anchor "relayd/*" all
    block drop in log all label "Default deny rule"
    block drop out log all label "Default deny rule"
    block drop in quick inet6 all
    block drop out quick inet6 all
    block drop quick proto tcp from any port = 0 to any
    block drop quick proto tcp from any to any port = 0
    block drop quick proto udp from any port = 0 to any
    block drop quick proto udp from any to any port = 0
    block drop quick from <snort2c> to any label "Block snort2c hosts"
    block drop quick from any to <snort2c> label "Block snort2c hosts"
    block drop in log quick proto tcp from <sshlockout> to any port = ssh label "sshlockout"
    block drop in log quick proto tcp from <webconfiguratorlockout> to any port = http label "webConfiguratorlockout"
    block drop in quick from <virusprot> to any label "virusprot overload table"
    block drop in log quick on pppoe0 from <bogons> to any label "block bogon networks from WAN"
    block drop in on ! pppoe0 inet from 109.161.1.1 to any
    block drop in inet from 109.161.1.1 to any
    block drop in on ! dc0 inet from 192.168.0.0/24 to any
    block drop in inet from 192.168.0.50 to any
    block drop in on pppoe0 inet6 from fe80::21d:60ff:fe8c:2fad to any
    block drop in on dc0 inet6 from fe80::2a0:ccff:fe60:8f23 to any
    block drop in log quick on ae0 from <bogons> to any label "block bogon networks from IPTV"
    block drop in on ! ae0 inet from 1.1.1.0/24 to any
    block drop in inet from 1.1.1.2 to any
    block drop in on ae0 inet6 from fe80::21d:60ff:fe8c:2fad to any
    pass in on lo0 all flags S/SA keep state label "pass loopback"
    pass out on lo0 all flags S/SA keep state label "pass loopback"
    pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (pppoe0 10.131.240.4) inet from 109.161.1.1 to ! 109.161.1.1 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (ae0 1.1.1.1) inet from 1.1.1.2 to ! 1.1.1.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass in quick on dc0 proto tcp from any to (dc0) port = http flags S/SA keep state label "anti-lockout rule"
    pass in quick on dc0 proto tcp from any to (dc0) port = ssh flags S/SA keep state label "anti-lockout rule"
    anchor "userrules/*" all
    pass in quick on pppoe0 reply-to (pppoe0 10.131.240.4) inet all flags S/SA keep state label "USER_RULE"
    pass in log quick on dc0 all flags S/SA keep state label "USER_RULE"
    pass in quick on dc0 all flags S/SA keep state label "USER_RULE"
    pass in quick on dc0 inet from 192.168.0.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
    pass in quick on ae0 reply-to (ae0 1.1.1.1) inet all flags S/SA keep state label "USER_RULE"
    anchor "tftp-proxy/*" all
    

    To put it simply, even with just one rule, everything to everything everywhere, all "asterisks".
    My interfaces:

    ifconfig
    ae0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=82018<VLAN_MTU,VLAN_HWTAGGING,WOL_MAGIC,LINKSTATE>
            ether 00:1d:60:8c:2f:ad
            inet6 fe80::21d:60ff:fe8c:2fad%ae0 prefixlen 64 scopeid 0x1
            inet 1.1.1.2 netmask 0xffffff00 broadcast 1.1.1.255
            nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    dc0: flags=8a43<UP,BROADCAST,RUNNING,ALLMULTI,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=80008<VLAN_MTU,LINKSTATE>
            ether 00:a0:cc:60:8f:23
            inet 192.168.0.50 netmask 0xffffff00 broadcast 192.168.0.255
            inet6 fe80::2a0:ccff:fe60:8f23%dc0 prefixlen 64 scopeid 0x2
            nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    pfsync0: flags=0<> metric 0 mtu 1460
            syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
    pflog0: flags=100<PROMISC> metric 0 mtu 33200
    enc0: flags=0<> metric 0 mtu 1536
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
            options=3<RXCSUM,TXCSUM>
            inet 127.0.0.1 netmask 0xff000000
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
            nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
    pppoe0: flags=8ad1<UP,POINTOPOINT,RUNNING,NOARP,ALLMULTI,SIMPLEX,MULTICAST> metric 0 mtu 1492
            inet 109.161.1.1 --> 10.131.240.4 netmask 0xffffffff
            inet6 fe80::21d:60ff:fe8c:2fad%pppoe0 prefixlen 64 scopeid 0x7
            nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
    

    What rule do I need so that 1.1.1.2 > 233.3.1.138: igmp v2 report 233.3.1.138 gets through?
    Moreover, on the local interface it does not block IGMP.
    Maybe I described the situation unclearly; I am ready to give any clarification.
    In short, I want to watch IPTV; with pf disabled it works.
    With pf enabled, the IGMP report is not sent out the external interface, no matter how I twisted the rules.



  • Thanks, the forum has the solution too, but this is what put me on the right track.

    http://redmine.pfsense.org/issues/54

    Question solved!
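Added example, not the poster's ruleset and not the fix from the linked issue: pf drops IPv4 packets that carry IP options unless the pass rule that matches them has allow-opts, and every IGMP packet in the capture above carries the Router Alert option (options (RA)), while the pass in rule on ae0 in the ruleset above has no allow-opts. The rules below show how IGMP on the IPTV interface could be passed with that option; the interface ae0, its address 1.1.1.2 and the group range are taken from the thread, the macro names are my own.

```pf
# Added example (not the poster's ruleset or the fix from the linked issue).
# Assumes the setup from the thread: ae0 is the IPTV interface with address
# 1.1.1.2; the querier seen in the capture is 10.76.92.65.
# pf drops IPv4 packets carrying IP options unless the pass rule that matches
# them specifies allow-opts. Every IGMP packet in the capture carries the
# Router Alert option ("options (RA)"), so allow-opts is needed in both
# directions. "quick" makes these rules win before the generic pass rules
# (pf otherwise applies the last matching rule).

iptv_if = "ae0"
iptv_ip = "1.1.1.2"
mcast   = "224.0.0.0/4"

# Outbound: membership reports (to the group itself, e.g. 233.3.1.138, or to
# 224.0.0.22 for IGMPv3) and leave messages (to 224.0.0.2).
pass out quick on $iptv_if proto igmp from $iptv_ip to $mcast allow-opts

# Inbound: general and group-specific queries from the upstream querier.
# Narrow "any" to the querier's address (10.76.92.65 in the capture) if it is
# stable.
pass in quick on $iptv_if proto igmp from any to $mcast allow-opts
```

Drops for this cause increment the ip-option counter in pfctl -si and are charged to the pass rule that matched, so the logging default-deny rule never records them, which is consistent with the silent logs described above.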

