Date: Thu, 24 Jan 2019 15:37:02 -0500
From: "James B. Byrne" <byrnejb@harte-lyne.ca>
To: freebsd-pf@freebsd.org
Subject: routing LAN traffic through/around a pf gateway
Message-ID: <c3e5a147fa9548de5dea67be5e05f8bc.squirrel@webmail.harte-lyne.ca>
I have limited knowledge of PF, being in the process of transitioning from
20+ years of RHEL/CentOS to FreeBSD. Neither do I possess a great fund of
knowledge respecting IP routing. That said, this is my problem:

On a small test LAN I have three hosts, W44, W4 and G5:

network layout, gateway address 216.185.71.5

    W44                   G5                    W4
    216.185.71.44  ---->  216.185.71.5          216.185.71.4     int_if IP
    192.168.150.44        192.168.150.5  ---->  192.168.150.4    int_if IP alias

Using ssh and with PF running on the gateway, when I connect from
216.185.71.44 to 216.185.71.4 then the ssh session operates normally.
However, if instead I connect from 216.185.71.44 to 192.168.150.4 then the
initial connection is made but the ssh session remains responsive only for a
brief time before it becomes non-responsive. If I terminate the PF running on
the gateway the ssh session again becomes responsive. If I do not terminate
PF then eventually the ssh session client disconnects with a timeout error.

Besides macros, the entire active contents of pf.conf on G5 are:

    scrub in all no-df max-mss 1440 fragment reassemble

    block return out log all
    block drop in log all

    pass log on $int_if

    pass inet proto icmp all \
      icmp-type $icmp_types keep state

    pass out quick on $ext_if inet proto udp \
      from any \
      to any port 33433 >< 33626 keep state

Which results in these rules when PF is running:

    @0 scrub in all no-df max-mss 1440 fragment reassemble
    @1 block return out log all
    @2 block drop in log all
    @3 pass log on em0 all flags S/SA keep state
    @4 pass inet proto icmp all icmp-type echoreq keep state
    @5 pass inet proto icmp all icmp-type unreach keep state
    @6 pass out quick on em1 inet proto udp from any to any port 33433 >< 33626 keep state

When the ssh session is non-responsive, PF records like this are logged:

    rule 1/0(match): block in on em0: 216.185.71.44.63394 > 192.168.150.4.22: Flags [P.], seq 2664:2952, ack 6041, win 1030, options [nop,nop,TS val 263607703 ecr 653371936], length 288

My question is: What filter rules will permit the ssh session established as
above to remain responsive with PF running on the gateway, while maintaining
the default block directive for everything else?

I am looking for the general case where hosts on the LAN that have multiple
IP addresses can communicate with each other using any assigned IP without
having PF involved at all, but which are filtered when passing through the
gateway or natted to the WAN.

Thanks,

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail
James B. Byrne                mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
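As an added example (not from the post, and not pf's own tooling), a small Python parser for the tcpdump-style pflog line format quoted above that flags blocked TCP segments carrying no SYN: with a keep-state ruleset such a mid-connection segment only reaches the block rules when no state matches it, which is what one sees when the return half of a flow takes a path that bypasses the gateway. The first sample line is the one from the post; the other two are constructed, and the regex and helper names are this example's own.

```python
import re
from typing import Any, Dict, List, Optional

# tcpdump-style pflog line (format taken from the one log line quoted in the post; the
# regex and the helper functions are this example's own, not part of pf or the post).
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): (?P<action>\w+) (?P<dir>in|out)"
    r" on (?P<ifname>\w+): (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
    r" Flags \[(?P<flags>[^\]]*)\]"
)

def parse_pflog(line: str) -> Optional[Dict[str, Any]]:
    """Parse one TCP pflog line into a dict; returns None for lines in another format."""
    m = PFLOG_RE.search(line)
    if m is None:
        return None
    entry = m.groupdict()
    for key in ("rule", "sub", "sport", "dport"):
        entry[key] = int(entry[key])
    return entry

def is_midstream_block(entry: Dict[str, Any]) -> bool:
    """True when pf blocked a TCP segment that carries no SYN. With a keep-state
    ruleset such a segment only reaches the block rules when no state matches it,
    the symptom of a flow whose other direction never crossed this firewall
    (asymmetric path) or whose state has already expired."""
    return entry["action"] == "block" and "S" not in entry["flags"]

def asymmetric_candidates(lines: List[str]) -> List[str]:
    """Return 'src:sport -> dst:dport on ifname' for every blocked mid-stream segment."""
    hits = []
    for line in lines:
        entry = parse_pflog(line)
        if entry is not None and is_midstream_block(entry):
            hits.append(f"{entry['src']}:{entry['sport']} -> {entry['dst']}:{entry['dport']}"
                        f" on {entry['ifname']}")
    return hits

# Constructed sample: the first line is the one quoted in the post, the other two are invented.
SAMPLE_LOG = [
    "rule 1/0(match): block in on em0: 216.185.71.44.63394 > 192.168.150.4.22: Flags [P.], "
    "seq 2664:2952, ack 6041, win 1030, options [nop,nop,TS val 263607703 ecr 653371936], length 288",
    "rule 1/0(match): block in on em0: 10.0.0.9.40001 > 192.168.150.4.22: Flags [S], seq 1, win 65535, length 0",
    "rule 3/0(match): pass in on em0: 216.185.71.44.63394 > 216.185.71.4.22: Flags [S], seq 0, win 65535, length 0",
]

if __name__ == "__main__":
    for hit in asymmetric_candidates(SAMPLE_LOG):
        print("possible asymmetric flow:", hit)
```

Run against `tcpdump -n -e -ttt -i pflog0` output, a hit that repeats for the same 4-tuple while the session is hung is the pattern to look for before reaching for routing fixes or a relaxed state policy.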