Date: Sun, 19 Mar 2006 23:46:22 -0500
From: Mike Tancsa <mike@sentex.net>
To: freebsd-pf@freebsd.org
Subject: Strange problem with UDP packets and openvpn
Message-ID: <6.2.3.4.0.20060319230922.085947b0@64.7.153.2>
I have been having some problems with pf and openvpn on RELENG_6. I use UDP as the transport and I wanted to try blocking access from certain established connections, however it never seems to work. I add just two rules:

    block in log quick proto udp from any to any
    block out log quick proto udp from any to any

Yet it does not kill the connection (IP address 1.1.1.1 bound on lo0, ports 11648, 11649):

    tcpdump -i vlan38 -n -c 20 not port 22
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on vlan38, link-type EN10MB (Ethernet), capture size 96 bytes
    23:09:29.433952 IP 1.1.1.1.11649 > 199.212.134.18.65116: UDP, length 69
    23:09:29.441073 IP 199.212.134.18.65116 > 1.1.1.1.11649: UDP, length 69
    23:09:29.597941 IP 205.211.165.120.62612 > 1.1.1.51.53: 25588+ PTR? 18.134.212.199.in-addr.arpa. (45)
    23:09:29.598363 IP 1.1.1.51.53 > 205.211.165.120.62612: 25588* 1/2/2 (144)
    23:09:31.094967 IP 1.1.1.1.11648 > 199.212.134.18.63461: UDP, length 69
    23:09:31.100675 IP 199.212.134.18.63461 > 1.1.1.1.11648: UDP, length 69

I don't understand how these packets would be working? Dumping pflog0, I see the DNS packets being blocked, but I can still connect from the remote side as the openvpn packets are passed and processed. E.g. here is connecting across the tunnel:

    client-1-vpn # telnet 10.151.2.1 22
    Trying 10.151.2.1...
    Connected to 10.151.2.1.
    Escape character is '^]'.
    SSH-2.0-OpenSSH_4.2p1 FreeBSD-20050903
    Protocol mismatch.
    Connection closed by foreign host.

    # tcpdump -nei pflog0
    tcpdump: WARNING: pflog0: no IPv4 address assigned
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
    23:17:35.284785 rule 1/0(match): block out on lo0: 127.0.0.1.61107 > 127.0.0.1.53: 62092+[|domain]
    23:17:35.284825 rule 1/0(match): block out on vlan38: 205.211.165.120.58604 > 1.1.1.51.53: 62092+[|domain]

Now, if I kill openvpn and start it up after I have those rules in place, the packets are indeed stopped.

    23:23:48.943583 rule 0/0(match): block in on vlan38: 199.212.134.18.49856 > 1.1.1.1.11648: UDP, length 42
    23:23:51.081301 rule 0/0(match): block in on vlan38: 199.212.134.18.49856 > 1.1.1.1.11648: UDP, length 42
    23:23:51.685599 rule 0/0(match): block in on vlan38: 199.212.134.18.65183 > 1.1.1.1.11649: UDP, length 42
    23:23:53.219143 rule 0/0(match): block in on vlan38: 199.212.134.18.49856 > 1.1.1.1.11648: UDP, length 42
    23:23:53.942001 rule 0/0(match): block in on vlan38: 199.212.134.18.65183 > 1.1.1.1.11649: UDP, length 42
    23:23:55.528519 rule 0/0(match): block in on vlan38: 199.212.134.18.49856 > 1.1.1.1.11648: UDP, length 42
    23:23:56.198406 rule 0/0(match): block in on vlan38: 199.212.134.18.65183 > 1.1.1.1.11649: UDP, length 42

Why would the behavior be any different if I start or stop the program? The same strange behavior does not happen with ipfw.

---Mike

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
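The check a practitioner would run next in this situation, added here as an example and not part of the post: pf is stateful, and a packet that matches an entry in the state table is passed by that entry without the ruleset being evaluated, so a freshly loaded "block" rule only affects flows that have no state yet (which is why the restarted openvpn, whose old states had gone, was blocked). The script below parses "pfctl -ss" style state listings, picks out the UDP states that still cover the tunnel ports from the post, and builds the "pfctl -k" commands that remove them so the block rules apply. The sample state listing is constructed from the flows in the post, and the exact column layout and the meaning of the "<-" / "->" arrows are assumptions to compare against your own pfctl output; "pfctl -F states" is the blunter alternative that flushes everything.

```python
import re

# Constructed sample of `pfctl -ss` output, modelled on the flows in the
# post. The line layout (owner, proto, endpoints, direction arrow, state
# names) is an assumption for this example: compare against real output.
SAMPLE_STATES = """\
self udp 1.1.1.1:11649 <- 199.212.134.18:65116       MULTIPLE:MULTIPLE
self udp 1.1.1.1:11648 <- 199.212.134.18:63461       MULTIPLE:MULTIPLE
self udp 1.1.1.51:53 <- 205.211.165.120:62612       MULTIPLE:SINGLE
self tcp 1.1.1.1:22 <- 10.151.2.7:40122       ESTABLISHED:ESTABLISHED
"""

STATE_RE = re.compile(
    r"^\S+\s+(?P<proto>\w+)\s+"
    r"(?P<left>[0-9.]+):(?P<lport>\d+)\s+"
    r"(?P<arrow><->|<-|->)\s+"
    r"(?P<right>[0-9.]+):(?P<rport>\d+)\s+"
    r"(?P<state>\S+)\s*$"
)


def parse_states(text):
    """Parse pfctl -ss style lines into dicts with explicit source/destination.
    Assumption: with '<-' pf prints the destination on the left and the
    source on the right; with '->' the source is on the left."""
    entries = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue  # NAT entries with three endpoints etc. are skipped here
        g = m.groupdict()
        if g["arrow"] == "<-":
            src, sport = g["right"], int(g["rport"])
            dst, dport = g["left"], int(g["lport"])
        else:
            src, sport = g["left"], int(g["lport"])
            dst, dport = g["right"], int(g["rport"])
        entries.append({"proto": g["proto"], "src": src, "sport": sport,
                        "dst": dst, "dport": dport, "state": g["state"]})
    return entries


def find_udp_states(text, local_host, local_ports):
    """Return the existing UDP states that touch one of the local listening
    ports. Packets matching any of these are passed by the state table and
    never reach a newly added 'block' rule."""
    wanted = set(local_ports)
    return [e for e in parse_states(text)
            if e["proto"] == "udp"
            and ((e["dst"] == local_host and e["dport"] in wanted)
                 or (e["src"] == local_host and e["sport"] in wanted))]


def kill_commands(states):
    """Build the pfctl -k invocations (source host, then destination host)
    that remove those states so the block rules can take effect."""
    cmds = []
    for e in states:
        cmd = f"pfctl -k {e['src']} -k {e['dst']}"
        if cmd not in cmds:
            cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    hits = find_udp_states(SAMPLE_STATES, "1.1.1.1", [11648, 11649])
    for e in hits:
        print(f"{e['proto']} {e['src']}:{e['sport']} -> "
              f"{e['dst']}:{e['dport']} {e['state']}")
    for c in kill_commands(hits):
        print(c)
```

On a live box the input would come from "pfctl -ss" itself; the DNS and SSH states in the sample are left alone on purpose, which is the point of killing states per host pair rather than flushing the whole table.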