Date: Fri, 31 May 2013 18:14:17 +0300
From: Volodymyr Kostyrko <c.kworr@gmail.com>
To: Stefan Desancic <sd@Nanoteq.com>, "questions@FreeBSD.org" <questions@FreeBSD.org>
Subject: Re: TCPmux
Message-ID: <51A8BE49.3070801@gmail.com>
In-Reply-To: <F46C10D2F60F034BB106EAB4CD7E833C01007D987647@ntq-ex.nanoteq.co.za>
References: <F46C10D2F60F034BB106EAB4CD7E833C01007D9875D9@ntq-ex.nanoteq.co.za> <51A85FFE.7060701@gmail.com> <F46C10D2F60F034BB106EAB4CD7E833C01007D987647@ntq-ex.nanoteq.co.za>
31.05.2013 14:10, Stefan Desancic:
> Hi,
>
> Thank you for your very speedy response.
> Also attached is the config file.
>
> Kind Regards
>
> Stefan
>
>
> # Section: Interfaces
> public_if19="em0"
> private_if18="em1"
> mgmt_if="em1"
> # End: Interfaces
>
> # Section: Ports
> Management = "{22,5555}"
> ikeports = "{500,4500}"
> # End: Ports
>
> # Section: Address Table
> table <CENTER-CONTACT> {192.168.50.250}
> table <CONTACT-EDGE1> {192.168.50.1}
> table <IP_10.0.0.1> {10.0.0.1}
> table <IP_10.0.0.2> {10.0.0.2}
> table <IP_192.168.50.250> {192.168.50.250}
> table <LPN_192.168.100.0_24> {192.168.100.0/24}
> table <LPN_192.168.50.0_24> {192.168.50.0/24}
> table <CENTER-CONTACTN> {192.168.50.250}
> # End: Address Table
>
> # Section: Options
> set ruleset-optimization none
> set block-policy return
> set skip on lo
> # End: Options
>
> # Section: Scrubbing
> scrub in all
> # End: Scrubbing
>
> # Section: Anti Spoofing
> antispoof quick for {$public_if19, $private_if18} inet
> # End: Anti Spoofing
>
> # Section: Firewall Rules
> # Section: System Rules
> block in from any to any label RuleId[111]
> pass out from any to any label RuleId[112]
> # End: System Rules
>
> # Section: VPN LPN access Rules
> pass from {<LPN_192.168.100.0_24>} to {<LPN_192.168.50.0_24>} tagged vpn label RuleId[140]
> pass from {<LPN_192.168.50.0_24>} to {<LPN_192.168.100.0_24>} label RuleId[141]
> # End: VPN LPN access Rules
>
> # Section: User Rules
> # block from any to any no state label RuleId[149]
> # pass in from {<LPN_192.168.100.0_24>} to {<LPN_192.168.50.0_24>} label RuleId[151]
> # pass in from {<LPN_192.168.50.0_24>} to {<LPN_192.168.100.0_24>} label RuleId[152]
> pass from any to any label RuleId[157]
> # End: User Rules
>
> # Section: IPsec Rules
> pass in on $mgmt_if proto {udp} from {<CENTER-CONTACTN>} to {<CONTACT-EDGE1>} port $ikeports label RuleId[117]
> pass in on $mgmt_if proto {esp} from {<CENTER-CONTACTN>} to {<CONTACT-EDGE1>} label RuleId[118]
> pass in on $mgmt_if proto {ipencap} from {<CENTER-CONTACTN>} to {<CONTACT-EDGE1>} tag management label RuleId[119]
> pass proto {udp} from {<IP_192.168.50.250>} to {<IP_10.0.0.2>} port $ikeports label RuleId[131]
> pass proto {udp} from {<IP_10.0.0.2>} to {<IP_192.168.50.250>} port $ikeports label RuleId[132]
> pass proto {esp} from {<IP_192.168.50.250>} to {<IP_10.0.0.2>} label RuleId[133]
> pass proto {esp} from {<IP_10.0.0.2>} to {<IP_192.168.50.250>} label RuleId[134]
> pass in on $public_if19 proto {udp} from {<IP_10.0.0.2>} to {<IP_10.0.0.1>} port $ikeports label RuleId[135]
> pass out on $public_if19 proto {udp} from {<IP_10.0.0.1>} to {<IP_10.0.0.2>} port $ikeports label RuleId[136]
> pass in on $public_if19 proto {esp} from {<IP_10.0.0.2>} to {<IP_10.0.0.1>} label RuleId[137]
> pass out on $public_if19 proto {esp} from {<IP_10.0.0.1>} to {<IP_10.0.0.2>} label RuleId[138]
> pass in on $public_if19 proto {ipencap} from {<IP_10.0.0.2>} to {<IP_10.0.0.1>} tag vpn label RuleId[139]
> # End: IPsec Rules
>
> # Section: Management Rules
> pass in on $mgmt_if proto {tcp} from {<CENTER-CONTACT>} to {<CONTACT-EDGE1>} port $Management tagged management label RuleId[120]
> # End: Management Rules
> # End: Firewall Rules

I'm missing a rule which would pass tcp connections to port 1 on any interface. However, I can see a pass-all rule. Remote connections should be enabled.

How is your tcpmux server configured? Can you show the output of `sockstat | grep ':1 '`?

>> Good Morning,
>>
>> Is there a flag or a setting in the PF firewall in FreeBSD that you can set to allow TCPmux traffic to flow through it? The pass-all rule doesn't seem to work; however, if I disable PF completely then the TCPmux traffic flows through.
>
> I have no problems with tcpmux and pf. Can you show your config? On my machines tcpmux is served from inetd on default port (1).

-- 
Sphinx of black quartz, judge my vow.
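The point Volodymyr makes, that the posted ruleset already passes port 1 because `pass from any to any` (RuleId[157]) comes after `block in from any to any` (RuleId[111]), follows from pf's "last matching rule wins, unless quick" evaluation. The following is an added example, not code from the thread or from pf itself: a small model of that evaluation run over a constructed subset of Stefan's rules (tags, tables, state and antispoof are not modelled), showing which rule decides an inbound TCP SYN to port 1 on em0 with and without RuleId[157].

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    action: str               # "pass" or "block"
    label: str
    direction: str = None     # "in", "out" or None (matches both)
    iface: str = None         # interface name or None (any)
    proto: str = None         # "tcp", "udp", "esp", ... or None (any)
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: frozenset = None   # destination ports or None (any)
    quick: bool = False

    def matches(self, pkt):
        return (self.direction in (None, pkt["dir"])
                and self.iface in (None, pkt["iface"])
                and self.proto in (None, pkt["proto"])
                and ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.dport is None or pkt.get("dport") in self.dport))

def evaluate(rules, pkt):
    """pf semantics: the last matching rule wins, unless a matching rule is
    marked quick, in which case evaluation stops there. No match means pass."""
    winner = ("pass", "default")
    for rule in rules:
        if rule.matches(pkt):
            winner = (rule.action, rule.label)
            if rule.quick:
                break
    return winner

# Constructed subset of the posted ruleset, in the posted order.
RULESET = [
    Rule("block", "RuleId[111]", direction="in"),
    Rule("pass", "RuleId[112]", direction="out"),
    Rule("pass", "RuleId[141]", src="192.168.50.0/24", dst="192.168.100.0/24"),
    Rule("pass", "RuleId[157]"),                      # the catch-all user rule
    Rule("pass", "RuleId[135]", direction="in", iface="em0", proto="udp",
         src="10.0.0.2/32", dst="10.0.0.1/32", dport=frozenset({500, 4500})),
]

# Constructed packet: inbound tcpmux connection attempt on the public interface.
TCPMUX_IN = {"dir": "in", "iface": "em0", "proto": "tcp",
             "src": "10.0.0.2", "dst": "10.0.0.1", "dport": 1}

def without(rules, label):
    return [r for r in rules if r.label != label]

if __name__ == "__main__":
    print(evaluate(RULESET, TCPMUX_IN))                        # ('pass', 'RuleId[157]')
    print(evaluate(without(RULESET, "RuleId[157]"), TCPMUX_IN))  # ('block', 'RuleId[111]')
```

Because pf is not what blocks this packet under the posted rules, the next thing to check is whether anything is listening on port 1 at all, which is what the `sockstat | grep ':1 '` request in the reply is for.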