Date: Wed, 26 Sep 2007 18:06:50 -0300
From: "David Verzolla" <dverzolla@fcl.com.br>
To: <freebsd-pf@freebsd.org>
Subject: Trouble with PF
Message-ID: <94CADB570ACCB0418E8236C8F24BD95C01469FA6@VIRTUALEXCHANGE.corp.com>
Hi,

I'm working with two firewall boxes:

- Dell PowerEdge 2950
  - First network device: BCE0
  - Second network device: BCE1

- HP ML350 G3
  - First network device: BGE0
  - Second network device: XL0

My FreeBSD box is 6.2-STABLE.

I'm working with PF firewall + pfsync + VLANs (3 VLANs) + CARP. All interfaces are cloned with CARP.

The problem is: my network is slow. When I try to connect to a web server, or try pings from my firewall to some machine located in the DMZ (tests from DMZ -> firewall box have the same result), I get this trouble:

The command: while true ; do ping -c 1 DMZ_IP ; done

Ping works in most of the tests, but some tests give me this error:

(For security reasons I suppressed my original IP, sorry for the inconvenience)

--- 201.x.x.x ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.194/0.194/0.194/0.000 ms
PING 201.x.x.x (201.x.x.x): 56 data bytes
64 bytes from 201.x.x.x: icmp_seq=0 ttl=64 time=0.197 ms

--- 201.x.x.x ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.197/0.197/0.197/0.000 ms
PING 201.x.x.x (201.x.x.x): 56 data bytes
64 bytes from 201.x.x.x: icmp_seq=0 ttl=64 time=0.192 ms

--- 201.x.x.x ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.211/0.211/0.211/0.000 ms
PING 201.x.x.x (201.x.x.x): 56 data bytes
---> ping: sendto: Operation not permitted

The ping returns "Operation not permitted".

Other command:

[root@f1000 /etc/pf]# ping 201.x.x.x
PING 201.x.x.x (201.x.x.x): 56 data bytes
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
64 bytes from 201.x.x.x: icmp_seq=4 ttl=64 time=2.636 ms
64 bytes from 201.x.x.x: icmp_seq=5 ttl=64 time=0.210 ms
64 bytes from 201.x.x.x: icmp_seq=6 ttl=64 time=0.136 ms

The ping returns "Operation not permitted" too.

I have other applications working with Ajax that are broken; the time to load all the resources is bigger. With this trouble (Ajax) it's possible to verify that the problem occurs with the TCP protocol as well.

When I disable PF, all works great.

Below my rules:

-- begin
# $FreeBSD: src/etc/pf.conf,v 1.2.2.1 2006/04/04 20:31:20 mlaier Exp $
# $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

# Macros: define common values, so they can be referenced and changed easily.

### NET DEVICES
ext_if = "bce0"
dmz_if = "vlan20"
corp_if = "vlan30"
ras_if = "vlan40"
sync_if = $ras_if

### ICMP OPTIONS
icmp_types="{ echoreq, unreach }"

table <impsat> { 200.x.x.0/26 }
table <totalrange> { 201.x.x.0/20 }
table <dmz> { 201.x.x.0/24 }

# Options: tune the behavior of pf, default values are given.
set optimization normal
#set timeout { tcp.closing 900, tcp.finwait 15, tcp.closed 90 }
set block-policy return
set state-policy floating
set skip on lo
set loginterface $ext_if
set fingerprints "/etc/pf/_pf.os"

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

#### start block in

# PFSYNC
pass on $sync_if proto pfsync

# Permit all out
pass out keep state

# PERMIT MULTI-CAST (CARP)
pass quick on { $dmz_if $corp_if $ras_if $ext_if } inet from any to 224.0.0.0/4 allow-opts keep state

# PERMIT DNS OUT
pass in quick on { $dmz_if $corp_if $ras_if } inet proto { udp tcp } from any to any port 53 keep state

# PERMIT DMZ OUT
pass in quick on { $dmz_if } inet proto tcp from <dmz> to any \
	port 80 flags S/SA keep state

# PERMIT SSH
pass in quick on { $ext_if } inet proto tcp from <impsat> to any \
	port { 22 } flags S/SA keep state

# TEMP PERMIT, OLD NET -> NEW NET
pass quick inet proto tcp from <totalrange> to <impsat> \
	flags S/SA keep state

# ME
pass in quick on $ext_if inet proto tcp from <impsat> to $ext_if:network \
	port 22 flags S/SA keep state

pass in quick on $ext_if inet proto udp from <impsat> to $ext_if:network \
	port snmp keep state

pass in quick on $ext_if inet proto tcp from <totalrange> to $ext_if:network \
	port 22 flags S/SA keep state

pass in quick on $ext_if inet proto udp from <totalrange> to $ext_if:network \
	port snmp keep state

### GENERAL RULES
## NTP
pass in quick on { $dmz_if } inet proto udp from 200.x.x.1 port { 123 } to any \
	port { 123 } keep state

### <NS1>
pass in quick on { $ext_if $corp_if } inet proto tcp from any port { 53 } to 200.x.x.2 \
	port { 53 } flags S/SA keep state

pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.2 \
	port { 53 } flags S/SA keep state

pass in quick on { $ext_if $corp_if } inet proto tcp from <impsat> to 200.x.x.2 \
	port { 22 } flags S/SA keep state

pass in quick on { $ext_if $corp_if } inet proto udp from any to 200.x.x.2 \
	port { 53 } keep state

### </NS1>

### <HERZOG_NEW>
pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.3 \
	port { 20 21 80 443 } flags S/SA keep state

# RSYNC
pass in quick on { $ext_if } inet proto tcp from <impsat> to 200.x.x.3 \
	port { 873 } flags S/SA keep state

# FTP
pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.3 \
	port 30000 >< 65000 flags S/SA keep state # PASSIVE MODE
# FTP
pass in quick on { $dmz_if } inet proto tcp from 200.x.x.3 port 20 to any \
	flags S/SA keep state tag FTP-BACK # ACTIVE MODE
### </HERZOG_NEW>

### <Webtrends test>
# WEB
pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.4 \
	port { 80 } flags S/SA keep state

### </Webtrends test>

# <WINDOWS MEDIA>
pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.5 \
	port { 554 1755 } flags S/SA keep state

# VNC
pass in quick on { $ext_if } inet proto tcp from <impsat> to 200.x.x.5 \
	port { 5900 } flags S/SA keep state

pass in quick on { $ext_if $corp_if } inet proto udp from any to 200.x.x.5 \
	port { 554 1755 } keep state
# </WINDOWS MEDIA>

# TEST NOTEBOOK - HOLIDAY
pass in quick on { $ext_if $dmz_if } inet proto tcp from any to 200.x.x.6 \
	port { 22 80 } flags S/SA keep state
# </TEST WITH NOTEBOOK - HOLIDAY>

# TEST WITH CISNET
pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.7 \
	port { 21 22 } flags S/SA keep state

pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.7 \
	port 30000 >< 65000 flags S/SA keep state # PASSIVE MODE

pass in quick on { $dmz_if } inet proto tcp from 200.x.x.7 port 20 to any \
	flags S/SA keep state tag FTP-BACK # ACTIVE MODE
# </TEST WITH CISNET>

# PING
pass log inet proto icmp all icmp-type $icmp_types keep state

# TRACEROUTE
pass inet proto udp from any to any \
	port 33433 >< 33626 keep state

-- end

Thanks in advance.

David Verzolla
Network Administrator
Fundação Cásper Líbero - FCLNet
Tel: +55 11 3170.5937
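"sendto: Operation not permitted" is what a local socket sees when pf blocks a packet the host itself generated, so the first question for a trace like the one above is which rule (and on which interface and direction) made the block decision. The script below is an added example, not code from the original post or from the pf project: it assumes the ruleset logs its blocks (a `block log` rule), that pflog0 was read with `tcpdump -n -e -ttt -i pflog0`, and that rule numbers are mapped back with `pfctl -vvsr`; the sample pflog lines are constructed with TEST-NET addresses.

```python
"""Summarise pf block decisions from pflog(4) text (added example, not the poster's code).

Assumes the ruleset has a `block log` rule and that the input is what
`tcpdump -n -e -ttt -i pflog0` prints; rule numbers match `pfctl -vvsr`.
"""
import re
from collections import Counter

# One pflog record as tcpdump prints it: "rule N/M(reason): action dir on if: src > dst: ..."
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\((?P<reason>[^)]+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\S+) > (?P<dst>[^:]+): (?P<detail>.*)$"
)

# Constructed sample mirroring the ping test; 192.0.2.0/24 is TEST-NET, not a real site.
SAMPLE_PFLOG = """\
000000 rule 2/0(match): pass out on vlan20: 192.0.2.1 > 192.0.2.10: ICMP echo request, id 1, seq 0, length 64
000321 rule 0/0(match): block out on vlan20: 192.0.2.1 > 192.0.2.10: ICMP echo request, id 2, seq 0, length 64
001002 rule 0/0(match): block out on vlan20: 192.0.2.1 > 192.0.2.10: ICMP echo request, id 3, seq 0, length 64
000210 rule 2/0(match): pass out on vlan20: 192.0.2.1 > 192.0.2.10: ICMP echo request, id 4, seq 0, length 64
000098 rule 0/0(match): block out on bce0: 192.0.2.1.49152 > 192.0.2.20.80: S 1:1(0) win 65535
this line is not a pflog record and is skipped
"""


def parse_pflog(text):
    """Return one dict per parsable record; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if m:
            ev = m.groupdict()
            # tcpdump names ICMP and UDP in the detail text; TCP records show flags instead.
            ev["proto"] = "ICMP" if ev["detail"].startswith("ICMP") else (
                "UDP" if ev["detail"].startswith("UDP") else "TCP")
            events.append(ev)
    return events


def summarise_blocks(events):
    """Count blocked packets by (interface, direction, rule number, proto).

    A block in direction 'out' on a locally generated packet is what the
    sending socket reports as EPERM ("sendto: Operation not permitted")."""
    return Counter((e["ifname"], e["dir"], e["rule"], e["proto"])
                   for e in events if e["action"] == "block")


if __name__ == "__main__":
    for key, n in summarise_blocks(parse_pflog(SAMPLE_PFLOG)).most_common():
        print(n, *key)
```

Replace SAMPLE_PFLOG with the saved tcpdump output (or pipe it through `parse_pflog`) and compare the reported rule numbers against `pfctl -vvsr` to see whether the blocks come from an explicit rule or the default policy.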