PF 'traceroute -I host' 'tracert host' problem

2010-08-18 Thread Атанас Владимиров
Hi
I moved from 4.6 to 4.7 and rewrote my pf.conf rules to match the new style.
Everything works fine, but when I try to traceroute a host with the -I flag
(force it to use ICMP) on my obsd fw,
I get "Request timed out" on all hops except the last one, which is my
traceroute target. Here is an example:

[ns]~$ traceroute -I data.bg
traceroute to data.bg (195.149.248.130), 64 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  web.data.bg (195.149.248.130)  0.740 ms  0.707 ms  0.733 ms

As you can see, only the last hop is present.
Example without the -I flag (using UDP):

[ns]~$ traceroute data.bg
traceroute to data.bg (195.149.248.130), 64 hops max, 40 byte packets
 1  gw.tbc.bg (94.26.7.33)  0.591 ms  0.462 ms  0.443 ms
 2  peer.tbc.bg (94.26.50.2)  0.961 ms  1.317 ms  1.965 ms
 3  85.91.141.65 (85.91.141.65)  0.866 ms  0.905 ms  1.93 ms
 4  web.data.bg (195.149.248.130)  0.847 ms  0.732 ms  0.712 ms

When I use 'tracert host' on an MS Windows box behind my obsd fw, I get the same
behavior:

 C:\Users\Administrator>tracert data.bg

Tracing route to data.bg [195.149.248.130]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  ns.bsdbg.net [192.168.1.1]
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     1 ms     1 ms     1 ms  web.data.bg [195.149.248.130]

Trace complete.

Here the first hop is my obsd fw. I used tcpdump to see what actually happens:

[ns]~# tcpdump -nettti pflog0 host vlado and icmp
tcpdump: listening on pflog0, link-type PFLOG
Aug 19 02:29:32.165656 rule 85/(match) pass in on em1: 192.168.1.2 > 195.149.248.130: icmp: echo request [ttl 1]
Aug 19 02:29:33.168104 rule 120/(match) pass out on em0: 192.168.1.2 > 195.149.248.130: icmp: echo request [ttl 1]
Aug 19 02:29:33.168117 rule 17/(match) match out on em0: 192.168.1.2 > 195.149.248.130: icmp: echo request [ttl 1]
Aug 19 02:29:33.168128 rule 16/(match) match out on em0: 192.168.1.2 > 195.149.248.130: icmp: echo request [ttl 1]
Aug 19 02:29:33.168593 rule 120/(match) pass in on em0: 94.26.7.33 > 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
Aug 19 02:29:33.168613 rule 14/(match) block out on em1: 94.26.7.33 > 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
Aug 19 02:29:36.960715 rule 120/(match) pass in on em0: 94.26.7.33 > 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
Aug 19 02:29:40.960831 rule 120/(match) pass in on em0: 94.26.7.33 > 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
Aug 19 02:29:44.962196 rule 120/(match) pass in on em0: 94.26.50.2 > 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
Aug 19 02:29:48.961438 rule 120/(match) pass in on em0: 94.26.50.2 > 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
Aug 19 02:29:52.961678 rule 120/(match) pass in on em0: 94.26.50.2 > 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
Aug 19 02:29:56.960795 rule 120/(match) pass in on em0: 85.91.141.65 > 192.168.1.2: icmp: time exceeded in-transit
Aug 19 02:30:00.960785 rule 120/(match) pass in on em0: 85.91.141.65 > 192.168.1.2: icmp: time exceeded in-transit
Aug 19 02:30:05.002249 rule 120/(match) pass in on em0: 85.91.141.65 > 192.168.1.2: icmp: time exceeded in-transit
Aug 19 02:30:08.960640 rule 120/(match) pass in on em0: 195.149.248.130 > 192.168.1.2: icmp: echo reply
Aug 19 02:30:08.961639 rule 120/(match) pass in on em0: 195.149.248.130 > 192.168.1.2: icmp: echo reply
Aug 19 02:30:08.962888 rule 120/(match) pass in on em0: 195.149.248.130 > 192.168.1.2: icmp: echo reply

When I turn off pf (pfctl -d), 'traceroute -I' works as it should.
I really don't know what is happening.
Thanks in advance,
Atanas

Here is my pf.conf
##
pf.conf
##

## Macros ##

### Interfaces ###
ExtIf = "em0"
IntIf = "em1"

### Hosts ###
vl  = "192.168.1.2"
jl  = "192.168.1.3"
ve  = "192.168.1.4"
ntp = "192.168.1.5"

### Queues, States and Types ###
IcmpType = "icmp-type 8 code 0"
SynState = "flags S/SAFR synproxy state"
TcpState = "flags S/SAFR modulate state"
UdpState = "keep state"

### Ports ###
# Squid
squid = "2020"

# Remote Desktop Connection
rdc_int = "3389"
rdc_ext = "4000"

# Skype
vl_skype = "30001"
jl_skype = "30002"
ve_skype = "30003"

# uTorrent
vl_torrent = "30004"
jl_torrent = "30005"
ve_torrent = "30006"
urange     = "30004:30006"

# HFS
vl_hfs = "8080"

# VsFTP
ftprange = "55000:6"
FtpPort  = "8021"

# Symux
symux = "2100"

# Battle.net
bnet = "6112"

# Ssh
ssh_ext = "443"

### Stateful Tracking Options (STO) ###
ExtIfSTO  = "(max 9000, source-track rule, max-src-conn 2000, max-src-nodes 254)"
IntIfSTO  = "(max 250,  source-track rule, max-src-conn 100,  max-src-nodes 254, max-src-conn-rate 75/20)"
PostfxSTO = "(max 100,  source-track rule, max-src-states 5,  max-src-nodes 30,  max-src-conn-rate 10/300, overload <BLACKLIST> flush global, tcp.established 45)"
SpamdSTO  = "(max 500,  source-track rule, max-src-conn 10,   max-src-nodes 300, max-src-conn-rate 2/300, tcp.established 10)"
SshSTO    = "(max 10,   source-track rule, max-src-conn 10,   max-src-nodes
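The capture above already contains the diagnosis: the time-exceeded messages from the intermediate hops are accepted inbound on em0 by the state from rule 120, but the first one is then dropped by the block rule 14 on the way out em1, so the LAN host never sees it, while the echo replies from the final hop get through. The script below is an added triage helper, not part of the original mail and not OpenBSD code: it parses `tcpdump -nettti pflog0` lines and pairs each ICMP error that pf passed in on the external interface with an explicit `block out` for the same packet on the internal interface. The input is the post's capture (with the `>` separators restored); the interface names em0/em1 come from the post, and the 50 ms pairing window is an assumption. Only rules with `log` show up in pflog, and a packet matched by an existing state is not logged, so the explicit block line is the signal to look for, not the absence of a `pass out`.

```python
"""Added triage helper (not from the original mail): pair ICMP errors pf accepted
inbound on the external interface with an explicit `block out` on the internal one."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed input: the relevant lines of the post's capture, one packet per
# line, with the '>' separators that the list archive stripped put back.
SAMPLE_PFLOG = """\
Aug 19 02:29:32.165656 rule 85/(match) pass in on em1: 192.168.1.2 > 195.149.248.130: icmp: echo request [ttl 1]
Aug 19 02:29:33.168104 rule 120/(match) pass out on em0: 192.168.1.2 > 195.149.248.130: icmp: echo request [ttl 1]
Aug 19 02:29:33.168117 rule 17/(match) match out on em0: 192.168.1.2 > 195.149.248.130: icmp: echo request [ttl 1]
Aug 19 02:29:33.168128 rule 16/(match) match out on em0: 192.168.1.2 > 195.149.248.130: icmp: echo request [ttl 1]
Aug 19 02:29:33.168593 rule 120/(match) pass in on em0: 94.26.7.33 > 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
Aug 19 02:29:33.168613 rule 14/(match) block out on em1: 94.26.7.33 > 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
Aug 19 02:29:36.960715 rule 120/(match) pass in on em0: 94.26.7.33 > 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
Aug 19 02:30:08.960640 rule 120/(match) pass in on em0: 195.149.248.130 > 192.168.1.2: icmp: echo reply
"""

# One `tcpdump -nettti pflog0` line: timestamp, rule, action, direction, interface,
# src > dst, ICMP description, optional trailing "[ttl 1]" / "[tos 0xc0]".
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d\.\d+) "
    r"rule (?P<rule>\d+)/\(match\) (?P<action>pass|block|match) "
    r"(?P<dir>in|out) on (?P<iface>[a-z]+\d+): "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): icmp: (?P<icmp>[^\[]+?)\s*(\[[^\]]*\])?$"
)

# ICMP messages that pf relates to an existing state rather than to a rule of their own.
ICMP_ERROR_KEYWORDS = ("time exceeded", "unreachable")


@dataclass
class PflogEntry:
    when: datetime
    rule: int
    action: str      # pass | block | match
    direction: str   # in | out
    iface: str
    src: str
    dst: str
    icmp: str        # tcpdump's ICMP description, e.g. "time exceeded in-transit"


def parse_pflog(text: str, year: int = 2010) -> List[PflogEntry]:
    """Parse pflog lines; lines that are not ICMP in this format are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        # pflog timestamps carry no year; the caller supplies it (the post is from 2010).
        when = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                 "%Y %b %d %H:%M:%S.%f")
        entries.append(PflogEntry(when, int(m["rule"]), m["action"], m["dir"],
                                  m["iface"], m["src"], m["dst"], m["icmp"].strip()))
    return entries


def is_icmp_error(e: PflogEntry) -> bool:
    return any(k in e.icmp for k in ICMP_ERROR_KEYWORDS)


def last_probe_before(entries: List[PflogEntry], idx: int, ext_if: str) -> Optional[PflogEntry]:
    """Most recent echo request the LAN host sent out ext_if before entries[idx]."""
    err = entries[idx]
    for prev in reversed(entries[:idx]):
        if (prev.action == "pass" and prev.direction == "out" and prev.iface == ext_if
                and prev.src == err.dst and prev.icmp == "echo request"):
            return prev
    return None


def find_dropped_icmp_errors(entries: List[PflogEntry], ext_if: str = "em0",
                             int_if: str = "em1", window_ms: int = 50) -> List[Dict]:
    """ICMP errors passed in on ext_if that pf then explicitly blocked out on int_if.

    State-matched packets are never logged, so only an explicit block line proves a
    drop. window_ms (assumed) bounds the gap between the two log lines of one packet.
    """
    window = timedelta(milliseconds=window_ms)
    dropped = []
    for i, e in enumerate(entries):
        if not (e.action == "pass" and e.direction == "in" and e.iface == ext_if
                and is_icmp_error(e)):
            continue
        for later in entries[i + 1:]:
            if later.when - e.when > window:
                break
            same_packet = (later.src == e.src and later.dst == e.dst and later.icmp == e.icmp)
            if later.action == "block" and later.direction == "out" and later.iface == int_if and same_packet:
                probe = last_probe_before(entries, i, ext_if)
                dropped.append({
                    "time": e.when.strftime("%H:%M:%S.%f"),
                    "hop": e.src,                 # router that sent the error
                    "lan_host": e.dst,            # traceroute client that never sees it
                    "icmp": e.icmp,
                    "in_rule": e.rule,            # rule whose state accepted it on ext_if
                    "block_rule": later.rule,     # rule that dropped it on int_if
                    "probe_rule": probe.rule if probe else None,  # rule that let the probe out
                })
                break
    return dropped


if __name__ == "__main__":
    for hit in find_dropped_icmp_errors(parse_pflog(SAMPLE_PFLOG)):
        print(f"{hit['time']} {hit['icmp']} from hop {hit['hop']} to {hit['lan_host']}: "
              f"accepted by rule {hit['in_rule']} on em0, blocked by rule {hit['block_rule']} on em1 "
              f"(probe left via rule {hit['probe_rule']})")
```

Run against the post's capture it reports exactly one drop: the 02:29:33 time-exceeded from 94.26.7.33, accepted by rule 120 on em0 and blocked by rule 14 on em1, for a probe that left via rule 120. Feed it a capture from your own box (`tcpdump -nettti pflog0 icmp`) with the correct interface names; if the same pattern shows, the ICMP error is not being related to the state the probe created.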

Re: PF 'traceroute -I host' 'tracert host' problem

2010-08-18 Thread David Hill
This has been fixed in 4.8.

On Thu, Aug 19, 2010 at 03:08:23AM +0300, Атанас Владимиров wrote:
> Hi
> I moved from 4.6 to 4.7 and rewrote my pf.conf rules to match the new style.
> Everything works fine, but when I try to traceroute a host with the -I flag
> (force it to use ICMP) on my obsd fw,
> I get "Request timed out" on all hops except the last one, which is my
> traceroute target. Here is an example:
> 
> [ns]~$ traceroute -I data.bg
> traceroute to data.bg (195.149.248.130), 64 hops max, 60 byte packets
>  1  * * *
>  2  * * *
>  3  * * *
>  4  web.data.bg (195.149.248.130)  0.740 ms  0.707 ms  0.733 ms
> 
> As you can see, only the last hop is present.
> Example without the -I flag (using UDP):
> 
> [ns]~$ traceroute data.bg
> traceroute to data.bg (195.149.248.130), 64 hops max, 40 byte packets
>  1  gw.tbc.bg (94.26.7.33)  0.591 ms  0.462 ms  0.443 ms
>  2  peer.tbc.bg (94.26.50.2)  0.961 ms  1.317 ms  1.965 ms
>  3  85.91.141.65 (85.91.141.65)  0.866 ms  0.905 ms  1.93 ms
>  4  web.data.bg (195.149.248.130)  0.847 ms  0.732 ms  0.712 ms
> 
> When I use 'tracert host' on an MS Windows box behind my obsd fw, I get the same
> behavior:
> 
>  C:\Users\Administrator>tracert data.bg
> 
> Tracing route to data.bg [195.149.248.130]
> over a maximum of 30 hops:
> 
>   1     1 ms     1 ms     1 ms  ns.bsdbg.net [192.168.1.1]
>   2     *        *        *     Request timed out.
>   3     *        *        *     Request timed out.
>   4     *        *        *     Request timed out.
>   5     1 ms     1 ms     1 ms  web.data.bg [195.149.248.130]
> 
> Trace complete.
> 
> Here the first hop is my obsd fw. I used tcpdump to see what actually happens:
> 
> [ns]~# tcpdump -nettti pflog0 host vlado and icmp
> tcpdump: listening on pflog0, link-type PFLOG
> Aug 19 02:29:32.165656 rule 85/(match) pass in on em1: 192.168.1.2 > 195.149.248.130: icmp: echo request [ttl 1]
> Aug 19 02:29:33.168104 rule 120/(match) pass out on em0: 192.168.1.2 > 195.149.248.130: icmp: echo request [ttl 1]
> Aug 19 02:29:33.168117 rule 17/(match) match out on em0: 192.168.1.2 > 195.149.248.130: icmp: echo request [ttl 1]
> Aug 19 02:29:33.168128 rule 16/(match) match out on em0: 192.168.1.2 > 195.149.248.130: icmp: echo request [ttl 1]
> Aug 19 02:29:33.168593 rule 120/(match) pass in on em0: 94.26.7.33 > 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
> Aug 19 02:29:33.168613 rule 14/(match) block out on em1: 94.26.7.33 > 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
> Aug 19 02:29:36.960715 rule 120/(match) pass in on em0: 94.26.7.33 > 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
> Aug 19 02:29:40.960831 rule 120/(match) pass in on em0: 94.26.7.33 > 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
> Aug 19 02:29:44.962196 rule 120/(match) pass in on em0: 94.26.50.2 > 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
> Aug 19 02:29:48.961438 rule 120/(match) pass in on em0: 94.26.50.2 > 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
> Aug 19 02:29:52.961678 rule 120/(match) pass in on em0: 94.26.50.2 > 192.168.1.2: icmp: time exceeded in-transit [tos 0xc0]
> Aug 19 02:29:56.960795 rule 120/(match) pass in on em0: 85.91.141.65 > 192.168.1.2: icmp: time exceeded in-transit
> Aug 19 02:30:00.960785 rule 120/(match) pass in on em0: 85.91.141.65 > 192.168.1.2: icmp: time exceeded in-transit
> Aug 19 02:30:05.002249 rule 120/(match) pass in on em0: 85.91.141.65 > 192.168.1.2: icmp: time exceeded in-transit
> Aug 19 02:30:08.960640 rule 120/(match) pass in on em0: 195.149.248.130 > 192.168.1.2: icmp: echo reply
> Aug 19 02:30:08.961639 rule 120/(match) pass in on em0: 195.149.248.130 > 192.168.1.2: icmp: echo reply
> Aug 19 02:30:08.962888 rule 120/(match) pass in on em0: 195.149.248.130 > 192.168.1.2: icmp: echo reply
> 
> When I turn off pf (pfctl -d), 'traceroute -I' works as it should.
> I really don't know what is happening.
> Thanks in advance,
> Atanas
> 
> Here is my pf.conf
> ##
> pf.conf
> ##
> 
> ## Macros ##
> 
> ### Interfaces ###
> ExtIf = "em0"
> IntIf = "em1"
> 
> ### Hosts ###
> vl  = "192.168.1.2"
> jl  = "192.168.1.3"
> ve  = "192.168.1.4"
> ntp = "192.168.1.5"
> 
> ### Queues, States and Types ###
> IcmpType = "icmp-type 8 code 0"
> SynState = "flags S/SAFR synproxy state"
> TcpState = "flags S/SAFR modulate state"
> UdpState = "keep state"
> 
> ### Ports ###
> # Squid
> squid = "2020"
> 
> # Remote Desktop Connection
> rdc_int = "3389"
> rdc_ext = "4000"
> 
> # Skype
> vl_skype = "30001"
> jl_skype = "30002"
> ve_skype = "30003"
> 
> # uTorrent
> vl_torrent = "30004"
> jl_torrent = "30005"
> ve_torrent = "30006"
> urange     = "30004:30006"
> 
> # HFS
> vl_hfs = "8080"
> 
> # VsFTP
> ftprange = "55000:6"
> FtpPort  = "8021"
> 
> # Symux
> symux = "2100"
> 
> # Battle.net
> bnet = "6112"
> 
> # Ssh
> ssh_ext = "443"
> 
> ### Stateful Tracking Options (STO) ###
> ExtIfSTO  = "(max 9000, source-track rule, max-src-conn 2000, max-src-nodes 254)"
> IntIfSTO  = "(max 250,  source-track rule, max-src-conn 100,  max-src-nodes 254, max-src-conn-rate 75/20)"
> PostfxSTO = "(max 100,  source-track rule, max-src-states 5,  max-src-nodes 30,  max-src-conn-rate 10/300, overload