From: Sebastiaan van Erk <sebster@sebster.com>
Date: Tue, 03 Feb 2009 12:29:21 +0100
To: freebsd-pf@FreeBSD.org
Subject: GRE not natted on FreeBSD 7.1-p2
Message-ID: <49882A91.3050307@sebster.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi,

I've just upgraded my old old old FreeBSD 6.3 firewall box to FreeBSD 7.1-p2. However, now my firewall will suddenly no longer NAT GRE, so none of the client connections to remote (PPTP) VPNs are working.
When trying to connect from the client (10.1.0.6) to the internet, everything works fine (tcp/udp are natted), but when trying to set up a VPN my firewall log says:

3. 004630 rule 6/0(match): block out on vr0: 10.1.0.6 > 193.46.80.81: GREv1, call 55191, seq 10, proto PPP (0x880b), length 36: [|ppp]

(vr0 is my external interface, which is connected to the ADSL modem)

The rule that is blocking is:

@6 block drop out log quick on vr0 inet from ! 192.168.1.2 to any

(192.168.1.2 is my "external" address). This rule is supposed to block any internal stuff going out that is not NATted properly. It is correct to block my client (10.1.0.6), since it should have had its address translated.

My nat rule is simple (and DOES NAT tcp/udp):

nat on $ext_if from { $int_net, $wifi_net } to any -> $ext_if

The entire config is attached. Am I doing something stupid? Does anybody know what I'm doing wrong?

Thanks in advance,
Sebastiaan

--- attachment: pf.conf ---

#============================================================================
# MACROS
#----------------------------------------------------------------------------

# External (internet, natted) interface.
ext_if = "vr0"
ext_net = $ext_if:network
ext_ip = "192.168.1.2"
ext_gw = "192.168.1.1"

# Internal (trusted) interface.
int_if = "rl0"
int_net = $int_if:network
int_ip = "10.0.0.1"

# Wifi (untrusted) interface.
wifi_if = "rl1"
wifi_net = $wifi_if:network
wifi_ip = "10.1.0.1"

# Allowed ICMP types.
icmp_types = "{ echoreq, echorep, timex, unreach }"

# Services.
tcp_services = "{ ssh, http, https, 8881 }"
udp_services = "{ 8881 }"

# Internal IPs.
blauwoor_ip = "10.1.0.6"
printer_ip = "10.0.0.2"

# Internal ports.
blauwoor_torrent_port = 7880

#============================================================================
# TABLES
#----------------------------------------------------------------------------
# (the angle-bracketed table names did not survive the archived copy)
table const { self }
table const { $int_net }

#============================================================================
# OPTIONS
#----------------------------------------------------------------------------
#set timeout { interval 10, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set timeout { adaptive.start 0, adaptive.end 0 }
#set limit { states 10000, frags 5000 }
#set loginterface none
#set optimization normal
#set block-policy drop
#set require-order yes
#set fingerprints "/etc/pf.os"

#============================================================================
# NORMALIZATION
#----------------------------------------------------------------------------
# Reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

#============================================================================
# QUEUING
#----------------------------------------------------------------------------
altq on $ext_if priq bandwidth 900Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

#============================================================================
# NAT
#----------------------------------------------------------------------------
# Packets going out through $ext_if with source address $int_net or $wifi_net
# will get translated as coming from the address of $ext_if, a state is
# created for such packets, and incoming packets will be redirected to the
# internal address.
nat on $ext_if from { $int_net, $wifi_net } to any -> $ext_if

#============================================================================
# REDIRECTS
#----------------------------------------------------------------------------
# Torrent for blauwoor.
rdr on $ext_if proto { tcp, udp } from any to $ext_ip port $blauwoor_torrent_port -> $blauwoor_ip

#============================================================================
# BASIC FILTERING RULES
#----------------------------------------------------------------------------
# Skip loopback interface.
set skip on lo0

# Activate spoofing protection for all interfaces.
antispoof for { vr0, rl0, rl1 } inet

# Block and log packets going out the external interface that do
# not have the external ip address. They are either spoofed or
# else something is misconfigured (e.g. NAT disabled).
block out log quick on $ext_if from !$ext_ip to any

# Silently drop broadcasts (so they do not clog the logs).
block in quick on $ext_if from any to 255.255.255.255

# Setup default deny policy.
block log all

# Prioritize TCP acks.
pass out on $ext_if proto tcp from $ext_if to any queue (q_def, q_pri)
pass in on $ext_if proto tcp from any to $ext_if queue (q_def, q_pri)

#============================================================================
# CUSTOM FILTERING RULES
#----------------------------------------------------------------------------
# Open up for allowed ICMP types.
pass in quick inet proto icmp all icmp-type $icmp_types

# Open up GRE for VPNs.
pass quick proto gre

# Open up LAN network.
pass in quick on $int_if from $int_net to any
pass out quick on $int_if from any to $int_net

# Open up WIFI network, but block access to private networks.
pass in quick on $wifi_if from $wifi_net to any
pass out quick on $wifi_if from any to $wifi_net
block in on $wifi_if from $wifi_net to

# Open up outgoing traffic to internet.
pass out quick on $ext_if proto tcp all
pass out quick on $ext_if proto { udp, icmp } all

# Open up services to internet.
pass in quick on $ext_if proto tcp from any to $ext_ip port $tcp_services
pass in quick on $ext_if proto udp from any to $ext_ip port $udp_services

# Open up services and dns to wifi.
pass in quick on $wifi_if proto tcp from any to port $tcp_services
pass in quick on $wifi_if proto udp from any to port $udp_services
pass in quick on $wifi_if proto udp from $wifi_net to $int_ip port domain

# Printer for wifi.
pass in quick on $wifi_if proto { tcp, udp } from any to $printer_ip

# Torrent for blauwoor.
pass in quick on $ext_if proto { tcp, udp } from any to $blauwoor_ip port $blauwoor_torrent_port
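A small diagnostic for the situation in the message above, added here as an example and not part of the original post or of pf itself: it parses pflog lines in the tcpdump format the poster quoted and reports egress packets on the external interface whose source address was never translated, so the protocols that escape the nat rule (gre here) stand out against those that are rewritten (tcp). The interface and address values are taken from the posted pf.conf; the /24 masks for $int_net and $wifi_net and all log lines except the poster's own are constructed assumptions.

```python
import ipaddress
import re

# Assumed from the poster's pf.conf: $ext_if, $ext_ip and the two internal
# networks ($int_net and $wifi_net, assumed to be /24).
EXT_IF = "vr0"
EXT_IP = ipaddress.ip_address("192.168.1.2")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("10.1.0.0/24")]

# Constructed sample in the tcpdump-on-pflog format quoted in the post: the first
# line is the poster's, the others are made up to show translated traffic beside it.
SAMPLE_LOG = """\
000000 rule 6/0(match): block out on vr0: 10.1.0.6 > 193.46.80.81: GREv1, call 55191, seq 10, proto PPP (0x880b), length 36: [|ppp]
000210 rule 33/0(match): pass out on vr0: 192.168.1.2.51234 > 193.46.80.81.443: S 1:1(0) win 65535
000045 rule 6/0(match): block out on vr0: 10.0.0.2 > 193.46.80.81: ICMP echo request, id 1, seq 1, length 64
000077 rule 27/0(match): pass in on rl1: 10.1.0.6.4000 > 10.0.0.1.53: UDP, length 40
"""

LOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>pass|block) (?P<dir>in|out) "
    r"on (?P<ifname>\w+): (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<info>.*)")

def parse_line(line):
    """Fields of one pflog line as a dict, or None if the line does not match."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def proto_of(rec):
    """Protocol from tcpdump's summary; old tcpdump prints TCP flags, not a name."""
    for name in ("GRE", "ICMP", "UDP"):
        if rec["info"].startswith(name):
            return name.lower()
    return "tcp" if rec["sport"] is not None else "other"

def nat_leaks(log_text):
    """(rule, src, proto) for packets that left EXT_IF with an internal source,
    i.e. where the nat rule should have rewritten the source to EXT_IP but did not."""
    leaks = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dir"] != "out" or rec["ifname"] != EXT_IF:
            continue
        src = ipaddress.ip_address(rec["src"])
        if src != EXT_IP and any(src in net for net in INTERNAL_NETS):
            leaks.append((int(rec["rule"]), str(src), proto_of(rec)))
    return leaks

def leaking_protocols(log_text):
    """Protocols that escape NAT: on the poster's box tcp/udp are fine, gre is not."""
    return sorted({proto for _, _, proto in nat_leaks(log_text)})
```

Run it against `tcpdump -n -e -ttt -r /var/log/pflog` output instead of SAMPLE_LOG to get the same report for a live box; a leak list that contains only gre while tcp and udp are absent is exactly the symptom described in the post.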