From: Jeffrey Williams <jeff@sailorfej.net>
To: freebsd-pf@freebsd.org
Date: Wed, 26 Jul 2006 00:45:19 -0700
Message-ID: <44C71D8F.9090007@sailorfej.net>
Subject: nat/outbound traffic not passing in pf on FreeBSD 6.1

This is the first time I have tried to use pf on FreeBSD. I usually use ipfw; however, I have been using pf on OpenBSD and wanted to change over on my FreeBSD boxes. I am having problems with a very basic rule set for a NAT-ed small network.
Currently no traffic is being passed between the internal and public networks. I am using the same rule set (see below) on a pf firewall running on an OpenBSD 3.8 box, with the exception of the last rule (pass out ...), which I had to add to the FreeBSD boxes I am working on to be able to initiate outbound connections during configuration. This alone confuses me; I was under the impression that pf was default pass unless blocked, hence the starting of filter blocks of rules with "block in all" and/or "block out all". I did try adding a "pass out all" rule, but it had no effect.

The FreeBSD box is running 6.1p3 on a Dell PowerEdge 1850 with a single dual-core proc and an SMP kernel, if pertinent. IPSEC options are also in the kernel, including filtergif. This box will eventually become the perimeter firewall between our public IP space and the ISP (with queuing/traffic shaping requirements), while an identical box will replace it as the firewall between our public and private IP spaces and provide IPsec VPN tunnels as well.

Shown below, in order, are the rc.conf entries, the compiled kernel options, the pf.conf, and the pfctl -sa output. I would appreciate any assistance; I really don't want to have to go back to ipfw.
kern options:

    device pf
    device pflog
    device pfsync
    options ALTQ
    options ALTQ_CBQ
    options ALTQ_RED
    options ALTQ_RIO
    options ALTQ_HFSC
    options ALTQ_PRIQ
    options ALTQ_NOPCC

rc.conf entries:

    defaultrouter="o.o.33.41"
    hostname="me.domain.com"
    sshd_enable="YES"
    ifconfig_em0="inet o.o.33.46 netmask 255.255.255.248"
    ifconfig_em1="inet i.i.10.1 netmask 255.255.255.0"
    gateway_enable="YES"
    pf_enable="YES"
    pf_rules="/etc/pf.conf"
    pf_flags=""
    pflog_enable="YES"
    pflog_logfile="/var/log/pflog"
    pflog_flags=""

pf.conf entries:

    oif="em0"
    onwr="o.o.33.40/29"
    oip="o.o.33.46"
    iif="em1"
    inwr="i.i.10.0/24"
    iip="i.i.10.1"
    is1="i.i.10.15"

    scrub in all

    nat on $oif from $inwr to any -> $oif
    rdr on $oif proto tcp from any to $oip port 1000 -> $is1 port 22

    block in log all
    pass in on $oif proto tcp from any to $is1 port 22 keep state
    pass in on $oif proto tcp from any to $oip port 22 keep state
    pass in on $iif inet from $inwr to any keep state
    pass out on $oif inet from $oip to any keep state
    (additional rule referred to above that needed to be added to enable outbound connections, should not be needed?)
    antispoof for $oif
    antispoof for $iif

pfctl -sa output:

    TRANSLATION RULES:
    nat on em0 inet from i.i.10.0/24 to any -> o.o.33.46
    rdr on em0 inet proto tcp from any to o.o.33.46 port = cadlock2 -> i.i.10.15 port 22

    FILTER RULES:
    scrub in all fragment reassemble
    block drop in log all
    pass in on em0 inet proto tcp from any to i.i.10.15 port = ssh keep state
    pass in on em0 inet proto tcp from any to o.o.33.46 port = ssh keep state
    pass in on em1 inet from i.i.10.0/24 to any keep state
    pass out on em0 inet from o.o.33.46 to any keep state
    block drop in on ! em0 inet from o.o.33.i/29 to any
    block drop in on em0 inet6 from fe80::213:72ff:fe5f:6e6b to any
    block drop in inet from o.o.33.46 to any
    block drop in on ! em1 inet from i.i.10.0/24 to any
    block drop in on em1 inet6 from fe80::213:72ff:fe5f:6e6c to any
    block drop in inet from i.i.10.1 to any

    No queue in use

    STATES:
    self tcp i.i.10.1:56727 <- i.i.10.15:22            FIN_WAIT_2:FIN_WAIT_2
    self tcp o.o.33.46:22 <- x.x.239.104:62760         ESTABLISHED:ESTABLISHED
    self pfsync o.o.33.46 -> 0.0.0.0                   SINGLE:NO_TRAFFIC

    INFO:
    Status: Enabled for 0 days 00:02:47           Debug: Urgent
    Hostid: 0xfb5oe08

    State Table                          Total             Rate
      current entries                        3
      searches                             838            5.0/s
      inserts                               20            0.1/s
      removals                              17            0.1/s
    Counters
      match                                 45            0.3/s
      bad-offset                             0            0.0/s
      fragment                               0            0.0/s
      short                                  0            0.0/s
      normalize                              0            0.0/s
      memory                                 0            0.0/s
      bad-timestamp                          0            0.0/s
      congestion                             0            0.0/s
      ip-option                              0            0.0/s
      proto-cksum                            0            0.0/s
      state-mismatch                         0            0.0/s
      state-insert                           0            0.0/s
      state-limit                            0            0.0/s
      src-limit                              0            0.0/s
      synproxy                               0            0.0/s

    TIMEOUTS:
    tcp.first                   120s
    tcp.opening                  30s
    tcp.established           86400s
    tcp.closing                 900s
    tcp.finwait                  45s
    tcp.closed                   90s
    tcp.tsdiff                   30s
    udp.first                    60s
    udp.single                   30s
    udp.multiple                 60s
    icmp.first                   20s
    icmp.error                   10s
    other.first                  60s
    other.single                 30s
    other.multiple               60s
    frag                         30s
    interval                     10s
    adaptive.start                 0 states
    adaptive.end                   0 states
    src.track                      0s

    LIMITS:
    states        hard limit    10000
    src-nodes     hard limit    10000
    frags         hard limit     5000

    OS FINGERPRINTS:
    345 fingerprints loaded
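The post's confusion (pf is default pass, yet "pass out all" seemed to change nothing) can be checked statically from the ruleset. The following is an added example written for this thread; it is not code from the post or from pf itself. It expands the macros of a pf.conf, keeps only the filter rules, and reports the effective default per direction, which rules can see traffic on each interface in each direction (in evaluation order, since without "quick" the last match wins), and any stateless pass rule that changes nothing because its direction already passes by default. PF_CONF is constructed from the rules quoted in the post with its placeholder addresses; all function names are this example's own, and it only understands the plain syntax the post uses (no anchors, tables, lists or negated interfaces).

```python
import re

# Constructed from the rules quoted in the post (placeholder addresses as given).
PF_CONF = """\
oif="em0"
onwr="o.o.33.40/29"
oip="o.o.33.46"
iif="em1"
inwr="i.i.10.0/24"
iip="i.i.10.1"
is1="i.i.10.15"
scrub in all
nat on $oif from $inwr to any -> $oif
rdr on $oif proto tcp from any to $oip port 1000 -> $is1 port 22
block in log all
pass in on $oif proto tcp from any to $is1 port 22 keep state
pass in on $oif proto tcp from any to $oip port 22 keep state
pass in on $iif inet from $inwr to any keep state
pass out on $oif inet from $oip to any keep state
antispoof for $oif
antispoof for $iif
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$')


def expand_macros(text):
    """Return non-empty, comment-stripped lines with $macro references expanded."""
    macros, lines = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        lines.append(re.sub(r"\$(\w+)",
                            lambda mm: macros.get(mm.group(1), mm.group(0)), line))
    return lines


def parse_filter_rules(lines):
    """Keep pass/block rules only; scrub, nat, rdr and antispoof are other sections."""
    rules = []
    for line in lines:
        toks = line.split()
        if toks[0] not in ("pass", "block"):
            continue
        direction = toks[1] if len(toks) > 1 and toks[1] in ("in", "out") else "both"
        iface = toks[toks.index("on") + 1] if "on" in toks else None  # None: any interface
        rules.append({
            "action": toks[0],
            "dir": direction,
            "iface": iface,
            "quick": "quick" in toks,
            "state": any(t in toks for t in ("keep", "modulate", "synproxy")),
            "text": line,
        })
    return rules


def covers(rule, direction):
    return rule["dir"] in (direction, "both")


def effective_default(rules):
    """pf passes whatever no rule matches; a direction is 'default block'
    only when some block rule exists for it."""
    return {d: ("block" if any(r["action"] == "block" and covers(r, d) for r in rules)
                else "pass") for d in ("in", "out")}


def redundant_pass_rules(rules):
    """A stateless pass rule in a direction with no block rule changes nothing:
    the packet would have passed anyway and no state entry is created."""
    defaults = effective_default(rules)
    return [r["text"] for r in rules
            if r["action"] == "pass" and not r["state"]
            and all(defaults[d] == "pass" for d in ("in", "out") if covers(r, d))]


def rules_on(rules, iface, direction):
    """Rules that can see traffic in `direction` on `iface`, in evaluation order."""
    return [r["text"] for r in rules
            if covers(r, direction) and r["iface"] in (None, iface)]


def audit(conf_text):
    rules = parse_filter_rules(expand_macros(conf_text))
    ifaces = sorted({r["iface"] for r in rules if r["iface"]})
    return {
        "defaults": effective_default(rules),
        "redundant": redundant_pass_rules(rules),
        "per_iface": {(i, d): rules_on(rules, i, d) for i in ifaces for d in ("in", "out")},
    }


if __name__ == "__main__":
    report = audit(PF_CONF)
    print("default policy:", report["defaults"])
    for (iface, d), texts in sorted(report["per_iface"].items()):
        print(f"{iface} {d}:")
        for t in texts:
            print("   ", t)
    for t in report["redundant"]:
        print("no effect:", t)
```

For the post's ruleset the audit reports inbound as default block and outbound as default pass, which is why a bare "pass out all" is a no-op here: only a pass rule with "keep state" adds anything, because it creates the state entry that lets the reply through the "block in log all" rule. This is a reading aid only; the authoritative parse is still pfctl -nvf /etc/pf.conf.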