Date: Fri, 25 Jan 2019 09:17:19 -0500
From: "James B. Byrne" <byrnejb@harte-lyne.ca>
To: "Kristof Provost" <kristof@sigsegv.be>
Cc: byrnejb@harte-lyne.ca, freebsd-pf@freebsd.org
Subject: Re: routing LAN traffic through/around a pf gateway
Message-ID: <c950c8f2acf385315c8eb0fb30531db6.squirrel@webmail.harte-lyne.ca>
In-Reply-To: <77538042-3448-4C7F-8499-F492A06E52E9@sigsegv.be>
References: <c3e5a147fa9548de5dea67be5e05f8bc.squirrel@webmail.harte-lyne.ca> <77538042-3448-4C7F-8499-F492A06E52E9@sigsegv.be>
On Thu, January 24, 2019 19:31, Kristof Provost wrote:
>
> On 25 Jan 2019, at 9:37, James B. Byrne via freebsd-pf wrote:
>
>> I have limited knowledge of PF, being in the process of transitioning
>> from 20+ years of RHEL/CentOS to FreeBSD. Neither do I possess a
>> great fund of knowledge respecting IP routing. That said, this is my
>> problem:
>>
>> On a small test LAN I have three hosts, W44, W4 and G5:
>>
>> network layout, gateway address 216.185.71.5
>>
>>      W44                 G5                   W4
>> 216.185.71.44  ----> 216.185.71.5        216.185.71.4     int_if IP
>> 192.168.150.44       192.168.150.5 ----> 192.168.150.4    int_if IP alias
>>
>> Using ssh, and with PF running on the gateway, when I connect from
>> 216.185.71.44 to 216.185.71.4 the ssh session operates normally.
>> However, if instead I connect from 216.185.71.44 to 192.168.150.4,
>> then the initial connection is made but the ssh session remains
>> responsive only for a brief time before it becomes non-responsive.
>> If I terminate the PF running on the gateway, the ssh session again
>> becomes responsive. If I do not terminate PF, then eventually the
>> ssh client disconnects with a timeout error.
>>
>> Besides macros, the entire active contents of pf.conf on G5 are:
>>
>> scrub in all no-df max-mss 1440 fragment reassemble
>>
>> block return out log all
>>
>> block drop in log all
>>
>> pass log on $int_if
>>
>> pass inet proto icmp all \
>>     icmp-type $icmp_types keep state
>>
>> pass out quick on $ext_if inet proto udp \
>>     from any \
>>     to any port 33433 >< 33626 keep state
>>
>> Which results in these rules when PF is running:
>>
>> @0 scrub in all no-df max-mss 1440 fragment reassemble
>> @1 block return out log all
>> @2 block drop in log all
>> @3 pass log on em0 all flags S/SA keep state
>> @4 pass inet proto icmp all icmp-type echoreq keep state
>> @5 pass inet proto icmp all icmp-type unreach keep state
>> @6 pass out quick on em1 inet proto udp from any to any port 33433 >< 33626 keep state
>>
> You don't appear to have a rule permitting the SSH traffic to pass
> through your router.
> I'm more than a little surprised you manage to establish a connection
> in the first place.
> Unless the connection existed before you started pf, of course.
>
> Try adding something like:
> pass inet proto tcp port 22
>
> Regards,
> Kristof

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada L8E 3C3
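Added example, not part of the thread: a version of G5's pf.conf with the explicit SSH pass rule Kristof suggests, narrowed to the hosts named above. The macro values, the interface-to-name mapping (em0 = int_if, em1 = ext_if) and the choice of W44 as the only host allowed to open SSH are assumptions.

```conf
# Added example of /etc/pf.conf on G5 (assumed values, taken from the
# addresses and interface names shown in the thread).
ext_if     = "em1"
int_if     = "em0"
admin_host = "216.185.71.44"                    # W44, source of the ssh sessions
lan_hosts  = "{ 216.185.71.4, 192.168.150.4 }"  # W4's address and its alias
icmp_types = "{ echoreq, unreach }"

scrub in all no-df max-mss 1440 fragment reassemble

block return out log all
block drop in log all

pass log on $int_if

pass inet proto icmp all icmp-type $icmp_types keep state

# The rule proposed in the reply ("pass inet proto tcp port 22"), restricted
# so that only the admin host may open SSH to the two LAN hosts. Logging the
# rule makes the handshakes visible in pflog; "keep state" lets the reply
# packets match the state entry instead of falling through to the block rules.
pass log inet proto tcp from $admin_host to $lan_hosts port 22 \
    flags S/SA keep state

pass out quick on $ext_if inet proto udp from any \
    to any port 33433 >< 33626 keep state

# Parse-check before loading, then compare the loaded rules and the state
# table with what the thread shows:
#   pfctl -nf /etc/pf.conf    # syntax check only
#   pfctl -f  /etc/pf.conf    # load
#   pfctl -sr                 # loaded rules (compare with @0..@6 above)
#   pfctl -ss                 # state table: look for the 22/tcp entries
```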