From: Maciej Milewski <milu@dat.pl>
To: freebsd-pf@freebsd.org
Date: Sun, 1 Aug 2010 01:32:37 +0200
Subject: pf filtering openvpn problem
Message-Id: <201008010132.38555.milu@dat.pl>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi All,

I'm trying to set up OpenVPN in non-NAT mode and I'm stuck on something that I don't understand.
The setup is rather simple:

(internet) -> (nat) -> (ovpn gate-10.0.10.4) -> (host-10.0.10.2)
     |
 vpn client

Routing is set properly on the server; otherwise tcpdump wouldn't show returning packets from that host. The firewall on the host is disabled. Ping from the client to the host works fine. The problem is connecting to ssh or http: it's blocked by the gate on the returning packet. Can someone point me to where the problem is? If ping works, then I think TCP should work too. NAT mode in the same setup works correctly, but I'd like to go without NATing. Is it possible at all?

The pf rules are the following:

# pfctl -s rules
block drop in log all
pass out log on sk0 inet from (sk0) to any flags S/SA keep state
pass out log on tun0 inet from (tun0) to any flags S/SA keep state
pass in log on sk0 inet proto tcp from any to 10.0.10.4 port = ssh flags S/SA keep state (source-track rule, max-src-conn 15, max-src-conn-rate 5/3, overload <flush> global, src.track 3)
pass in log on sk0 inet proto udp from any to 10.0.10.4 port = 1194 keep state
pass log on tun0 inet proto tcp from 10.10.0.0/24 to 10.0.10.2 flags S/SA keep state
pass log on tun0 inet proto udp from 10.10.0.0/24 to 10.0.10.2 keep state
pass log on tun0 inet proto icmp from 10.10.0.0/24 to 10.0.10.2 keep state
pass log on sk0 inet proto tcp from 10.0.10.2 to 10.10.0.0/24 flags S/SA keep state
pass log on sk0 inet proto udp from 10.0.10.2 to 10.10.0.0/24 keep state
pass log on sk0 inet proto icmp from 10.0.10.2 to 10.10.0.0/24 keep state

and the tcpdump output from pflog:

# tcpdump -n -e -ttt -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
00:00:00.000259 rule 7/0(match): pass in on tun0: 10.10.0.8 > 10.0.10.2: ICMP echo request, id 6381, seq 1, length 64
00:00:00.000494 rule 10/0(match): pass in on sk0: 10.0.10.2 > 10.10.0.8: ICMP echo reply, id 6381, seq 1, length 64
00:00:02.392510 rule 5/0(match): pass in on tun0: 10.10.0.8.33259 > 10.0.10.2.22: [|tcp]
00:00:00.000630 rule 0/0(match): block in on sk0: 10.0.10.2.22 > 10.10.0.8.33259: [|tcp]
00:00:02.997354 rule 0/0(match): block in on sk0: 10.0.10.2.22 > 10.10.0.8.33259: [|tcp]
00:00:02.999400 rule 0/0(match): block in on sk0: 10.0.10.2.22 > 10.10.0.8.33259: [|tcp]
00:00:02.999907 rule 0/0(match): block in on sk0: 10.0.10.2.22 > 10.10.0.8.33259: [|tcp]

Regards,
Maciej
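To read pflog output like the above in bulk, here is an added Python example (not part of Maciej's mail and not pf's or tcpdump's own code) that parses `tcpdump -n -e -ttt -i pflog0` lines, groups them into flows, and reports how every packet logged in the reply direction was handled. The useful property of pflog here is that a rule with plain `log` (as opposed to `log (all)`) records only packets that were evaluated against the ruleset, i.e. the packet that created a state or a packet that matched no existing state; a reply that appears in the log at all therefore did not match the state created by the forward packet. The sample lines are the ones from the mail, embedded as a constructed literal; the field and function names are this example's own.

```python
import re
from collections import OrderedDict

# One `tcpdump -n -e -ttt -i pflog0` line as decoded by tcpdump's PFLOG support.
# Group names are this example's own choice, not a tcpdump or pf identifier.
LINE_RE = re.compile(
    r"^(?P<ts>[\d:.]+) rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)

# Constructed sample input: the pflog lines quoted in the mail, banner lines included.
SAMPLE_PFLOG = """\
tcpdump: WARNING: pflog0: no IPv4 address assigned
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
00:00:00.000259 rule 7/0(match): pass in on tun0: 10.10.0.8 > 10.0.10.2: ICMP echo request, id 6381, seq 1, length 64
00:00:00.000494 rule 10/0(match): pass in on sk0: 10.0.10.2 > 10.10.0.8: ICMP echo reply, id 6381, seq 1, length 64
00:00:02.392510 rule 5/0(match): pass in on tun0: 10.10.0.8.33259 > 10.0.10.2.22: [|tcp]
00:00:00.000630 rule 0/0(match): block in on sk0: 10.0.10.2.22 > 10.10.0.8.33259: [|tcp]
00:00:02.997354 rule 0/0(match): block in on sk0: 10.0.10.2.22 > 10.10.0.8.33259: [|tcp]
00:00:02.999400 rule 0/0(match): block in on sk0: 10.0.10.2.22 > 10.10.0.8.33259: [|tcp]
00:00:02.999907 rule 0/0(match): block in on sk0: 10.0.10.2.22 > 10.10.0.8.33259: [|tcp]
"""


def split_endpoint(endpoint):
    """'10.10.0.8.33259' -> ('10.10.0.8', 33259); a bare IPv4 address gets port None."""
    parts = endpoint.split(".")
    if len(parts) == 5 and parts[4].isdigit():
        return ".".join(parts[:4]), int(parts[4])
    return endpoint, None


def guess_proto(rest):
    """Classify the payload description; '[|tcp]' is tcpdump's truncated-TCP marker."""
    if rest.startswith("ICMP"):
        return "icmp"
    if rest.startswith("UDP"):
        return "udp"
    if "tcp" in rest or rest.startswith("Flags"):
        return "tcp"
    return "other"


def parse_pflog_line(line):
    """Return a dict for a rule-match line, or None for tcpdump banner/noise lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["src_ip"], rec["src_port"] = split_endpoint(rec["src"])
    rec["dst_ip"], rec["dst_port"] = split_endpoint(rec["dst"])
    rec["proto"] = guess_proto(rec["rest"])
    return rec


def fmt(endpoint):
    ip, port = endpoint
    return ip if port is None else "%s:%d" % (ip, port)


def analyze(lines):
    """Group logged packets into flows; the first logged packet defines the forward
    direction, and every later packet from the other endpoint is a reply that pf had
    to evaluate against the ruleset instead of matching to the forward packet's state."""
    flows = OrderedDict()
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is None:
            continue
        a = (rec["src_ip"], rec["src_port"])
        b = (rec["dst_ip"], rec["dst_port"])
        key = frozenset([a, b])           # direction-independent flow key
        flow = flows.get(key)
        if flow is None:
            flows[key] = {"proto": rec["proto"], "initiator": a, "responder": b,
                          "forward": rec, "replies": []}
        elif a != flow["initiator"]:
            flow["replies"].append(rec)
    findings = []
    for flow in flows.values():
        fwd, replies = flow["forward"], flow["replies"]
        findings.append({
            "proto": flow["proto"],
            "initiator": fmt(flow["initiator"]),
            "responder": fmt(flow["responder"]),
            "forward": "%s %s on %s (rule %d)" % (fwd["action"], fwd["dir"], fwd["ifname"], fwd["rule"]),
            "reply_blocked": sum(1 for r in replies if r["action"] == "block"),
            "reply_passed_by_rule": sum(1 for r in replies if r["action"] == "pass"),
            "reply_ifaces": sorted({r["ifname"] for r in replies}),
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_PFLOG.splitlines()):
        print("%(proto)s %(initiator)s -> %(responder)s: forward %(forward)s; "
              "replies blocked=%(reply_blocked)d, passed by a rule=%(reply_passed_by_rule)d "
              "on %(reply_ifaces)s" % f)
```

Run on the mail's lines it reports two flows: the ICMP echo reply on sk0 was passed by rule 10 rather than by the state rule 7 created, and all four TCP replies from 10.0.10.2:22 on sk0 were dropped by rule 0. Seeing a reply logged at all, even a passed one, is the signal to look at in a case like this; the script can be pointed at a saved `tcpdump -i pflog0` capture for the same check.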