From owner-freebsd-pf@FreeBSD.ORG Fri Feb 7 13:16:47 2014
From: Daniel Engberg
To: freebsd-pf@freebsd.org
Subject: pf + NAT + ICMP issues?
Date: Fri, 07 Feb 2014 14:16:43 +0100
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi,

I've been tearing my hair out on this one. This ruleset worked fine on 9.1 and 9-STABLE around the same time but doesn't on HEAD (the most recent box I have is running r261486 (amd64)). I might be missing something obvious, so I guess I need another pair of eyes.

Anyhow, the issue is pretty simple: for some reason, on clients behind the firewall, ping and tracert don't work as they did before. Using ping (Windows 7) the first packet always gets a timeout, and tracert doesn't work except at the end hop.
Here's a sample:

ping ping.sunet.se

Pinging ping.sunet.se [192.36.125.18] with 32 bytes of data:
Request timed out.
Reply from 192.36.125.18: bytes=32 time=5ms TTL=244
Reply from 192.36.125.18: bytes=32 time=5ms TTL=244
Reply from 192.36.125.18: bytes=32 time=5ms TTL=244

Ping statistics for 192.36.125.18:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 5ms, Maximum = 5ms, Average = 5ms

However, running the same command directly afterwards there are no timeouts; if you wait about 3-4 seconds you'll get the same result (i.e. a timeout).

Running tracert results in the following:

tracert ping.sunet.se

Tracing route to ping.sunet.se [192.36.125.18]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     5 ms     5 ms     5 ms  ping.sunet.se [192.36.125.18]

I've tested this on 3 different connections and they all have the same issue (different boxes, although all are running -HEAD). Running ping (ICMP) and traceroute (ICMP) works fine on the firewall itself, which makes me a bit puzzled.
Here's the ruleset:

################################
### Packet Firewall Ruleset ####
################################

###################
#### Variables ####
###################

# External interface
ext_if="em1"

# Internal interface
int_if="em0"

# Follow RFC1918 and don't route to non-routable IPs
# http://www.iana.org/assignments/ipv4-address-space
# http://rfc.net/rfc1918.html
nonroute = "{ 0.0.0.0/8, 20.20.20.0/24, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, 224.0.0.0/3, 255.255.255.255 }"

# Set allowed ICMP types
icmp_types = "{ 0, 3, 4, 8, 11, 12 }"

####################################
#### Options and optimizations #####
####################################

# Set interface for logging (statistics)
set loginterface $ext_if

# Drop states as fast as possible without having excessively low timeouts
set optimization aggressive

# Block policy, either silently drop packets or tell sender that request is blocked
set block-policy return

# Don't bother to process (filter) the following interfaces, such as loopback:
set skip on lo0

# Scrub traffic
scrub on $ext_if all

#######################
#### NAT & Proxies ####
#######################

# Enable NAT and tell pf not to change ports
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Redirect ftp connections to ftp-proxy
rdr pass on $int_if inet proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021

# Enable ftp-proxy (active connections)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Anchors need to be set after nat/rdr-anchor
anchor "ftp-proxy/*"

################################
#### Rules inbound (int_if) ####
################################

# Pass on everything
pass in quick on $int_if inet all keep state

#################################
#### Rules outbound (int_if) ####
#################################

# Pass on everything
pass out quick on $int_if inet all keep state

################################
#### Rules inbound (ext_if) ####
################################

# Drop packets from non-routable addresses directly
block drop in quick on $ext_if from $nonroute to any

# Allow DHCP
pass in quick on $ext_if inet proto udp to ($ext_if) port { 67, 68 }

# Allow ICMP
pass in quick on $ext_if inet proto icmp all icmp-type $icmp_types

# Allow FTPs to connect to our FTP-proxy
pass in quick on $ext_if inet proto tcp to ($ext_if) port ftp-data user proxy

# Block everything else
block in on $ext_if all

#################################
#### Rules outbound (ext_if) ####
#################################

# Drop packets to non-routable addresses directly
block drop out quick on $ext_if from any to $nonroute

pass out on $ext_if all

Hopefully someone can figure out what's going on...

Best regards,
Daniel
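The first thing to check when ICMP stops working through a pf NAT like the one above is the state table: pf matches an echo reply (and the ICMP time-exceeded messages tracert relies on) back to the inside host by the outbound state it created for the echo request, keyed on the ICMP id that `pfctl -ss` prints in the "port" position. The script below is an added example, not part of Daniel's mail or of pf itself. It parses `pfctl -ss` output and reports, for a given inside host, whether an outbound ICMP state exists and whether NAT rewrote the echo id, and which inside host a given reply would be translated back to. The sample state lines are constructed; their layout is modeled on pfctl's "translated (original) -> destination  state" form, and that exact layout, the addresses, and the function names are assumptions of this example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, modeled on the layout of `pfctl -ss` on FreeBSD:
#   <ifname> <proto> <src>:<port> [(<pre-NAT src>:<port>)] -> <dst>:<port>  <state>
# for outbound states and "<dst>:<port> <- <src>:<port>" for inbound ones.
# For icmp states the "port" is the ICMP echo id. The exact column layout is an
# assumption; the regex below only relies on the "addr:port (orig:port) -> addr:port" shape.
SAMPLE_PFCTL_SS = """\
all tcp 203.0.113.10:51234 (192.168.1.20:51234) -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED
all icmp 203.0.113.10:1 (192.168.1.20:1) -> 192.36.125.18:1       0:0
all icmp 203.0.113.10:7 (192.168.1.21:1) -> 192.36.125.18:7       0:0
all icmp 203.0.113.10:8 <- 192.0.2.33:8       0:0
all udp 203.0.113.10:53 (192.168.1.20:60001) -> 198.51.100.53:53       MULTIPLE:SINGLE
"""

# IPv4 only: IPv6 addresses contain ':' and would need a different split.
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<a_addr>[^\s(:]+):(?P<a_port>\d+)"
    r"(?:\s+\((?P<a_orig_addr>[^\s:]+):(?P<a_orig_port>\d+)\))?"
    r"\s+(?P<dir><-|->)\s+"
    r"(?P<b_addr>[^\s(:]+):(?P<b_port>\d+)"
    r"(?:\s+\((?P<b_orig_addr>[^\s:]+):(?P<b_orig_port>\d+)\))?"
    r"\s+(?P<state>\S+)\s*$"
)


def parse_states(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse `pfctl -ss` style lines into dicts; lines that do not match are skipped."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            states.append(m.groupdict())
    return states


def outbound_icmp_states(states, inside_host: str):
    """Outbound (->) icmp states whose pre-NAT source is inside_host."""
    return [
        s for s in states
        if s["proto"] == "icmp" and s["dir"] == "->"
        and (s["a_orig_addr"] or s["a_addr"]) == inside_host
    ]


def nat_rewrote_id(state) -> bool:
    """True when the echo id seen on the outside differs from the one the host sent."""
    return state["a_orig_port"] is not None and state["a_orig_port"] != state["a_port"]


def match_echo_reply(states, ext_addr: str, remote: str, echo_id: int) -> Optional[str]:
    """Inside host an echo reply (remote -> ext_addr with this id) would be translated
    back to, or None when no outbound state exists for it (e.g. the state expired)."""
    for s in states:
        if s["proto"] != "icmp" or s["dir"] != "->":
            continue
        if s["a_addr"] == ext_addr and s["b_addr"] == remote and s["a_port"] == str(echo_id):
            return s["a_orig_addr"] or s["a_addr"]
    return None


if __name__ == "__main__":
    states = parse_states(SAMPLE_PFCTL_SS)
    for host in ("192.168.1.20", "192.168.1.21", "192.168.1.22"):
        for s in outbound_icmp_states(states, host):
            print(host, "->", s["b_addr"], "id", s["a_orig_port"], "as", s["a_port"],
                  "(id rewritten)" if nat_rewrote_id(s) else "(id kept)")
    print("reply id 7 from 192.36.125.18 goes to:",
          match_echo_reply(states, "203.0.113.10", "192.36.125.18", 7))
    print("reply id 9 from 192.36.125.18 goes to:",
          match_echo_reply(states, "203.0.113.10", "192.36.125.18", 9))
```

On the firewall, capture the table while a client runs its first ping and again a few seconds later (`pfctl -ss | grep icmp`, saved to a file) and feed each capture to `parse_states`; if the outbound icmp state is missing at the moment the reply arrives, the reply has nothing to be translated back through, and with the ruleset above it is instead accepted by the `pass in ... proto icmp` rule as new traffic addressed to the firewall itself.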