Date:      Mon, 6 Aug 2007 15:10:59 -0300
From:      "Gilberto Villani Brito" <linux@giboia.org>
To:        "FreeBSD (PF)" <freebsd-pf@freebsd.org>
Subject:   Re: PF and proxytunnel
Message-ID:  <6e6841490708061110y1be829dbwf17424beb588492e@mail.gmail.com>
In-Reply-To: <46B2DB78.7090001@ch-st-julien.fr>
References:  <46B2DB78.7090001@ch-st-julien.fr>

On 03/08/07, nicolas.cornu <nicolas.cornu@ch-st-julien.fr> wrote:
> Hi,
>
> I'm quite new in the PF experience. I'm trying to set a rule which can
> permit me to log on my home machine from work by using ssh and
> proxytunnel (http://proxytunnel.sourceforge.net/)
>
> I can't make it work. Each time the firewall is up, my ssh connection is
> broken. I think it's a flag problem but I can't make it work.
>
>
> So, this is my rule (and I'm blocking everything by default):
>
> " pass in quick log on $ext_if proto tcp from <work> to $ext_if port 443
> flags S/SA keep state "
>
> The thing is, in a forum a guy asked me to try with the flag S/SA but it
> doesn't work. I tried some other flags without any success.
>
> I also got a log of the packets which are blocked:
>
> 16:10:12.437424 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 0:112(112) ack 1 win 32844 <nop,nop,timestamp 1876831905 597750028>
> 16:10:12.437433 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 1:112(111) ack 1 win 32844 <nop,nop,timestamp 1876831905 597750028>
> 16:10:12.497175 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: . ack 4294967056 win 32767 <nop,nop,timestamp 597750123 1876831872>
> 16:10:12.506673 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: . ack 4294967104 win 32767 <nop,nop,timestamp 597750133 1876831886>
> 16:10:12.516765 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: . ack 4294967200 win 32767 <nop,nop,timestamp 597750143 1876831896>
> 16:10:12.524137 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: . ack 0 win 32767 <nop,nop,timestamp 597750150 1876831901>
> 16:10:12.698154 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844 <nop,nop,timestamp 1876832166 597750028>
> 16:10:12.879724 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win 32767 <nop,nop,timestamp 597750505 1876831901>
> 16:10:13.086087 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844 <nop,nop,timestamp 1876832554 597750028>
> 16:10:13.174156 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win 32767 <nop,nop,timestamp 597750799 1876831901>
> 16:10:13.661987 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844 <nop,nop,timestamp 1876833130 597750028>
> 16:10:13.761762 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win 32767 <nop,nop,timestamp 597751387 1876831901>
> 16:10:14.613849 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844 <nop,nop,timestamp 1876834082 597750028>
> 16:10:14.937784 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win 32767 <nop,nop,timestamp 597752563 1876831901>
> 16:10:16.317606 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844 <nop,nop,timestamp 1876835786 597750028>
> 16:10:17.289307 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win 32767 <nop,nop,timestamp 597754915 1876831901>
> 16:10:17.381429 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844 <nop,nop,timestamp 1876836850 597750028>
> 16:10:19.309147 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844 <nop,nop,timestamp 1876838778 597750028>
> 16:10:21.992459 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win 32767 <nop,nop,timestamp 597759619 1876831901>
> 16:10:22.964584 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844 <nop,nop,timestamp 1876842434 597750028>
> 16:10:29.280630 rule 0/0(match): block in on tun0: [work_ip_address].58926 > [home_ip_address].443: S 3840383586:3840383586(0) win 5840 <mss 1440,sackOK,timestamp 597766908 0,nop,wscale 0>
> 16:10:30.075509 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844 <nop,nop,timestamp 1876849546 597750028>
> 16:10:31.399531 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win 32767 <nop,nop,timestamp 597769027 1876831901>
> 16:10:32.279624 rule 0/0(match): block in on tun0: [work_ip_address].58926 > [home_ip_address].443: S 3840383586:3840383586(0) win 5840 <mss 1440,sackOK,timestamp 597769908 0,nop,wscale 0>
> 16:10:38.278752 rule 0/0(match): block in on tun0: [work_ip_address].58926 > [home_ip_address].443: S 3840383586:3840383586(0) win 5840 <mss 1440,sackOK,timestamp 597775908 0,nop,wscale 0>
> 16:10:44.097373 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844 <nop,nop,timestamp 1876863570 597750028>
> 16:10:50.211598 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win 32767 <nop,nop,timestamp 597787843 1876831901>
> 16:10:50.277124 rule 0/0(match): block in on tun0: [work_ip_address].58926 > [home_ip_address].443: S 3840383586:3840383586(0) win 5840 <mss 1440,sackOK,timestamp 597787908 0,nop,wscale 0>
> 16:10:51.796096 rule 0/0(match): block in on tun0: [work_ip_address].58951 > [home_ip_address].443: S 3848980265:3848980265(0) win 5840 <mss 1440,sackOK,timestamp 597789426 0,nop,wscale 0>
> 16:10:54.795329 rule 0/0(match): block in on tun0: [work_ip_address].58951 > [home_ip_address].443: S 3848980265:3848980265(0) win 5840 <mss 1440,sackOK,timestamp 597792426 0,nop,wscale 0>
> 16:10:58.119242 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844 <nop,nop,timestamp 1876877594 597750028>
> 16:14:05.064569 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58951: P 939245923:939246035(112) ack 3848991638 win 32844 <nop,nop,timestamp 1877064567 597982693>
>
> I hope someone can help me.
>
> Regards,
>
> Nicolas
>
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

I think you have a rule like:
block out $ext_if all

Try adding another rule like:
pass out quick log on $ext_if proto tcp from $ext_if port 443 to
<work> flags S/SA keep state


-- 
Gilberto Villani Brito
System Administrator
Londrina - PR
Brazil
gilbertovb(a)gmail.com
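As an added diagnostic example (not code from this thread, nor from the PF project), the Python script below parses pf log lines in the tcpdump format Nicolas quoted and sorts each blocked packet by direction and TCP flags. The sample lines are re-joined copies of the quoted log; the regex, `SERVICE_PORT`, the category names and the explanations are this example's own assumptions. On the log above it separates the new-connection SYNs to port 443 that a matching `pass in ... flags S/SA` rule would have accepted from the mid-stream packets (FIN/PSH/ACK without SYN) that no `flags S/SA` rule can ever match unless a state entry already exists, which is the first distinction to make when an established session dies the moment a ruleset loads.

```python
import re
from collections import Counter

# Fixed part of a pflog line as tcpdump prints it (assumed format: the one
# quoted in the thread). Everything after the TCP flags (seq/ack/win/options)
# is left unparsed because the classification only needs direction, ports
# and flags.
PFLOG_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) rule (?P<rule>\d+/\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFPRUEW.]+)"
)

SERVICE_PORT = 443  # assumption: the port the poster's "pass in ... port 443" rule covers

# Constructed sample: the poster's wrapped log lines, re-joined onto single lines.
SAMPLE_LOG = """\
16:10:12.437424 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 0:112(112) ack 1 win 32844 <nop,nop,timestamp 1876831905 597750028>
16:10:12.497175 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: . ack 4294967056 win 32767 <nop,nop,timestamp 597750123 1876831872>
16:10:12.879724 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win 32767 <nop,nop,timestamp 597750505 1876831901>
16:10:29.280630 rule 0/0(match): block in on tun0: [work_ip_address].58926 > [home_ip_address].443: S 3840383586:3840383586(0) win 5840 <mss 1440,sackOK,timestamp 597766908 0,nop,wscale 0>
16:10:51.796096 rule 0/0(match): block in on tun0: [work_ip_address].58951 > [home_ip_address].443: S 3848980265:3848980265(0) win 5840 <mss 1440,sackOK,timestamp 597789426 0,nop,wscale 0>
16:14:05.064569 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58951: P 939245923:939246035(112) ack 3848991638 win 32844 <nop,nop,timestamp 1877064567 597982693>
"""

# Category names and explanations are this example's own, not pf terminology.
EXPLANATION = {
    "new-connection-blocked":
        "inbound SYN to the service hit the block rule, so the pass-in rule did "
        "not match it: check that $ext_if is the logged interface and that the "
        "source address really is in the <work> table",
    "inbound-no-state":
        "inbound mid-stream packet blocked: pf holds no state for this "
        "connection, and a packet without SYN cannot match 'flags S/SA'",
    "outbound-no-state":
        "outbound reply from the service blocked: no state entry exists, so "
        "'keep state' on the pass-in rule never saw this connection (it predates "
        "the ruleset load, or its state was flushed)",
    "other": "packet unrelated to the service port",
}


def parse_pflog_line(line):
    """Return the parsed fields of one pflog line, or None if it does not match."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec):
    """Name the reason pf had neither a matching pass rule nor a state entry."""
    if rec["action"] != "block":
        return "other"
    is_syn = "S" in rec["flags"]  # tcpdump prints a bare 'S' for a SYN
    if rec["dir"] == "in" and rec["dport"] == SERVICE_PORT:
        return "new-connection-blocked" if is_syn else "inbound-no-state"
    if rec["dir"] == "out" and rec["sport"] == SERVICE_PORT:
        return "outbound-no-state"
    return "other"


def summarize(log_text):
    """Count blocked packets per category; unparseable lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_pflog_line(line)
        if rec is not None:
            counts[classify(rec)] += 1
    return counts


if __name__ == "__main__":
    for category, n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {category}: {EXPLANATION[category]}")
```

On a FreeBSD host the same lines come from `tcpdump -n -e -r /var/log/pflog`, so the script can be pointed at that output instead of the embedded sample. Two of the three categories it reports here (inbound SYNs to 443 still hitting the block rule, and mid-stream packets with no state) point at different fixes, which is why they are kept apart rather than counted as one "blocked on 443" figure.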


