pflog and traffic via gif_if

stephen dinzdale at gmail.com
Tue Apr 12 00:51:58 PDT 2005


Hi,
 I'm not sure what I'm doing wrong, but I can't seem to send any traffic 
via gif3 ($gif_if). The rule I have in place is a working rule from a 
previous conf, but in my wisdom in rewriting the conf from scratch yesterday I 
managed to overwrite the previous conf. The only different thing I had which 
may have come into play was a pass out all on ext_if rule which I no longer 
want. 
 I tried having a look at pflog0 with tcpdump, but it doesn't seem to show 
any traffic at all, never mind just the blocked traffic (I would like to know 
if there is a way to log all? All examples I've seen online say 'block log 
all'). I made sure I did 'ifconfig pflog0 up' before attempting to run 
tcpdump on it.
  /etc/pf.conf:
 ##### macros
int_if = "rl0"
ext_if = "tun0"
gif_if = "gif3"
icmp_types = "echoreq"

-list of ports/hosts here-

##### aliases
bi = "block in"
bo = "block out"
bq = "block quick"
biq = "block in quick"
boq = "block out quick"
bd = "block drop"
pi = "pass in"
po = "pass out"
pq = "pass quick"
piq = "pass in quick"
poq = "pass out quick"
ks = "keep state"
ms = "modulate state"
ss = "synproxy state"
l = "label"
int_net = "{" $int_if:network "}"

##### behavior options
set block-policy return
set loginterface $ext_if

##### scrub
scrub in all

##### nat/rdr
nat on $ext_if from $int_net to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 3128

##### anti spoofing protection
#antispoof quick for $int_if inet
#antispoof quick for $ext_if inet
#antispoof quick for lo0

#$bd in on $ext_if from $priv_nets to any
#$bd out on $ext_if from any to $priv_nets

#####filter rules
###default block and log all
block log all
#$pi inet proto icmp all icmp-type $icmp_types $ks
#$po inet proto icmp all icmp-type $icmp_types $ks
$pq on lo0 all

###filter rules for $int_if inbound
$bi on $int_if all
$pi on $int_if inet proto tcp from any to $int_if port 2222 $ks
$pi on $int_if proto { udp,tcp } from $int_net to any port 53 $ks
$pi on $int_if proto tcp from $soh to any port 3128 flags S/SA $ks $l "http : $srcaddr "
$pi on $int_if proto tcp from $soh to any port 443 flags S/SA $ks $l "ssl : $srcaddr "
$pi on $int_if proto tcp from $int_net to $int_if port { 21,20 } $ks
$pi on $int_if proto tcp from $soh to $int_if port 25 $ks $l "smtp : $srcaddr "
$pi on $int_if proto tcp from $soh to $int_if port 110 $ks $l "pop3 : $srcaddr "

$pi on $int_if proto tcp from $int_net to ($ext_if) port { 25,110 } $ks 
$pi on $int_if proto tcp from $sh to any port { 6667,6668,7000 } $ks 

###filter rules for $int_if outbound
$bo on $int_if all
$po on $int_if inet proto tcp from $int_if to $int_net port 20 $ks

###filter rules for $ext_if inbound
$bi on $ext_if all
$pi on $ext_if inet proto tcp from any to ($ext_if) port 20 $ks
$pi on $ext_if inet proto tcp from any to ($ext_if) port 21 $ks
$pi on $ext_if inet proto tcp from any to ($ext_if) port 25 $ks
$pi on $ext_if inet proto tcp from any to ($ext_if) port 110 $ks

###filter rules for $ext_if outbound
$bo on $ext_if all
$po on $ext_if from any to $dns $ks
$po on $ext_if inet proto tcp from ($ext_if) to $vpn_conf flags S/SA $ks
$po on $ext_if inet proto tcp from ($ext_if) to any port 21 $ks
$po on $ext_if inet proto tcp from ($ext_if) to any port 20 $ks
$po on $ext_if inet proto tcp from ($ext_if) to $mail1 port 25 $ks $l "total smtp (storm) : "
$po on $ext_if inet proto tcp from ($ext_if) to $mail1 port 110 $ks $l "total pop3 (storm) : "
$po on $ext_if inet proto tcp from ($ext_if) to $mail2 port 25 $ks $l "total smtp (saix) : "
$po on $ext_if inet proto tcp from ($ext_if) to any port 80 $ks $l "total http : "
$po on $ext_if inet proto tcp from ($ext_if) to any port { 6667,6668,7000 } $ks

$pi inet proto icmp all icmp-type $icmp_types $ks
$po inet proto icmp all icmp-type $icmp_types $ks
 ###filter to pass all tunnel traffic
$pi on $gif_if all 
$po on $gif_if all
 -eof-
 I also added a rule:
 $po on $ext_if from ($ext_if) to $gif_if $ks
 as well as
 $po on $ext_if from ($ext_if) to 10.0.89.0/24 $ks
but neither seem to help much...
 (They shouldn't be necessary because I said pass in/out all on $gif_if??)
    It would be a lot easier if I could decipher what is going on via 
pflog0, but when I do:
 tcpdump -n -e -ttt -vv -i pflog0
 all I get is:
 tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture 
size 96 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
  What confuses me is that even though I have a specific pass in/out rule 
for icmp, a pass out rule after that for $gif_if, and no rules after that 
(so there are no more block matches)... I still can't ping or send/recv 
traffic via $gif_if to 10.0.89.0 but can ping other 
hosts:
 Tue Apr 12 09:31:45 root at bollox:~# ping -c 3 www.iol.co.za
PING www.iol.co.za (196.30.168.79): 56 data bytes
64 bytes from 196.30.168.79: icmp_seq=0 ttl=58 time=45.315 ms
64 bytes from 196.30.168.79: icmp_seq=1 ttl=58 time=47.876 ms
64 bytes from 196.30.168.79: icmp_seq=2 ttl=58 time=54.126 ms

--- www.iol.co.za ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 45.315/49.106/54.126/3.701 ms

Tue Apr 12 09:31:59 root at bollox:~# ifconfig gif3
gif3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
tunnel inet x.x.y.123 --> x.x.z.96
inet 10.0.88.254 --> 10.0.89.254 netmask 0xffffff00
inet6 fe80::248:54ff:fed1:3308%gif3 prefixlen 64 scopeid 0x7

Tue Apr 12 09:32:08 root at bollox:~# ping -c 3 10.0.89.254
PING 10.0.89.254 (10.0.89.254): 56 data bytes
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted

--- 10.0.89.254 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

 I may be doing something stupid in either of the two problems, but perhaps 
a look from someone else will spot something I have not noticed..

 Thanks in advance,

Stephen.
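An added example (editor's, not the poster's or FreeBSD's): a small Python expander for a shortened, constructed copy of the ruleset above that substitutes the alias macros the way pfctl does, then lists which pass rules would match a packet of a given direction, interface, protocol and destination. It assumes a placeholder value for the elided $dns macro, and that packets sent through gif(4) are filtered a second time on the outer interface as the encapsulating protocol (IP protocol 4 for IPv4-in-IPv4) addressed to the tunnel endpoint, which is the $ext_if outbound check worth running.

```python
import re

# Constructed, shortened copy of the pf.conf in the post; $dns, which the
# post elides, is given a placeholder value.
PF_CONF = """
ext_if = "tun0"
gif_if = "gif3"
dns = "192.0.2.53"
bo = "block out"
po = "pass out"
ks = "keep state"
block log all
$bo on $ext_if all
$po on $ext_if from any to $dns $ks
$po on $ext_if inet proto tcp from ($ext_if) to any port 80 $ks
$po inet proto icmp all icmp-type echoreq $ks
$po on $gif_if all
$po on $ext_if from ($ext_if) to $gif_if $ks
"""

def expand(conf):
    """Rule lines with every $macro substituted, i.e. what pfctl actually loads."""
    macros, rules = {}, []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r'^(\w+)\s*=\s*"(.*)"$', line)
        if m:
            macros[m.group(1)] = m.group(2)
        elif line:
            rules.append(re.sub(r"\$(\w+)", lambda k: macros.get(k.group(1), k.group(0)), line))
    return rules

def passing(rules, direction, iface, proto, dst):
    """Expanded pass rules that would match a packet going `direction` on `iface`
    with IP protocol `proto` to `dst`. A missing direction/'on'/'proto'/'to' field
    is a wildcard. An interface name used as an address (to gif3) is kept literal,
    since pf expands it to that interface's own addresses, not the tunnel endpoint."""
    hits = []
    for r in rules:
        w = r.split()
        field = lambda key: w[w.index(key) + 1] if key in w else "any"
        if w[0] != "pass" or (w[1] in ("in", "out") and w[1] != direction):
            continue
        if field("on") in (iface, "any") and field("proto") in (proto, "any") \
                and field("to") in (dst, "any"):
            hits.append(r)
    return hits
```

On the real file, `pfctl -vnf /etc/pf.conf` performs the same macro expansion without loading the rules.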


More information about the freebsd-pf mailing list