From: "Max Laier" <max@love2party.net>
To: pf4freebsd@freelists.org
Subject: [pf4freebsd] Re: pfaltq-5.1.0.4 problem using fingerprinting
Date: Tue, 2 Sep 2003 16:22:16 +0200
References: <3F54A3F9.3010101@dequim.ist.utl.pt>
List: pf4freebsd (archived to freebsd-pf@freebsd.org on Thu, 16 Sep 2004 03:49:56 +0000)

> All seems to be working fine including AltQ integration. Only a minor
> glitch when I do ifconfig. (box reboots... works perfectly fine on
> another 5.1 box. Probably a kernel option. Will do some more research on
> this...)

I have seen that once and tried to reproduce it with all force, but wasn't
able to ... if you find out I am very interested in dumps/traces or whatever
you can provide.

> Anyway, passive fingerprinting may have a bug,
> This is the important rule in question:
>
> #ssh
> pass in on $ext_if proto tcp from any os Windows to $main_ip port 22
> modulate state queue(interact_bulk,interact_ack)
>
> Without the "os Windows" everything works fine. And I am coming in from
> a Windows box as tcpdump shows:
>
> my.ip.14338 > public.ip.22: S (src OS: Windows 2000 SP3, Windows XP)
> 709831067:709831067(0) win 64240 (DF)
>
> This was a mere test. :-)
>
> Now, the interesting part is that, if I use a FreeBSD box to ssh in, it
> works...
>
> FreeBSD.box.ip.57050 > public.ip.22: S (src OS: FreeBSD 5.0, FreeBSD
> 4.8-4.9) 632746775:632746775(0) win 65535 1,nop,nop,timestamp 674899877 0> (DF)
>
> But even more interesting is that, if I change the rule to:
>
> #ssh
> pass in on $ext_if proto tcp from any os Cisco to $main_ip port 22
> modulate state queue(interact_bulk,interact_ack)
>
> I can ssh in using FreeBSD but not using windows box... My FreeBSD box
> is on the local network and the windows on a remote one. But, there's a
> clear problem in always allowing FreeBSD.

Here is the problem: The rule says: "pass in on **$ext_if** ..." hence it does
not apply to traffic coming from the local network. Even if you use the
external IP (as you did, obviously) the traffic never shows up on $ext_if and
hence your FreeBSD box is allowed by some other rule in your ruleset.

Regards,
Max
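The interface scoping Max describes, as an added pf.conf illustration that is not part of the original thread: the interface names, the LAN range and the addresses are assumed placeholders; only the $ext_if/$main_ip rule shape comes from the mail, and the queue clause is left out so the fragment loads without ALTQ definitions.

```pf
# Added example, not from the original mail. Macro values are assumptions.
ext_if  = "fxp0"                # assumed: interface facing the Internet
int_if  = "fxp1"                # assumed: interface facing the local network
lan     = "192.168.1.0/24"      # constructed sample LAN range
main_ip = "203.0.113.10"        # documentation address standing in for the public IP

# Default deny with logging, so a connection that is passed by an unexpected
# rule is visible on pflog0 (tcpdump -n -e -ttt -i pflog0).
block in log all

# The rule from the thread (queue clause omitted). It is evaluated only for
# packets that arrive on $ext_if. A LAN host connecting to $main_ip arrives on
# $int_if, so this rule never sees it, whatever "os" says.
pass in on $ext_if proto tcp from any os Windows to $main_ip port 22 \
    modulate state

# If LAN hosts are meant to be fingerprinted too, they need a rule on the
# interface their packets actually enter.
pass in on $int_if proto tcp from $lan os FreeBSD to $main_ip port 22 \
    modulate state

# Caveat: pf is last-match unless "quick" is used, so any broader LAN rule
# placed after this point (e.g. "pass in on $int_if from $lan to any") would
# silently pass the FreeBSD box regardless of the os clause above.
```

To find which rule actually passed a connection, load the ruleset and compare the per-rule packet counters from `pfctl -vvsr` before and after a test connection from each box.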