Date:      Tue, 25 Mar 2008 09:21:32 +0000
From:      Greg Hennessy <Greg.Hennessy@nviz.net>
To:        Doug Sampson <dougs@dawnsign.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Bacula File/Storage Connection Woes using PF
Message-ID:  <47E8C41C.9020708@nviz.net>
In-Reply-To: <9DE6EC5B5CF8C84281AE3D7454376A0D6D028B@cetus.dawnsign.com>
References:  <9DE6EC5B5CF8C84281AE3D7454376A0D6D028B@cetus.dawnsign.com>

Doug Sampson wrote:
>> On Friday 21 March 2008 21:59:46 Doug Sampson wrote:
>>> I want to back up a client running packet filter. I am using Bacula to
>>> back up this client to a Bacula server in the internal network. The
>>> Bacula client has two interfaces- one external and one internal. The
>>> client's internal IF is 192.168.1.25. The Bacula server is at
>>> 192.168.1.17.
>>>
>>> When I attempt to contact the Bacula file daemon on the client, it
>>> responds by sending packets to the Bacula server daemon at a different
>>> port. It should contact the storage daemon at port 9103 but instead it
>>> attempts to contact the storage daemon at a port address that is not
>>> 9103. Thus the backup job fails.
>>>
>>> I've tried rdr to no avail. Here's my pf.conf:
>>>
>>> mailfilter@/usr/local/etc# pfctl -vvnf /etc/pf.conf
>>
>> use "pfctl -vvsr" instead of -nf to make sure you really get the rules
>> that are loaded and not those that you wanted to load.
>>
>
> mailfilter-root@/usr/local/etc# pfctl -vvsr
> No ALTQ support in kernel
> ALTQ related functions disabled
> @0 scrub in all fragment reassemble
>   [ Evaluations: 18953753  Packets: 9488185   Bytes: 0           States: 0 ]
> @0 block drop in log all
>   [ Evaluations: 125309    Packets: 710       Bytes: 107361      States: 0 ]
> @1 pass in log inet proto tcp from any to xxx.xxx.xxx.xxx port = smtp flags S/SA synproxy state
>   [ Evaluations: 61682     Packets: 333       Bytes: 141046      States: 0 ]
> @2 pass out log inet proto tcp from xxx.xxx.xxx.xxx to any port = smtp flags S/SA synproxy state
>   [ Evaluations: 92705     Packets: 0         Bytes: 0           States: 0 ]
> @3 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
>   [ Evaluations: 78929     Packets: 0         Bytes: 0           States: 0 ]
> @4 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state
>   [ Evaluations: 29478     Packets: 0         Bytes: 0           States: 0 ]
> @5 block drop in log quick on rl0 inet from 127.0.0.0/8 to any
>   [ Evaluations: 75458     Packets: 0         Bytes: 0           States: 0 ]
> @6 block drop in log quick on rl0 inet from 192.168.0.0/16 to any
>   [ Evaluations: 670       Packets: 0         Bytes: 0           States: 0 ]
> @7 block drop in log quick on rl0 inet from 172.16.0.0/12 to any
>   [ Evaluations: 670       Packets: 0         Bytes: 0           States: 0 ]
> @8 block drop in log quick on rl0 inet from 10.0.0.0/8 to any
>   [ Evaluations: 670       Packets: 0         Bytes: 0           States: 0 ]
> @9 block drop out log quick on rl0 inet from any to 127.0.0.0/8
>   [ Evaluations: 62532     Packets: 0         Bytes: 0           States: 0 ]
> @10 block drop out log quick on rl0 inet from any to 192.168.0.0/16
>   [ Evaluations: 12557     Packets: 0         Bytes: 0           States: 0 ]
> @11 block drop out log quick on rl0 inet from any to 172.16.0.0/12
>   [ Evaluations: 12557     Packets: 0         Bytes: 0           States: 0 ]
> @12 block drop out log quick on rl0 inet from any to 10.0.0.0/8
>   [ Evaluations: 12557     Packets: 0         Bytes: 0           States: 0 ]
> @13 block drop in log quick on ! xl0 inet from 192.168.1.0/24 to any
>   [ Evaluations: 125309    Packets: 0         Bytes: 0           States: 0 ]
> @14 block drop in log quick inet from 192.168.1.25 to any
>   [ Evaluations: 112752    Packets: 0         Bytes: 0           States: 0 ]
> @15 pass in on xl0 inet from 192.168.1.0/24 to any
>   [ Evaluations: 61682     Packets: 60947     Bytes: 17390149    States: 0 ]
> @16 pass out log on xl0 inet from any to 192.168.1.0/24
>   [ Evaluations: 124639    Packets: 51070     Bytes: 43963111    States: 0 ]
> @17 pass out log quick on xl0 inet from any to 10.8.0.0/24
>   [ Evaluations: 51070     Packets: 0         Bytes: 0           States: 0 ]
> @18 pass out on rl0 proto tcp all flags S/SA modulate state
>   [ Evaluations: 64297     Packets: 53895     Bytes: 42581384    States: 4 ]
> @19 pass out on rl0 proto udp all keep state
>   [ Evaluations: 12557     Packets: 23586     Bytes: 1793665     States: 0 ]
> @20 pass out on rl0 proto icmp all keep state
>   [ Evaluations: 12557     Packets: 0         Bytes: 0           States: 0 ]
> @21 pass in on rl0 inet proto tcp from any to 192.168.1.4 port = http flags S/SA synproxy state
>   [ Evaluations: 74239     Packets: 0         Bytes: 0           States: 0 ]
> @22 pass in on xl0 inet proto tcp from any to 192.168.1.25 port = ssh keep state
>   [ Evaluations: 112420    Packets: 0         Bytes: 0           States: 0 ]
> mailfilter-root@/usr/local/etc#
>
> According to the output of "pfctl -vvsr", the packets are being allowed back
> into the internal network which is what I want (according to rule #16).
>   
That's part of the problem.....


> Is there another way of writing rules that will enable the Bacula client to
> pass packets to the correct port number?
>   
Yes, make the 1st rule

    block log all

to drop both ingress and egress traffic by default.

Secondly, get rid of the stateless rules. Use keep state everywhere, with
flags S/SA if matching tcp traffic.


Regards

Greg
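A pf.conf fragment, added here as an illustration and not taken from the thread, that puts the stateless rules from Doug's listing beside the default-deny, stateful form Greg describes. Assumed: xl0 is the internal interface and rl0 the external one (as rules @13 and @15 imply), and 9102 is the file-daemon port, which the thread does not state.

```pf
# Added example, not from the thread: the stateless shape of the loaded
# rules beside the default-deny, stateful shape Greg recommends.
# Assumptions: xl0 internal, rl0 external (inferred from rules @13/@15);
# storage daemon 192.168.1.17 port 9103 (from the thread); the file
# daemon on this host listens on 9102, Bacula's default FD port
# (assumed, the thread does not state it).

int_if    = "xl0"
ext_if    = "rl0"
this_host = "192.168.1.25"
bacula_sd = "192.168.1.17"
sd_port   = "9103"
fd_port   = "9102"

set skip on lo0
scrub in all fragment reassemble

# Weak (as loaded): the default deny covers only inbound traffic, and the
# LAN pass rules are stateless, so every packet of a TCP connection,
# replies included, is re-evaluated against the rules in order and
# passes or fails depending on which stateless rule it happens to hit.
#
#   block drop in log all
#   pass in  on $int_if inet from 192.168.1.0/24 to any
#   pass out log on $int_if inet from any to 192.168.1.0/24

# Corrected: drop both directions by default, then open only what is
# needed with flags S/SA keep state.
block log all

# FD -> SD: only the initial SYN has to match; pf then creates a state
# entry and passes the rest of that connection in both directions.
pass out quick on $int_if inet proto tcp from $this_host to $bacula_sd \
    port $sd_port flags S/SA keep state

# Director/server -> FD on this host.
pass in quick on $int_if inet proto tcp from 192.168.1.0/24 to $this_host \
    port $fd_port flags S/SA keep state

# Inbound smtp to this host, as in rules @1/@3, but stateful.
pass in quick on $ext_if inet proto tcp from any to ($ext_if) \
    port smtp flags S/SA keep state

# Anything else this host needs (dns, ntp, outbound smtp ...) gets its own
# keep state rule here; with the default block nothing else passes silently.
```

Check the file with pfctl -nf before loading it, then confirm with pfctl -vvsr, as suggested earlier in the thread, that the rules in the kernel are the ones intended.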

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?47E8C41C.9020708>