From: "James B. Byrne" <byrnejb@harte-lyne.ca>
To: "Kristof Provost"
Cc: byrnejb@harte-lyne.ca, freebsd-pf@freebsd.org
Date: Fri, 25 Jan 2019 09:17:19 -0500
Subject: Re: routing LAN traffic through/around a pf gateway
In-Reply-To: <77538042-3448-4C7F-8499-F492A06E52E9@sigsegv.be>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Thu, January 24, 2019 19:31, Kristof Provost wrote:
>
> On 25 Jan 2019, at 9:37, James B. Byrne via freebsd-pf wrote:
>
>> I have limited knowledge of PF, being in the process of transitioning
>> from 20+ years of RHEL/CentOS to FreeBSD. Neither do I possess a
>> great fund of knowledge respecting IP routing. That said, this is my
>> problem:
>>
>> On a small test LAN I have three hosts, W44, W4 and G5:
>>
>> network layout, gateway address 216.185.71.5
>>
>>       W44                      G5                       w4
>>  216.185.71.44  ---->  216.185.71.5          216.185.71.4   int_if IP
>>  192.168.150.44        192.168.150.5  ---->  192.168.150.4  int_if IP alias
>>
>> Using ssh and with PF running on the gateway, when I connect from
>> 216.185.71.44 to 216.185.71.4 then the ssh session operates normally.
>> However, if instead I connect from 216.185.71.44 to 192.168.150.4 then
>> the initial connection is made but the ssh session remains responsive
>> for a brief time before it becomes non-responsive. If I terminate the
>> PF running on the gateway the ssh session again becomes responsive.
>> If I do not terminate PF then eventually the ssh client disconnects
>> with a timeout error.
>>
>> Besides macros the entire active contents of pf.conf on G5 are:
>>
>> scrub in all no-df max-mss 1440 fragment reassemble
>>
>> block return out log all
>>
>> block drop in log all
>>
>> pass log on $int_if
>>
>> pass inet proto icmp all \
>>     icmp-type $icmp_types keep state
>>
>> pass out quick on $ext_if inet proto udp \
>>     from any \
>>     to any port 33433 >< 33626 keep state
>>
>> Which results in these rules when PF is running:
>>
>> @0 scrub in all no-df max-mss 1440 fragment reassemble
>> @1 block return out log all
>> @2 block drop in log all
>> @3 pass log on em0 all flags S/SA keep state
>> @4 pass inet proto icmp all icmp-type echoreq keep state
>> @5 pass inet proto icmp all icmp-type unreach keep state
>> @6 pass out quick on em1 inet proto udp from any to any port 33433 >< 33626 keep state
>>
> You don't appear to have a rule permitting the SSH traffic to pass
> through your router.
> I'm more than a little surprised you manage to establish a connection
> in the first place.
> Unless the connection existed before you started pf, of course.
>
> Try adding something like:
> pass inet proto tcp port 22
>
> Regards,
> Kristof

-- 
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
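The following pf.conf is an added example, not part of the thread and not James's or Kristof's own file. It takes the ruleset quoted above and folds in the SSH pass rule Kristof suggests, written out with an explicit "from any to any" so it parses the same way on FreeBSD whether or not the shorthand form is accepted. The interface names come from the loaded rules in the message (em0 = $int_if, em1 = $ext_if); the $icmp_types macro value is inferred from rules @4 and @5 and is an assumption, as is the optional tighter rule in the comment.

```pf
# Added example (not from the thread). Macro values are assumptions:
# em0/em1 come from the loaded rules @3 and @6 in the message, and the
# ICMP type list is inferred from rules @4 and @5.
ext_if = "em1"
int_if = "em0"
icmp_types = "{ echoreq, unreach }"

scrub in all no-df max-mss 1440 fragment reassemble

# Default deny in both directions, logged to pflog0 so the dropped
# packets can be seen with tcpdump.
block return out log all
block drop in log all

# Unchanged from the message: everything on the inside interface passes.
pass log on $int_if

# The missing piece. Nothing above permits TCP/22 arriving on $ext_if,
# so forwarded SSH is dropped by "block drop in log all". This is
# Kristof's suggestion with the host spec spelled out; the state entry
# it creates covers the return traffic.
pass inet proto tcp from any to any port 22 keep state

# A narrower alternative for this exact test case (assumed, not from
# the thread): allow only W44 to reach W4's alias address over SSH.
#   pass in on $ext_if inet proto tcp from 216.185.71.44 \
#       to 192.168.150.4 port 22 keep state

pass inet proto icmp all icmp-type $icmp_types keep state

pass out quick on $ext_if inet proto udp \
    from any to any port 33433 >< 33626 keep state
```

Before loading it, "pfctl -nf /etc/pf.conf" parses the file without applying it, and "pfctl -sr" afterwards shows the expanded rule in the numbered list the message quotes. Because the two block rules carry "log", running "tcpdump -n -e -ttt -i pflog0" on the gateway while an SSH connection is attempted shows whether the SYN on em1 is still being dropped, which is the quickest way to confirm Kristof's diagnosis before and after the change; "pfctl -ss" then lists the port 22 state once the rule is in place.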