Date:      Wed, 15 Jul 2009 00:36:54 +0100
From:      Peter Maxwell <peter@allicient.co.uk>
To:        Aleksic Predrag <apetar@gmail.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: pf between two lans
Message-ID:  <7731938b0907141636p51a6cb6bp9e6553e494d465d9@mail.gmail.com>
In-Reply-To: <20090714132430.75bb46c8@overlord>
References:  <3228ef7c0907111044i55b965d3me10ad146314517bf@mail.gmail.com> <20090712155707.4925813c@overlord> <17838240D9A5544AAA5FF95F8D520316065A8437@ad-exh01.adhost.lan> <7731938b0907131722v460e5429ve4906ff822b2719@mail.gmail.com> <20090714132430.75bb46c8@overlord>

Comments inline...


2009/7/14 Aleksic Predrag <apetar@gmail.com>:
> On Tue, 14 Jul 2009 01:22:06 +0100
> Peter Maxwell <peter@allicient.co.uk> wrote:
>
> > Can you post the output of: pfctl -s r
>
> # pfctl -sr
> scrub in all random-id fragment reassemble
> block drop log (all) all
> block drop in on sk0 inet proto icmp all icmp-type echoreq
> block drop out log (all) quick on sk0 from any to <perm-ban>
> block drop in log (all) quick on sk0 from <ssh-bruteforce> to any
> pass in on sk0 inet proto tcp from any to 192.168.2.248 port = 57277 flags S/SA keep state
> pass in on sk0 inet proto udp from any to 192.168.2.248 port = 57277 keep state
> pass out on sk0 inet proto udp from 192.168.2.248 port = 57277 to any keep state
> pass out on sk0 inet proto tcp from 192.168.2.248 port = 57277 to any flags S/SA keep state
> pass in on sk0 inet proto udp from any to any port = http keep state
> pass in on sk0 inet proto tcp from any to any port = http flags S/SA keep state
> pass in on sk0 proto udp from any to any port = 2706 keep state
> pass in on sk0 proto tcp from any to any port = 2706 flags S/SA keep state
> pass quick proto tcp from any to any port = ssh flags S/SA keep state (source-track rule, max-src-conn 10, max-src-conn-rate 1/3, overload <ssh-bruteforce> flush global, src.track 3)
> pass quick proto udp from any to any port = ssh keep state (source-track rule, max-src-conn 10, max-src-conn-rate 1/3, overload <ssh-bruteforce> flush global, src.track 3)
> pass out on sk0 proto tcp all flags S/SA modulate state
> pass out on sk0 proto udp all keep state
> pass out on sk0 proto icmp all keep state
> pass out on sk0 proto esp all keep state
>

I'd comment out the two (single rule in the pf.conf) "pass quick"
rules with the max-src-conn/max-src-conn-rate and see if it helps.
Starting with a simple ruleset which works, then incrementally adding
in additional rules is usually a good strategy.  I know that others may
disagree, but I would also suggest that you avoid using the "quick"
keyword unless you *really* need it - most rulesets can be written
entirely without it and are easier to debug.



> pass in on vr0 inet from 192.168.2.0/24 to any flags S/SA keep state
> pass out on vr0 inet from any to 192.168.2.0/24 flags S/SA keep state
> pass in on vr1 inet from 192.168.0.0/24 to any flags S/SA keep state
> pass out on vr1 inet from any to 192.168.0.0/24 flags S/SA keep state
>
> Should i replace netmask to /16 in last four rules?
>

No, you have it right as it is.


>> What happens if you try things without pf loaded
>> and with pf loaded but a pass all ruleset?
>
> With pf loaded i can open almost anything but not ssh connection.
> I can ping, browse shares and printers between lans.
>
> Without pf loaded i can do all that and ssh.
>
> Yesterday i changed default ssh port on remote box and it let me in
> with the same pf rules loaded.
>
> Now, I'm also suspicious about remote box, it is CentOS box with untouched
> config files, maybe SELinux is preventing ssh login.

While ssh can be configured with a tcpwrapper style hosts.allow, I
doubt that this is the problem as you'd still not be able to ssh
without pf loaded as well if it was the ssh daemon.  You can test and
make sure by connecting to the remote ssh port with telnet: if you get
a normal ssh header returned there isn't any ip filter configured in
sshd; if there is, you'll get some form of error message back.

It sounds like a problem with the pass quick
max-src-conn/max-src-conn-rate rule.

>
>> Have you got gateway_enable set in your rc.conf (I think it shows as
>> net.inet.ip.forwarding being set to 1 in your sysctl)?
>
> sysctl -a | grep net.inet.ip.forwarding
> net.inet.ip.forwarding: 1
>
>> Can you post the results of the same tcpdump with a larger window size
>> ( -s 1024 ) and/or a tcpdump on the network interface itself?
>
> see attachment
>>
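As an added example (not part of the thread, and not a pf tool), a small Python script that parses the quoted `pfctl -sr` listing and reports the two things the reply singles out: `pass` rules using `quick` without an `on <iface>` clause, and rules whose `overload` option feeds a table that a `block` rule then drops, together with the `max-src-conn-rate` limit they enforce. The sample listing is a constructed copy of the rules quoted above; the helper names (`parse_rule`, `audit`, `without_overload_rules`) are this script's own, and the last one produces the simplified ruleset the reply suggests testing first.

```python
"""Audit a pfctl -sr listing for 'quick' pass rules and overload options.
Added example, not from the thread; rule syntax is pf's, helper names are ours."""
import re

# Constructed sample: the relevant lines of the pfctl -sr output quoted in the
# thread, with the mail's soft line breaks rejoined.
SAMPLE_RULESET = """\
scrub in all random-id fragment reassemble
block drop log (all) all
block drop in on sk0 inet proto icmp all icmp-type echoreq
block drop out log (all) quick on sk0 from any to <perm-ban>
block drop in log (all) quick on sk0 from <ssh-bruteforce> to any
pass in on sk0 inet proto tcp from any to 192.168.2.248 port = 57277 flags S/SA keep state
pass in on sk0 inet proto tcp from any to any port = http flags S/SA keep state
pass quick proto tcp from any to any port = ssh flags S/SA keep state (source-track rule, max-src-conn 10, max-src-conn-rate 1/3, overload <ssh-bruteforce> flush global, src.track 3)
pass quick proto udp from any to any port = ssh keep state (source-track rule, max-src-conn 10, max-src-conn-rate 1/3, overload <ssh-bruteforce> flush global, src.track 3)
pass out on sk0 proto tcp all flags S/SA modulate state
pass in on vr0 inet from 192.168.2.0/24 to any flags S/SA keep state
pass out on vr0 inet from any to 192.168.2.0/24 flags S/SA keep state
"""

# Trailing "state ( ... )" block holding source-tracking options.
STATE_OPTS_RE = re.compile(r"\bstate\s+\(([^()]*)\)\s*$")


def parse_rule(line):
    """Pull the fields this audit needs out of one pfctl -sr line."""
    text = line.strip()
    state_opts = {}
    m = STATE_OPTS_RE.search(text)
    if m:
        # e.g. "source-track rule, max-src-conn 10, overload <t> flush global"
        for item in m.group(1).split(","):
            key, _, value = item.strip().partition(" ")
            state_opts[key] = value
        text = text[: m.start(1) - 1].rstrip()  # drop the "(...)", keep "keep state"
    tokens = text.split()

    def after(keyword):
        return tokens[tokens.index(keyword) + 1] if keyword in tokens else None

    return {
        "text": line.strip(),
        "action": tokens[0],
        "direction": next((t for t in tokens[1:3] if t in ("in", "out")), None),
        "quick": "quick" in tokens,
        "interface": after("on"),
        "proto": after("proto"),
        # tables named as source/destination (the overload table lives in state_opts)
        "tables": re.findall(r"<([^<>]+)>", text),
        "state_opts": state_opts,
    }


def parse_ruleset(listing):
    return [parse_rule(l) for l in listing.splitlines() if l.strip()]


def src_conn_rate(rule):
    """max-src-conn-rate as (connections, seconds), or None when unset."""
    value = rule["state_opts"].get("max-src-conn-rate")
    if not value:
        return None
    n, secs = value.split("/")
    return int(n), int(secs)


def overload_table(rule):
    """Name of the table an overload option feeds, or None."""
    m = re.match(r"<([^<>]+)>", rule["state_opts"].get("overload", ""))
    return m.group(1) if m else None


def audit(rules):
    """Return (rule_number, message) findings for the suspects named in the reply."""
    findings = []
    for i, r in enumerate(rules, 1):
        if r["action"] == "pass" and r["quick"] and r["interface"] is None:
            findings.append((i, "quick pass rule with no 'on <iface>': it matches on "
                                "every interface and stops evaluation at the first match"))
        table = overload_table(r)
        if table:
            rate = src_conn_rate(r)
            limit = (f"{rate[0]} new connection(s) per {rate[1]}s" if rate
                     else "the configured limits")
            blockers = [j for j, b in enumerate(rules, 1)
                        if b["action"] == "block" and table in b["tables"]]
            findings.append((i, f"adds sources exceeding {limit} to <{table}>, "
                                f"which is blocked by rule(s) {blockers}"))
    return findings


def without_overload_rules(listing):
    """The 'start simple' step: the same listing minus pass rules carrying overload."""
    return "\n".join(r["text"] for r in parse_ruleset(listing)
                     if not (r["action"] == "pass" and overload_table(r)))


if __name__ == "__main__":
    for number, msg in audit(parse_ruleset(SAMPLE_RULESET)):
        print(f"rule {number}: {msg}")
```

Run against the sample it reports rules 8 and 9 twice each: once for the interface-less `quick`, once for the 1-connection-per-3-seconds overload into `<ssh-bruteforce>`, which rule 5 then drops on sk0. Feeding it real `pfctl -sr` output (for example via `pfctl -sr | python3 audit.py` with a `sys.stdin.read()` in place of the sample) is the obvious next step.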



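The telnet-style banner check described above (connect to the remote ssh port and see whether a normal ssh header comes back), as an added example in Python rather than telnet; it is not from the thread. The one-shot local server is a constructed stand-in for the remote port so the script runs offline; against a real host you would call `read_banner(host, 22)` directly and look at the result of `classify`.

```python
"""Does a TCP port answer with an SSH identification string?  Added example,
not from the thread; the local fake server only exists so this runs offline."""
import socket
import threading


def read_banner(host, port, timeout=3.0):
    """Connect and return the first line the peer sends ('' if it sends nothing)."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            while b"\n" not in data and len(data) < 255:
                chunk = s.recv(255)
                if not chunk:        # peer closed without (more) data
                    break
                data += chunk
        except socket.timeout:
            pass
    return data.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")


def classify(banner):
    """'ssh' for a normal SSH-x.y-... header, 'silent' for no reply, else 'other'."""
    if banner.startswith("SSH-"):
        return "ssh"
    return "silent" if banner == "" else "other"


def serve_once(reply):
    """Constructed stand-in for the remote port: send `reply` to one client, then close."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))       # ephemeral port so nothing on the box is disturbed
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            if reply:
                conn.sendall(reply)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def probe(reply):
    """Spin up the fake port with the given reply and classify what a client sees."""
    port = serve_once(reply)
    return classify(read_banner("127.0.0.1", port))


if __name__ == "__main__":
    # Constructed replies: a normal sshd header, a silent close, and some other text.
    for reply in (b"SSH-2.0-OpenSSH_test\r\n", b"", b"refused by policy\r\n"):
        print(repr(reply), "->", probe(reply))
```

An `SSH-` line means sshd itself answered and any ssh failure is happening after the TCP connection, which is the case the reply argues for; no reply at all (or a connection that never completes) points back at filtering, whether on the pf box or on the remote host.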