Re: pf on FreeBSD

2006-12-19 Thread Travis H.
On Wed, Dec 13, 2006 at 06:31:10PM +0100, Daniel Hartmeier wrote:
  pass in on $first-nic proto tcp from IP-A to IP-B port 22 keep state

 The point of this is that you can control _which_ interface(s) a
 connection must flow through, instead of granting a permission to pass
 any and all interfaces.

Or, you can specify no interfaces, which is okay to do _if_:

1) Both interfaces have only directly attached networks (that are static)
2) antispoof is on for both interfaces

Some guy's guide out there for pf fails to take this into account.
If there's a static default route on an interface, you really can't
omit that interface from any rules, because both conditions are false.
-- 
A: No.
Q: Should I include quotations after my reply?
URL:http://www.subspacefield.org/~travis/ --




Re: pf on FreeBSD

2006-12-15 Thread Albert Shih
 On 13/12/2006 18:31:10+0100, Daniel Hartmeier wrote:
 On Wed, Dec 13, 2006 at 05:52:03PM +0100, Albert Shih wrote:
 
  Is it a problem with FreeBSD or with pf?
 
 With neither, you're assuming a state entry has the same effect in pf as
 in ipfw, which is not the case.
 
  For example I've put this kind of rule
  
  pass in on $first-nic proto tcp from IP-A to IP-B port 22 keep state
  
  When I try to connect from IP-A to IP-B using ssh the connection doesn't
  work. And I've got 
  
  self tcp IP-B:22 <- IP-A:56906   CLOSED:SYN_SENT
  self tcp IP-B:22 <- IP-A:59496   CLOSED:SYN_SENT
  
  in my pfctl -s state
  
  and got deny for outgoing packet from IP-B to IP-A
 
 That is expected with pf. A state entry created for an incoming packet
 on one interface does not allow the same packet to go out through
 another interface, it merely allows further packets through the same
 interface and _replies_ back out through the same interface.

Thanks for all.

Everything works fine now.

Regards.

--
Albert SHIH
Universite de Paris 7 (Denis DIDEROT)
U.F.R. de Mathematiques.
7th floor, plateau D, office 10
Heure local/Local time:
Fri Dec 15 22:00:53 CET 2006


Re: pf on FreeBSD

2006-12-13 Thread Daniel Hartmeier
On Wed, Dec 13, 2006 at 05:52:03PM +0100, Albert Shih wrote:

 Is it a problem with FreeBSD or with pf?

With neither, you're assuming a state entry has the same effect in pf as
in ipfw, which is not the case.

 For example I've put this kind of rule
 
   pass in on $first-nic proto tcp from IP-A to IP-B port 22 keep state
 
 When I try to connect from IP-A to IP-B using ssh the connection doesn't
 work. And I've got 
 
 self tcp IP-B:22 <- IP-A:56906   CLOSED:SYN_SENT
 self tcp IP-B:22 <- IP-A:59496   CLOSED:SYN_SENT
 
 in my pfctl -s state
 
 and got deny for outgoing packet from IP-B to IP-A

That is expected with pf. A state entry created for an incoming packet
on one interface does not allow the same packet to go out through
another interface, it merely allows further packets through the same
interface and _replies_ back out through the same interface.

If you do want to allow the packets to pass through another interface
(as is usually the case with legitimate forwarded connections), you have
to add

  pass out on $second-nic proto tcp from IP-A to IP-B port 22 keep state

which will then create a _second_ state entry for the same connection.

The point of this is that you can control _which_ interface(s) a
connection must flow through, instead of granting a permission to pass
any and all interfaces.

This may seem pointless to want to control in a simple setup which only
forwards between two NICs, but it isn't in a more complex case with
multiple NICs and routing tables dynamically updated and/or not trusted.

 On my old FreeBSD I'm using something like
 
   ipfw add permit any to any established.

The pf counterpart would be

  pass from any to any keep state

i.e. leaving out the 'on $if' part makes the rule apply to all
interfaces, and leaving out the 'out' or 'in' direction makes it apply
to both directions.

Daniel
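The two interface-bound rules Daniel describes, put together in a complete pf.conf as an added example (this is not configuration from the thread). It also applies the antispoof condition from Travis H.'s reply at the top of the page, and shows the looser interface-less form as a commented-out alternative. The interface names em0/em1 and the addresses are constructed placeholders standing in for $first-nic, $second-nic, IP-A and IP-B.

```pf
# Added example, not from the thread: a FreeBSD router with two NICs that
# forwards SSH from IP-A (reached via em0) to IP-B (reached via em1).
ext_if = "em0"             # $first-nic in the thread (placeholder)
int_if = "em1"             # $second-nic in the thread (placeholder)
client = "192.0.2.10"      # IP-A (constructed, TEST-NET-1)
server = "198.51.100.20"   # IP-B (constructed, TEST-NET-2)

set skip on lo0
block all

# Drop packets whose source address could not legitimately arrive on the
# interface they came in on (Travis H.'s condition 2).
antispoof quick for { $ext_if, $int_if }

# The connection must enter on ext_if ...
pass in  on $ext_if proto tcp from $client to $server port 22 keep state

# ... and must also be allowed to leave on int_if. This creates the second
# state entry for the same connection. Without it the forwarded SYN is
# dropped and 'pfctl -s state' shows only the inbound half, stuck in
# CLOSED:SYN_SENT, which is exactly the symptom reported in the thread.
pass out on $int_if proto tcp from $client to $server port 22 keep state

# Replies (SYN+ACK from $server back to $client) are matched by the two
# states above; no extra rule is needed for them.

# ipfw-style alternative: no interface and no direction, so the rule
# applies everywhere. Only acceptable when every interface has nothing but
# static, directly attached networks AND antispoof is enabled on all of
# them; an interface carrying a static default route fails condition 1.
# pass proto tcp from $client to $server port 22 keep state
```

Load the file with `pfctl -f /etc/pf.conf` (or `pfctl -nf /etc/pf.conf` to only parse it) and watch `pfctl -s state` after an SSH attempt: a correctly forwarded connection shows two entries, one `<-` on em0 and one `->` on em1, both reaching ESTABLISHED:ESTABLISHED.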


Re: pf on FreeBSD + WCCP + Squid

2005-04-04 Thread Daniel Hartmeier
On Fri, Apr 01, 2005 at 02:37:00AM +0800, Francis Vidal wrote:

 rdr on em0 inet proto tcp from any to any port www -> 127.0.0.1 port 3128

You probably need to use 'on gre0' here. On em0, the packets are still
encapsulated, and don't match the 'proto tcp' criterion.

pf never looks inside encapsulated packets; it uses the outer-most
interpretation of what it sees ('proto gre' in this case). But it will
be called for each packet once on em0 and then (after the stack
decapsulates the packet) on gre0. So to hit the right level of
decapsulation, put the rule on the right interface, which should be gre0
here.

Daniel
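The same point as a pf.conf fragment, added here as an example rather than taken from the thread: the rdr rule that cannot match on em0 next to the one that does match on gre0, plus the pass rules the redirected traffic needs. The interface names are assumptions; Squid listening on 127.0.0.1 port 3128 comes from the quoted rule. The `rdr` syntax is the pre-OpenBSD-4.7 syntax that FreeBSD's pf used at the time of the thread.

```pf
# Added example, not from the thread: transparent proxy redirection on a
# FreeBSD box that receives WCCP-diverted traffic over a GRE tunnel.
ext_if  = "em0"    # physical NIC: pf only sees 'proto gre' packets here
wccp_if = "gre0"   # tunnel interface: pf sees the decapsulated TCP packets here

# Let the GRE tunnel itself in on the physical interface. Restricting the
# source to the WCCP router's address is preferable; 'any' is used here
# because the router address is not given in the thread.
pass in on $ext_if proto gre from any to any

# Wrong: on em0 the HTTP payload is still wrapped in GRE, so 'proto tcp'
# never matches and nothing is redirected.
# rdr on $ext_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128

# Right: pf is called a second time, on gre0, for the decapsulated packet.
rdr on $wccp_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128

# Translation happens before filtering, so the pass rule matches the
# rewritten destination, not port 80.
pass in on $wccp_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
```

A quick way to confirm which interface sees the inner packet is `tcpdump -ni em0` versus `tcpdump -ni gre0` while a client browses: only the gre0 capture shows plain TCP port 80 traffic, and `pfctl -s nat` together with `pfctl -s state` should then show the rdr rule producing states toward 127.0.0.1:3128.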