Date: Thu, 3 Jun 2010 16:49:30 +0200
From: Gianni <gdoe6545@yahoo.it>
To: freebsd-pf@freebsd.org
Subject: udp redirect problem
Message-ID: <A587AC01-D0C4-452A-8DE4-5A657E604C6E@yahoo.it>
I'm redirecting incoming requests to tcp/udp port 5080 to an internal host with the following rule:

rdr on $ext_if2 proto { tcp, udp } from any to $ext_if2 port 5080 -> $pbx_host

The problem is that the udp packets never seem to reach the destined host. I've checked with tcpdump and incoming TCP packets are accepted by the filter and passed out of the internal interface (vr0) to go to the intended destination.

7. 725492 rule 51/0(match): pass in on tun1: x.x.x.x.58770 > 192.168.200.42.5080: tcp 32 [bad hdr length 8 - too short, < 20]
000144 rule 19/0(match): pass out on vr0: x.x.x.x.58770 > 192.168.200.42.5080: tcp 32 [bad hdr length 8 - too short, < 20]

For UDP the packets seem to be accepted by the filter but not passed on to the destination; there's no log entry to show them leaving the internal interface or messages to say they are getting dropped.

000000 rule 65/0(match): pass in on tun1: x.x.x.x.5060 > 192.168.200.42.5080: SIP, length: 1207
529850 rule 65/0(match): pass in on tun1: x.x.x.x.5060 > 192.168.200.42.5080: SIP, length: 1207
2. 028043 rule 65/0(match): pass in on tun1: x.x.x.x.5060 > 192.168.200.42.5080: SIP, length: 1207
4. 048524 rule 65/0(match): pass in on tun1: x.x.x.x.5060 > 192.168.200.42.5080: SIP, length: 1207

I'm a bit puzzled as I can't see any difference between the tcp and udp rules (complete ruleset below). Any suggestions would be greatly appreciated.
# PF ruleset
loopback_if = "lo0"
int_if = "vr0"
localnet = "192.168.200.0/24"
pbx_host = "192.168.200.42"
mx_host = "192.168.200.41"
ext_if1 = "tun0"
ext_if2 = "tun1"
ext_ifs = "{ tun0, tun1 }"
vpn_if = "tun2"
vpn_nets = "{ 192.168.0.0/24 }"
icmp_in_types = "{ unreach,echoreq }"

table <bruteforce> persist
table <martians> persist { 127.0.0.0/8, 172.16.0.0/12 \
    10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
    0.0.0.0/8, 240.0.0.0/4 }

set block-policy return
set skip on { $loopback_if, vr1, vr2 }

#scrub in all
scrub log all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble

tcp_services = "{ 2525, ssh, smtp, smtps, domain, https, imaps, sip, 1194, 5080 }"
udp_services = "{ domain, sip, 4569, 1194, 5080 }"
tcp_client = "{ ssh, domain, pop3, pop3s, imap, imaps, smtp, smtps, auth, ntp,\
    http, https, 8080, sip, 5080, cvsup, postgresql, 3306, 8180, 1863, 444, 1194 }"
udp_client = "{ domain, sip, 5080, ntp, 4569, 1194, 5222 }"

# NAT
no nat on $ext_if1 from $localnet to $vpn_nets
nat on $ext_if1 from $localnet to any -> ($ext_if1)
no nat on $ext_if2 from $localnet to $vpn_nets
nat on $ext_if2 from $localnet to any -> ($ext_if2)

rdr on $ext_if1 proto tcp from any to $ext_if1 port 222 -> 192.168.200.40 port 22
rdr on $ext_if1 proto tcp from any to $ext_if1 port 25 -> $mx_host
rdr on $ext_if1 proto tcp from any to $ext_if1 port 2525 -> $mx_host
rdr on $ext_if1 proto tcp from any to $ext_if1 port 993 -> $mx_host
rdr on $ext_if1 proto tcp from any to $ext_if1 port 465 -> $mx_host
rdr on $ext_if2 proto tcp from any to $ext_if2 port 222 -> 192.168.200.40 port 22
rdr on $ext_if2 proto tcp from any to $ext_if2 port 25 -> $mx_host
rdr on $ext_if2 proto tcp from any to $ext_if2 port 2525 -> $mx_host
rdr on $ext_if2 proto tcp from any to $ext_if2 port 993 -> $mx_host
rdr on $ext_if2 proto tcp from any to $ext_if2 port 465 -> $mx_host

# SIP
#rdr pass log on $int_if proto udp from $localnet to any port 5060 -> 127.0.0.1 port 5060
rdr on $ext_if1 proto { tcp, udp } from any to $ext_if1 port 5080 -> $pbx_host
rdr on $ext_if2 proto { tcp, udp } from any to $ext_if2 port 5080 -> $pbx_host

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $localnet to any port 21 -> 127.0.0.1 port 8021

antispoof log for $ext_ifs
antispoof log for $int_if

block log all
block log quick from <bruteforce>
block drop in log quick on $ext_ifs from <martians> to any
block drop out log quick on $ext_ifs from any to <martians>

pass log from { $loopback_if, $localnet } to any
pass in log on $int_if
pass out log on $int_if
pass out log on $ext_ifs
pass out log quick on $ext_ifs proto udp from any to $pbx_host port 5080

# Client
pass out log quick on $ext_if1 route-to ($ext_if2 ($ext_if2:peer)) from $ext_if2 to any
pass out log quick on $ext_if2 route-to ($ext_if1 ($ext_if1:peer)) from $ext_if1 to any

# ICMP
pass in log inet proto icmp all icmp-type $icmp_in_types
pass in log on $ext_if1 reply-to ($ext_if1 ($ext_if1:peer)) inet proto icmp all icmp-type $icmp_in_types
pass in log on $ext_if2 reply-to ($ext_if2 ($ext_if2:peer)) inet proto icmp all icmp-type $icmp_in_types

# Public services
pass in log on $ext_if1 reply-to ($ext_if1 ($ext_if1:peer)) inet proto tcp \
    from any to any port $tcp_services \
    #synproxy state \
    (max-src-conn 100, max-src-conn-rate 50/5, \
    overload <bruteforce> flush global)
pass in log on $ext_if2 reply-to ($ext_if2 ($ext_if2:peer)) inet proto tcp \
    from any to any port $tcp_services \
    #synproxy state \
    (max-src-conn 100, max-src-conn-rate 50/5, \
    overload <bruteforce> flush global)
pass in log on $ext_if1 reply-to ($ext_if1 ($ext_if1:peer)) inet proto tcp \
    from any to any port { ssh, 222 } \
    #synproxy state \
    (max-src-conn 10, max-src-conn-rate 5/3, \
    overload <bruteforce> flush global)
pass in log on $ext_if2 reply-to ($ext_if2 ($ext_if2:peer)) inet proto tcp \
    from any to any port { ssh, 222 } \
    #synproxy state \
    (max-src-conn 10, max-src-conn-rate 5/3, \
    overload <bruteforce> flush global)
pass in log on $ext_if1 reply-to ($ext_if1 ($ext_if1:peer)) inet proto udp \
    from any to any port $udp_services
pass in log on $ext_if2 reply-to ($ext_if2 ($ext_if2:peer)) inet proto udp \
    from any to any port $udp_services

# VPN
pass in log on $ext_ifs inet proto icmp from $vpn_nets to $localnet
pass out log on $vpn_if from any to any keep state

# FTP-proxy
anchor "ftp-proxy/*"
pass out log proto tcp from ($ext_if1) to any port 21
pass out log proto tcp from ($ext_if2) to any port 21

-Gianni
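Added here as a diagnostic aid, not code from the post or from the poster: a small Python parser that correlates pflog records like the ones above. A flow that is logged as passed in on the external interface (tun1) but never as passed out on the internal interface (vr0) is flagged, which is the TCP-versus-UDP difference the post finds by reading tcpdump output by hand. The sample lines are constructed to mimic the post's log format; interface names and rule numbers are taken from the post.

```python
import re

# Constructed pflog sample (tcpdump -n -e -ttt -i pflog0 style), modelled on the
# records in the post; x.x.x.x is the poster's redacted external address.
SAMPLE_LOG = """\
000144 rule 51/0(match): pass in on tun1: x.x.x.x.58770 > 192.168.200.42.5080: tcp 32
000144 rule 19/0(match): pass out on vr0: x.x.x.x.58770 > 192.168.200.42.5080: tcp 32
000000 rule 65/0(match): pass in on tun1: x.x.x.x.5060 > 192.168.200.42.5080: SIP, length: 1207
529850 rule 65/0(match): pass in on tun1: x.x.x.x.5060 > 192.168.200.42.5080: SIP, length: 1207
000012 rule 14/0(match): block in on tun1: 10.0.0.5.40000 > 192.168.200.42.5080: UDP, length 80
"""

# One pflog record: rule number, action, direction, interface, 4-tuple, protocol token.
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>pass|block) (?P<dir>in|out) "
    r"on (?P<ifname>\w+): (?P<src>[\w.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\w.]+)\.(?P<dport>\d+): (?P<proto>\w+)"
)

def parse_pflog(text):
    """Turn pflog text into a list of dicts; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["rule"] = int(rec["rule"])
            events.append(rec)
    return events

def find_stalled_flows(events, ext_if, int_if):
    """Flows passed in on ext_if with no matching pass out on int_if, keyed on the
    post-rdr 4-tuple (src, sport, dst, dport); returns {key: first pass-in record}."""
    seen_out = set()
    passed_in = {}
    for e in events:
        key = (e["src"], e["sport"], e["dst"], e["dport"])
        if e["action"] != "pass":
            continue  # a blocked packet is explained by its own rule; not a silent stall
        if e["dir"] == "out" and e["ifname"] == int_if:
            seen_out.add(key)
        elif e["dir"] == "in" and e["ifname"] == ext_if:
            passed_in.setdefault(key, e)
    return {k: e for k, e in passed_in.items() if k not in seen_out}

if __name__ == "__main__":
    for key, rec in find_stalled_flows(parse_pflog(SAMPLE_LOG), "tun1", "vr0").items():
        print(f"rule {rec['rule']}: {key[0]}:{key[1]} -> {key[2]}:{key[3]} ({rec['proto']}) "
              f"passed in on tun1 but never logged out on vr0")
```

On a live system, feed it the output of `tcpdump -n -e -ttt -i pflog0` instead of the constructed sample; a flow reported here with no block record is one the state or routing logic lost between interfaces, which is the pattern the post describes for UDP.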