Date: Sat, 10 Sep 2011 19:17:30 -0300
From: Mario Lobo <lobo@bsd.com.br>
To: Daniel Hartmeier <daniel@benzedrine.cx>
Cc: freebsd-pf@freebsd.org
Subject: Re: VPN problem
Message-ID: <201109101917.30117.lobo@bsd.com.br>
In-Reply-To: <20110910160810.GB29437@insomnia.benzedrine.cx>
References: <201109101042.53575.lobo@bsd.com.br> <20110910160810.GB29437@insomnia.benzedrine.cx>
On Saturday 10 September 2011 13:08:10 Daniel Hartmeier wrote:
> On Sat, Sep 10, 2011 at 10:42:53AM -0300, Mario Lobo wrote:
>
> > Sep 10 10:27:16 lobos kernel: pf_map_addr: selected address 177.17.68.103
> > Sep 10 10:27:49 lobos last message repeated 83 times
> > Sep 10 10:28:59 lobos last message repeated 283 times
>
> This looks as if you're not allowing the packet out after NAT, so
> each subsequent packet also causes a pf_map_addr() call, instead
> of creating a state entry.
>
> Make sure you have a rule like
>
>   pass out on $ext_if from ($ext_if) ...
>
> Do you see any state entry related to your VPN connection?
> Run pfctl -vvss after the connection attempt.
>
> It helps debugging if you add
>
>   block log
>
> as the very first rule, then make sure all other block rules (if any)
> also have 'log'. Then reproduce the problem while running
>
>   tcpdump -s 1600 -nvvveeetttpi pflog0
>
> Now you'll see any packet being dropped by pf. Do you see any?
> Daniel

Thanks for doing this, man! I just got home.
On my first VPN connection attempt, it connected and I got this:

[~]>tcpdump -s 1600 -nvvveeetttpi pflog0 host 10.10.10.2
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 1600 bytes
00:00:00.000000 rule 2/0(match): pass in on rl0: (tos 0x0, ttl 64, id 60903, offset 0, flags [none], proto TCP (6), length 60)
    10.10.10.2.65319 > 189.17.94.162.1723: Flags [S], cksum 0xf79e (correct), seq 3937019625, win 65535, options [mss 1460,nop,wscale 4,sackOK,TS val 32966455 ecr 0], length 0
00:00:00.496970 rule 1/0(match): pass in on rl0: (tos 0x0, ttl 64, id 3446, offset 0, flags [none], proto GRE (47), length 60)
    10.10.10.2 > 189.17.94.162: GREv1, Flags [key present, sequence# present], call 64372, seq 0, proto PPP (0x880b), length 40
        LCP (0xc021), length 28: LCP, Conf-Request (0x01), id 1, length 26
          encoded length 24 (=Option(s) length 20)
          0x0000:  c021 0101 0018
          ACFC Option (0x08), length 2:
          PFC Option (0x07), length 2:
          ACCM Option (0x02), length 6: 0x000a0000
            0x0000:  000a 0000
          MRU Option (0x01), length 4: 1486
            0x0000:  05ce
          Magic-Num Option (0x05), length 6: 0x20bd152c
            0x0000:  20bd 152c
00:01:15.359756 rule 2/0(match): pass in on rl0: (tos 0x0, ttl 64, id 35400, offset 0, flags [none], proto TCP (6), length 60)
    10.10.10.2.15327 > 189.17.94.162.1723: Flags [S], cksum 0xc92c (correct), seq 2129681427, win 65535, options [mss 1460,nop,wscale 4,sackOK,TS val 33042305 ecr 0], length 0

I dropped the connection, waited a bit and tried again.

This time (and the next 5 times), it was unsuccessful:

[~]>tcpdump -s 1600 -nvvveeetttpi pflog0 host 10.10.10.2
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 1600 bytes
00:00:00.000000 rule 2/0(match): pass in on rl0: (tos 0x0, ttl 64, id 2673, offset 0, flags [none], proto TCP (6), length 60)
    10.10.10.2.53563 > 189.17.94.162.1723: Flags [S], cksum 0x96e6 (correct), seq 180477348, win 65535, options [mss 1460,nop,wscale 4,sackOK,TS val 33472258 ecr 0], length 0
00:00:00.528029 rule 1/0(match): pass in on rl0: (tos 0x0, ttl 64, id 22121, offset 0, flags [none], proto GRE (47), length 60)
    10.10.10.2 > 189.17.94.162: GREv1, Flags [key present, sequence# present], call 64372, seq 0, proto PPP (0x880b), length 40
        LCP (0xc021), length 28: LCP, Conf-Request (0x01), id 1, length 26
          encoded length 24 (=Option(s) length 20)
          0x0000:  c021 0101 0018
          ACFC Option (0x08), length 2:
          PFC Option (0x07), length 2:
          ACCM Option (0x02), length 6: 0x000a0000
            0x0000:  000a 0000
          MRU Option (0x01), length 4: 1486
            0x0000:  05ce
          Magic-Num Option (0x05), length 6: 0xc80d1b74
            0x0000:  c80d 1b74
00:00:00.000058 rule 30/0(match): pass out on tun0: (tos 0x0, ttl 63, id 22121, offset 0, flags [none], proto GRE (47), length 60)
    10.10.10.2 > 189.17.94.162: GREv1, Flags [key present, sequence# present], call 64372, seq 0, proto PPP (0x880b), length 40
        LCP (0xc021), length 28: LCP, Conf-Request (0x01), id 1, length 26
          encoded length 24 (=Option(s) length 20)
          0x0000:  c021 0101 0018
          ACFC Option (0x08), length 2:
          PFC Option (0x07), length 2:
          ACCM Option (0x02), length 6: 0x000a0000
            0x0000:  000a 0000
          MRU Option (0x01), length 4: 1486
            0x0000:  05ce
          Magic-Num Option (0x05), length 6: 0xc80d1b74
            0x0000:  c80d 1b74

No block shows up.

[~]>pfctl -vvss | grep -A 2 "10.10.10.2:"
rl0 tcp 189.17.94.162:1723 <- 10.10.10.2:19285       ESTABLISHED:ESTABLISHED
   [2640059824 + 65535] [2169377171 + 65535]
   age 00:00:24, expires in 00:59:57, 6:5 pkts, 584:540 bytes, rule 2
--
tun0 tcp 10.10.10.2:19285 -> 177.17.68.103:16885 -> 189.17.94.162:1723       ESTABLISHED:ESTABLISHED
   [2169377171 + 65535] [2640059824 + 65535]
   age 00:00:24, expires in 00:59:57, 6:5 pkts, 584:540 bytes, rule 31
--

Below is my full pf.conf. Even if I uncomment the very first filtering rule:

# pass quick all

the problem persists.

#>cat /etc/pf.conf

# Required order: options, normalization, queueing, translation, filtering.
# Note that translation rules are first match while filter rules are last match.

################[ Macros ]####################################

### Interfaces ###
ext_if="tun0"
int_if="rl0"
mid_if="re0"
internal_net="10.10.10.0/24"

### Hosts ###
# Users
papi = "10.10.10.2"
dani = "10.10.10.3"
pinco = "10.10.10.4"
mami = "10.10.10.5"

# Groups
table <hackers> file "/usr/local/etc/hackers"

# Non-public/weird addresses, doesn't include our subnets, anything in here shouldn't be going anywhere
table <banned> { 0.0.0.0/8, 169.254.0.0/16, 224.0.0.0/3, 204.152.64.0/23 }

################[ Options ]###################################

# We want to send ICMP RST or unreachable
set block-policy drop
# Bind states to interfaces so we can have a queue for each interface
set state-policy if-bound
set ruleset-optimization basic
set loginterface $ext_if
set fingerprints "/etc/pf.os"
set skip on { lo0, $mid_if }
# set debug misc
# set require-order yes
# set skip on tun
# set optimization normal
# set optimization aggressive
set timeout { frag 10, tcp.established 3600 }
# set timeout { tcp.first 30, tcp.closing 10, tcp.closed 10, tcp.finwait 10 }
# set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
# set timeout { other.first 30, other.single 30, other.multiple 30 }
# set timeout { adaptive.start 5000, adaptive.end 10000 }

################[ Normalization ]#############################
# scrub in on $ext_if all random-id
# scrub in on $int_if all random-id
scrub in all fragment reassemble no-df random-id

################[ Queueing ]##################################
altq on $ext_if cbq bandwidth 970Kb queue {ack, dns, ssh, web, mail, bulk, ftp}
queue ack bandwidth 10% priority 7 cbq(borrow)
queue dns bandwidth 20% priority 6 cbq(borrow)
queue ssh bandwidth 10% cbq(borrow) {ssh_login, ssh_bulk}
queue ssh_login bandwidth 50% priority 5
queue ssh_bulk bandwidth 50% priority 4
queue mail bandwidth 20% priority 3 cbq(borrow)
queue web bandwidth 10% priority 2 cbq(borrow)
queue bulk bandwidth 20% priority 1 cbq(borrow default red ecn)
queue ftp bandwidth 9% priority 0 cbq(borrow red ecn)

################[ Translation ]###############################
### NAT
# nat on $ext_if from $int_if:network to any -> ($ext_if) port 1024:65535
nat on $ext_if from any to any -> ($ext_if) port 1024:65535
nat-anchor "ftp-proxy/*"

### RDR
no rdr on lo0 from any to any
# frickin ---> Yeah I tried that. It didn't fix the problem.
# rdr on $int_if proto tcp from any to any port 1723 -> 127.0.0.1 port 1723
# rdr on $int_if proto gre from any to any -> 127.0.0.1

# ftp proxy
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from any to any port ftp -> lo0 port 8021

# ssh
rdr on $ext_if proto tcp from any to any port 5952 -> $papi port 5952

# emule
rdr on $ext_if proto tcp from any to any port 4662 -> $papi port 4662
rdr on $ext_if proto tcp from any to any port 4665 -> $papi port 4665
rdr on $ext_if proto udp from any to any port 4672 -> $papi port 4672
rdr on $ext_if proto tcp from any to any port 4762 -> $dani port 4762
rdr on $ext_if proto udp from any to any port 4772 -> $dani port 4772
rdr on $ext_if proto tcp from any to any port 4862 -> $pinco port 4862
rdr on $ext_if proto udp from any to any port 4872 -> $pinco port 4872

# Azureus, ktorrent
rdr on $ext_if proto { tcp, udp } from any to any port 2234 -> $papi port 2234
rdr on $ext_if proto { tcp, udp } from any to any port 6881 -> $papi port 6881

# DENY rogue redirections
no rdr

################[ Filtering ]#################################
# pass quick all
pass quick on lo0 all

#--- Allow vpns from anywhere to anywhere
pass quick log on $int_if proto gre all keep state
pass quick log on $int_if proto tcp from any to any port pptp flags S/SA keep state

#--- IPs exempt from everything
pass quick on $int_if from $int_if:network to any

#--- Allow networks to see themselves and dns
pass quick from $int_if:network to $int_if:network

############ To Me ############
# icmp
pass in log quick on $ext_if inet proto icmp from any to ($ext_if) icmp-type { echorep, echoreq, timex, unreach } keep state

# vpn
pass in quick log on $ext_if proto gre all synproxy state
pass in quick log on $ext_if proto tcp from any to any port pptp synproxy state
anchor vpns

# Anchor for ftp-proxy
anchor "ftp-proxy/*"

# Incoming to computers
pass in log quick on $ext_if inet proto tcp from any to $papi port 5952 flags S/SA keep state
pass in log quick on $ext_if inet proto {tcp,udp} from any to $papi port 2234 flags S/SA keep state
pass in log quick on $ext_if inet proto {tcp,udp} from any to $papi port 6881 keep state
pass in log quick on $ext_if inet proto tcp from any to $papi port 4662 flags S/SA keep state
pass in log quick on $ext_if inet proto tcp from any to $papi port 4665 flags S/SA keep state
pass in log quick on $ext_if inet proto udp from any to $papi port 4672 keep state
pass in log quick on $ext_if inet proto tcp from any to $dani port 4762 flags S/SA keep state
pass in log quick on $ext_if inet proto udp from any to $dani port 4772 keep state
pass in log quick on $ext_if inet proto tcp from any to $pinco port 4862 flags S/SA keep state
pass in log quick on $ext_if inet proto udp from any to $pinco port 4872 keep state

# Global outgoing prioritized
pass out log quick on $ext_if inet proto icmp from any to any keep state queue (dns)
pass out log quick on $ext_if inet proto gre from any to any keep state queue (dns, ack)
pass out log quick on $ext_if inet proto tcp from any to any port pptp flags S/SA keep state queue (dns, ack)
pass out log quick on $ext_if inet proto tcp from any to any port http flags S/SA keep state queue (web, ack)
pass out log quick on $ext_if inet proto tcp from any to any port https flags S/SA keep state queue (web, ack)
pass out log quick on $ext_if inet proto tcp from any to any port ssh flags S/SA keep state queue (ssh_bulk, ssh_login)
pass out log quick on $ext_if inet proto tcp from any to any port 2200 flags S/SA keep state queue (ssh_bulk, ssh_login)
pass out log quick on $ext_if inet proto tcp from any to any port 5952 flags S/SA keep state queue (ssh_bulk, ssh_login)
pass out log quick on $ext_if inet proto tcp from any to any port pop3 flags S/SA keep state queue (mail, ack)
pass out log quick on $ext_if inet proto tcp from any to any port smtp flags S/SA keep state queue (mail, ack)
pass out log quick on $ext_if inet proto udp from any to any port domain keep state queue dns
# pass out log quick on $ext_if inet proto udp from any to any port 27960 keep state

# Global outgoing non-prioritized (default)
# pass out log quick on $ext_if inet proto tcp from any to any port 1863 flags S/SA keep state
pass out log quick on $ext_if inet proto tcp from any to any flags S/SA keep state
pass out log quick on $ext_if inet proto udp from any to any keep state

# Block everything else
block log all

--
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since 2.2.8 [not Pro-Audio.... YET!!]
(99% winblows FREE)
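The two checks Daniel asks for in the quoted message (is there a state entry for the VPN client, and how often is pf_map_addr() being called) can be scripted rather than eyeballed. The block below is an added example, not code from this thread: a small Python parser for `pfctl -vvss` state lines and for the syslog `pf_map_addr` messages, run over the output Mario posted. It filters on the client address alone instead of on "10.10.10.2:" as the grep above does; that grep cannot match a GRE state, because pfctl prints no port for GRE, so one constructed port-less GRE state line is included in the sample to show that case. The field meanings are read off the posted output (in a `->` state the middle address is the NAT-translated source; in a `<-` state it is the destination before rdr); the GRE sample line, the `diagnose()` helper and its verdict strings are assumptions made here for illustration.

```python
"""Correlate pf state entries (pfctl -vvss) with pf_map_addr() syslog noise.

Added example for the thread above, not code from the thread. IPv4 only.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input. The two TCP states are copied from the pfctl -vvss output
# posted in the thread; the GRE state is CONSTRUCTED to show a port-less
# entry, which a grep on "10.10.10.2:" would never match.
PFCTL_SS = """\
rl0 tcp 189.17.94.162:1723 <- 10.10.10.2:19285       ESTABLISHED:ESTABLISHED
   [2640059824 + 65535] [2169377171 + 65535]
   age 00:00:24, expires in 00:59:57, 6:5 pkts, 584:540 bytes, rule 2
tun0 tcp 10.10.10.2:19285 -> 177.17.68.103:16885 -> 189.17.94.162:1723       ESTABLISHED:ESTABLISHED
   [2169377171 + 65535] [2640059824 + 65535]
   age 00:00:24, expires in 00:59:57, 6:5 pkts, 584:540 bytes, rule 31
tun0 gre 10.10.10.2 -> 177.17.68.103 -> 189.17.94.162       MULTIPLE:MULTIPLE
   age 00:00:20, expires in 00:00:50, 12:9 pkts, 720:600 bytes, rule 30
"""

# Syslog lines copied from the thread (Daniel's quote of Mario's kernel log).
SYSLOG = """\
Sep 10 10:27:16 lobos kernel: pf_map_addr: selected address 177.17.68.103
Sep 10 10:27:49 lobos last message repeated 83 times
Sep 10 10:28:59 lobos last message repeated 283 times
"""

ADDR = r"[\d.]+(?::\d+)?"  # IPv4 address with optional :port
STATE_HDR = re.compile(
    rf"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<a>{ADDR})\s+(?P<dir><-|->)\s+"
    rf"(?:(?P<nat>{ADDR})\s+(?P=dir)\s+)?(?P<b>{ADDR})\s+(?P<status>\S+)\s*$"
)
RULE_NO = re.compile(r"\brule (?P<rule>\d+)\b")
MAP_ADDR = re.compile(r"pf_map_addr: selected address (?P<addr>[\d.]+)")
REPEATED = re.compile(r"last message repeated (?P<n>\d+) times")


@dataclass
class State:
    iface: str
    proto: str
    direction: str      # "in" for "<-", "out" for "->"
    src: str            # original (pre-NAT) source endpoint
    dst: str            # final destination endpoint
    nat: Optional[str]  # translated source ("->") or pre-rdr destination ("<-")
    status: str
    rule: Optional[int] = None


def parse_states(text: str) -> List[State]:
    """Parse pfctl -vvss output; the 'rule N' detail line is folded into
    the state header that precedes it."""
    states: List[State] = []
    for line in text.splitlines():
        m = STATE_HDR.match(line)
        if m:
            direction = "in" if m["dir"] == "<-" else "out"
            a, b = m["a"], m["b"]
            src, dst = (b, a) if direction == "in" else (a, b)
            states.append(State(m["iface"], m["proto"], direction, src, dst,
                                m["nat"], m["status"]))
            continue
        r = RULE_NO.search(line)
        if r and states and states[-1].rule is None:
            states[-1].rule = int(r["rule"])
    return states


def count_map_addr(text: str) -> Dict[str, int]:
    """Count pf_map_addr() calls per selected address, expanding syslog's
    'last message repeated N times' compression."""
    counts: Dict[str, int] = {}
    last: Optional[str] = None
    for line in text.splitlines():
        m = MAP_ADDR.search(line)
        if m:
            last = m["addr"]
            counts[last] = counts.get(last, 0) + 1
            continue
        r = REPEATED.search(line)
        if r and last is not None:
            counts[last] += int(r["n"])
    return counts


def host_of(endpoint: str) -> str:
    return endpoint.split(":")[0]


def nat_states_for(states: List[State], host: str, ext_if: str) -> List[State]:
    """Outbound states on ext_if whose original source is `host` and that
    carry a translation, i.e. what a 'pass out ... keep state' rule creates."""
    return [s for s in states if s.iface == ext_if and s.direction == "out"
            and host_of(s.src) == host and s.nat is not None]


def diagnose(pfctl_text: str, syslog_text: str, host: str, ext_if: str) -> dict:
    """Hypothetical summary: no NAT state + repeated pf_map_addr() lines is
    the symptom Daniel describes; verdict names are made up for this example."""
    states = parse_states(pfctl_text)
    calls = count_map_addr(syslog_text)
    natted = nat_states_for(states, host, ext_if)
    translated = {host_of(s.nat) for s in natted}
    if not natted:
        verdict = "no-nat-state"  # every packet re-enters pf_map_addr()
    elif not calls or translated <= set(calls):
        verdict = "nat-state-present"
    else:
        verdict = "translated-address-mismatch"
    return {"map_addr_calls": sum(calls.values()), "nat_states": len(natted),
            "rules": sorted(s.rule for s in natted if s.rule is not None),
            "verdict": verdict}


if __name__ == "__main__":
    print(diagnose(PFCTL_SS, SYSLOG, "10.10.10.2", "tun0"))
```

On the posted sample this reports 367 pf_map_addr() calls for 177.17.68.103 and two translated outbound states on tun0 (rules 30 and 31) whose translated source is that same address; feeding it only the inbound rl0 state instead yields the "no-nat-state" verdict, which is the situation the repeated kernel messages point at.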
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201109101917.30117.lobo>