From: Aleksic Predrag
To: freebsd-pf@freebsd.org
Date: Sun, 12 Jul 2009 15:57:06 +0200
Subject: pf between two lans
Message-ID: <20090712155707.4925813c@overlord>
In-Reply-To: <3228ef7c0907111044i55b965d3me10ad146314517bf@mail.gmail.com>

Hi all.

I've got two networks set up, 192.168.0.x and 192.168.2.x, and I have a FreeBSD firewall between the two. The problem is that people on 192.168.0.x and 192.168.2.x can't talk to each other.

tzarlazar@192.168.2.248 $ ssh -p 22 -l tzarlazar 192.168.0.246

[root@192.168.0.1 ~]# tcpdump -n -e -vv -i pflog0 port 22
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
15:49:54.633735 rule 0/0(match): block in on vr1: (tos 0x0, ttl 64, id 18042, offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.246.22 > 192.168.2.248.53047: tcp 40 [bad hdr length 0 - too short, < 20]
15:50:00.632597 rule 0/0(match): block in on vr1: (tos 0x0, ttl 64, id 27911, offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.246.22 > 192.168.2.248.53047: tcp 40 [bad hdr length 0 - too short, < 20]
15:50:12.832179 rule 0/0(match): block in on vr1: (tos 0x0, ttl 64, id 36732, offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.246.22 > 192.168.2.248.53047: tcp 40 [bad hdr length 0 - too short, < 20]
15:50:36.828468 rule 0/0(match): block in on vr1: (tos 0x0, ttl 64, id 27440, offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.246.22 > 192.168.2.248.53047: tcp 40 [bad hdr length 0 - too short, < 20]
15:51:05.754673 rule 0/0(match): block out on vr1: (tos 0x0, ttl 63, id 40476, offset 0, flags [DF], proto TCP (6), length 52) 192.168.2.248.53047 > 192.168.0.246.22: tcp 16 [bad hdr length 16 - too short, < 20]
15:51:05.956165 rule 0/0(match): block out on vr1: (tos 0x0, ttl 63, id 2615, offset 0, flags [DF], proto TCP (6), length 52) 192.168.2.248.53047 > 192.168.0.246.22: tcp 32 [bad hdr length 0 - too short, < 20]
15:51:06.362872 rule 0/0(match): block out on vr1: (tos 0x0, ttl 63, id 21085, offset 0, flags [DF], proto TCP (6), length 52) 192.168.2.248.53047 > 192.168.0.246.22: tcp 16 [bad hdr length 16 - too short, < 20]
15:51:07.176242 rule 0/0(match): block out on vr1: (tos 0x0, ttl 63, id 59723, offset 0, flags [DF], proto TCP (6), length 52) 192.168.2.248.53047 > 192.168.0.246.22: tcp 32 [bad hdr length 0 - too short, < 20]
15:51:08.803001 rule 0/0(match): block out on vr1: (tos 0x0, ttl 63, id 25347, offset 0, flags [DF], proto TCP (6), length 52) 192.168.2.248.53047 > 192.168.0.246.22: tcp 16 [bad hdr length 16 - too short, < 20]
15:51:12.056479 rule 0/0(match): block out on vr1: (tos 0x0, ttl 63, id 57211, offset 0, flags [DF], proto TCP (6), length 52) 192.168.2.248.53047 > 192.168.0.246.22: tcp 16 [bad hdr length 16 - too short, < 20]
15:51:18.563581 rule 0/0(match): block out on vr1: (tos 0x0, ttl 63, id 64430, offset 0, flags [DF], proto TCP (6), length 52) 192.168.2.248.53047 > 192.168.0.246.22: tcp 16 [bad hdr length 16 - too short, < 20]
15:51:25.021046 rule 0/0(match): block in on vr1: (tos 0x0, ttl 64, id 4002, offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.246.22 > 192.168.2.248.53047: tcp 24 [bad hdr length 16 - too short, < 20]
15:51:31.577586 rule 0/0(match): block out on vr1: (tos 0x0, ttl 63, id 65157, offset 0, flags [DF], proto TCP (6), length 52) 192.168.2.248.53047 > 192.168.0.246.22: tcp 16 [bad hdr length 16 - too short, < 20]

Does anyone have any ideas why this is happening? And how to fix it? I've attached my pf.conf. If you need more info, please let me know, as I'm new to playing with pf and the like.
# macros
intIF = "vr0"
intIF2 = "vr1"
extIF = "sk0"
tcpPubServices = "{ 22, 80 }"
torrentPort = "57277"
IcmpTypes = "echoreq"
myNet = "192.168.0.0/16"
myLaptop = "192.168.2.248"

# tables (the <name> of each table did not survive in the archived message)
table persist
table persist file "/etc/pf.blocked.sites.conf"

# options
set block-policy drop
set skip on lo0

# normalization
scrub in all fragment reassemble random-id

# translation: no NAT between the two LANs, each LAN NATed to the external
# interface with its own source-port range
no nat on $extIF inet proto { tcp, udp } from $intIF:network to $intIF2:network
no nat on $extIF inet proto { tcp, udp } from $intIF2:network to $intIF:network
nat on $extIF inet proto { tcp, udp } from $intIF:network to any -> (sk0) port 1024:32255
nat on $extIF inet proto { tcp, udp } from $intIF2:network to any -> (sk0) port 32255:65535
rdr on $extIF proto { tcp, udp } from any to any port $torrentPort -> $myLaptop

# filtering
# default deny; as the first filter rule it is numbered 0 in pflog output
block log (all, to pflog0) all
# blocked-sites table on the external interface (table name missing in the archive)
block drop out log (all) quick on $extIF from any to
block drop in log (all) quick on $extIF from to any

# external interface
pass in on $extIF inet proto { tcp, udp } from any to $myLaptop port $torrentPort
pass out on $extIF proto { udp, tcp } from $myLaptop port $torrentPort
pass in on $extIF inet proto { udp, tcp } from any to any port 80
# ssh from anywhere, rate limited (overload table name missing in the archive)
pass quick proto { tcp, udp } from any to any port 22 \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 10/3, \
    overload flush global)
pass out on $extIF proto tcp all modulate state flags S/SA
pass out on $extIF proto { udp, icmp } all keep state
pass out on $extIF proto esp from any to any keep state

# internal interfaces: each LAN may go anywhere, and traffic may leave an
# internal interface only towards that interface's own network
pass in on $intIF from $intIF:network to any keep state
pass out on $intIF from any to $intIF:network keep state
pass in on $intIF2 from $intIF2:network to any keep state
pass out on $intIF2 from any to $intIF2:network keep state
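The pflog output above is the only evidence in the thread, and reading thirteen run-together tcpdump lines by eye hides the pattern. The following is an added example, not code from the post or from FreeBSD/pf: it parses entries in the exact shape `tcpdump -n -e -vv -i pflog0` printed them here (IPv4 only), counts packets per rule number, direction and interface, and groups both packet directions of one connection under a single key so a connection dropped on both legs stands out. The rule number in `rule N/M(match)` is the index of the filter rule in the loaded ruleset, the same `@N` that `pfctl -vvsr` prints. The sample input is constructed: four entries copied from the post plus one made-up `pass` entry and the tcpdump warning line.

```python
"""Summarise pf log entries as printed by `tcpdump -n -e -vv -i pflog0`.

Added example for this thread; not code from the original post or from
FreeBSD/pf. IPv4 entries only, in the line shape shown in the post.
"""
import re
from collections import Counter, defaultdict

# Constructed sample input: the first four entries are copied from the post,
# the fifth (rule 7, pass) is made up to show a logged pass entry, and the
# WARNING line shows that non-entry lines are skipped.
SAMPLE_LOG = """\
tcpdump: WARNING: pflog0: no IPv4 address assigned
15:49:54.633735 rule 0/0(match): block in on vr1: (tos 0x0, ttl 64, id 18042, offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.246.22 > 192.168.2.248.53047: tcp 40 [bad hdr length 0 - too short, < 20]
15:50:00.632597 rule 0/0(match): block in on vr1: (tos 0x0, ttl 64, id 27911, offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.246.22 > 192.168.2.248.53047: tcp 40 [bad hdr length 0 - too short, < 20]
15:51:05.754673 rule 0/0(match): block out on vr1: (tos 0x0, ttl 63, id 40476, offset 0, flags [DF], proto TCP (6), length 52) 192.168.2.248.53047 > 192.168.0.246.22: tcp 16 [bad hdr length 16 - too short, < 20]
15:51:05.956165 rule 0/0(match): block out on vr1: (tos 0x0, ttl 63, id 2615, offset 0, flags [DF], proto TCP (6), length 52) 192.168.2.248.53047 > 192.168.0.246.22: tcp 32 [bad hdr length 0 - too short, < 20]
15:51:40.000000 rule 7/0(match): pass in on vr0: (tos 0x0, ttl 64, id 100, offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.246.40000 > 192.168.2.248.80: tcp 40
"""

# One pflog entry as tcpdump -e -vv prints it. The "[bad hdr length ...]"
# tail is a side effect of the 96-byte capture size and is not parsed.
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[^)]*)\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+): "
    r"\(tos 0x[0-9a-fA-F]+, ttl (?P<ttl>\d+), .*?proto (?P<proto>\w+) \(\d+\), length (?P<length>\d+)\) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)


def parse_pflog(text):
    """Return one dict per entry; lines that are not pflog entries are skipped."""
    records = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m is None:
            continue
        rec = m.groupdict()
        for key in ("rule", "sub", "ttl", "sport", "dport", "length"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def count_by_rule(records):
    """Packets per (rule, action, direction, interface).

    The rule number is the filter rule's index in the loaded ruleset, the
    number `pfctl -vvsr` prints as @N, so a high count on rule 0 points at
    the first filter rule in pf.conf.
    """
    return Counter((r["rule"], r["action"], r["dir"], r["iface"]) for r in records)


def connections(records):
    """Group entries by connection regardless of packet direction.

    The two endpoints are sorted so client->server and server->client
    packets share one key; the value counts the (action, direction,
    interface) combinations seen. A connection showing both "block in"
    and "block out" on one interface is dropped on both legs of its path.
    """
    conns = defaultdict(Counter)
    for r in records:
        ends = sorted([(r["src"], r["sport"]), (r["dst"], r["dport"])])
        key = (r["proto"], ends[0], ends[1])
        conns[key][(r["action"], r["dir"], r["iface"])] += 1
    return dict(conns)


def forwarded(record, initial_ttl=64):
    """True when the packet has crossed at least one router before pf saw it.

    FreeBSD and Linux hosts send with an initial TTL of 64; a TTL below that
    has been decremented by a hop. The log above shows ttl 64 on the "in"
    entries and ttl 63 on the "out" entries of the same connection.
    """
    return record["ttl"] < initial_ttl


def report(text):
    """Human-readable summary lines for a block of tcpdump pflog output."""
    records = parse_pflog(text)
    lines = []
    for (rule, action, direction, iface), n in sorted(count_by_rule(records).items()):
        lines.append(f"rule {rule}: {action} {direction} on {iface}: {n} packet(s)")
    for (proto, a, b), seen in connections(records).items():
        legs = ", ".join(f"{act} {d} on {i} x{n}" for (act, d, i), n in sorted(seen.items()))
        lines.append(f"{proto} {a[0]}:{a[1]} <-> {b[0]}:{b[1]}: {legs}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Pipe real output into it with `tcpdump -n -e -vv -i pflog0 | python3 pflog_summary.py` after replacing `SAMPLE_LOG` with `sys.stdin.read()`; the regex assumes the single-line `-vv` layout shown in the post and would need extending for IPv6 or non-TCP/UDP entries.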