On Thursday 15 February 2007 10:12 am, Darren Spruell wrote:
> On 2/15/07, Tim Kuhlman <[EMAIL PROTECTED]> wrote:
> > So my ruleset has some problems. I took some time to work through my
> > rules and re-read the state tracking section of the pf faq (which by the
> > way is well done, thanks). I found what I think are a couple of problems:
> > I needed to have the flags S/SA so that it paid attention to the SYN
> > packet, and for some reason I had the state policy globally set to
> > if-bound rather than floating. When I change both of those a new problem
> > appears: routing between my internal network and DMZs doesn't work.
> >
> > The SYN packet goes through and appears to create state but the SYN/ACK
> > packet isn't let back through. I thought that once it created state one
> > way it was supposed to allow it back the other. Surely I am missing
> > something simple.
> >
> > Here is the state as it appears with the new rules from a "pfctl -vvss".
> > I also attached a tcpdump capture from both interfaces on the router.
>
> Attachments are stripped by the listserv. Better to paste results in.
>
> > all tcp 10.10.10.150:49516 -> 10.11.0.5:80 ESTABLISHED:SYN_SENT
> > [573330559 + 16385](+3517130307) wscale 2 [3039928992 +
> > 5840](+146001125) wscale 0 age 00:00:02, expires in 00:00:28, 2:1 pkts,
> > 116:64 bytes, rule 135 id: 45c74dc600234f51 creatorid: b3647a00
> >
> > The router has 5 interfaces and 10 IP addresses associated with it, so I
> > will spare you the full ruleset, but here are the ones that are relevant.
> > I copied the rules as they are, including the extra interfaces and such.
> > $DMZ_production_if is the 10.11.0.0/24 network
> > $int_if is the 10.10.8.0/21 network
> >
> > table <int_net> const { 10.10.8.0/21, 10.8.0.0/24, 172.16.1.0/24 }
> >
> > pass in on { $int_if $vpn_if } proto {tcp udp icmp} from <int_net> to \
> > { $DMZ_production_if:network, $DMZ_proto_if:network }
> >
> > pass out on { $int_if $vpn_if $ext_if $dsl_if $DMZ_production_if
> > $DMZ_proto_if } proto \
> > {tcp udp icmp} flags S/SA modulate state
>
> IMHO, it's confusing to cram as much logic as you are into this rule;
> your traffic flows from one network to another follow distinct
> directions and crossing of interfaces, yet you've got a bit of a
> convoluted rule handling the 'pass out' for all of those flows on
> different interfaces. For all I know, it might work fine, but just for
> me it's confusing to piece it together and may be the cause of your
> futz.
>
> If you don't have traffic coming into your LAN from the DMZ, you could
> simplify this by having simply a:
>
> - pass in rule on your LAN interface allowing flows from the LAN into
>   the remote networks, with keep state and appropriate flags;
> - pass out rule on your DMZ interface or whatever interfaces are
>   destinations from the LAN, with keep state and appropriate flags.
>
> You need both; you need to have state built INBOUND on the INSIDE
> interface so that return traffic out that interface passes statefully.
> At the same time, you need state built OUTBOUND on the OUTSIDE
> interface so that return traffic in that interface passes statefully.
The above paragraph explains what my problem was. I was thinking that I simply needed the state built once and that pf would figure out both directions. I added state building on the appropriate pass in rules and it is working. This also solved the original issue of the one Gentoo box getting its TCP packets dropped. I am going to go through my ruleset simplifying and auditing with this in mind. Thanks again for the help!

-- 
Tim Kuhlman
Network Administrator
ColoradoVnet.com
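For readers following this thread, here is the two-rule pattern Darren describes written out as a pf.conf fragment, combined with the two corrections Tim mentions (flags S/SA and a floating state policy). This is an added example, not a ruleset posted by either of them: the interface names, the default block rule and the decision to split TCP from UDP/ICMP are assumptions; the table and networks are the ones Tim quoted.

```pf
# Added example, not from the thread. Interface names are assumed; the
# <int_net> table and the networks come from Tim's message.
int_if            = "em0"   # assumed: the 10.10.8.0/21 LAN side
DMZ_production_if = "em1"   # assumed: the 10.11.0.0/24 DMZ side

table <int_net> const { 10.10.8.0/21, 10.8.0.0/24, 172.16.1.0/24 }

# Tim's fix: state entries are not tied to the interface that created them.
set state-policy floating

# Assumed default deny, so only the stateful rules below carry LAN -> DMZ.
block log all

# 1) State built INBOUND on the INSIDE interface. The SYN arriving from the
#    LAN creates the entry that lets the SYN/ACK back out this interface.
#    flags S/SA only applies to TCP, so UDP/ICMP get their own rule.
pass in on $int_if proto tcp from <int_net> \
    to $DMZ_production_if:network flags S/SA keep state
pass in on $int_if proto { udp icmp } from <int_net> \
    to $DMZ_production_if:network keep state

# 2) State built OUTBOUND on the OUTSIDE (DMZ) interface. The same SYN
#    leaving toward the DMZ host creates the entry that lets the SYN/ACK
#    back in here. Darren's point: both directions need their own rule.
pass out on $DMZ_production_if proto tcp from <int_net> \
    to $DMZ_production_if:network flags S/SA keep state
pass out on $DMZ_production_if proto { udp icmp } from <int_net> \
    to $DMZ_production_if:network keep state
```

Parse it without loading it first (`pfctl -nf /etc/pf.conf`), then, as Tim did, watch `pfctl -vvss` for a LAN-to-DMZ connection: once both rules create state, the entry should move past ESTABLISHED:SYN_SENT instead of sitting there while the SYN/ACK is dropped. Keeping one rule per interface and direction also makes the `rule N` field in that output point at something you can read, which the original five-interface pass out rule did not.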