From owner-freebsd-questions@FreeBSD.ORG Thu Aug 4 16:58:30 2005
From: Sergey Lapin <slapinid@gmail.com>
To: freebsd-questions@freebsd.org
Date: Thu, 4 Aug 2005 20:58:29 +0400
Subject: pf problems
Message-ID: <48239d390508040958265ce62@mail.gmail.com>
List-Id: User questions

Hi, all:

Configuration: (all addresses fake, 1.1.1.x - from ISP1, 2.2.2 - from ISP2)

# grep ifconfig /etc/rc.conf
ifconfig_xl0="inet 1.1.1.254 netmask 255.255.255.128"
ifconfig_xl0_alias0="inet 2.2.2.2 netmask 255.255.255.128"
ifconfig_xl1="inet 192.168.255.1 netmask 255.255.255.255"
ifconfig_vlan0="inet 1.1.1.3 netmask 255.255.255.0 vlan 1001 vlandev xl1 mtu 1496"
ifconfig_vlan1="inet 2.2.2.174 netmask 255.255.255.252 vlan 1004 vlandev xl1 mtu 1496"

# grep defaultrouter /etc/rc.conf
defaultrouter="62.152.84.1"

# cat /etc/pf.conf
# $FreeBSD: src/etc/pf.conf,v 1.1.2.1 2004/09/17 18:27:14 mlaier Exp $
# $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

ext_if1 = "vlan0"
ext_if2 = "vlan1"
dmz_if = "xl0"
ext_gw1 = "1.1.1.1"
ext_gw2 = "2.2.2.173"
lan_net = "192.168.0.0/16"
dmz_net1 = "1.1.1.128/25"
dmz_net2 = "2.2.2.0/25"

table const { $dmz_net1, $dmz_net2, $lan_net }

set block-policy drop
set state-policy floating

# Normalize all incoming streams
scrub in on $ext_if1
scrub in on $ext_if2

################################################################################
# NAT
################################################################################

# nat outgoing connections on each internet interface
nat on $ext_if1 from { $lan_net $dmz_net2 } to any -> ($ext_if1)
nat on $ext_if2 from { $lan_net $dmz_net1 } to any -> ($ext_if2)

################################################################################
# Block everything by default
################################################################################

# default deny silently
block drop all

# block IDENT notifying sender to prevent sendmail and the like from
# wasting time waiting for timeout
block return in on { $ext_if1 $ext_if2 } proto { tcp, udp } to port = auth

block drop log on xl0 all

################################################################################
# Traffic to gateway itself
################################################################################

# pass in quick any packets destined for the gateway itself
pass in quick on $dmz_if proto tcp from any to $dmz_if flags S/SA keep state
pass in quick on $dmz_if inet proto { udp, icmp } from any to $dmz_if keep state

# pass multicast and IGMP traffic
pass quick on $dmz_if inet from any to 224.0.0.0/4 allow-opts keep state

pass quick on lo0

################################################################################
# Classify traffic from DMZ
################################################################################

# pass traffic from DMZ to Internet
pass in on $dmz_if proto udp from $dmz_net1 to any port = 53 keep state tag DMZ_TO_EXT1
pass in on $dmz_if proto udp from $dmz_net2 to any port = 53 keep state tag DMZ_TO_EXT2

# Allow all outgoing connections from DMZ
pass in on $dmz_if inet proto tcp from $dmz_net1 to any flags S/SA keep state tag DMZ_TO_EXT1
pass in on $dmz_if inet proto { udp, icmp } from $dmz_net1 to any keep state tag DMZ_TO_EXT1
pass in on $dmz_if inet proto tcp from $dmz_net2 to any flags S/SA keep state tag DMZ_TO_EXT2
pass in on $dmz_if inet proto { udp, icmp } from $dmz_net2 to any keep state tag DMZ_TO_EXT2

# Allow gateway to route between different networks on the DMZ
# DMZ nets -> DMZ nets
pass in on $dmz_if inet proto tcp from { $dmz_net1, $dmz_net2 } to { $dmz_net1, $dmz_net2 } flags S/SA keep state tag DMZ_TO_DMZ
pass in on $dmz_if inet from { $dmz_net1, $dmz_net2 } to { $dmz_net1, $dmz_net2 } keep state tag DMZ_TO_DMZ
# DMZ nets -> LAN net
pass in on $dmz_if inet proto tcp from { $dmz_net1, $dmz_net2 } to $lan_net flags S/SA keep state tag DMZ_TO_LAN
pass in on $dmz_if inet from { $dmz_net1, $dmz_net2 } to $lan_net keep state tag DMZ_TO_LAN
# LAN net -> DMZ nets
pass in on $dmz_if inet proto tcp from $lan_net to { $dmz_net1, $dmz_net2 } flags S/SA keep state tag LAN_TO_DMZ
pass in on $dmz_if inet from $lan_net to { $dmz_net1, $dmz_net2 } keep state tag LAN_TO_DMZ

################################################################################
# Allow classified traffic from DMZ
################################################################################

# Allow incoming packets from DMZ one more time and route them appropriately
# This must be done to IN packets because if we only do it for OUT packets, it happens too late -
# packet is routed appropriately, but NAT rule for wrong interface gets fired
pass in quick on $dmz_if route-to ($ext_if1 $ext_gw1) proto tcp tagged DMZ_TO_EXT1 flags S/SA modulate state
pass in quick on $dmz_if route-to ($ext_if1 $ext_gw1) proto { udp, icmp } tagged DMZ_TO_EXT1 keep state
pass in quick on $dmz_if route-to ($ext_if2 $ext_gw2) proto tcp tagged DMZ_TO_EXT2 flags S/SA modulate state
pass in quick on $dmz_if route-to ($ext_if2 $ext_gw2) proto { udp, icmp } tagged DMZ_TO_EXT2 keep state

# Allow OUT traffic
pass out quick on $ext_if1 route-to ($ext_if2 $ext_gw2) proto tcp tagged DMZ_TO_EXT2 flags S/SA modulate state
pass out quick on $ext_if1 route-to ($ext_if2 $ext_gw2) proto { udp, icmp } tagged DMZ_TO_EXT2 keep state
pass out quick on $ext_if2 route-to ($ext_if1 $ext_gw1) proto tcp tagged DMZ_TO_EXT1 flags S/SA modulate state
pass out quick on $ext_if2 route-to ($ext_if1 $ext_gw1) proto { udp, icmp } tagged DMZ_TO_EXT1 keep state

################################################################################
# Classify traffic from Internet to DMZ
################################################################################

# WHISKEY
pass in on vlan0 proto tcp from any to 1.1.1.144/32 port = 22 flags S/SA keep state tag EXT1_TO_DMZ
pass in on vlan1 proto tcp from any to 2.2.2.2/32 port = 22 flags S/SA keep state tag EXT2_TO_DMZ

################################################################################
# Allow classified traffic from Internet to DMZ
################################################################################

# Pass to DMZ traffic already approved by earlier rules
# and route replies to corresponding interface
# EXT1
pass out quick on $dmz_if reply-to ($ext_if1 $ext_gw1) proto tcp tagged EXT1_TO_DMZ flags S/SA keep state
pass out quick on $dmz_if reply-to ($ext_if1 $ext_gw1) tagged EXT1_TO_DMZ keep state
# EXT2
pass out quick on $dmz_if reply-to ($ext_if2 $ext_gw2) proto tcp tagged EXT2_TO_DMZ flags S/SA keep state
pass out quick on $dmz_if reply-to ($ext_if2 $ext_gw2) tagged EXT2_TO_DMZ keep state

################################################################################
# Other traffic
################################################################################

# general "pass out" rules for external interfaces
pass out on { $ext_if1, $ext_if2, $dmz_if } proto tcp from any to any flags S/SA modulate state
pass out on { $ext_if1, $ext_if2, $dmz_if } proto { udp, icmp } from any to any keep state

# Zebra uses IGMP so let it work on DMZ interface
pass out on $dmz_if proto igmp from any to any allow-opts

Test case (done from a Linux machine in 1.1.1.128/25):

tcpreplay -e 1.1.1.133:255.255.255.255 -i eth0 packet
(where packet is a random UDP packet captured using tcpdump -peni)

or

tcpreplay -e 1.1.1.133:10.2.2.2 -i eth0 packet
(where packet is a random captured UDP packet)

kills the machine. The machine hangs and doesn't react to the keyboard, whatever. Only a reset helps.

Directly blocking the addresses in pf.conf helps, and normal connections with UDP disabled work well.

Any ideas?

Thanks a lot!

Sergey Lapin
System Administrator
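The tag-then-route-to scheme in the pf.conf above depends on three pf behaviours: filter rules are last-match, `quick` stops evaluation, and a `tag` sticks to a packet as soon as any matching rule applies it. The following Python model is an added example, not code from the post or from pf itself, that walks a condensed subset of the inbound xl0 UDP/ICMP rules with those semantics so a packet's egress can be checked without loading the ruleset. The networks, interfaces and gateways are the post's own fake values; the sample packets in the test are constructed; states, NAT and the kernel routing table are deliberately ignored.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Networks, interfaces and gateways from the post's pf.conf (the author's own
# fake addresses: 1.1.1.x belongs to ISP1, 2.2.2.x to ISP2).
ANY = ipaddress.ip_network("0.0.0.0/0")
DMZ_NET1 = ipaddress.ip_network("1.1.1.128/25")
DMZ_NET2 = ipaddress.ip_network("2.2.2.0/25")
UDP_ICMP = frozenset({"udp", "icmp"})

@dataclass
class Rule:
    action: str                          # "pass" or "block"
    iface: Optional[str] = None          # "on <if>"; None matches any interface
    proto: Optional[frozenset] = None    # "proto { ... }"; None matches any
    src: ipaddress.IPv4Network = ANY     # "from"
    dst: ipaddress.IPv4Network = ANY     # "to"
    dport: Optional[int] = None          # "port = N"
    quick: bool = False
    tag: Optional[str] = None            # "tag X": sticky, set on any match
    tagged: Optional[str] = None         # "tagged X": match only tagged packets
    route_to: Optional[tuple] = None     # ("interface", "gateway")

# Inbound UDP/ICMP half of the post's xl0 rules, condensed, in file order.
RULES = [
    Rule("block"),                                            # block drop all
    Rule("pass", "xl0", frozenset({"udp"}), DMZ_NET1, dport=53, tag="DMZ_TO_EXT1"),
    Rule("pass", "xl0", UDP_ICMP, DMZ_NET1, tag="DMZ_TO_EXT1"),
    Rule("pass", "xl0", UDP_ICMP, DMZ_NET2, tag="DMZ_TO_EXT2"),
    Rule("pass", "xl0", UDP_ICMP, quick=True, tagged="DMZ_TO_EXT1",
         route_to=("vlan0", "1.1.1.1")),
    Rule("pass", "xl0", UDP_ICMP, quick=True, tagged="DMZ_TO_EXT2",
         route_to=("vlan1", "2.2.2.173")),
]

def evaluate(iface, proto, src, dst, dport=None, rules=RULES):
    """Return (action, route_to, tag) for one inbound packet using pf's filter
    semantics: the last matching rule wins unless a matching rule is 'quick',
    and a 'tag' sticks to the packet as soon as its rule matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    tag, winner = None, None
    for r in rules:
        if r.iface and r.iface != iface: continue
        if r.proto and proto not in r.proto: continue
        if src not in r.src or dst not in r.dst: continue
        if r.dport is not None and r.dport != dport: continue
        if r.tagged and r.tagged != tag: continue
        winner = r
        if r.tag: tag = r.tag                 # tags are sticky in pf
        if r.quick: break                     # quick ends evaluation
    if winner is None:
        return "pass", None, tag              # pf's implicit default
    return winner.action, winner.route_to, tag
```

Running the post's broadcast test packet (UDP from 1.1.1.133 to 255.255.255.255) through the model shows it falls under the `from $dmz_net1 to any` rule and is handed to `route-to` out vlan0 exactly like ordinary outbound DMZ traffic, which is the first thing to check in the ruleset when narrowing the hang down.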