Date:      Thu, 16 Sep 2004 03:49:56 -0000
From:      "Max Laier" <max@love2party.net>
To:        <pf4freebsd@freelists.org>
Subject:   [pf4freebsd] Re: pfaltq-5.1.0.4 problem using fingerprinting
Message-ID:  <009e01c3715d$9ce7f3d0$01000001@max900>
References:  <3F54A3F9.3010101@dequim.ist.utl.pt>

> All seems to be working fine including AltQ integration. Only a minor
> glitch when I do ifconfig. (box reboots... works perfectly fine on
> another 5.1 box. Probably a kernel option. Will do some more research on
> this...)

I have seen that once and tried to reproduce it with all force, but wasn't
able to ... if you find out I am very interested in dumps/traces or whatever
you can provide.

> Anyway, passive fingerprinting may have a bug,
> This is the important rule in question:
>
> #ssh
> pass in on $ext_if proto tcp from any os Windows to $main_ip port 22
> modulate state queue(interact_bulk,interact_ack)
>
> Without the "os Windows" everything works fine. And I am coming in from
> a Windows box as tcpdump shows:
>
> my.ip.14338 > public.ip.22: S (src OS: Windows 2000 SP3, Windows XP)
> 709831067:709831067(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
>
> This was a mere test. :-)
>
>
> Now, the interesting part is that, if I use a FreeBSD box to ssh in, it
> works...
>
> FreeBSd.box.ip.57050 > public.ip.22: S (src OS: FreeBSD 5.0, FreeBSD
> 4.8-4.9) 632746775:632746775(0) win 65535 <mss 1460,nop,wscale
> 1,nop,nop,timestamp 674899877 0> (DF)
>
>
> But even more interesting is that, if I change the rule to:
>
> #ssh
> pass in on $ext_if proto tcp from any os Cisco to $main_ip port 22
> modulate state queue(interact_bulk,interact_ack)
>
>
> I can ssh in using FreeBSD but not using the Windows box... My FreeBSD box
> is on the local network and the Windows one on a remote one. But, there's a
> clear problem in always allowing FreeBSD.
>

Here is the problem:
The rule says: "pass in on **$ext_if** ..." hence it does not apply to
traffic coming from the local network. Even if you use the external IP (as
you did, obviously) the traffic never shows up on $ext_if and hence your
FreeBSD box is allowed by some other rule in your ruleset.

Regards,
    Max
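As an added illustration (not part of Max's message or of pf's own documentation), a pf.conf fragment that makes the interface binding visible. The interface names, the address, the queue definitions and the internal catch-all rule are assumptions; `log` is added so that the rule that actually passed a connection can be read back from pflog0.

```pf
# Assumed interface names and a placeholder (documentation-range) address.
ext_if  = "fxp0"
int_if  = "xl0"
main_ip = "203.0.113.10"

# Assumed ALTQ setup; the queue names come from the original rule.
altq on $ext_if cbq bandwidth 2Mb queue { interact_bulk, interact_ack }
queue interact_bulk bandwidth 80% cbq(default)
queue interact_ack  bandwidth 20% priority 7

# The rule from the original post, with "log" added.  It is evaluated only
# for packets that ARRIVE on $ext_if, so a LAN host connecting to $main_ip
# (which enters on $int_if) is never tested against the "os Windows" match.
pass in log on $ext_if proto tcp from any os Windows to $main_ip port 22 \
    modulate state queue(interact_bulk,interact_ack)

# Hypothetical permissive rule for the internal interface.  This is the kind
# of "some other rule" that lets the FreeBSD box in regardless of its OS
# fingerprint.  Narrowing it (e.g. to specific ports) or adding "os FreeBSD"
# here is where the LAN-side policy has to live.
pass in log on $int_if proto tcp from $int_if:network to $main_ip port 22 \
    keep state

# Verification (run as root, not part of pf.conf):
#   pfctl -vvsr                      # list loaded rules with their numbers
#   tcpdump -n -e -ttt -i pflog0     # shows "rule N/0(match): pass in on xl0 ..."
# The interface and rule number in the pflog line identify which rule passed
# the FreeBSD connection.
```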

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?009e01c3715d$9ce7f3d0$01000001>