From: stephen
To: pf@benzedrine.cx, freebsd-pf@freebsd.org
Date: Wed, 13 Apr 2005 18:06:10 +0200
Subject: Re: pflog and traffic via gif_if
List-Id: Technical discussion and general questions about packet filter (pf)

Hi again,

After some pondering over my problem re: gif traffic not being able to be sent/received, I've concluded that because gif is tunneled via tun0 (my $ext_if), I need to somehow permit gif traffic via $ext_if.

I've tried a couple of things but neither seem to help. The local network address is 10.0.88.0 and the other end of the tunnel is 10.0.89.0. The local side of the tunnel is 10.0.88.254 and the remote end is 10.0.89.254, as shown below:

Wed Apr 13 16:53:19 root@bollox:~# ifconfig gif3
gif3: flags=8051 mtu 1280
        tunnel inet x.x.y.199 --> x.x.z.214
        inet 10.0.88.254 --> 10.0.89.254 netmask 0xffffff00
        inet6 fe80::248:54ff:fed1:3308%gif3 prefixlen 64 scopeid 0x7

I've pasted my pf.conf again, and cleaned it up a bit by replacing all the variables I made with what they stand for (i.e. '$po' becomes 'pass out').

/etc/pf.conf:

##### macros
int_if = "rl0"
ext_if = "tun0"
gif_if = "gif3"
icmp_types = "echoreq"
# -hosts here- (the host macros $priv_nets, $soh, $dns, $vpn_conf, $mail1 and $mail2 used below are defined here)

##### aliases
ks = "keep state"
ms = "modulate state"
ss = "synproxy state"
int_net = "{" $int_if:network "}"

##### behavior options
set block-policy return
set loginterface $ext_if

##### scrub
scrub in all

##### nat/rdr
nat on $ext_if from $int_net to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 3128

##### anti spoofing protection
#antispoof quick for $int_if inet
#antispoof quick for $ext_if inet
#antispoof quick for lo0
block drop in on $ext_if from $priv_nets to any
block drop out on $ext_if from any to $priv_nets

##### filter rules
### default block and log all
block log all
#pass in inet proto icmp all icmp-type $icmp_types $ks
#pass out inet proto icmp all icmp-type $icmp_types $ks
pass quick on lo0 all

### filter rules for $int_if inbound
# ($bi alias expanded to 'block in', as the other aliases were)
block in on $int_if all
pass in on $int_if inet proto tcp from any to $int_if port 2222 $ks
pass in on $int_if proto { udp, tcp } from $int_net to any port 53 $ks
pass in on $int_if proto tcp from $soh to any port 3128 flags S/SA $ks
pass in on $int_if proto tcp from $soh to any port 443 flags S/SA $ks
pass in on $int_if proto tcp from $int_net to $int_if port { 21, 20 } $ks
pass in on $int_if proto tcp from $soh to $int_if port 25 $ks
pass in on $int_if proto tcp from $soh to $int_if port 110 $ks
pass in on $int_if proto tcp from $int_net to ($ext_if) port { 25, 110 } $ks

### filter rules for $int_if outbound
block out on $int_if all
pass out on $int_if inet proto tcp from $int_if to $int_net port 20 $ks

### filter rules for $ext_if inbound
block in on $ext_if all
pass in on $ext_if inet proto tcp from any to ($ext_if) port 20 $ks
pass in on $ext_if inet proto tcp from any to ($ext_if) port 21 $ks
pass in on $ext_if inet proto tcp from any to ($ext_if) port 25 $ks
pass in on $ext_if inet proto tcp from any to ($ext_if) port 110 $ks

### filter rules for $ext_if outbound
block in on $ext_if all
pass out on $ext_if from any to $dns $ks
pass out on $ext_if inet proto tcp from ($ext_if) to $vpn_conf flags S/SA $ks
pass out on $ext_if inet proto tcp from ($ext_if) to any port 21 $ks
pass out on $ext_if inet proto tcp from ($ext_if) to any port 20 $ks
pass out on $ext_if inet proto tcp from ($ext_if) to $mail1 port 25 $ks
pass out on $ext_if inet proto tcp from ($ext_if) to $mail1 port 110 $ks
pass out on $ext_if inet proto tcp from ($ext_if) to $mail2 port 25 $ks
pass out on $ext_if inet proto tcp from ($ext_if) to any port 80 $ks
pass in inet proto icmp all icmp-type $icmp_types $ks
pass out inet proto icmp all icmp-type $icmp_types $ks

### filter to pass all tunnel traffic
pass in on $gif_if all
pass out on $gif_if all

I've had to specify the ports/hosts separately for labelling purposes, in case anyone wonders why I've written it how I have.

I'm also struggling to get pflog to show anything (I want it to show everything, not just the blocked traffic; would this imply having 'log' in every rule I have?)... I left it running for a while and it showed nothing, even with myself purposely trying to connect to blocked ports (and of course trying to ping via my gif iface).

Thanks in advance,
Stephen
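One way to let the encapsulated tunnel packets through $ext_if and to make pflog show the tunnel traffic, as an added example that is not part of the original post or the poster's ruleset. It assumes gif3 carries IPv4-in-IPv4 (IP protocol 4, listed as ipencap in /etc/protocols; IPv6 inside IPv4 would be protocol 41) and reuses the post's x.x.y.199 / x.x.z.214 endpoint placeholders.

```pf
# Added example, not the poster's configuration. Tunnel endpoints are the
# placeholder values from the post; gif3 is assumed to carry IPv4-in-IPv4.
ext_if        = "tun0"
gif_if        = "gif3"
tunnel_local  = "x.x.y.199"
tunnel_remote = "x.x.z.214"

# The outer packets seen on tun0 are protocol 4 (ipencap) between the two
# endpoints, not TCP/UDP, so none of the port-based pass rules on $ext_if
# match them and the "block in/out on $ext_if all" rules win. 'quick' stops
# evaluation here so later blocks cannot override these; for non-TCP/UDP
# protocols pf keys the state on the endpoint addresses.
pass in  quick log on $ext_if inet proto ipencap from $tunnel_remote to $tunnel_local keep state
pass out quick log on $ext_if inet proto ipencap from $tunnel_local to $tunnel_remote keep state

# The decapsulated traffic is filtered a second time on gif3 itself.
# Limit it to the two tunnel networks instead of "pass ... all".
pass in  log on $gif_if inet from 10.0.89.0/24 to 10.0.88.0/24 keep state
pass out log on $gif_if inet from 10.0.88.0/24 to 10.0.89.0/24 keep state

# pflog only receives packets matched by a rule carrying 'log'. pf uses
# last-match semantics, so the "block log all" at the top is overridden by
# the later "block in on $ext_if all" rules, which carry no 'log': packets
# they drop never reach pflog0. Put 'log' on every rule whose matches should
# be visible, including those later blocks, e.g.
#   block in log on $ext_if all
# "set loginterface" only feeds the counters shown by "pfctl -s info"; it
# does not send anything to pflog0. pflogd must be running and pflog0 up
# (rc.conf: pflog_enable="YES"); the log is then read with
#   tcpdump -n -e -ttt -i pflog0
# and per-rule hit counters can be checked with
#   pfctl -vs rules
```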