Problem? With PF

David Verzolla dverzolla at fcl.com.br
Wed Sep 26 13:53:08 PDT 2007


Hello,
I'm not sure whether this problem should be posted to this list. BTW.

I'm working with two firewall boxes:
	- Dell PowerEdge 2950
		- First network device bce0
		- Second network device bce1

	- HP ML350 G3
		- First network device bge0
		- Second network device xl0

I'm working with PF firewall + pfsync + VLANs (3 VLANs) + CARP.
All interfaces are cloned with CARP.

The problem is:
My network is slow: when I try to connect to a web server, or try pings from my firewall to some machine located in the DMZ (tests from DMZ -> firewall box have the same result), I get this trouble:

The command: while true ; do ping -c 1 DMZ_IP ; done
Ping works in most of the tests, but some tests give me this error:

(For security reasons I suppressed my original IP, sorry for the inconvenience)

--- 201.x.x.x ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.194/0.194/0.194/0.000 ms
PING 201.x.x.x (201.x.x.x): 56 data bytes
64 bytes from 201.x.x.x: icmp_seq=0 ttl=64 time=0.197 ms

--- 201.x.x.x ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.197/0.197/0.197/0.000 ms
PING 201.x.x.x (201.x.x.x): 56 data bytes
64 bytes from 201.x.x.x: icmp_seq=0 ttl=64 time=0.192 ms

--- 201.x.x.x ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.211/0.211/0.211/0.000 ms
PING 201.x.x.x (201.x.x.x): 56 data bytes
---> ping: sendto: Operation not permitted

The ping returns "Operation not permitted".

Another command:
[root@f1000 /etc/pf]# ping 201.x.x.x
PING 201.x.x.x (201.x.x.x): 56 data bytes
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
64 bytes from 201.x.x.x: icmp_seq=4 ttl=64 time=2.636 ms
64 bytes from 201.x.x.x: icmp_seq=5 ttl=64 time=0.210 ms
64 bytes from 201.x.x.x: icmp_seq=6 ttl=64 time=0.136 ms

The ping returns "Operation not permitted" too.

I have other applications working with Ajax that are broken; the time to load all the resources is longer. With this trouble (Ajax) it's possible to verify that the problem occurs with the TCP protocol as well.

When I disable PF, everything works great.

Below are my rules:
-- begin
#	$FreeBSD: src/etc/pf.conf,v 1.2.2.1 2006/04/04 20:31:20 mlaier Exp $
#	$OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

# Macros: define common values, so they can be referenced and changed easily.

### NET DEVICES
ext_if		=	"bce0"
dmz_if		=	"vlan20"
corp_if		=	"vlan30"
ras_if		=	"vlan40"
sync_if		=	$ras_if

### ICMP OPTIONS
icmp_types="{ echoreq, unreach }"


table <impsat>	 { 200.x.x.0/26   }
table <totalrange> { 201.x.x.0/20   }
table <dmz>        { 201.x.x.0/24   }


# Options: tune the behavior of pf, default values are given.
set optimization normal
#set timeout { tcp.closing 900, tcp.finwait 15, tcp.closed 90 }
set block-policy return
set state-policy floating
set skip on lo
set loginterface $ext_if
set fingerprints "/etc/pf/_pf.os"

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

#### start
block in

# PFSYNC
pass on $sync_if proto pfsync

# Permit all out
pass out keep state

# PERMIT MULTI-CAST (CARP)
pass quick on { $dmz_if $corp_if $ras_if $ext_if } inet from any to 224.0.0.0/4 allow-opts keep state

# PERMIT DNS OUT
pass in quick on { $dmz_if $corp_if $ras_if } inet proto { udp tcp } from any to any port 53 keep state

# PERMIT DMZ OUT
pass in quick on { $dmz_if } inet proto tcp from <dmz> to any \
	port 80 flags S/SA keep state

# PERMIT SSH
pass in quick on { $ext_if } inet proto tcp from <impsat> to any \
	port { 22 } flags S/SA keep state

# TEMP PERMIT, OLD NET -> NEW NET
pass quick inet proto tcp from <totalrange> to <impsat> \
	flags S/SA keep state

# ME
pass in quick on $ext_if inet proto tcp from <impsat> to $ext_if:network \
   port 22 flags S/SA keep state

pass in quick on $ext_if inet proto udp from <impsat> to $ext_if:network \
   port snmp keep state

pass in quick on $ext_if inet proto tcp from <totalrange> to $ext_if:network \
   port 22 flags S/SA keep state

pass in quick on $ext_if inet proto udp from <totalrange> to $ext_if:network \
   port snmp keep state

### GENERAL RULES
## NTP
pass in quick on { $dmz_if } inet proto udp from 200.x.x.1 port { 123 } to any \
	port { 123 } keep state

### <NS1>
pass in quick on { $ext_if $corp_if } inet proto tcp from any port { 53 } to 200.x.x.2 \
	port { 53 } flags S/SA keep state

pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.2 \
	port { 53 } flags S/SA keep state

pass in quick on { $ext_if $corp_if } inet proto tcp from <impsat> to 200.x.x.2 \
	port { 22 } flags S/SA keep state

pass in quick on { $ext_if $corp_if } inet proto udp from any to 200.x.x.2 \
	port { 53 } keep state

### </NS1>

### <HERZOG_NEW>
pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.3 \
	port { 20 21 80 443 } flags S/SA keep state

# RSYNC
pass in quick on { $ext_if } inet proto tcp from <impsat> to 200.x.x.3 \
	port { 873 } flags S/SA keep state

# FTP
pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.3 \
	port 30000 >< 65000 flags S/SA keep state # PASSIVE MODE
# FTP
pass in quick on { $dmz_if } inet proto tcp from 200.x.x.3 port 20 to any \
	flags S/SA keep state tag FTP-BACK # ACTIVE MODE
### </HERZOG_NEW>

### <Webtrends test>
# WEB
pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.4 \
	port { 80 } flags S/SA keep state

### </Webtrends test>

# <WINDOWS MEDIA>
pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.5 \
	port { 554 1755 } flags S/SA keep state

# VNC
pass in quick on { $ext_if } inet proto tcp from <impsat> to 200.x.x.5 \
	port { 5900 } flags S/SA keep state

pass in quick on { $ext_if $corp_if } inet proto udp from any to 200.x.x.5 \
	port { 554 1755 } keep state
# </WINDOWS MEDIA>

# TEST NOTEBOOK - HOLIDAY
pass in quick on { $ext_if $dmz_if } inet proto tcp from any to 200.x.x.6 \
	port { 22 80 } flags S/SA keep state
# </TEST WITH NOTEBOOK - HOLIDAY>

# TEST WITH CISNET
pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.7 \
	port { 21 22 } flags S/SA keep state

pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.7 \
	port 30000 >< 65000 flags S/SA keep state # PASSIVE MODE

pass in quick on { $dmz_if } inet proto tcp from 200.x.x.7 port 20 to any \
	flags S/SA keep state tag FTP-BACK # ACTIVE MODE
# </TEST WITH CISNET>

# PING
pass log inet proto icmp all icmp-type $icmp_types keep state

# TRACEROUTE
pass inet proto udp from any to any \
	port 33433 >< 33626 keep state

-- end

Thanks in advance.


David Verzolla
Network Administrator
Fundação Cásper Líbero - FCLNet
Tel: +55 11 3170.5937
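An added example, not part of David's post and not a FreeBSD or pf tool: the ping output quoted above mixes two very different failure signals. On FreeBSD, `ping: sendto: Operation not permitted` means the kernel returned EPERM for the outgoing echo request, which is what pf does when a rule (or a missing/mismatched state) blocks a packet the firewall itself generates; that probe never reached the wire, so it points at the local ruleset or state table rather than at the network. A probe that was transmitted but never answered only shows up as a gap in `icmp_seq`. The script below separates the two, which is the first thing to establish before touching rules; note that pf keeps consuming sequence numbers on failed sends, which is why the first reply in the post is `icmp_seq=4` after four EPERM lines. The sample output is constructed to mirror the post's, and `201.0.0.10` is a placeholder for the suppressed DMZ address.

```python
"""Classify ping output into local filter refusals vs. probes lost in transit.

Added example (not from the post or from FreeBSD). On FreeBSD, ping prints
"sendto: Operation not permitted" when the kernel returns EPERM for the
outgoing echo request, which is what pf does when it blocks a locally
generated packet. Such a probe never left the host. A probe that was sent but
never answered is visible only as a gap in the icmp_seq numbers.
"""
import re
import statistics
from dataclasses import dataclass, field

REPLY_RE = re.compile(r"icmp_seq=(\d+) ttl=\d+ time=([\d.]+) ms")
EPERM_RE = re.compile(r"sendto: Operation not permitted")
HEADER_RE = re.compile(r"^PING \S+ \(")


@dataclass
class PingSummary:
    attempted: int = 0      # sequence numbers consumed by ping
    local_denied: int = 0   # EPERM from sendto(): refused by the local filter
    replied: int = 0        # echo replies seen
    unanswered: int = 0     # transmitted, but no reply (gap in icmp_seq)
    rtts_ms: list = field(default_factory=list)
    denied_seqs: list = field(default_factory=list)      # (run, seq) pairs
    unanswered_seqs: list = field(default_factory=list)  # (run, seq) pairs


def classify_ping(output: str) -> PingSummary:
    """Walk ping output line by line.

    Assumes lines appear in sequence order, as ping prints them. Each
    'PING ...' header starts a new run (run 1 for the first header), so the
    `while true; do ping -c 1 ...; done` loop from the post parses too.
    """
    s = PingSummary()
    run, next_seq = 0, 0
    for line in output.splitlines():
        if HEADER_RE.match(line):
            s.attempted += next_seq
            run, next_seq = run + 1, 0
            continue
        if EPERM_RE.search(line):
            # FreeBSD ping still consumes a sequence number when sendto() fails
            s.denied_seqs.append((run, next_seq))
            s.local_denied += 1
            next_seq += 1
            continue
        m = REPLY_RE.search(line)
        if not m:
            continue  # statistics lines, blank lines, other chatter
        seq = int(m.group(1))
        for missing in range(next_seq, seq):
            # transmitted (no EPERM) yet never answered: lost in transit or
            # dropped on the way back, not refused by the local filter
            s.unanswered_seqs.append((run, missing))
            s.unanswered += 1
        s.replied += 1
        s.rtts_ms.append(float(m.group(2)))
        next_seq = seq + 1
    s.attempted += next_seq
    return s


def report(s: PingSummary) -> str:
    """Human-readable summary that keeps the two loss classes apart."""
    lines = [
        f"probes attempted : {s.attempted}",
        f"refused locally  : {s.local_denied} (EPERM: look at pf rules/states, not the wire)",
        f"unanswered       : {s.unanswered}",
        f"replied          : {s.replied}",
    ]
    if s.rtts_ms:
        lines.append(f"rtt min/avg/max  : {min(s.rtts_ms):.3f}/"
                     f"{statistics.fmean(s.rtts_ms):.3f}/{max(s.rtts_ms):.3f} ms")
    return "\n".join(lines)


# Constructed sample shaped like the output quoted in the post; 201.0.0.10 is
# a placeholder for the suppressed DMZ address.
SAMPLE = """\
PING 201.0.0.10 (201.0.0.10): 56 data bytes
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
64 bytes from 201.0.0.10: icmp_seq=4 ttl=64 time=2.636 ms
64 bytes from 201.0.0.10: icmp_seq=5 ttl=64 time=0.210 ms
64 bytes from 201.0.0.10: icmp_seq=7 ttl=64 time=0.136 ms
"""

if __name__ == "__main__":
    print(report(classify_ping(SAMPLE)))
```

Run it as `ping 201.x.x.x | python3 classify_ping.py`-style by feeding captured output into `classify_ping`; a non-zero "refused locally" count with zero "unanswered" is the pattern in the post, and it says the filter on the firewall itself is rejecting the echo requests, so the place to look is `pfctl -sr` / `pfctl -ss` and a `block in log` rule watched on `pflog0`, not the DMZ hosts.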


