From: Rob Lensen <rob@bsdfreaks.nl>
Date: Fri, 10 Dec 2004 16:07:06 +0100
To: freebsd-pf@freebsd.org
Subject: Strange bridge problem with pf

Hello,

I have a strange problem with pf on a bridged setup. I did read the previous thread about the pf problem with a bridge, since the sysctl value of ipf bridge should be enabled. In the attached file the pf.conf is given (fxp0 is the outside NIC). The firewall is working for all machines behind the firewall except sf1; nothing seems to go to this machine if the firewall is enabled.

If I look at the output of pfctl -sr I can see the rules for this machine are loaded:

@7 pass in quick on fxp0 inet proto tcp from any to X.6 port = ssh flags S/SA keep state
@16 pass in quick on fxp0 inet proto tcp from any to X.6 port = http flags S/SA keep state
@17 pass in quick on fxp0 inet proto tcp from any to X.6 port = https flags S/SA keep state

This should open the ports for ssh and http to machine X.6 (sf1), however no connection can be made. Nmap shows:

22/tcp open ssh
80/tcp open http

# telnet X.6 22 gives a timeout

All other hosts are working fine. Does anyone have any clue on this problem?

Best,
Rob Lensen

Attachment: pf.conf.new

outside="fxp0"
ext_if="fxp0"
inside="fxp1"
local="rl0"
ext_ip=""
local_net ="X.0/24"

# Tables: similar to macros, but more flexible for many addresses.
# (the table name did not survive the archived copy; <tablename> is a placeholder)
table <tablename> { 127.0.0.0/8, 192.168.1.0/16, 172.16.0.0/12, 10.0.0.0/8 }

set loginterface $outside
set block-policy return

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
#scrub in all

web_A_2 = "X.2"
web_A_3 = "X.3"
web_A_4 = "X.4"
web_A_7 = "X.7"
web_A_8 = "X.8"
web_A_9 = "X.9"
web_A_20 = "X.20"
sf1 = "X.6"
sf2 = "X.30"
mysql2 = "X.14"
extranet = "X.13"
firewall = "X.254"
sec_dns = "X"

http_servers = "{" $web_A_2 $web_A_4 $sf1 $web_A_8 $web_A_9 $extranet "}"
ssh_servers = "{" $web_A_2 $sf1 $sf2 $extranet $mysql2 $firewall "}"
ftp_servers = "{" $web_A_2 $sf1 "}"
mail_servers = "{" $extranet "}"
samba_servers = "{" $extranet "}"
dns_servers = "{" $web_A_3 "}"

ssh_ports = "{ 22 }"
http_ports = "{ 80 , 443 }"
ftp_ports = "{ 20, 21 }"
ftp_ports_pasv = "{ 65000:65500 }"
snmp_ports = "{ 161 }"
mysql_ports = "{ 3306 }"
dns_ports = "{ 53 }"
email_ports = "{ 25, 110, 143, 993, 995 }"
samba_udp_ports = "{ 137, 138, 587 }"
samba_tcp_ports = "{ 139, 445, 587 }"

# filtering done on public side of bridge, so allow everything
# on the protected side of things
pass in quick on $inside all
pass out quick on $inside all

# block everything by default on bridge
block in log on $outside all
pass out on $outside all
#block out log on $outside all

pass in quick on $local all
pass out quick on $local all

############
# IN RULES
############

#allow ssh to defined servers
pass in quick on $outside proto tcp from any to $ssh_servers \
     port $ssh_ports flags S/SA keep state

#allow http for the defined servers
pass in quick on $outside proto tcp from any to $http_servers \
     port $http_ports flags S/SA keep state

#allow ftp for defined servers
pass in quick on $outside proto tcp from any to $ftp_servers \
     port $ftp_ports #flags S/SA keep state
pass in quick on $outside proto tcp from any to $ftp_servers \
     port $ftp_ports_pasv #keep state

#allow email for defined server
pass in quick on $outside proto tcp from any to $mail_servers \
     port $email_ports #flags S/SA keep state

#allow samba for defined server
pass in quick on $outside proto tcp from any to $samba_servers \
     port $samba_tcp_ports #flags S/SA keep state
pass in quick on $outside proto udp from any to $samba_servers \
     port $samba_udp_ports #keep state

#allow dns for defined server
pass in quick on $outside proto { tcp, udp } from any to $dns_servers \
     port domain keep state

#snmp on firewall
#pass in quick on $outside proto {tcp, udp } from any to $local_ip \
#     port $snmp_ports
#pass in quick on $local proto {tcp,udp } from any to $firewall_bridge \
#     port $snmp_ports

# Allow ICMP (ping) IN
# pass out/in certain ICMP queries and keep state (ping)
pass in on $outside inet proto icmp all icmp-type {0,3 ,8, 11}

############
# OUT RULES
############

# Allow ICMP (ping) OUT
pass out on $outside inet proto icmp all icmp-type {0,3 ,8, 11}

# Pass (Allow) all UDP/TCP OUT and keep state
pass out on $outside proto udp all #keep state
pass out on $outside proto tcp all
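The post's method of checking is to read `pfctl -sr` by eye and confirm that rules @7, @16 and @17 are loaded. As an added example (not part of Rob's message and not pf's own code), the script below parses rules in that `pfctl -sr` format and applies pf's evaluation semantics to a described packet: every rule is tried in order, the last matching rule wins, and a matching rule marked `quick` ends evaluation immediately. The sample ruleset is constructed from the three rules quoted in the post plus the bridge's `block in log on fxp0 all` / `pass out on fxp0 all` from the attached pf.conf; the numbers @2 and @3 for those two are assumed from the config order, the hosts keep the post's masked `X.n` form, and only the syntax subset appearing in the thread is parsed.

```python
"""Minimal evaluator for `pfctl -sr` rules (added example, not from the post).

Supported subset: action, direction, `quick`/`log`, `on <iface>`, `inet`,
`proto <p>`, `from <a> to <b>` or `all`, and `port = <name|number>`.
Trailing options such as `flags S/SA keep state` are ignored and addresses
are compared as plain string tokens.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Small service-name table so "port = ssh" can be compared with a number.
SERVICES = {"ssh": 22, "http": 80, "https": 443, "domain": 53}

RULE_RE = re.compile(
    r"^@(?P<num>\d+)\s+(?P<action>pass|block)\s+(?P<dir>in|out)"
    r"(?P<opts>(?:\s+(?:quick|log))*)"
    r"(?:\s+on\s+(?P<iface>\S+))?"
    r"(?:\s+inet6?)?"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"(?:\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s*=\s*(?P<port>\S+))?|\s+all)"
)


@dataclass
class Rule:
    number: int
    action: str            # "pass" or "block"
    direction: str         # "in" or "out"
    quick: bool
    iface: Optional[str]   # None means any interface
    proto: Optional[str]   # None means any protocol
    src: str               # "any" or an address token
    dst: str
    dport: Optional[int]   # None means any destination port


def parse_rule(line: str) -> Rule:
    """Parse one `pfctl -sr` line; rejects syntax outside the supported subset."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    port = m.group("port")
    dport = None
    if port is not None:
        if port.isdigit():
            dport = int(port)
        elif port in SERVICES:
            dport = SERVICES[port]
        else:
            raise ValueError(f"unknown service name: {port!r}")
    return Rule(
        number=int(m.group("num")),
        action=m.group("action"),
        direction=m.group("dir"),
        quick="quick" in m.group("opts").split(),
        iface=m.group("iface"),
        proto=m.group("proto"),
        src=m.group("src") or "any",
        dst=m.group("dst") or "any",
        dport=dport,
    )


def parse_ruleset(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines() if l.strip()]


def evaluate(rules: List[Rule], iface: str, direction: str, proto: str,
             src: str, dst: str, dport: int) -> Tuple[str, Optional[int]]:
    """pf semantics: the last matching rule wins, unless a matching rule is
    `quick`, which stops evaluation there. With no match at all pf passes."""
    winner = None
    for r in rules:
        if r.direction != direction:
            continue
        if r.iface is not None and r.iface != iface:
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.src != "any" and r.src != src:
            continue
        if r.dst != "any" and r.dst != dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        winner = r
        if r.quick:
            break
    if winner is None:
        return ("pass", None)
    return (winner.action, winner.number)


# Constructed sample: the three rules quoted in the post plus the bridge's
# default block / pass-out rules from the attached pf.conf. The numbers @2
# and @3 are assumed from the config order, not taken from the post.
SAMPLE_RULESET = """
@2 block in log on fxp0 all
@3 pass out on fxp0 all
@7 pass in quick on fxp0 inet proto tcp from any to X.6 port = ssh flags S/SA keep state
@16 pass in quick on fxp0 inet proto tcp from any to X.6 port = http flags S/SA keep state
@17 pass in quick on fxp0 inet proto tcp from any to X.6 port = https flags S/SA keep state
"""
RULES = parse_ruleset(SAMPLE_RULESET)

if __name__ == "__main__":
    for pkt in [("fxp0", "in", "tcp", "client", "X.6", 22),
                ("fxp0", "in", "tcp", "client", "X.6", 3306),
                ("fxp0", "out", "tcp", "X.6", "client", 40000)]:
        print(pkt, "->", evaluate(RULES, *pkt))
```

For the packet in the post (in on fxp0, tcp to X.6 port 22) the evaluator returns `("pass", 7)`, which matches what Rob observed in `pfctl -sr`: the ruleset itself would pass the connection. When the rules say pass but the host still times out, the next thing to check is whether pf is even seeing and forwarding the bridged frames (the bridge sysctl the post mentions) and whether a state entry appears for the attempt in `pfctl -ss`; no state entry while the rule says pass points at the bridge path rather than at the filter rules.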