From: Kiss Zoltán <schaman@sch.bme.hu>
To: freebsd-pf@freebsd.org
Date: Thu, 04 Sep 2008 19:29:57 +0200
Subject: pf fails to create state entries to OpenVPN-initiated sessions
List: freebsd-pf ("Technical discussion and general questions about packet filter (pf)")

Hi,

My company has a strange problem with OpenVPN under FreeBSD 7.0. The configuration is the following:

Our central NAT firewall/VPN endpoint has two physical interfaces, one for the public Internet (called ext), and one for our intranet (int, 192.168.1.0/24). On ext there are IPsec tunnels to remote offices through gif interfaces, and int is bridged to tap0, which is used by OpenVPN. Users can seamlessly log in and access the central subnet, but there are strange effects when someone wants to access branch office networks. Note that pf has "set skip" options on all gif interfaces, on the bridge0 interface and on tap0, to avoid filtering on this side.

So as I mentioned, OpenVPN users can access the 192.168.1.0/24 network, but when they send a packet to a remote subnet (e.g. 192.168.2.0/24), sometimes the firewall doesn't create a state entry, and so TCP sessions cannot be established. See this example:

2008-09-03 19:03:35.919390 rule 41/0(match): pass out on int: 192.168.1.100.55754 > 192.168.1.1.53: 61937+[|domain]
2008-09-03 19:03:36.147102 rule 0/0(match): block out on int: 192.168.2.1.3389 > 192.168.1.100.38289: S 1952258627:1952258627(0) ack 479606554 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]>
2008-09-03 19:03:38.682145 rule 0/0(match): block out on int: 192.168.2.1.3389 > 192.168.1.100.38289: S 1952258627:1952258627(0) ack 479606554 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]>

.1.100 is an OpenVPN client; as you see, it passes pf to the central subnet. But in the next two rows, where .2.1 is a terminal server, you can see only the answer packets to the TCP session initiation, which are blocked for lack of a state entry. But what's stranger, when I want to start an RDP session again to the same server 2 minutes later, it works properly!:

2008-09-03 19:05:28.237872 rule 7/0(match): pass in on int: 192.168.1.100.38293 > 192.168.2.1.3389: S 2231405925:2231405925(0) win 5840 <mss 1336,sackOK,timestamp 236974897[|tcp]>

And I didn't make any change on the firewall in these 2 minutes! And this happens quite randomly, so I'm quite confused why it happens. The related firewall rules:

@7 pass in log on int inet from 192.168.1.0/24 to any flags S/SA keep state
@41 pass out log on int inet from 192.168.1.0/24 to any flags S/SA keep state
@42 pass in log on int inet from any to 192.168.16.0/24 flags S/SA keep state

I tried to leave it as permissive as possible. There isn't any dynamic routing on this intranet, and inside the physical networks of our offices anybody can access anybody without any problem. My expectation is that if a packet comes from a VPN client, it goes through tap0 and bridge0, where it's not filtered, passes in on int, and creates a state entry, but somehow it doesn't always happen. Do you have any idea how I can investigate this problem? Any suggestions are welcome.

Regards,
Zoltán Kiss
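One thing the posted excerpt already shows is that the failing connection (client port 38289) has blocked SYN/ACKs but no logged SYN, while the working connection at 19:05:28 has its SYN logged by rule 7. The script below is an added example, not part of the original post and not pf tooling; it makes that comparison systematic over a whole pflog capture: for every blocked TCP SYN/ACK it reports whether a passed inbound SYN for the reverse tuple was logged earlier. It assumes the line shape of tcpdump -n -e -tttt on pflog0 as quoted in the post; the sample lines are constructed from the excerpt, and the last two are invented to exercise the "SYN was logged" branch.

```shell
#!/bin/sh
# Added example: correlate pflog lines so every blocked SYN/ACK is matched
# against the logged client SYN that should have created its state.
# Needs only POSIX sh and awk.
#
# Assumed line shape (as in the post, tcpdump -n -e -tttt -i pflog0):
#   <date> <time> rule N/0(match): <pass|block> <in|out> on <if>: <src>.<sport> > <dst>.<dport>: S ... [ack N] ...
# Usage on a live box:  tcpdump -n -e -tttt -i pflog0 | classify_blocked_synacks

# Constructed sample modeled on the excerpt in the post. The last two lines
# are made up (client port 40000) to exercise the SYN-LOGGED branch.
SAMPLE_PFLOG='2008-09-03 19:03:35.919390 rule 41/0(match): pass out on int: 192.168.1.100.55754 > 192.168.1.1.53: 61937+[|domain]
2008-09-03 19:03:36.147102 rule 0/0(match): block out on int: 192.168.2.1.3389 > 192.168.1.100.38289: S 1952258627:1952258627(0) ack 479606554 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]>
2008-09-03 19:03:38.682145 rule 0/0(match): block out on int: 192.168.2.1.3389 > 192.168.1.100.38289: S 1952258627:1952258627(0) ack 479606554 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp[|tcp]>
2008-09-03 19:05:28.237872 rule 7/0(match): pass in on int: 192.168.1.100.38293 > 192.168.2.1.3389: S 2231405925:2231405925(0) win 5840 <mss 1336,sackOK,timestamp 236974897[|tcp]>
2008-09-03 19:07:00.000000 rule 7/0(match): pass in on int: 192.168.1.100.40000 > 192.168.2.1.3389: S 100:100(0) win 5840 <mss 1336,sackOK[|tcp]>
2008-09-03 19:07:00.050000 rule 0/0(match): block out on int: 192.168.2.1.3389 > 192.168.1.100.40000: S 200:200(0) ack 101 win 16384 <mss 1460[|tcp]>'

# Reads pflog lines on stdin. Prints one line per connection that had a
# blocked SYN/ACK, tagged NO-SYN-LOGGED (pf never logged a passed SYN for it)
# or SYN-LOGGED (a pass-in SYN was logged, yet the reply still had no state).
classify_blocked_synacks() {
    awk '
    {
        # Locate the "rule" token so an extra or missing timestamp column does not shift fields.
        r = 0
        for (i = 1; i <= NF; i++) if ($i == "rule") { r = i; break }
        if (r == 0) next
        action = $(r+2); dir = $(r+3); src = $(r+6); dst = $(r+8); flags = $(r+9)
        sub(/:$/, "", dst)
        conn = src " > " dst
        if (flags != "S") next                         # only SYN and SYN/ACK lines matter here
        if (action == "pass" && dir == "in" && $0 !~ / ack /) {
            syn_at[conn] = $(r-1)                      # client SYN that should have created state
        } else if (action == "block" && $0 ~ / ack /) {
            rev = dst " > " src                        # the connection as the client sees it
            blocked[rev]++
            if (!(rev in first_block)) first_block[rev] = $(r-1)
        }
    }
    END {
        for (c in blocked) {
            if (c in syn_at)
                printf "SYN-LOGGED %s syn=%s first_blocked_reply=%s blocked=%d\n", c, syn_at[c], first_block[c], blocked[c]
            else
                printf "NO-SYN-LOGGED %s first_blocked_reply=%s blocked=%d\n", c, first_block[c], blocked[c]
        }
    }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_PFLOG" | classify_blocked_synacks
```

Two caveats when reading the output. A plain `log` on a pass rule logs only the packet that creates the state, so a connection that never shows a blocked reply is simply one whose state existed; `log (all)` would be needed to see every packet. And because rule 7 is `pass in log`, a NO-SYN-LOGGED connection means pf never evaluated that rule for the client's SYN as an inbound packet on int, which points at the path the SYN took (tap0, bridge0 and the `set skip` interfaces) rather than at the rule itself; comparing a capture on tap0 or bridge0 with the pflog output, and checking `pfctl -ss` for the tuple, narrows that down.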