Date:      Tue, 12 Apr 2005 09:51:56 +0200
From:      stephen <dinzdale@gmail.com>
To:        pf@benzedrine.cx, freebsd-pf@freebsd.org
Subject:   pflog and traffic via gif_if
Message-ID:  <ee918c7805041200513d8f36a@mail.gmail.com>

Hi,
I'm not sure what I'm doing wrong, but I can't seem to send any traffic
via gif3 ($gif_if). The rule I have in place is a working rule from a
previous conf, but in my wisdom in rewriting the conf from scratch yesterday I
managed to overwrite the previous conf. The only different thing I had which
may have come into play was a pass out all on ext_if rule which I no longer
want.
 I tried having a look at pflog0 with tcpdump, but it doesn't seem to show
any traffic at all, never mind just the blocked traffic (I would like to know
if there is a way to log all? All examples I've seen online say 'block log
all'). I made sure I did 'ifconfig pflog0 up' before attempting to run
tcpdump on it.
  /etc/pf.conf:
##### macros
int_if = "rl0"
ext_if = "tun0"
gif_if = "gif3"
icmp_types = "echoreq"

-list of ports/hosts here-

##### aliases
bi = "block in"
bo = "block out"
bq = "block quick"
biq = "block in quick"
boq = "block out quick"
bd = "block drop"
pi = "pass in"
po = "pass out"
pq = "pass quick"
piq = "pass in quick"
poq = "pass out quick"
ks = "keep state"
ms = "modulate state"
ss = "synproxy state"
l = "label"
int_net = "{" $int_if:network "}"

##### behavior options
set block-policy return
set loginterface $ext_if

##### scrub
scrub in all

##### nat/rdr
nat on $ext_if from $int_net to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 3128

##### anti spoofing protection
#antispoof quick for $int_if inet
#antispoof quick for $ext_if inet
#antispoof quick for lo0

#$bd in on $ext_if from $priv_nets to any
#$bd out on $ext_if from any to $priv_nets

#####filter rules
###default block and log all
block log all
#$pi inet proto icmp all icmp-type $icmp_types $ks
#$po inet proto icmp all icmp-type $icmp_types $ks
$pq on lo0 all

###filter rules for $int_if inbound
$bi on $int_if all
$pi on $int_if inet proto tcp from any to $int_if port 2222 $ks
$pi on $int_if proto { udp,tcp } from $int_net to any port 53 $ks
$pi on $int_if proto tcp from $soh to any port 3128 flags S/SA $ks $l "http : $srcaddr "
$pi on $int_if proto tcp from $soh to any port 443 flags S/SA $ks $l "ssl : $srcaddr "
$pi on $int_if proto tcp from $int_net to $int_if port { 21,20 } $ks
$pi on $int_if proto tcp from $soh to $int_if port 25 $ks $l "smtp : $srcaddr "
$pi on $int_if proto tcp from $soh to $int_if port 110 $ks $l "pop3 : $srcaddr "

$pi on $int_if proto tcp from $int_net to ($ext_if) port { 25,110 } $ks
$pi on $int_if proto tcp from $sh to any port { 6667,6668,7000 } $ks

###filter rules for $int_if outbound
$bo on $int_if all
$po on $int_if inet proto tcp from $int_if to $int_net port 20 $ks

###filter rules for $ext_if inbound
$bi on $ext_if all
$pi on $ext_if inet proto tcp from any to ($ext_if) port 20 $ks
$pi on $ext_if inet proto tcp from any to ($ext_if) port 21 $ks
$pi on $ext_if inet proto tcp from any to ($ext_if) port 25 $ks
$pi on $ext_if inet proto tcp from any to ($ext_if) port 110 $ks

###filter rules for $ext_if outbound
$bo on $ext_if all
$po on $ext_if from any to $dns $ks
$po on $ext_if inet proto tcp from ($ext_if) to $vpn_conf flags S/SA $ks
$po on $ext_if inet proto tcp from ($ext_if) to any port 21 $ks
$po on $ext_if inet proto tcp from ($ext_if) to any port 20 $ks
$po on $ext_if inet proto tcp from ($ext_if) to $mail1 port 25 $ks $l "total smtp (storm) : "
$po on $ext_if inet proto tcp from ($ext_if) to $mail1 port 110 $ks $l "total pop3 (storm) : "
$po on $ext_if inet proto tcp from ($ext_if) to $mail2 port 25 $ks $l "total smtp (saix) : "
$po on $ext_if inet proto tcp from ($ext_if) to any port 80 $ks $l "total http : "
$po on $ext_if inet proto tcp from ($ext_if) to any port { 6667,6668,7000 } $ks

$pi inet proto icmp all icmp-type $icmp_types $ks
$po inet proto icmp all icmp-type $icmp_types $ks
###filter to pass all tunnel traffic
$pi on $gif_if all
$po on $gif_if all
-eof-
 I also added a rule:
 $po on $ext_if from ($ext_if) to $gif_if $ks
 as well as
 $po on $ext_if from ($ext_if) to 10.0.89.0/24 $ks
but neither seems to help much...
 (they shouldn't be necessary because I said pass in/out all on $gif??)
 It would be a lot easier if I could decipher what is going on via
pflog0, but when I do:
 tcpdump -n -e -ttt -vv -i pflog0
 all I get is:
 tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
 What confuses me is that even though I have a specific pass in/out rule
for icmp, a pass out rule after that for $gif_if, and no rules after that
(so there are no more block matches)... I still can't ping or send/recv
traffic via $gif_if to 10.0.89.0, but can ping other hosts:
 Tue Apr 12 09:31:45 root@bollox:~# ping -c 3 www.iol.co.za
PING www.iol.co.za (196.30.168.79): 56 data bytes
64 bytes from 196.30.168.79: icmp_seq=0 ttl=58 time=45.315 ms
64 bytes from 196.30.168.79: icmp_seq=1 ttl=58 time=47.876 ms
64 bytes from 196.30.168.79: icmp_seq=2 ttl=58 time=54.126 ms

--- www.iol.co.za ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 45.315/49.106/54.126/3.701 ms

Tue Apr 12 09:31:59 root@bollox:~# ifconfig gif3
gif3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
tunnel inet x.x.y.123 --> x.x.z.96
inet 10.0.88.254 --> 10.0.89.254 netmask 0xffffff00
inet6 fe80::248:54ff:fed1:3308%gif3 prefixlen 64 scopeid 0x7

Tue Apr 12 09:32:08 root@bollox:~# ping -c 3 10.0.89.254
PING 10.0.89.254 (10.0.89.254): 56 data bytes
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted

--- 10.0.89.254 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

 I may be doing something stupid in either of the two problems, but perhaps
a look from someone else will spot something I have not noticed..

 Thanks in advance,

Stephen.
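Added example, not part of Stephen's post and not pf's own code: a small Python model of how pf picks the rule that decides a packet's fate (the last matching rule wins unless a matching rule says quick) and of the point that only that deciding rule's log keyword sends the packet to pflog0, so a top-level "block log all" logs nothing for a packet that a later, unlogged block rule also matches. It runs a simplified, macro-expanded version of the ruleset above against the two halves of the tunnelled ping: the inner ICMP packet filtered on gif3 and the encapsulated outer packet filtered on tun0. Assumptions, also marked in the code: the gif tunnel carries IPv4 in IPv4, so the outer packet is IP protocol 4 ("ipencap" in /etc/protocols) and leaves on tun0; "$gif_if" in an address position expands to gif3's own address 10.0.88.254; 198.51.100.123 and 203.0.113.96 are constructed stand-ins for the redacted endpoints x.x.y.123 and x.x.z.96; ports and source addresses are ignored because they do not change the outcome here.

```python
"""Toy model of pf rule evaluation (constructed example, not from pf or the post).

pf walks the ruleset top to bottom; the LAST matching rule decides, unless a
matching rule says 'quick', which ends the walk at once. Only the deciding
rule's 'log' flag puts the packet on pflog0.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    text: str                         # the pf.conf line being approximated
    action: str                       # "pass" or "block"
    direction: Optional[str] = None   # "in", "out" or None for both
    iface: Optional[str] = None       # interface name or None for any
    proto: Optional[str] = None       # protocol name or None for any
    dst: Optional[str] = None         # destination CIDR or None for any
    log: bool = False
    quick: bool = False

    def matches(self, pkt: dict) -> bool:
        if self.direction and self.direction != pkt["dir"]:
            return False
        if self.iface and self.iface != pkt["iface"]:
            return False
        if self.proto and self.proto != pkt["proto"]:
            return False
        if self.dst and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        return True


def evaluate(rules, pkt: dict):
    """Return (action, logged, rule_text) for pkt under pf's last-match semantics."""
    winner = None
    for rule in rules:
        if rule.matches(pkt):
            winner = rule
            if rule.quick:
                break
    if winner is None:
        return ("pass", False, "<no rule matched: pf default pass>")
    return (winner.action, winner.log, winner.text)


# Simplified version of the posted ruleset with macros expanded (rl0, tun0, gif3).
RULESET = [
    Rule("block log all", "block", log=True),
    Rule("pass quick on lo0 all", "pass", iface="lo0", quick=True),
    Rule("block in on rl0 all", "block", "in", "rl0"),
    Rule("block out on rl0 all", "block", "out", "rl0"),
    Rule("block in on tun0 all", "block", "in", "tun0"),
    Rule("block out on tun0 all", "block", "out", "tun0"),
    Rule("pass out on tun0 inet proto tcp from (tun0) to any port 80 keep state",
         "pass", "out", "tun0", "tcp"),
    # ASSUMPTION: an interface name in an address position expands to that
    # interface's own addresses, so '$gif_if' here means 10.0.88.254.
    Rule("pass out on tun0 from (tun0) to gif3 keep state",
         "pass", "out", "tun0", dst="10.0.88.254/32"),
    Rule("pass out on tun0 from (tun0) to 10.0.89.0/24 keep state",
         "pass", "out", "tun0", dst="10.0.89.0/24"),
    Rule("pass out inet proto icmp all icmp-type echoreq keep state",
         "pass", "out", proto="icmp"),
    Rule("pass in on gif3 all", "pass", "in", "gif3"),
    Rule("pass out on gif3 all", "pass", "out", "gif3"),
]

# Constructed packets. 198.51.100.123 and 203.0.113.96 stand in for the
# redacted tunnel endpoints x.x.y.123 and x.x.z.96.
INNER_PING = {"dir": "out", "iface": "gif3", "proto": "icmp",
              "src": "10.0.88.254", "dst": "10.0.89.254"}
# ASSUMPTION: gif(4) wraps the IPv4 ping in an outer IPv4 header (protocol 4,
# 'ipencap' in /etc/protocols) and that outer packet is filtered on tun0.
OUTER_ENCAP = {"dir": "out", "iface": "tun0", "proto": "ipencap",
               "src": "198.51.100.123", "dst": "203.0.113.96"}

# A rule that lets the encapsulated packet out and logs it while debugging.
ENCAP_PASS = Rule("pass out log on tun0 proto ipencap from (tun0) to 203.0.113.96 keep state",
                  "pass", "out", "tun0", "ipencap", dst="203.0.113.96/32", log=True)


def diagnose():
    """Evaluate both halves of the tunnelled ping, before and after ENCAP_PASS."""
    return {
        "inner": evaluate(RULESET, INNER_PING),
        "outer": evaluate(RULESET, OUTER_ENCAP),
        "outer_fixed": evaluate(RULESET + [ENCAP_PASS], OUTER_ENCAP),
    }


if __name__ == "__main__":
    for name, (action, logged, text) in diagnose().items():
        print(f"{name:12s} {action:5s} logged={logged!s:5s} by: {text}")
```

Running it shows the inner ping passing on gif3, the outer ipencap packet blocked by "block out on tun0 all" without being logged (which matches both the "Operation not permitted" from sendto under block-policy return and the empty pflog0), and the outer packet passing and logged once a rule for the encapsulated traffic exists. On a real box the same information comes from pfctl -vvs rules, whose per-rule counters show which rule is matching, and from adding log to the pass rules whose traffic you want to see on pflog0.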


