From: Greg Hennessy
Date: Tue, 25 Mar 2008 09:21:32 +0000
To: Doug Sampson
Cc: freebsd-pf@freebsd.org
Subject: Re: Bacula File/Storage Connection Woes using PF

Doug Sampson wrote:
>> On Friday 21 March 2008 21:59:46 Doug Sampson wrote:
>>
>>> I want to back up a client running packet filter. I am using Bacula to
>>> back up this client to a Bacula server in the internal network. The
>>> Bacula client has two interfaces: one external and one internal. The
>>> client's internal IF is 192.168.1.25. The Bacula server is at
>>> 192.168.1.17.
>>>
>>> When I attempt to contact the Bacula file daemon on the client, it
>>> responds by sending packets to the Bacula server daemon at a different
>>> port. It should contact the storage daemon at port 9103 but instead it
>>> attempts to contact the storage daemon at a port address that is not
>>> 9103. Thus the backup job fails.
>>>
>>> I've tried rdr to no avail. Here's my pf.conf:
>>>
>>> mailfilter@/usr/local/etc# pfctl -vvnf /etc/pf.conf
>>>
>> use "pfctl -vvsr" instead of -nf to make sure you really get
>> the rules that are loaded and not those that you wanted to load.
>>
>
> mailfilter-root@/usr/local/etc# pfctl -vvsr
> No ALTQ support in kernel
> ALTQ related functions disabled
> @0 scrub in all fragment reassemble
>   [ Evaluations: 18953753 Packets: 9488185 Bytes: 0 States: 0 ]
> @0 block drop in log all
>   [ Evaluations: 125309 Packets: 710 Bytes: 107361 States: 0 ]
> @1 pass in log inet proto tcp from any to xxx.xxx.xxx.xxx port = smtp flags S/SA synproxy state
>   [ Evaluations: 61682 Packets: 333 Bytes: 141046 States: 0 ]
> @2 pass out log inet proto tcp from xxx.xxx.xxx.xxx to any port = smtp flags S/SA synproxy state
>   [ Evaluations: 92705 Packets: 0 Bytes: 0 States: 0 ]
> @3 pass in log inet proto tcp from 192.168.1.0/24 to 192.168.1.25 port = smtp flags S/SA synproxy state
>   [ Evaluations: 78929 Packets: 0 Bytes: 0 States: 0 ]
> @4 pass in log quick on xl0 inet proto tcp from any to 192.168.1.25 port = ssh flags S/SA synproxy state
>   [ Evaluations: 29478 Packets: 0 Bytes: 0 States: 0 ]
> @5 block drop in log quick on rl0 inet from 127.0.0.0/8 to any
>   [ Evaluations: 75458 Packets: 0 Bytes: 0 States: 0 ]
> @6 block drop in log quick on rl0 inet from 192.168.0.0/16 to any
>   [ Evaluations: 670 Packets: 0 Bytes: 0 States: 0 ]
> @7 block drop in log quick on rl0 inet from 172.16.0.0/12 to any
>   [ Evaluations: 670 Packets: 0 Bytes: 0 States: 0 ]
> @8 block drop in log quick on rl0 inet from 10.0.0.0/8 to any
>   [ Evaluations: 670 Packets: 0 Bytes: 0 States: 0 ]
> @9 block drop out log quick on rl0 inet from any to 127.0.0.0/8
>   [ Evaluations: 62532 Packets: 0 Bytes: 0 States: 0 ]
> @10 block drop out log quick on rl0 inet from any to 192.168.0.0/16
>   [ Evaluations: 12557 Packets: 0 Bytes: 0 States: 0 ]
> @11 block drop out log quick on rl0 inet from any to 172.16.0.0/12
>   [ Evaluations: 12557 Packets: 0 Bytes: 0 States: 0 ]
> @12 block drop out log quick on rl0 inet from any to 10.0.0.0/8
>   [ Evaluations: 12557 Packets: 0 Bytes: 0 States: 0 ]
> @13 block drop in log quick on ! xl0 inet from 192.168.1.0/24 to any
>   [ Evaluations: 125309 Packets: 0 Bytes: 0 States: 0 ]
> @14 block drop in log quick inet from 192.168.1.25 to any
>   [ Evaluations: 112752 Packets: 0 Bytes: 0 States: 0 ]
> @15 pass in on xl0 inet from 192.168.1.0/24 to any
>   [ Evaluations: 61682 Packets: 60947 Bytes: 17390149 States: 0 ]
> @16 pass out log on xl0 inet from any to 192.168.1.0/24
>   [ Evaluations: 124639 Packets: 51070 Bytes: 43963111 States: 0 ]
> @17 pass out log quick on xl0 inet from any to 10.8.0.0/24
>   [ Evaluations: 51070 Packets: 0 Bytes: 0 States: 0 ]
> @18 pass out on rl0 proto tcp all flags S/SA modulate state
>   [ Evaluations: 64297 Packets: 53895 Bytes: 42581384 States: 4 ]
> @19 pass out on rl0 proto udp all keep state
>   [ Evaluations: 12557 Packets: 23586 Bytes: 1793665 States: 0 ]
> @20 pass out on rl0 proto icmp all keep state
>   [ Evaluations: 12557 Packets: 0 Bytes: 0 States: 0 ]
> @21 pass in on rl0 inet proto tcp from any to 192.168.1.4 port = http flags S/SA synproxy state
>   [ Evaluations: 74239 Packets: 0 Bytes: 0 States: 0 ]
> @22 pass in on xl0 inet proto tcp from any to 192.168.1.25 port = ssh keep state
>   [ Evaluations: 112420 Packets: 0 Bytes: 0 States: 0 ]
> mailfilter-root@/usr/local/etc#
>
> According to the output of "pfctl -vvsr", the packets are being allowed back
> into the internal network, which is what I want (according to rule #16).
> That's part of the problem.....
> Is there another way of writing rules that will enable the Bacula client to
> pass packets to the correct port number?
>

Yes, make the first rule "block log all" to drop both ingress and egress
traffic by default. Secondly, get rid of the stateless rules. Use keep state
everywhere, with flags S/SA if matching tcp traffic.

Regards

Greg
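The rewrite Greg recommends, shown as a pf.conf fragment for the Bacula client in the thread. This is an added example, not the poster's or Greg's own configuration: the interface names rl0/xl0 and the two Bacula addresses come from the thread, the file-daemon port 9102 is the Bacula default and is assumed here, and the thread's existing stateful smtp/ssh/http rules would stay as they are.

```pf
# Added example, not the poster's pf.conf. Interface names and the two
# Bacula addresses are from the thread; everything else is assumed.
ext_if    = "rl0"
int_if    = "xl0"
bacula_sd = "192.168.1.17"   # storage daemon on the internal network
bacula_fd = "192.168.1.25"   # this host's internal address (file daemon)

# Before (rules @0, @15 and @16 in the thread): an inbound-only default
# deny plus stateless passes on the internal interface. Nothing blocks
# outbound traffic by default, and a stateless 'pass out' creates no
# state entry, so the storage daemon's reply packets have to be matched
# by a separate inbound rule rather than by the connection that caused them.
#   block drop in log all
#   pass in  on xl0 inet from 192.168.1.0/24 to any
#   pass out log on xl0 inet from any to 192.168.1.0/24

# After: deny both directions by default, then make every pass stateful.
# The SYN of the file daemon's connection to the storage daemon creates a
# state entry; every reply packet (whatever port the SD answers from) is
# matched by that entry and needs no rule of its own.
block log all

# Director on the internal network reaching the file daemon on this host
# (Bacula default FD port 9102 is an assumption; the thread only names 9103).
pass in  on $int_if inet proto tcp from 192.168.1.0/24 to $bacula_fd port 9102 \
    flags S/SA keep state

# File daemon on this host connecting out to the storage daemon on 9103
pass out on $int_if inet proto tcp from $bacula_fd to $bacula_sd port 9103 \
    flags S/SA keep state
```

Load it with "pfctl -f /etc/pf.conf" and confirm with "pfctl -vvsr", as the earlier reply suggests, that the States counters on the two Bacula rules increase when a job runs.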