Date: Tue, 30 May 2017 18:17:30 +0200 From: Kajetan Staszkiewicz <vegeta@tuxpowered.net> To: freebsd-pf@freebsd.org Subject: pf not checking traffic from tunnels Message-ID: <1853600.RL7SYQSJBX@energia>
Hello,

I have a setup where FreeBSD-based routers serving datacenters are connected via gif tunnels which are additionally encrypted using transport mode IPsec. Each router runs pf and provides firewalling between multiple VLANs. Tunnel interfaces were always trusted, though. Every rule is with the following options: "flags any keep state (sloppy)"

This of course makes the firewall a bit less secure but allows routers to be rebooted without (usually) resetting connections. Or at least that was the idea. Because of this rule I never noticed that in fact there are never states created for connections incoming on tunnels.

In a very simple experiment, even without routing to vlans but just by communication between routers I get the following behaviour:

1. I have this rule:

   pass quick log on $if_tunnels flags any keep state (sloppy)

2. I ping this router from another one.

3. I observe pflog0.

4. The 1st entry appearing on pflog0 is ANSWER to the ping:

   17:55:08.276321 rule 0..16777216/0(match): \
       pass out on gif_aw2_YYY1: 10.XX.YYY.201 > 10.XX.YYY.130: \
       ICMP echo reply, id 63443, seq 0, length 64

If I make a rule clearly matching incoming traffic, it won't ever match on packets, its counters won't increase. This is also seen here:

[root@aw-router02 ~]% pfctl -qvvsI | grep -A10 gif_
No ALTQ support in kernel
ALTQ related functions disabled
gif_aw2_awpay1
	Cleared:     Tue May 30 16:35:25 2017
	References:  3
	In4/Pass:    [ Packets: 9      Bytes: 660    ]
	In4/Block:   [ Packets: 0      Bytes: 0      ]
	Out4/Pass:   [ Packets: 10380  Bytes: 800248 ]
	Out4/Block:  [ Packets: 0      Bytes: 0      ]
	In6/Pass:    [ Packets: 0      Bytes: 0      ]
	In6/Block:   [ Packets: 0      Bytes: 0      ]
	Out6/Pass:   [ Packets: 0      Bytes: 0      ]
	Out6/Block:  [ Packets: 0      Bytes: 0      ]

Here I have a fast ping command running and Out4/Pass counters are increasing quite fast while In4/Pass does not grow at all.
This particular machine runs FreeBSD 11.0, same thing happens on my other routers running FreeBSD 10. Is there any option to check from userspace if the gif interface has pf attached in netpfil hook for incoming traffic? Running tcpdump on gif interface correctly shows incoming icmp echo request.

-- 
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
| Kajetan Staszkiewicz   | jabber,email: vegeta()tuxpowered net   |
| Vegeta                 | www: http://vegeta.tuxpowered.net      |
`------------------------^---------------------------------------'
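The post asks for a userspace way to tell whether inbound traffic on a gif interface is being seen by pf at all. The symptom it shows, Out4/Pass climbing while In4/Pass stays flat under a continuous ping, can at least be checked mechanically across all interfaces. The script below is an added example, not code from the post or from FreeBSD: it parses `pfctl -vvsI` output in the layout quoted above and flags interfaces where pf counts almost nothing inbound relative to outbound, which is consistent with (though not proof of) the inbound hook not running. The gif_aw2_awpay1 counters come from the post; the vlan10 interface and its numbers, the `min_out` and `max_ratio` thresholds, and the function names are assumptions made for the example.

```python
"""Parse `pfctl -vvsI` interface counters and flag interfaces whose outbound
pf counters are busy while inbound pf counters stay near zero.

Added example, not from the mailing-list post. The sample text below is
constructed in the layout the post quotes: gif_aw2_awpay1 uses the post's
values, vlan10 and its numbers are invented as a healthy comparison."""
import re
from typing import Dict, List

# Constructed sample of `pfctl -vvsI` output (layout as quoted in the post).
SAMPLE_PFCTL_OUTPUT = """\
No ALTQ support in kernel
ALTQ related functions disabled
gif_aw2_awpay1
\tCleared:     Tue May 30 16:35:25 2017
\tReferences:  3
\tIn4/Pass:    [ Packets: 9                  Bytes: 660                ]
\tIn4/Block:   [ Packets: 0                  Bytes: 0                  ]
\tOut4/Pass:   [ Packets: 10380              Bytes: 800248             ]
\tOut4/Block:  [ Packets: 0                  Bytes: 0                  ]
\tIn6/Pass:    [ Packets: 0                  Bytes: 0                  ]
\tIn6/Block:   [ Packets: 0                  Bytes: 0                  ]
\tOut6/Pass:   [ Packets: 0                  Bytes: 0                  ]
\tOut6/Block:  [ Packets: 0                  Bytes: 0                  ]
vlan10
\tCleared:     Tue May 30 16:35:25 2017
\tReferences:  2
\tIn4/Pass:    [ Packets: 5120               Bytes: 400000             ]
\tIn4/Block:   [ Packets: 3                  Bytes: 180                ]
\tOut4/Pass:   [ Packets: 5098               Bytes: 398000             ]
\tOut4/Block:  [ Packets: 0                  Bytes: 0                  ]
"""

# One indented counter line: "<dir>/<action>: [ Packets: N Bytes: M ]"
COUNTER_RE = re.compile(
    r"^\s+(?P<dir>In4|Out4|In6|Out6)/(?P<act>Pass|Block):\s*"
    r"\[\s*Packets:\s*(?P<pk>\d+)\s+Bytes:\s*(?P<by>\d+)\s*\]"
)


def parse_pfctl_interfaces(text: str) -> Dict[str, Dict[str, int]]:
    """Return {iface: {"In4/Pass": packets, "Out4/Pass": packets, ...}}.

    Interface names are the non-indented lines. The ALTQ notices are also
    non-indented but contain spaces, which interface names never do, so
    they are skipped on that basis."""
    stats: Dict[str, Dict[str, int]] = {}
    iface = None
    for line in text.splitlines():
        if line and not line[0].isspace():
            name = line.strip()
            if " " in name:
                continue  # "No ALTQ support in kernel" and similar notices
            iface = name
            stats[iface] = {}
            continue
        m = COUNTER_RE.match(line)
        if m and iface is not None:
            stats[iface][f"{m.group('dir')}/{m.group('act')}"] = int(m.group("pk"))
    return stats


def inbound_blind_interfaces(stats: Dict[str, Dict[str, int]],
                             min_out: int = 1000,
                             max_ratio: float = 0.01) -> List[str]:
    """Interfaces whose IPv4 inbound packet count (pass + block) is at most
    max_ratio of the outbound count, once outbound has reached min_out.

    Thresholds are assumptions for this example; tune them to the link.
    A flagged interface means pf is evaluating replies going out but almost
    nothing coming in, the pattern the post describes for its gif tunnel."""
    flagged = []
    for iface, c in stats.items():
        out_pk = c.get("Out4/Pass", 0) + c.get("Out4/Block", 0)
        in_pk = c.get("In4/Pass", 0) + c.get("In4/Block", 0)
        if out_pk >= min_out and in_pk <= out_pk * max_ratio:
            flagged.append(iface)
    return flagged


if __name__ == "__main__":
    import subprocess
    try:
        # On a FreeBSD host read the live counters; elsewhere fall back to the sample.
        text = subprocess.run(["pfctl", "-vvsI"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_PFCTL_OUTPUT
    for name in inbound_blind_interfaces(parse_pfctl_interfaces(text)):
        print(f"{name}: outbound counted by pf, inbound almost never")
```

Run it twice a few seconds apart while the ping is going and compare; a genuine inbound hook problem shows In4/Pass frozen between runs, whereas a merely quiet link shows both directions flat.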