From owner-freebsd-pf@FreeBSD.ORG Thu Jun 3 15:16:13 2010
From: Gianni
To: freebsd-pf@freebsd.org
Date: Thu, 3 Jun 2010 16:49:30 +0200
Subject: udp redirect problem
List-Id: "Technical discussion and general questions about packet filter (pf)"

I'm redirecting incoming requests to tcp/udp port 5080 to an internal host with the following rule:

rdr on $ext_if2 proto { tcp, udp } from any to $ext_if2 port 5080 -> $pbx_host

The problem is that the udp packets never seem to reach the destined host. I've checked with tcpdump, and incoming TCP packets are accepted by the filter and passed out of the internal interface (vr0) to go to the intended destination.

7. 725492 rule 51/0(match): pass in on tun1: x.x.x.x.58770 > 192.168.200.42.5080: tcp 32 [bad hdr length 8 - too short, < 20]
000144 rule 19/0(match): pass out on vr0: x.x.x.x.58770 > 192.168.200.42.5080: tcp 32 [bad hdr length 8 - too short, < 20]

For UDP the packets seem to be accepted by the filter but not passed on to the destination; there's no log entry to show them leaving the internal interface or messages to say they are getting dropped.

000000 rule 65/0(match): pass in on tun1: x.x.x.x.5060 > 192.168.200.42.5080: SIP, length: 1207
529850 rule 65/0(match): pass in on tun1: x.x.x.x.5060 > 192.168.200.42.5080: SIP, length: 1207
2. 028043 rule 65/0(match): pass in on tun1: x.x.x.x.5060 > 192.168.200.42.5080: SIP, length: 1207
4. 048524 rule 65/0(match): pass in on tun1: x.x.x.x.5060 > 192.168.200.42.5080: SIP, length: 1207

I'm a bit puzzled as I can't see any difference between the tcp and udp rules (complete ruleset below). Any suggestions would be greatly appreciated.

# PF ruleset

loopback_if = "lo0"
int_if = "vr0"
localnet = "192.168.200.0/24"
pbx_host = "192.168.200.42"
mx_host = "192.168.200.41"
ext_if1 = "tun0"
ext_if2 = "tun1"
ext_ifs = "{ tun0, tun1 }"
vpn_if = "tun2"
vpn_nets = "{ 192.168.0.0/24 }"

icmp_in_types = "{ unreach,echoreq }"

# (the angle-bracketed <table> names did not survive in the list archive copy;
#  they are missing here, in the block rules and in the overload options below)
table persist
table persist { 127.0.0.0/8, 172.16.0.0/12 \
    10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
    0.0.0.0/8, 240.0.0.0/4 }

set block-policy return
set skip on { $loopback_if, vr1, vr2 }

#scrub in all
scrub log all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble

tcp_services = "{ 2525, ssh, smtp, smtps, domain, https, imaps, sip, 1194, 5080 }"
udp_services = "{ domain, sip, 4569, 1194, 5080 }"
tcp_client = "{ ssh, domain, pop3, pop3s, imap, imaps, smtp, smtps, auth, ntp,\
    http, https, 8080, sip, 5080, cvsup, postgresql, 3306, 8180, 1863, 444, 1194 }"
udp_client = "{ domain, sip, 5080, ntp, 4569, 1194, 5222 }"

# NAT
no nat on $ext_if1 from $localnet to $vpn_nets
nat on $ext_if1 from $localnet to any -> ($ext_if1)
no nat on $ext_if2 from $localnet to $vpn_nets
nat on $ext_if2 from $localnet to any -> ($ext_if2)

rdr on $ext_if1 proto tcp from any to $ext_if1 port 222 -> 192.168.200.40 port 22
rdr on $ext_if1 proto tcp from any to $ext_if1 port 25 -> $mx_host
rdr on $ext_if1 proto tcp from any to $ext_if1 port 2525 -> $mx_host
rdr on $ext_if1 proto tcp from any to $ext_if1 port 993 -> $mx_host
rdr on $ext_if1 proto tcp from any to $ext_if1 port 465 -> $mx_host
rdr on $ext_if2 proto tcp from any to $ext_if2 port 222 -> 192.168.200.40 port 22
rdr on $ext_if2 proto tcp from any to $ext_if2 port 25 -> $mx_host
rdr on $ext_if2 proto tcp from any to $ext_if2 port 2525 -> $mx_host
rdr on $ext_if2 proto tcp from any to $ext_if2 port 993 -> $mx_host
rdr on $ext_if2 proto tcp from any to $ext_if2 port 465 -> $mx_host

# SIP
#rdr pass log on $int_if proto udp from $localnet to any port 5060 -> 127.0.0.1 port 5060
rdr on $ext_if1 proto { tcp, udp } from any to $ext_if1 port 5080 -> $pbx_host
rdr on $ext_if2 proto { tcp, udp } from any to $ext_if2 port 5080 -> $pbx_host

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $localnet to any port 21 -> 127.0.0.1 port 8021

antispoof log for $ext_ifs
antispoof log for $int_if

block log all
block log quick from
block drop in log quick on $ext_ifs from to any
block drop out log quick on $ext_ifs from any to

pass log from { $loopback_if, $localnet } to any
pass in log on $int_if
pass out log on $int_if
pass out log on $ext_ifs
pass out log quick on $ext_ifs proto udp from any to $pbx_host port 5080

# Client
pass out log quick on $ext_if1 route-to ($ext_if2 ($ext_if2:peer)) from $ext_if2 to any
pass out log quick on $ext_if2 route-to ($ext_if1 ($ext_if1:peer)) from $ext_if1 to any

# ICMP
pass in log inet proto icmp all icmp-type $icmp_in_types
pass in log on $ext_if1 reply-to ($ext_if1 ($ext_if1:peer)) inet proto icmp all icmp-type $icmp_in_types
pass in log on $ext_if2 reply-to ($ext_if2 ($ext_if2:peer)) inet proto icmp all icmp-type $icmp_in_types

# Public services
pass in log on $ext_if1 reply-to ($ext_if1 ($ext_if1:peer)) inet proto tcp \
    from any to any port $tcp_services \
    #synproxy state \
    (max-src-conn 100, max-src-conn-rate 50/5, \
    overload flush global)
pass in log on $ext_if2 reply-to ($ext_if2 ($ext_if2:peer)) inet proto tcp \
    from any to any port $tcp_services \
    #synproxy state \
    (max-src-conn 100, max-src-conn-rate 50/5, \
    overload flush global)
pass in log on $ext_if1 reply-to ($ext_if1 ($ext_if1:peer)) inet proto tcp \
    from any to any port { ssh, 222 } \
    #synproxy state \
    (max-src-conn 10, max-src-conn-rate 5/3, \
    overload flush global)
pass in log on $ext_if2 reply-to ($ext_if2 ($ext_if2:peer)) inet proto tcp \
    from any to any port { ssh, 222 } \
    #synproxy state \
    (max-src-conn 10, max-src-conn-rate 5/3, \
    overload flush global)
pass in log on $ext_if1 reply-to ($ext_if1 ($ext_if1:peer)) inet proto udp \
    from any to any port $udp_services
pass in log on $ext_if2 reply-to ($ext_if2 ($ext_if2:peer)) inet proto udp \
    from any to any port $udp_services

# VPN
pass in log on $ext_ifs inet proto icmp from $vpn_nets to $localnet
pass out log on $vpn_if from any to any keep state

# FTP-proxy
anchor "ftp-proxy/*"
pass out log proto tcp from ($ext_if1) to any port 21
pass out log proto tcp from ($ext_if2) to any port 21

-Gianni