Date:      Wed, 26 Sep 2007 18:06:50 -0300
From:      "David Verzolla" <dverzolla@fcl.com.br>
To:        <freebsd-pf@freebsd.org>
Subject:   Trouble with PF
Message-ID:  <94CADB570ACCB0418E8236C8F24BD95C01469FA6@VIRTUALEXCHANGE.corp.com>

Hi,

I'm working with two firewall boxes:

      - Dell PowerEdge 2950
            - First  network device BCE0
            - Second network device BCE1

      - HP ML350 G3
            - First  network device BGE0
            - Second network device XL0

My FreeBSD box is 6.2-STABLE.

I'm working with PF Firewall + PFSYNC + VLANS (3 vlans) + CARP.

All interfaces are cloned with CARP.

The problem is:

My network is slow. When I try to connect to a web server, or try pings
from my firewall to some machine located in the DMZ (tests from DMZ ->
firewall box have the same result), I get this trouble:

The command: while true ; do ping -c 1 DMZ_IP ; done
Ping works in most of the tests, but some tests give me this error:

(For security reasons I suppress my original IP, sorry for the
inconvenience)

--- 201.x.x.x ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.194/0.194/0.194/0.000 ms
PING 201.x.x.x (201.x.x.x): 56 data bytes
64 bytes from 201.x.x.x: icmp_seq=0 ttl=64 time=0.197 ms

--- 201.x.x.x ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.197/0.197/0.197/0.000 ms
PING 201.x.x.x (201.x.x.x): 56 data bytes
64 bytes from 201.x.x.x: icmp_seq=0 ttl=64 time=0.192 ms

--- 201.x.x.x ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.211/0.211/0.211/0.000 ms
PING 201.x.x.x (201.x.x.x): 56 data bytes
---> ping: sendto: Operation not permitted

The ping returns "Operation not permitted".

Other command:

[root@f1000 /etc/pf]# ping 201.x.x.x
PING 201.x.x.x (201.x.x.x): 56 data bytes
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
64 bytes from 201.x.x.x: icmp_seq=4 ttl=64 time=2.636 ms
64 bytes from 201.x.x.x: icmp_seq=5 ttl=64 time=0.210 ms
64 bytes from 201.x.x.x: icmp_seq=6 ttl=64 time=0.136 ms

The ping returns "Operation not permitted" too.

I have other applications working with Ajax that are broken; the time to
load all the resources is bigger. With this trouble (Ajax) it's possible
to verify that the problem occurs with the TCP protocol as well.

When I disable PF, all works great.

Below are my rules:

-- begin

#     $FreeBSD: src/etc/pf.conf,v 1.2.2.1 2006/04/04 20:31:20 mlaier Exp $
#     $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

# Macros: define common values, so they can be referenced and changed easily.

### NET DEVICES
ext_if            =     "bce0"
dmz_if            =     "vlan20"
corp_if           =     "vlan30"
ras_if            =     "vlan40"
sync_if           =     $ras_if

### ICMP OPTIONS
icmp_types="{ echoreq, unreach }"

table <impsat>     { 200.x.x.0/26   }
table <totalrange> { 201.x.x.0/20   }
table <dmz>        { 201.x.x.0/24   }

# Options: tune the behavior of pf, default values are given.
set optimization normal
#set timeout { tcp.closing 900, tcp.finwait 15, tcp.closed 90 }
set block-policy return
set state-policy floating
set skip on lo
set loginterface $ext_if
set fingerprints "/etc/pf/_pf.os"

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

#### start
block in

# PFSYNC
pass on $sync_if proto pfsync

# Permit all out
pass out keep state

# PERMIT MULTI-CAST (CARP)
pass quick on { $dmz_if $corp_if $ras_if $ext_if } inet from any to 224.0.0.0/4 allow-opts keep state

# PERMIT DNS OUT
pass in quick on { $dmz_if $corp_if $ras_if } inet proto { udp tcp } from any to any port 53 keep state

# PERMIT DMZ OUT
pass in quick on { $dmz_if } inet proto tcp from <dmz> to any \
      port 80 flags S/SA keep state

# PERMIT SSH
pass in quick on { $ext_if } inet proto tcp from <impsat> to any \
      port { 22 } flags S/SA keep state

# TEMP PERMIT, OLD NET -> NEW NET
pass quick inet proto tcp from <totalrange> to <impsat> \
      flags S/SA keep state

# ME
pass in quick on $ext_if inet proto tcp from <impsat> to $ext_if:network \
   port 22 flags S/SA keep state

pass in quick on $ext_if inet proto udp from <impsat> to $ext_if:network \
   port snmp keep state

pass in quick on $ext_if inet proto tcp from <totalrange> to $ext_if:network \
   port 22 flags S/SA keep state

pass in quick on $ext_if inet proto udp from <totalrange> to $ext_if:network \
   port snmp keep state

### GENERAL RULES
## NTP
pass in quick on { $dmz_if } inet proto udp from 200.x.x.1 port { 123 } to any \
      port { 123 } keep state

### <NS1>
pass in quick on { $ext_if $corp_if } inet proto tcp from any port { 53 } to 200.x.x.2 \
      port { 53 } flags S/SA keep state

pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.2 \
      port { 53 } flags S/SA keep state

pass in quick on { $ext_if $corp_if } inet proto tcp from <impsat> to 200.x.x.2 \
      port { 22 } flags S/SA keep state

pass in quick on { $ext_if $corp_if } inet proto udp from any to 200.x.x.2 \
      port { 53 } keep state
### </NS1>

### <HERZOG_NEW>
pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.3 \
      port { 20 21 80 443 } flags S/SA keep state

# RSYNC
pass in quick on { $ext_if } inet proto tcp from <impsat> to 200.x.x.3 \
      port { 873 } flags S/SA keep state

# FTP
pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.3 \
      port 30000 >< 65000 flags S/SA keep state # PASSIVE MODE
# FTP
pass in quick on { $dmz_if } inet proto tcp from 200.x.x.3 port 20 to any \
      flags S/SA keep state tag FTP-BACK # ACTIVE MODE
### </HERZOG_NEW>

### <Webtrends test>
# WEB
pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.4 \
      port { 80 } flags S/SA keep state
### </Webtrends test>

# <WINDOWS MEDIA>
pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.5 \
      port { 554 1755 } flags S/SA keep state

# VNC
pass in quick on { $ext_if } inet proto tcp from <impsat> to 200.x.x.5 \
      port { 5900 } flags S/SA keep state

pass in quick on { $ext_if $corp_if } inet proto udp from any to 200.x.x.5 \
      port { 554 1755 } keep state
# </WINDOWS MEDIA>

# TEST NOTEBOOK - HOLIDAY
pass in quick on { $ext_if $dmz_if } inet proto tcp from any to 200.x.x.6 \
      port { 22 80 } flags S/SA keep state
# </TEST WITH NOTEBOOK - HOLIDAY>

# TEST WITH CISNET
pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.7 \
      port { 21 22 } flags S/SA keep state

pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.7 \
      port 30000 >< 65000 flags S/SA keep state # PASSIVE MODE

pass in quick on { $dmz_if } inet proto tcp from 200.x.x.7 port 20 to any \
      flags S/SA keep state tag FTP-BACK # ACTIVE MODE
# </TEST WITH CISNET>

# PING
pass log inet proto icmp all icmp-type $icmp_types keep state

# TRACEROUTE
pass inet proto udp from any to any \
      port 33433 >< 33626 keep state

-- end


Thanks in advance.

David Verzolla

Network Administrator

Fundação Cásper Líbero - FCLNet

Tel: +55 11 3170.5937
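A minimal model of how pf walks a ruleset like the one above, added here as an example; it is not part of David's post and not pf's own code. It shows the two semantics the config's own comment relies on: a filter rule without `quick` only sets the current decision and can be overridden by a later match (so the plain `block in` is undone by the later `pass ... proto icmp` rule), while a `quick` match ends evaluation at once. It covers only direction, interface, protocol and destination port over a subset of the posted rules with the macros expanded, and ignores states, tables, addresses and `icmp-type`; the packets in the usage assertions are constructed. For a packet the firewall itself sends, pf evaluates the `out` pass and a block is returned to the sending process as EPERM, which is the `sendto: Operation not permitted` shown in the ping output.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:                          # a None field means "any"
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # "in", "out", or None for both
    quick: bool = False
    ifaces: Optional[set] = None
    proto: Optional[set] = None
    dport: Optional[set] = None      # destination ports
    label: str = ""

@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    dport: int = 0

def matches(r: Rule, p: Packet) -> bool:
    return ((r.direction is None or r.direction == p.direction)
            and (r.ifaces is None or p.iface in r.ifaces)
            and (r.proto is None or p.proto in r.proto)
            and (r.dport is None or p.dport in r.dport))

def evaluate(rules, p: Packet) -> tuple:
    """(action, label) pf applies to p: the last matching rule wins unless a
    matching rule is 'quick', which ends evaluation on the spot."""
    decision = ("pass", "default")   # pf passes a packet no rule matches
    for r in rules:
        if matches(r, p):
            decision = (r.action, r.label)
            if r.quick:
                break
    return decision

# Subset of the posted ruleset with the macros expanded (addresses omitted).
RULES = [
    Rule("block", "in", label="block in"),
    Rule("pass", ifaces={"vlan40"}, proto={"pfsync"}, label="pfsync"),
    Rule("pass", "out", label="pass out"),
    Rule("pass", "in", True, {"vlan20", "vlan30", "vlan40"}, {"udp", "tcp"},
         {53}, label="dns"),
    Rule("pass", proto={"icmp"}, label="ping"),  # icmp-type not modelled
]
```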
