From owner-freebsd-questions@FreeBSD.ORG Wed May 11 00:08:18 2005
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DB60916A4CE for ; Wed, 11 May 2005 00:08:17 +0000 (GMT)
Received: from aiolos.otenet.gr (aiolos.otenet.gr [195.170.0.23]) by mx1.FreeBSD.org (Postfix) with ESMTP id A979F43D7E for ; Wed, 11 May 2005 00:08:13 +0000 (GMT) (envelope-from keramida@ceid.upatras.gr)
Received: from gothmog.gr (patr530-a161.otenet.gr [212.205.215.161]) j4B06ZiO014548; Wed, 11 May 2005 03:06:37 +0300
Received: from gothmog.gr (gothmog [127.0.0.1]) by gothmog.gr (8.13.3/8.13.3) with ESMTP id j4B0833n002397; Wed, 11 May 2005 03:08:05 +0300 (EEST) (envelope-from keramida@ceid.upatras.gr)
Received: (from giorgos@localhost) by gothmog.gr (8.13.3/8.13.3/Submit) id j4B052GN001568; Wed, 11 May 2005 03:05:02 +0300 (EEST) (envelope-from keramida@ceid.upatras.gr)
Date: Wed, 11 May 2005 03:05:01 +0300
From: Giorgos Keramidas
To: Fafa Hafiz Krantz
Message-ID: <20050511000501.GA1341@gothmog.gr>
References: <20050510121948.BCA794BEAD@ws1-1.us4.outblaze.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20050510121948.BCA794BEAD@ws1-1.us4.outblaze.com>
cc: freebsd-questions@freebsd.org
Subject: Re: PF RULES! But mine doesn't ...
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 11 May 2005 00:08:18 -0000

On 2005-05-10 07:19, Fafa Hafiz Krantz wrote:
> "Giorgos Keramidas" wrote:
> > Show us the output of:
> >
> > # pfctl -sr
> >
> > [snip ruleset]
>
> Hello!
>
> # pfctl -sr
>
> scrub in all fragment reassemble
> block drop log all
> pass quick on lo0 all
> pass quick on ep0 all

Good so far.

> pass out on lnc0 inet proto tcp from (lnc0) to any keep state
> pass out on lnc0 inet proto udp from (lnc0) to any keep state
> pass out on lnc0 inet proto icmp from (lnc0) to any keep state
> pass in on lnc0 inet proto tcp from any to (lnc0) port = domain
> pass in on lnc0 inet proto udp from any to (lnc0) port = domain
> pass out on lnc0 inet proto tcp from (lnc0) port = domain to any
> pass out on lnc0 inet proto udp from (lnc0) port = domain to any
> pass out on lnc0 inet proto udp from (lnc0) to any port = domain keep state
> pass out on lnc0 inet proto udp from (lnc0) to any port = ntp keep state
> pass in on lnc0 inet proto tcp from any to (lnc0) port = ssh flags S/SA keep state
> pass in on lnc0 inet proto tcp from any to (lnc0) port = http flags S/SA keep state
> pass in on lnc0 inet proto tcp from any to (lnc0) port = auth flags S/SA keep state
> pass in on lnc0 inet proto tcp from any port = ftp-data to (lnc0) user = 62 flags S/SA keep state
> pass in on lnc0 proto tcp from any to any port = 31337 keep state
> pass in on lnc0 proto tcp from any to any port 53333:55555

There are at least two problems with the above rules:

  1. You are using (lnc0) on all the rules below.

  2. There are no address mapping rules (nat or binat).

The reason why (1) may cause problems is that they assume that all packets
that come *in* on the lnc0 interface have as their source or destination
address one of the IP addresses of that interface.  This may not be true if
you have packet forwarding enabled, especially when NAT is not enabled; which
it is not, in your ruleset.

Even if NAT _is_ enabled, I think that packets that come in on ep0 will still
have the same source address as they go in lnc0 and will only change their
source address "en route" through lnc0, as the NAT rules are applied.

Pay very close attention to the following example from the pf.conf manpage
itself.
It may help a bit to explain what I said above:

    In the example below, the machine sits between a fake internal 144.19.74.*
    network, and a routable external IP of 204.92.77.100.  The no nat rule
    excludes protocol AH from being translated.

        # NO NAT
        no nat on $ext_if proto ah from 144.19.74.0/24 to any
        nat on $ext_if from 144.19.74.0/24 to any -> 204.92.77.100

Both (1) and (2) are not problems if you have public, routable IP addresses on
all the hosts visible through the ep0 interface.  The fact that you do have a
problem suggests that the IP addresses of the ep0 interface (not visible above)
are all parts of unroutable, private address blocks.

Another problem that is easily noticed is that you have lots of redundant rules
that serve only as a waste of CPU cycles.  For instance, these sets of rules
will match a common set of IP packets.  You may find it useful to note that the
*first* rule of each group matches a superset of the packets that the rest
match, so you can keep just the first rule of each group for exactly the same
effect!

    pass out on lnc0 inet proto tcp from (lnc0) to any keep state
    pass out on lnc0 inet proto tcp from (lnc0) port = domain to any

    pass out on lnc0 inet proto udp from (lnc0) to any keep state
    pass out on lnc0 inet proto udp from (lnc0) port = domain to any
    pass out on lnc0 inet proto udp from (lnc0) to any port = domain keep state

- Giorgos
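An added example, not part of Giorgos's message and not FreeBSD's or the pf project's own configuration, of a pf.conf that applies both points raised above (a nat rule for the hosts behind ep0, and only the superset "pass out" rule per protocol). The interface names lnc0 and ep0 come from the quoted pfctl output; the private block 192.168.1.0/24 behind ep0 and the list of inbound services are assumptions and stand in for whatever the real network uses.

```pf
# Added example ruleset (not from the original thread). Interface names are
# taken from the quoted "pfctl -sr" output; the internal network below is an
# assumed private block behind ep0, substitute the real one.
ext_if       = "lnc0"
int_if       = "ep0"
int_net      = "192.168.1.0/24"            # assumption
tcp_services = "{ ssh, http, auth }"       # services the firewall itself offers

scrub in all

# Point (2): translate forwarded traffic from the private network to the
# address of lnc0. Without this, packets from 192.168.1.0/24 leave lnc0 with
# an unroutable source address and, in the original ruleset, never match
# "from (lnc0)" at all, so "block drop log all" drops them (check pflog).
# Modelled on the pf.conf(5) example, with ($ext_if) instead of a fixed IP
# so the rule follows the interface's current address.
nat on $ext_if inet from $int_net to any -> ($ext_if)

block drop log all
pass quick on lo0 all
pass quick on $int_if all

# Point (1) plus the redundancy note: one stateful "pass out" per protocol.
# pf translates an outbound packet before the "out" filter rules on that
# interface evaluate it, so after the nat rule the forwarded packets carry
# lnc0's address and match "from ($ext_if)" exactly like the host's own
# traffic. The "port = domain" and "port = ntp" variants were subsets of
# these three rules and are dropped.
pass out on $ext_if inet proto tcp  from ($ext_if) to any keep state
pass out on $ext_if inet proto udp  from ($ext_if) to any keep state
pass out on $ext_if inet proto icmp from ($ext_if) to any keep state

# Inbound services on the firewall itself. The DNS rules are kept but made
# stateful (an assumption, the original ones were stateless); the stateful
# "pass out" rules above already cover the replies.
pass in on $ext_if inet proto { tcp, udp } from any to ($ext_if) port domain keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
```

The remaining inbound rules from the quoted ruleset (ftp-data, 31337, 53333:55555) are not shown and would be added back unchanged if they are wanted. Parse the file without loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and confirm the translation rule is in place with `pfctl -sn`; the forwarding Giorgos refers to is the `net.inet.ip.forwarding` sysctl, which has to be 1 for packets to be routed from ep0 to lnc0 at all.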