Date: Tue, 12 Apr 2005 09:51:56 +0200
From: stephen <dinzdale@gmail.com>
To: pf@benzedrine.cx, freebsd-pf@freebsd.org
Subject: pflog and traffic via gif_if
Message-ID: <ee918c7805041200513d8f36a@mail.gmail.com>
Hi, I'm not sure what I'm not doing wrong, but I can't seem to send any traffic via gif3 ($gif_if).. The rule I had in place is a working rule from previous conf, but in my wisdom in rewriting conf from scratch yesterday I managed to overwrite the previous conf. The only different thing I had which may have come into play was a pass out all on ext_if rule which I no longer want.

I tried having a look at pflog0 with tcpdump, but it doesn't seem to show any traffic at all, never mind just the blocked traffic (I would like to know if there is a way to log all? all examples I've seen online say 'block log all'). I made sure I did 'ifconfig pflog0 up' before attempting to run tcpdump on it.

/etc/pf.conf:

##### macros
int_if = "rl0"
ext_if = "tun0"
gif_if = "gif3"
icmp_types = "echoreq"
-list of ports/hosts here-

##### aliases
bi = "block in"
bo = "block out"
bq = "block quick"
biq = "block in quick"
boq = "block out quick"
bd = "block drop"
pi = "pass in"
po = "pass out"
pq = "pass quick"
piq = "pass in quick"
poq = "pass out quick"
ks = "keep state"
ms = "modulate state"
ss = "synproxy state"
l = "label"
int_net = "{" $int_if:network "}"

##### behavior options
set block-policy return
set loginterface $ext_if

##### scrub
scrub in all

##### nat/rdr
nat on $ext_if from $int_net to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 3128

##### anti spoofing protection
#antispoof quick for $int_if inet
#antispoof quick for $ext_if inet
#antispoof quick for lo0
#$bd in on $ext_if from $priv_nets to any
#$bd out on $ext_if from any to $priv_nets

#####filter rules
###default block and log all
block log all
#$pi inet proto icmp all icmp-type $icmp_types $ks
#$po inet proto icmp all icmp-type $icmp_types $ks
$pq on lo0 all

###filter rules for $int_if inbound
$bi on $int_if all
$pi on $int_if inet proto tcp from any to $int_if port 2222 $ks
$pi on $int_if proto { udp,tcp } from $int_net to any port 53 $ks
$pi on $int_if proto tcp from $soh to any port 3128 flags S/SA $ks $l "http : $srcaddr "
$pi on $int_if proto tcp from $soh to any port 443 flags S/SA $ks $l "ssl : $srcaddr "
$pi on $int_if proto tcp from $int_net to $int_if port { 21,20 } $ks
$pi on $int_if proto tcp from $soh to $int_if port 25 $ks $l "smtp : $srcaddr "
$pi on $int_if proto tcp from $soh to $int_if port 110 $ks $l "pop3 : $srcaddr "
$pi on $int_if proto tcp from $int_net to ($ext_if) port { 25,110 } $ks
$pi on $int_if proto tcp from $sh to any port { 6667,6668,7000 } $ks

###filter rules for $int_if outbound
$bo on $int_if all
$po on $int_if inet proto tcp from $int_if to $int_net port 20 $ks

###filter rules for $ext_if inbound
$bi on $ext_if all
$pi on $ext_if inet proto tcp from any to ($ext_if) port 20 $ks
$pi on $ext_if inet proto tcp from any to ($ext_if) port 21 $ks
$pi on $ext_if inet proto tcp from any to ($ext_if) port 25 $ks
$pi on $ext_if inet proto tcp from any to ($ext_if) port 110 $ks

###filter rules for $ext_if outbound
$bo on $ext_if all
$po on $ext_if from any to $dns $ks
$po on $ext_if inet proto tcp from ($ext_if) to $vpn_conf flags S/SA $ks
$po on $ext_if inet proto tcp from ($ext_if) to any port 21 $ks
$po on $ext_if inet proto tcp from ($ext_if) to any port 20 $ks
$po on $ext_if inet proto tcp from ($ext_if) to $mail1 port 25 $ks $l "total smtp (storm) : "
$po on $ext_if inet proto tcp from ($ext_if) to $mail1 port 110 $ks $l "total pop3 (storm) : "
$po on $ext_if inet proto tcp from ($ext_if) to $mail2 port 25 $ks $l "total smtp (saix) : "
$po on $ext_if inet proto tcp from ($ext_if) to any port 80 $ks $l "total http : "
$po on $ext_if inet proto tcp from ($ext_if) to any port { 6667,6668,7000 } $ks
$pi inet proto icmp all icmp-type $icmp_types $ks
$po inet proto icmp all icmp-type $icmp_types $ks

###filter to pass all tunnel traffic
$pi on $gif_if all
$po on $gif_if all
-eof-

I also added a rule:

$po on $ext_if from ($ext_if) to $gif_if $ks

as well as

$po on $ext_if from ($ext_if) to 10.0.89.0/24 $ks

but neither seem to help much... (they shouldn't be necessary because I said pass in/out all on $gif??

It would be a lot easier if I could decipher what is going on via pflog0, but when I do:

tcpdump -n -e -ttt -vv -i pflog0

all I get is:

tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

What confuses me is that even though I have a specific pass in/out rule for icmp, a pass out rule after that for $gif_if, and no rules after that (so there are no more block matches)... I still can't ping or send/recv traffic via $gif_if to 10.0.89.0 but can ping other hosts:

Tue Apr 12 09:31:45 root@bollox:~# ping -c 3 www.iol.co.za
PING www.iol.co.za (196.30.168.79): 56 data bytes
64 bytes from 196.30.168.79: icmp_seq=0 ttl=58 time=45.315 ms
64 bytes from 196.30.168.79: icmp_seq=1 ttl=58 time=47.876 ms
64 bytes from 196.30.168.79: icmp_seq=2 ttl=58 time=54.126 ms

--- www.iol.co.za ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 45.315/49.106/54.126/3.701 ms

Tue Apr 12 09:31:59 root@bollox:~# ifconfig gif3
gif3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet x.x.y.123 --> x.x.z.96
        inet 10.0.88.254 --> 10.0.89.254 netmask 0xffffff00
        inet6 fe80::248:54ff:fed1:3308%gif3 prefixlen 64 scopeid 0x7

Tue Apr 12 09:32:08 root@bollox:~# ping -c 3 10.0.89.254
PING 10.0.89.254 (10.0.89.254): 56 data bytes
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted

--- 10.0.89.254 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

I may be doing something stupid in either of the two problems, but perhaps a look from someone else will spot something I have not noticed..

Thanks in advance,
Stephen.
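The following pf.conf fragment is an added example, not part of Stephen's post or reply. It shows the point his ruleset misses: a packet sent through gif3 is filtered twice, once on gif3 as the inner packet and again on tun0 as an IP-in-IP (protocol 4, "ipencap") datagram between the two tunnel endpoints, so "block out on $ext_if all" with "set block-policy return" is what produces "sendto: Operation not permitted". The endpoint addresses are the masked placeholders from his ifconfig output.

```pf
# Added example (not from the original post). Macros reuse the names from
# Stephen's /etc/pf.conf; tun_src/tun_dst are placeholders copied from
# "ifconfig gif3" and must be replaced with the real tunnel endpoints.
ext_if     = "tun0"
gif_if     = "gif3"
tun_src    = "x.x.y.123"      # placeholder: local tunnel endpoint
tun_dst    = "x.x.z.96"       # placeholder: remote tunnel endpoint
remote_net = "10.0.89.0/24"

set block-policy return

# Default deny; every blocked packet goes to pflog0.
block log all

# Pass 1: the inner packets as seen on the tunnel interface itself.
# (This is the part the original ruleset already has.)
pass in  on $gif_if from $remote_net to any keep state
pass out on $gif_if from any to $remote_net keep state

# Pass 2: the encapsulated packets as seen on the external interface.
# Without these, "block out on $ext_if all" silently eats the tunnel.
# "ipencap" is IP protocol 4 from /etc/protocols; "proto 4" is equivalent.
# "log" on a pass rule sends the matching packets to pflog0 as well, which
# answers the "is there a way to log all?" question: log passes, not just blocks.
pass in  log on $ext_if proto ipencap from $tun_dst to $tun_src
pass out log on $ext_if proto ipencap from $tun_src to $tun_dst
```

When pflog0 stays silent, `pfctl -vvsr` prints each loaded rule with its rule number and evaluation/packet counters, so the rule whose counters climb while the ping fails is the one actually matching.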