Re: Ruleset Problem

2003-06-03 Thread Trevor Talbot
On Monday, Jun 2, 2003, at 09:48 US/Pacific, Amir Seyavash Mesry wrote:

Here is my pf.conf, the keepstate on the icmp doesn't seem to be working, it won't pass the packets out. I.e. I am on host 10.0.0.51, I ping 10.0.4.1 (routing table entry is present for this net) and it won't ping it, but if I ping 10.0.0.1 (fxp1) then it will allow the packet and let it return. I think it is something really simple that I am overlooking but I can't figure it out. Any help is appreciated.

# nat rules for both lan segments
nat on $eth0 from $lan1 to any -> $eth0
nat on $eth0 from $lan2 to any -> $eth0

#block all in-out
block in log all
block out log all
You don't have any pass out rules for $eth2, so the packet is never
reaching 10.0.4.1 (assuming it's on $eth2; you didn't say).
#allow nat for both lan segments only if lan segments initiate request.
pass out on $eth0 inet proto tcp from $lan1 to any  modulate state
pass out on $eth0 inet proto udp from $lan1 to any  keep state
pass out on $eth0 inet proto icmp from $lan1 to any icmp-type 8 code 0  keep state
pass out on $eth0 inet proto tcp from $lan2 to any  modulate state
pass out on $eth0 inet proto udp from $lan2 to any  keep state
pass out on $eth0 inet proto icmp from $lan2 to any icmp-type 8 code 0  keep state
As a side note, these rules should never apply, as nat has already taken
effect by the time you get to filter out on $eth0.


Re: Ruleset Problem

2003-06-03 Thread j knight
Amir Seyavash Mesry wrote:
I am having an odd problem and I am hoping someone on the list can point out
my error,
Here is my pf.conf, the keepstate on the icmp doesn't seem to be working, it
won't pass the packets out. I.e.
I am on host 10.0.0.51, I ping 10.0.4.1 (routing table entry is present for
this net) and it won't ping it, but if I ping 10.0.0.1 (fxp1) then it will
allow the packet and let it return. I think it is something really simple
that I am overlooking but I can't figure it out. Any help is appreciated.
Which interface do packets have to exit to reach 10.0.4.1?

#allow outgoing traffic from Internet nic to internet if initiated from
Internet Nic.
pass out on $eth0 inet proto tcp from $eth0 to any  modulate state
pass out on $eth0 inet proto udp from $eth0 to any  keep state
pass out on $eth0 inet proto icmp from $eth0 to any icmp-type 8 code 0  keep state
Translation happens before filtering so you will find that these rules 
are passing packets from $lan1, $lan2 as well.

#allow nat for both lan segments only if lan segments initiate request.
pass out on $eth0 inet proto tcp from $lan1 to any  modulate state
pass out on $eth0 inet proto udp from $lan1 to any  keep state
pass out on $eth0 inet proto icmp from $lan1 to any icmp-type 8 code 0  keep state
pass out on $eth0 inet proto tcp from $lan2 to any  modulate state
pass out on $eth0 inet proto udp from $lan2 to any  keep state
pass out on $eth0 inet proto icmp from $lan2 to any icmp-type 8 code 0  keep state
These rules will have no effect because of what I mentioned above.

#allow requests from segment 1 to segment 2 or internet only if segment 1
requests it.
pass in on $eth1 inet proto tcp from $lan1 to any  modulate state
pass in on $eth1 inet proto udp from $lan1 to any  keep state
pass in on $eth1 inet proto icmp from { $lan1, $loc } to any icmp-type 8 code 0  keep state
#allow requests from segment 2 to segment 1 or internet only if segment 2
requests it.
pass in on $eth2 inet proto tcp from $lan2 to any  modulate state
pass in on $eth2 inet proto udp from $lan2 to any  keep state
pass in on $eth2 inet proto icmp from { $lan1, $loc } to any icmp-type 8 code 0  keep state
Where are your pass out on { $eth1, $eth2 } rules? Keep state only 
tracks state on one interface; you still have to pass the traffic 
through any other interface the packets will pass through.

.joel



RE: Ruleset Problem

2003-06-03 Thread Amir Seyavash Mesry
Sorry, I thought I gave enough info, they come in on eth1 and leave on eth1.
I.e. the machine that pf.conf was given for is doing nat and some small routing.
Machine1(pf.conf given for this one)
Eth0=internetip
Eth1=10.0.0.1 network 10.0.0.0/24
Eth1=10.0.0.2 network 10.0.0.0/24

Machine2
Eth0=internetip
Eth1=10.0.0.2 network 10.0.0.0/24
Eth1=10.0.4.1 network 10.0.4.0/24


If I am reading this right translation takes precedence over filtering,
which means if I have the following after translation, then the packets will
still pass, or do they get blocked after translation on the outbound if.x

block in log all
block out log all

As for the keep state rules, what I was trying to accomplish is passing
packets between eth1 and eth2 checking state on each interface. Maybe one 2
revised rules would be

pass in on $eth1 inet proto udp from $lan1 to $lan2 keep state
pass in on $eth2 inet proto udp from $lan1 to $lan2 keep state

Do I need a corresponding one backtracking such as?

pass in on $eth2 inet proto udp from $lan2 to $lan1 keep state
pass in on $eth1 inet proto udp from $lan2 to $lan1 keep state


Amir Seyavash Mesry 
[EMAIL PROTECTED] 
LSI Logic Corporation 
http://www.lsilogic.com/ 
Raid Support Test Technician 
6145-D Northbelt Parkway 
Norcross, GA 30071 
678-728-1211 

NOTICE: This communication may contain privileged or other confidential
information. If you are not the intended recipient, or believe that you have
received this communication in error, please do not print, copy, retransmit,
disseminate, or otherwise use the information. Also, please indicate to the
sender that you have received this communication in error, and delete the
copy you received. Thank you.
 






Re: Ruleset Problem

2003-06-03 Thread j knight
Amir Seyavash Mesry wrote:
Sorry, I thought I gave enough info, they come in on eth1 and leave on eth1.
IE machine that pf.conf was given for is doing nat and some small routing.
Machine1(pf.conf given for this one)
Eth0=internetip
Eth1=10.0.0.1 network 10.0.0.0/24
Eth1=10.0.0.2 network 10.0.0.0/24
Machine2
Eth0=internetip
Eth1=10.0.0.2 network 10.0.0.0/24
Eth1=10.0.4.1 network 10.0.4.0/24
Now I'm really confused :(. Perhaps you could draw a simple diagram?

If I am reading this right translation takes precedence over filtering,
which means if I have the following after translation, then the packets will
still pass, or do they get blocked after translation on the outbound if.x
Translated packets still pass through the filter engine and are subject 
to your filter rules

block in log all
block out log all
... so this will block translated packets. You'll need to pass out on 
$ext ... later on.

As for the keep state rules, what I was trying to accomplish is passing
packets between eth1 and eth2 checking state on each interface. Maybe one 2
revised rules would be
pass in on $eth1 inet proto udp from $lan1 to $lan2 keep state
pass in on $eth2 inet proto udp from $lan1 to $lan2 keep state
Is $lan1 connected to $eth1 or $eth2? From what I can tell, $lan1 is on 
$eth1 so looking for packets from $lan1 on $eth2 isn't necessary.

Do I need a corresponding one backtracking such as?

pass in on $eth2 inet proto udp from $lan2 to $lan1 keep state
pass in on $eth1 inet proto udp from $lan2 to $lan1 keep state
Same situation here with $lan2.

What you need is a set of rules to pass traffic OUT on $eth1, $eth2. 
Like I said, keep state only tracks state on one interface, not all of 
them.

pass in  on $eth1 from $lan1 to $lan2 keep state
pass out on $eth2 from $lan1 to $lan2 keep state


.joel
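
A fragment of Machine1's pf.conf that follows the advice in this reply, added here as an illustration and not one of the pf.conf files posted in the thread. The interface names (fxp0, fxp1, fxp2), the macro names and the 10.0.4.0/24 route via 10.0.0.2 are assumptions based on the addresses Amir gives in the thread.

```pf
# Machine1, the NAT and routing box. Interface names are assumed.
eth0 = "fxp0"           # Internet
eth1 = "fxp1"           # 10.0.0.1, segment 10.0.0.0/24 (Machine2 is 10.0.0.2 here)
eth2 = "fxp2"           # 10.0.1.1, segment 10.0.1.0/24
lan1 = "10.0.0.0/24"
lan2 = "10.0.1.0/24"
remote = "10.0.4.0/24"  # behind Machine2, routed via 10.0.0.2 (assumed)

# Translation is applied before the filter rules are evaluated, so the
# filter sees Internet-bound packets with $eth0's address as source.
nat on $eth0 from { $lan1, $lan2 } to any -> $eth0

block in log all
block out log all

# Step 1: accept each request on the interface it arrives on.
pass in on $eth1 inet proto { tcp, udp } from $lan1 to any keep state
pass in on $eth1 inet proto icmp from $lan1 to any icmp-type 8 code 0 keep state
pass in on $eth2 inet proto { tcp, udp } from $lan2 to any keep state
pass in on $eth2 inet proto icmp from $lan2 to any icmp-type 8 code 0 keep state

# Step 2: also pass it out on the interface it leaves on. The state
# created by a "pass in" rule is tracked on that interface only (Joel's
# point above), so without these the forwarded packet hits "block out"
# on the egress interface. The ping from 10.0.0.51 to 10.0.4.1 enters
# AND leaves on $eth1, because its next hop 10.0.0.2 is on the same
# segment; that is the case the original ruleset never passed out.
pass out on $eth1 inet proto icmp from $lan1 to $remote icmp-type 8 code 0 keep state
pass out on $eth1 inet proto { tcp, udp } from $lan1 to $remote keep state
pass out on $eth2 inet proto icmp from $lan1 to $lan2 icmp-type 8 code 0 keep state
pass out on $eth2 inet proto { tcp, udp } from $lan1 to $lan2 keep state
pass out on $eth1 inet proto icmp from $lan2 to { $lan1, $remote } icmp-type 8 code 0 keep state
pass out on $eth1 inet proto { tcp, udp } from $lan2 to { $lan1, $remote } keep state

# Step 3: Internet-bound packets have already been translated, so rules
# written "from $lan1" never match here; match the translated source.
pass out on $eth0 inet proto tcp from $eth0 to any modulate state
pass out on $eth0 inet proto udp from $eth0 to any keep state
pass out on $eth0 inet proto icmp from $eth0 to any icmp-type 8 code 0 keep state
```

Replies to each request match the state entry on whichever interface created it, so the echo reply from 10.0.4.1 is matched by the $eth1 pass-out state on the way in and by the $eth1 pass-in state on the way back to 10.0.0.51.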



RE: Ruleset Problem

2003-06-03 Thread Amir Seyavash Mesry
OMG TYPO! Packet is going from 10.0.0.51 to 10.0.0.1 to 10.0.0.2 to 10.0.4.1
Maybe this clarifies it now, lol.

Machine1
Eth0=77.77.77.77
Eth1=10.0.0.1 network 10.0.0.0/24
Eth2=10.0.0.2 network 10.0.0.0/24

Machine2
Eth0=11.11.11.11
Eth1=10.0.0.2 network 10.0.0.0/24
Eth2=10.0.4.1 network 10.0.4.0/24

(routing table)
Destination   Gateway
10.0.0.0      Eth1
10.0.0.2      Eth1
10.0.1.0      Eth2
10.0.4.0      10.0.0.2

BTW, Thanks for working with me on this, and helping me figure where I am
going wrong!

 






Re: Ruleset Problem

2003-06-03 Thread j knight
Amir Seyavash Mesry wrote:
OMG TYPO! Packet is going from 10.0.0.51 to 10.0.0.1 to 10.0.0.2 to 10.0.4.1
Maybe this clarifies it now, lol.
I'm sorry, it really doesn't.

Machine1
Eth0=77.77.77.77
Eth1=10.0.0.1 network 10.0.0.0/24
Eth2=10.0.0.2 network 10.0.0.0/24
Machine2
Eth0=11.11.11.11
Eth1=10.0.0.2 network 10.0.0.0/24
Eth2=10.0.4.1 network 10.0.4.0/24
I don't understand how these machines are connected or which machine is 
loaded with the pf.conf you gave. You say above the packets are going 
from 10.0.0.2 to 10.0.4.1 but I don't see how that's possible with a /24 
netmask without some intermediate hop.

Did you test it with the pass out rules?

.joel



RE: Ruleset Problem

2003-06-03 Thread Amir Seyavash Mesry
Re-attaching pf2.conf, I forgot to add the ip changes.

 



Attachment: pf2.conf


RE: Ruleset Problem

2003-06-03 Thread Amir Seyavash Mesry
Yea I added some, now it works, this got it all working now, attaching 2
pf.conf's and the diagram is below, lemme know if I still got something
amiss, I think I got it all.

              Eth0 (--- Internet)
                |
Machine1 ---- Eth1 (10.0.0.1, 10.0.0.0/24) ----+
                |                              |
              Eth2 (10.0.1.1, 10.0.1.0/24)     |
                                               |
              Eth0 (--- Internet)              |
                |                              |
Machine2 ---- Eth1 (10.0.0.2, 10.0.0.0/24) ----+
                |
              Eth2 (10.0.4.1, 10.0.4.0/24)

 



Attachments: pf1.conf, pf2.conf