Date: Wed, 26 Sep 2007 17:39:57 -0300
From: "David Verzolla" <dverzolla@fcl.com.br>
To: <freebsd-bugs@freebsd.org>
Subject: Problem? With PF
Message-ID: <94CADB570ACCB0418E8236C8F24BD95C01469F9E@VIRTUALEXCHANGE.corp.com>
Hello,
I'm not sure whether this trouble should be posted to this list. BTW.
I'm working with two firewall boxes:
- Dell PowerEdge 2950
  - First network device: BCE0
  - Second network device: BCE1
- HP ML350 G3
  - First network device: BGE0
  - Second network device: XL0
I'm working with the PF firewall + pfsync + VLANs (3 VLANs) + CARP.
All interfaces are cloned with CARP.
The problem is:
My network is slow. When I try to connect to a web server, or try pings from my firewall to some machine located in the DMZ (tests from DMZ -> Firewall box have the same result), I get this trouble:
The command: while true ; do ping -c 1 DMZ_IP ; done
Ping works in most of the tests, but some tests give me this error:
(For security reasons I suppress my original IP, sorry for the inconvenience)
--- 201.x.x.x ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.194/0.194/0.194/0.000 ms
PING 201.x.x.x (201.x.x.x): 56 data bytes
64 bytes from 201.x.x.x: icmp_seq=0 ttl=64 time=0.197 ms
--- 201.x.x.x ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.197/0.197/0.197/0.000 ms
PING 201.x.x.x (201.x.x.x): 56 data bytes
64 bytes from 201.x.x.x: icmp_seq=0 ttl=64 time=0.192 ms
--- 201.x.x.x ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.211/0.211/0.211/0.000 ms
PING 201.x.x.x (201.x.x.x): 56 data bytes
---> ping: sendto: Operation not permitted
The ping returns "Operation not permitted".
Other command:
[root@f1000 /etc/pf]# ping 201.x.x.x
PING 201.x.x.x (201.x.x.x): 56 data bytes
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
64 bytes from 201.x.x.x: icmp_seq=4 ttl=64 time=2.636 ms
64 bytes from 201.x.x.x: icmp_seq=5 ttl=64 time=0.210 ms
64 bytes from 201.x.x.x: icmp_seq=6 ttl=64 time=0.136 ms
The ping returns "Operation not permitted" too.
I have other applications working with Ajax that are broken; the time to load all the resources is longer. With this trouble (Ajax) it's possible to verify that the problem occurs with the TCP protocol as well.
When I disable PF, everything works great.
Below are my rules:
-- begin
# $FreeBSD: src/etc/pf.conf,v 1.2.2.1 2006/04/04 20:31:20 mlaier Exp $
# $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.
# Macros: define common values, so they can be referenced and changed easily.
### NET DEVICES
ext_if = "bce0"
dmz_if = "vlan20"
corp_if = "vlan30"
ras_if = "vlan40"
sync_if = $ras_if
### ICMP OPTIONS
icmp_types="{ echoreq, unreach }"
table <impsat> { 200.x.x.0/26 }
table <totalrange> { 201.x.x.0/20 }
table <dmz> { 201.x.x.0/24 }
# Options: tune the behavior of pf, default values are given.
set optimization normal
#set timeout { tcp.closing 900, tcp.finwait 15, tcp.closed 90 }
set block-policy return
set state-policy floating
set skip on lo
set loginterface $ext_if
set fingerprints "/etc/pf/_pf.os"
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all
#### start
block in
# PFSYNC
pass on $sync_if proto pfsync
# Permit all out
pass out keep state
# PERMIT MULTI-CAST (CARP)
pass quick on { $dmz_if $corp_if $ras_if $ext_if } inet from any to 224.0.0.0/4 allow-opts keep state
# PERMIT DNS OUT
pass in quick on { $dmz_if $corp_if $ras_if } inet proto { udp tcp } from any to any port 53 keep state
# PERMIT DMZ OUT
pass in quick on { $dmz_if } inet proto tcp from <dmz> to any \
    port 80 flags S/SA keep state
# PERMIT SSH
pass in quick on { $ext_if } inet proto tcp from <impsat> to any \
    port { 22 } flags S/SA keep state
# TEMP PERMIT, OLD NET -> NEW NET
pass quick inet proto tcp from <totalrange> to <impsat> \
    flags S/SA keep state
# ME
pass in quick on $ext_if inet proto tcp from <impsat> to $ext_if:network \
    port 22 flags S/SA keep state
pass in quick on $ext_if inet proto udp from <impsat> to $ext_if:network \
    port snmp keep state
pass in quick on $ext_if inet proto tcp from <totalrange> to $ext_if:network \
    port 22 flags S/SA keep state
pass in quick on $ext_if inet proto udp from <totalrange> to $ext_if:network \
    port snmp keep state
### GENERAL RULES
## NTP
pass in quick on { $dmz_if } inet proto udp from 200.x.x.1 port { 123 } to any \
    port { 123 } keep state
### <NS1>
pass in quick on { $ext_if $corp_if } inet proto tcp from any port { 53 } to 200.x.x.2 \
    port { 53 } flags S/SA keep state
pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.2 \
    port { 53 } flags S/SA keep state
pass in quick on { $ext_if $corp_if } inet proto tcp from <impsat> to 200.x.x.2 \
    port { 22 } flags S/SA keep state
pass in quick on { $ext_if $corp_if } inet proto udp from any to 200.x.x.2 \
    port { 53 } keep state
### </NS1>
### <HERZOG_NEW>
pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.3 \
    port { 20 21 80 443 } flags S/SA keep state
# RSYNC
pass in quick on { $ext_if } inet proto tcp from <impsat> to 200.x.x.3 \
    port { 873 } flags S/SA keep state
# FTP
pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.3 \
    port 30000 >< 65000 flags S/SA keep state # PASSIVE MODE
# FTP
pass in quick on { $dmz_if } inet proto tcp from 200.x.x.3 port 20 to any \
    flags S/SA keep state tag FTP-BACK # ACTIVE MODE
### </HERZOG_NEW>
### <Webtrends test>
# WEB
pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.4 \
    port { 80 } flags S/SA keep state
### </Webtrends test>
# <WINDOWS MEDIA>
pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.5 \
    port { 554 1755 } flags S/SA keep state
# VNC
pass in quick on { $ext_if } inet proto tcp from <impsat> to 200.x.x.5 \
    port { 5900 } flags S/SA keep state
pass in quick on { $ext_if $corp_if } inet proto udp from any to 200.x.x.5 \
    port { 554 1755 } keep state
# </WINDOWS MEDIA>
# <TEST WITH NOTEBOOK - HOLIDAY>
pass in quick on { $ext_if $dmz_if } inet proto tcp from any to 200.x.x.6 \
    port { 22 80 } flags S/SA keep state
# </TEST WITH NOTEBOOK - HOLIDAY>
# <TEST WITH CISNET>
pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.7 \
    port { 21 22 } flags S/SA keep state
pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.7 \
    port 30000 >< 65000 flags S/SA keep state # PASSIVE MODE
pass in quick on { $dmz_if } inet proto tcp from 200.x.x.7 port 20 to any \
    flags S/SA keep state tag FTP-BACK # ACTIVE MODE
# </TEST WITH CISNET>
# PING
pass log inet proto icmp all icmp-type $icmp_types keep state
# TRACEROUTE
pass inet proto udp from any to any \
    port 33433 >< 33626 keep state
-- end
Thanks in advance.
David Verzolla
Network Administrator
Fundação Cásper Líbero - FCLNet
Tel: +55 11 3170.5937
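Because the ping fails only some of the time, it helps to separate pf's static rule decision from its state handling. The following is an added example, not part of the post: a toy model of pf's filter evaluation (the last matching rule wins unless a matching rule carries quick) run over a subset of the rules above, with the post's interface macros expanded. For ICMP in either direction it ends at the final non-quick icmp rule, so whatever blocks the echo request intermittently must come from what the model leaves out (state tracking, scrub, pfsync/CARP), which is where pfctl -s states and pflog are worth looking next.

```python
# Added example (not from the post): a toy model of pf's filter pass,
# "last matching rule wins unless a matching rule says quick", run over
# a subset of the posted ruleset. State tracking, scrub, CARP and pfsync
# state exchange are deliberately not modelled; only rule order is.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass
class Rule:
    action: str                        # "pass" or "block"
    label: str                         # comment from the ruleset
    direction: Optional[str] = None    # "in", "out" or None for both
    ifaces: Optional[Set[str]] = None  # None matches any interface
    protos: Optional[Set[str]] = None  # None matches any protocol
    quick: bool = False

@dataclass
class Packet:
    direction: str
    iface: str
    proto: str

def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.direction is None or rule.direction == pkt.direction)
            and (rule.ifaces is None or pkt.iface in rule.ifaces)
            and (rule.protos is None or pkt.proto in rule.protos))

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, label) of the rule that decides the packet.
    pf passes a packet that matches no rule, hence the default."""
    decision = ("pass", "implicit default")
    for rule in rules:
        if matches(rule, pkt):
            decision = (rule.action, rule.label)
            if rule.quick:       # quick: later rules are not consulted
                break
    return decision

# Macros expanded as in the post (sync_if = vlan40, dmz_if = vlan20).
RULES = [
    Rule("block", "block in", direction="in"),
    Rule("pass", "pfsync", ifaces={"vlan40"}, protos={"pfsync"}, quick=True),
    Rule("pass", "pass out keep state", direction="out"),
    Rule("pass", "ping", protos={"icmp"}),   # no quick: last match decides
]

def decide(direction: str, iface: str, proto: str) -> Tuple[str, str]:
    """Which rule of RULES decides a packet with these attributes."""
    return evaluate(RULES, Packet(direction, iface, proto))
```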
