From: Hexren <me@hexren.net>
Date: Thu, 31 Mar 2005 09:31:07 +0200
To: Jayel Villamin
Cc: freebsd-pf@freebsd.org
Subject: Re: weird PF behavior
Message-ID: <1571611907.20050331093107@hexren.net>
List-Id: Technical discussion and general questions about packet filter (pf)

> Here's a rough sketch of the home network
>
> FBSD 5.3 box ===>>>> xl0 ===>>> ADSL modem
>              ===>>>> xl1 ===>>> 10/100 Mbps switch ===>>> several Windows PCs are connected to the switch
>              ===>>>> xl2 ===>>> Windows PC (via x-over cable). This is the FTP server.
>
> I have an FTP server running on a Windows box with IP = 192.168.2.2
> Here's a snippet of my rules:
> ==========
> ext_if = "tun0"
> elayne_ftp_service = "19985:19989"
> elayne = "192.168.2.2/32"
> rdr on $ext_if proto tcp from any to ($ext_if) port $elayne_ftp_service -> $elayne
> block log all #This is the very first rule after the nat/rdr rules
> pass in quick on $ext_if inet proto tcp from any to $elayne port { $elayne_ftp_service } flags S/SA keep state
> ============
> Looking at the PF FAQ on openbsd.org, this seems to be correct.
> But when I try to connect from work to the FTP, I get the following tcpdump entries:
> =====================
> 15:44:38.009604 IP SOURCE_IP_HIDDEN_FOR_PRIVACY.43318 > TARGET_IP_HIDDEN_FOR_PRIVACY.19989: S 1052116979:1052116979(0) win 49640
> 15:44:41.423697 IP SOURCE_IP_HIDDEN_FOR_PRIVACY.43318 > TARGET_IP_HIDDEN_FOR_PRIVACY.19989: S 1052116979:1052116979(0) win 49640
> ===================
> If I change the last rule in the snippet to:
> ===========
> pass in quick inet proto tcp from any to $elayne port { $elayne_ftp_service } flags S/SA keep state
> ===========
> it works.
> Well, I thought that having "on $ext_if" is correct, as the traffic from work to the home FTP server must pass thru $ext_if.
> Any ideas for this behavior?
> Thanks

---------------------------------------------

Guessing, I would say that: the traffic comes in on $ext_if, a state for it is created, and it then tries to leave over $int_if. At that point it is caught by "block log all #This is the very first rule after the nat/rdr rules", as obviously "on $ext_if" in the pass rule is not true for a packet traversing $int_if. IMHO a rule along the lines of "pass on $int_if from any to $elayne port { $elayne_ftp_service } keep state" should fix the problem. Try it, I am not dead sure.

Regards
Hexren
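For reference, here is the poster's rule set with the extra $int_if pass rule Hexren proposes written out in full. This is an added illustration, not a rule set from the thread: $int_if = "xl2" is taken from the network sketch (xl2 is the cable to the FTP server), the explicit "set state-policy" line is an addition, and the addresses and port macro are the poster's own.

```pf
# Added example, not part of the original thread. Macros are the poster's;
# int_if and the state-policy line are assumptions made here.
ext_if = "tun0"
int_if = "xl2"                  # interface facing the FTP server (from the sketch)
elayne = "192.168.2.2/32"
elayne_ftp_service = "19985:19989"

# Whether a state created by a pass rule "on $ext_if" also matches the same
# packet when it leaves on $int_if depends on the state policy: "floating"
# lets one state cover both interfaces, "if-bound" ties it to $ext_if only.
# Pinning the stricter policy makes the rule set testable under the case
# Hexren describes; under "floating" the $int_if rule below is redundant
# but harmless.
set state-policy if-bound

# Translation: published ports on the external address go to the server.
rdr on $ext_if proto tcp from any to ($ext_if) port $elayne_ftp_service -> $elayne

# Default deny, logged to pflog0 so blocked packets can be inspected.
block log all

# Inbound on the external interface; rdr has already rewritten the
# destination, so the filter rule matches on $elayne, not on ($ext_if).
pass in quick on $ext_if inet proto tcp from any to $elayne port $elayne_ftp_service flags S/SA keep state

# Outbound on the internal interface toward the server: Hexren's suggested
# rule, narrowed to direction and protocol. Required when states are if-bound.
pass out quick on $int_if inet proto tcp from any to $elayne port $elayne_ftp_service flags S/SA keep state
```

The check that settles whether the guess is right is the log: because the deny rule is "block log all", the blocked packet goes to pflog0, and `tcpdump -n -e -ttt -i pflog0` prints the rule number together with the interface and direction it was dropped on (for example "block out on xl2" versus "block in on tun0"). `pfctl -vnf /etc/pf.conf` parses the file without loading it, `pfctl -vvsr` lists the loaded rules with their numbers and match counters, and `pfctl -ss` shows the states actually created for the connection.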