From owner-freebsd-pf@FreeBSD.ORG Fri Jul 28 06:12:07 2006
From: Jeffrey Williams
Date: Thu, 27 Jul 2006 23:11:59 -0700
To: freebsd-pf@freebsd.org
Subject: Re: nat/outbound traffic not passing in pf on FreeBSD 6.1
Message-ID: <44C9AAAF.1090705@sailorfej.net>
In-Reply-To: <20060726202454.GG18492@insomnia.benzedrine.cx>

Daniel and all on list,

Thank you and mea culpa, I should have tried that first.
tcpdump showed no packets coming in from the inside network on em1 (even with pf disabled), although the aggregate port switch saw them. So it is either a bad switch configuration (likely, my first time with a Dell switch) or a bad switch port. Either way it does not appear to be pf/FreeBSD's fault; after moving the inside interface to another port, it works fine. Although I was able to ssh from em1 out to machines on the inside network, weird; I have to revisit this when I have time.

Thanks,
Jeff

Daniel Hartmeier wrote:
> Can you give us an example of just one connection that doesn't work?
>
> Like, local workstation i.i.10.3, connected to em1, matching $inwr,
> tries to connect to an external host 62.65.145.30. Protocol TCP, source
> port 12345, destination port 80. The TCP SYN is seen (with tcpdump)
> incoming on em1. But it's not seen outgoing (NAT'ed to source address
> o.o.33.46) on em0.
>
>> scrub in all fragment reassemble
>> block drop in log all
>> pass in on em0 inet proto tcp from any to i.i.10.15 port = ssh keep state
>> pass in on em0 inet proto tcp from any to o.o.33.46 port = ssh keep state
>> pass in on em1 inet from i.i.10.0/24 to any keep state
>> pass out on em0 inet from o.o.33.46 to any keep state
>> block drop in on ! em0 inet from o.o.33.i/29 to any
>> block drop in on em0 inet6 from fe80::213:72ff:fe5f:6e6b to any
>> block drop in inet from o.o.33.46 to any
>> block drop in on ! em1 inet from i.i.10.0/24 to any
>> block drop in on em1 inet6 from fe80::213:72ff:fe5f:6e6c to any
>> block drop in inet from i.i.10.1 to any
>
> A packet that doesn't match any of those rules will be passed. Since you
> don't block outgoing packets at all, you should see the TCP SYN go out
> on em1 (properly NAT'ed). Since NAT implies keep state, a state entry
> should be created even if you don't have an explicit 'pass out keep
> state' rule.
>
> Your pfctl -si output shows that there are states created, and that
> packets are matching those states and passing.
>
> You should see the returning TCP SYN+ACK incoming on em1 (with tcpdump),
> get NAT'ed back to the internal destination address, and leave out on
> em0.
>
> Make sure that there's nothing weird going on with the network cables,
> i.e. that em0 is really the internal NIC, that the local workstation
> does not have any other way to reach the external host except through
> the pf box, and that it's using the pf box as default gateway.
>
> If the TCP SYN and SYN+ACK show up in any other order (than described
> above) on the two interfaces, that would be the clue to the problem.
>
> There is no difference between pf on OpenBSD and FreeBSD in this regard,
> and I very much doubt there is a bug as basic as this still undetected.
> More likely, there is some other difference between your OpenBSD and
> FreeBSD setups, as simple as a cable plugged in somewhere :)
>
> Daniel
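The point Daniel makes about the quoted ruleset (last matching rule wins, and a packet matching no rule is passed) can be checked against the rules themselves. The following is an added illustration, not code from the thread or from pf: a small Python model of pf's rule evaluation without `quick`, loaded with the IPv4 filter rules quoted above. The obfuscated prefixes are replaced by constructed stand-ins (i.i.10.0/24 as 10.10.10.0/24, o.o.33.0/29 as 203.0.113.40/29 with .46 on em0); it models only the ruleset, not the state table, which in real pf is consulted first and is what passes the returning SYN+ACK.

```python
import ipaddress as ip

# Constructed stand-ins for the thread's obfuscated prefixes (assumption).
IN_NET, OUT_NET = "10.10.10.0/24", "203.0.113.40/29"
EM0, EM1 = "203.0.113.46", "10.10.10.1"       # addresses of the pf box

# (action, direction, iface, iface_negated, src, dst, dport); None = any.
# IPv4 subset of the filter rules quoted in the thread, in original order.
RULES = [
    ("block", "in",  None,  False, None,            None,             None),
    ("pass",  "in",  "em0", False, None,            "10.10.10.15/32", 22),
    ("pass",  "in",  "em0", False, None,            EM0 + "/32",      22),
    ("pass",  "in",  "em1", False, IN_NET,          None,             None),
    ("pass",  "out", "em0", False, EM0 + "/32",     None,             None),
    ("block", "in",  "em0", True,  OUT_NET,         None,             None),
    ("block", "in",  None,  False, EM0 + "/32",     None,             None),
    ("block", "in",  "em1", True,  IN_NET,          None,             None),
    ("block", "in",  None,  False, EM1 + "/32",     None,             None),
]

def matches(rule, direction, iface, src, dst, dport):
    """True if the packet fits every criterion the rule specifies."""
    _, rdir, riface, neg, rsrc, rdst, rport = rule
    if rdir != direction:
        return False
    # "on em1" requires iface == em1; "on ! em1" requires iface != em1.
    if riface is not None and (iface == riface) == neg:
        return False
    if rsrc and ip.ip_address(src) not in ip.ip_network(rsrc):
        return False
    if rdst and ip.ip_address(dst) not in ip.ip_network(rdst):
        return False
    if rport is not None and dport != rport:
        return False
    return True

def verdict(direction, iface, src, dst, dport):
    """pf semantics without 'quick': the LAST matching rule decides, and a
    packet that matches no rule at all is passed (the implicit default).
    Returns (decision, index of the deciding rule or None)."""
    decision, winner = "pass", None
    for i, rule in enumerate(RULES):
        if matches(rule, direction, iface, src, dst, dport):
            decision, winner = rule[0], i
    return decision, winner

if __name__ == "__main__":
    # Daniel's example: inside host 10.10.10.3 -> 62.65.145.30:80 on em1,
    # then the same SYN after NAT leaving em0, then a spoofed inside
    # address arriving on the outside interface.
    print(verdict("in", "em1", "10.10.10.3", "62.65.145.30", 80))
    print(verdict("out", "em0", EM0, "62.65.145.30", 80))
    print(verdict("in", "em0", "10.10.10.3", "62.65.145.30", 80))
```

The last case shows why the `block drop in on ! em1 ... from i.i.10.0/24` rules are there: an inside address seen on the wrong interface is dropped by rule 7, not by the default-pass fallthrough.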