From owner-freebsd-pf@FreeBSD.ORG  Mon Aug  6 18:11:03 2007
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 2D09016A421
	for <freebsd-pf@freebsd.org>; Mon,  6 Aug 2007 18:11:03 +0000 (UTC)
	(envelope-from linux@giboia.org)
Received: from mu-out-0910.google.com (mu-out-0910.google.com [209.85.134.187])
	by mx1.freebsd.org (Postfix) with ESMTP id EE61E13C46E
	for <freebsd-pf@freebsd.org>; Mon,  6 Aug 2007 18:11:01 +0000 (UTC)
	(envelope-from linux@giboia.org)
Received: by mu-out-0910.google.com with SMTP id w9so1597091mue
	for <freebsd-pf@freebsd.org>; Mon, 06 Aug 2007 11:11:00 -0700 (PDT)
Received: by 10.82.174.20 with SMTP id w20mr5912070bue.1186423859989;
	Mon, 06 Aug 2007 11:10:59 -0700 (PDT)
Received: by 10.82.136.14 with HTTP; Mon, 6 Aug 2007 11:10:59 -0700 (PDT)
Message-ID: <6e6841490708061110y1be829dbwf17424beb588492e@mail.gmail.com>
Date: Mon, 6 Aug 2007 15:10:59 -0300
From: "Gilberto Villani Brito" <linux@giboia.org>
To: "FreeBSD (PF)" <freebsd-pf@freebsd.org>
In-Reply-To: <46B2DB78.7090001@ch-st-julien.fr>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <46B2DB78.7090001@ch-st-julien.fr>
Subject: Re: PF and proxytunnel
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Aug 2007 18:11:03 -0000

On 03/08/07, nicolas.cornu <nicolas.cornu@ch-st-julien.fr> wrote:
> Hi,
>
>
> I'm quite new in the PF experience. I'm trying to set a rule which can
> permit me to log on my home machine from work by using ssh and
> proxytunnel (http://proxytunnel.sourceforge.net/)
>
> I can't make it work. Each time the firewall is up, my ssh connection is
> broken. I think it's a flag problem but I can't make it work.
>
>
> So, this is my rule (And I'm blocking everuthing by default) :
>
> " pass in quick log on $ext_if proto tcp from <work> to $ext_if port 443
> flags S/SA keep state "
>
> The thing is in a forum, a guy asked me to try with the flag S/SA but it
> doesn't work. i tried some other fags without any succes.
>
> I also got a log of the packets which are blocked :
>
>
>
>
> 16:10:12.437424 rule 0/0(match): block out on tun0:
> [home_ip_address].443 > [work_ip_address].58797: FP 0:112(112) ack 1 win
> 32844 <nop,nop,timestamp 1876831905 597750028>
> 16:10:12.437433 rule 0/0(match): block out on tun0:
> [home_ip_address].443 > [work_ip_address].58797: FP 1:112(111) ack 1 win
> 32844 <nop,nop,timestamp 1876831905 597750028>
> 16:10:12.497175 rule 0/0(match): block in on tun0:
> [work_ip_address].58797 > [home_ip_address].443: . ack 4294967056 win
> 32767 <nop,nop,timestamp 597750123 1876831872>
> 16:10:12.506673 rule 0/0(match): block in on tun0:
> [work_ip_address].58797 > [home_ip_address].443: . ack 4294967104 win
> 32767 <nop,nop,timestamp 597750133 1876831886>
> 16:10:12.516765 rule 0/0(match): block in on tun0:
> [work_ip_address].58797 > [home_ip_address].443: . ack 4294967200 win
> 32767 <nop,nop,timestamp 597750143 1876831896>
> 16:10:12.524137 rule 0/0(match): block in on tun0:
> [work_ip_address].58797 > [home_ip_address].443: . ack 0 win 32767
> <nop,nop,timestamp 597750150 1876831901>
> 16:10:12.698154 rule 0/0(match): block out on tun0:
> [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400)
> ack 1 win 32844 <nop,nop,timestamp 1876832166 5
> 97750028>
> 16:10:12.879724 rule 0/0(match): block in on tun0:
> [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win
> 32767 <nop,nop,timestamp 597750505 1876831901>
> 16:10:13.086087 rule 0/0(match): block out on tun0:
> [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400)
> ack 1 win 32844 <nop,nop,timestamp 1876832554 5
> 97750028>
> 16:10:13.174156 rule 0/0(match): block in on tun0:
> [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win
> 32767 <nop,nop,timestamp 597750799 1876831901>
> 16:10:13.661987 rule 0/0(match): block out on tun0:
> [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400)
> ack 1 win 32844 <nop,nop,timestamp 1876833130 5
> 97750028>
> 16:10:13.761762 rule 0/0(match): block in on tun0:
> [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win
> 32767 <nop,nop,timestamp 597751387 1876831901>
> 16:10:14.613849 rule 0/0(match): block out on tun0:
> [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400)
> ack 1 win 32844 <nop,nop,timestamp 1876834082 5
> 97750028>
> 16:10:14.937784 rule 0/0(match): block in on tun0:
> [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win
> 32767 <nop,nop,timestamp 597752563 1876831901>
> 16:10:16.317606 rule 0/0(match): block out on tun0:
> [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400)
> ack 1 win 32844 <nop,nop,timestamp 1876835786 5
> 97750028>
> 16:10:17.289307 rule 0/0(match): block in on tun0:
> [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win
> 32767 <nop,nop,timestamp 597754915 1876831901>
> 16:10:17.381429 rule 0/0(match): block out on tun0:
> [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400)
> ack 1 win 32844 <nop,nop,timestamp 1876836850 5
> 97750028>
> 16:10:19.309147 rule 0/0(match): block out on tun0:
> [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400)
> ack 1 win 32844 <nop,nop,timestamp 1876838778 5
> 97750028>
> 16:10:21.992459 rule 0/0(match): block in on tun0:
> [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win
> 32767 <nop,nop,timestamp 597759619 1876831901>
> 16:10:22.964584 rule 0/0(match): block out on tun0:
> [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400)
> ack 1 win 32844 <nop,nop,timestamp 1876842434 5
> 97750028>
> 16:10:29.280630 rule 0/0(match): block in on tun0:
> [work_ip_address].58926 > [home_ip_address].443: S
> 3840383586:3840383586(0) win 5840 <mss 1440,sackOK,timestamp 59776690
> 8 0,nop,wscale 0>
> 16:10:30.075509 rule 0/0(match): block out on tun0:
> [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400)
> ack 1 win 32844 <nop,nop,timestamp 1876849546 5
> 97750028>
> 16:10:31.399531 rule 0/0(match): block in on tun0:
> [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win
> 32767 <nop,nop,timestamp 597769027 1876831901>
> 16:10:32.279624 rule 0/0(match): block in on tun0:
> [work_ip_address].58926 > [home_ip_address].443: S
> 3840383586:3840383586(0) win 5840 <mss 1440,sackOK,timestamp 59776990
> 8 0,nop,wscale 0>
> 16:10:38.278752 rule 0/0(match): block in on tun0:
> [work_ip_address].58926 > [home_ip_address].443: S
> 3840383586:3840383586(0) win 5840 <mss 1440,sackOK,timestamp 59777590
> 8 0,nop,wscale 0>
> 16:10:44.097373 rule 0/0(match): block out on tun0:
> [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400)
> ack 1 win 32844 <nop,nop,timestamp 1876863570 5
> 97750028>
> 16:10:50.211598 rule 0/0(match): block in on tun0:
> [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win
> 32767 <nop,nop,timestamp 597787843 1876831901>
> 16:10:50.277124 rule 0/0(match): block in on tun0:
> [work_ip_address].58926 > [home_ip_address].443: S
> 3840383586:3840383586(0) win 5840 <mss 1440,sackOK,timestamp 59778790
> 8 0,nop,wscale 0>
> 16:10:51.796096 rule 0/0(match): block in on tun0:
> [work_ip_address].58951 > [home_ip_address].443: S
> 3848980265:3848980265(0) win 5840 <mss 1440,sackOK,timestamp 59778942
> 6 0,nop,wscale 0>
> 16:10:54.795329 rule 0/0(match): block in on tun0:
> [work_ip_address].58951 > [home_ip_address].443: S
> 3848980265:3848980265(0) win 5840 <mss 1440,sackOK,timestamp 59779242
> 6 0,nop,wscale 0>
> 16:10:58.119242 rule 0/0(match): block out on tun0:
> [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400)
> ack 1 win 32844 <nop,nop,timestamp 1876877594 5
> 97750028>
> 16:14:05.064569 rule 0/0(match): block out on tun0:
> [home_ip_address].443 > [work_ip_address].58951: P
> 939245923:939246035(112) ack 3848991638 win 32844 <nop,nop,timestamp
>  1877064567 597982693>
>
>
>
>
>
>
>
>
> I hope someone can help me.
>
>
>
> Regards,
>
> Nicolas
>
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

I think you have a rule like:
block out $ext_if all

Try add other rule like:
pass out quick log on $ext_if proto tcp from $ext_if port 443 to
<work> flags S/SA keep state


-- 
Gilberto Villani Brito
System Administrator
Londrina - PR
Brazil
gilbertovb(a)gmail.com