pflog and traffic via gif_if

Vlad GALU vladgalu at gmail.com
Wed Apr 13 12:47:54 PDT 2005


On 4/13/05, stephen <dinzdale at gmail.com> wrote:
> Hi again,
> 
> After some pondering over my problem re: gif traffic not being able to
> be sent/received, I've concluded that because gif is tunneled via tun0
>  (my $ext_if), I need to somehow permit gif traffic via $ext_if.  I've
> tried a couple of things but neither seem to help.
> 
> The local network address is 10.0.88.0 and the other end of tunnel is 10.0.89.0
> Local side of tunnel is 10.0.88.254 and remote end is 10.0.89.254 as
> shown below:
> 
> Wed Apr 13 16:53:19 root at bollox:~# ifconfig gif3
> gif3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
>         tunnel inet x.x.y.199 --> x.x.z.214
>         inet 10.0.88.254 --> 10.0.89.254 netmask 0xffffff00
>         inet6 fe80::248:54ff:fed1:3308%gif3 prefixlen 64 scopeid 0x7
> 
> I've pasted my pf.conf again, and cleaned it up a bit by replacing all
> the variables I made with what they stand for (i.e. '$po' becomes 'pass
> out')
> 
> /etc/pf.conf:
> 
> ##### macros
> int_if = "rl0"
> ext_if = "tun0"
> gif_if = "gif3"
> icmp_types = "echoreq"
> 
> -hosts here-
> 
> ##### aliases
> ks = "keep state"
> ms = "modulate state"
> ss = "synproxy state"
> int_net = "{" $int_if:network "}"
> 
> ##### behavior options
> set block-policy return
> set loginterface $ext_if
> 
> ##### scrub
> scrub in all
> 
> ##### nat/rdr
> nat on $ext_if from $int_net to any -> ($ext_if)
> rdr on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 3128
> 
> ##### anti spoofing protection
> #antispoof quick for $int_if inet
> #antispoof quick for $ext_if inet
> #antispoof quick for lo0
> 
>  block drop in on $ext_if from $priv_nets to any
>  block drop out on $ext_if from any to $priv_nets
> 
> #####filter rules
> ###default block and log all
>  block log all
> #pass in inet proto icmp all icmp-type $icmp_types $ks
> #pass out inet proto icmp all icmp-type $icmp_types $ks
>  pass quick on lo0 all
> 
> ###filter rules for $int_if inbound
>  $bi on $int_if all
>  pass in on $int_if inet proto tcp from any to $int_if port 2222 $ks
>  pass in on $int_if proto { udp,tcp } from $int_net to any port 53 $ks
>  pass in on $int_if proto tcp from $soh to any port 3128 flags S/SA $ks
>  pass in on $int_if proto tcp from $soh to any port 443 flags S/SA $ks
>  pass in on $int_if proto tcp from $int_net to $int_if port { 21,20 } $ks
>  pass in on $int_if proto tcp from $soh to $int_if port 25 $ks
>  pass in on $int_if proto tcp from $soh to $int_if port 110 $ks
> 
>  pass in on $int_if proto tcp from $int_net to ($ext_if) port { 25,110 } $ks
> 
> ###filter rules for $int_if outbound
>  block out on $int_if all
>  pass out on $int_if inet proto tcp from $int_if to $int_net port 20 $ks
> 
> ###filter rules for $ext_if inbound
>  block in on $ext_if all
>  pass in on $ext_if inet proto tcp from any to ($ext_if) port 20 $ks
>  pass in on $ext_if inet proto tcp from any to ($ext_if) port 21 $ks
>  pass in on $ext_if inet proto tcp from any to ($ext_if) port 25 $ks
>  pass in on $ext_if inet proto tcp from any to ($ext_if) port 110 $ks
> 
> ###filter rules for $ext_if outbound
>  block in on $ext_if all
>  pass out on $ext_if from any to $dns $ks
>  pass out on $ext_if inet proto tcp from ($ext_if) to $vpn_conf flags S/SA $ks
>  pass out on $ext_if inet proto tcp from ($ext_if) to any port 21 $ks
>  pass out on $ext_if inet proto tcp from ($ext_if) to any port 20 $ks
>  pass out on $ext_if inet proto tcp from ($ext_if) to $mail1 port 25 $ks
>  pass out on $ext_if inet proto tcp from ($ext_if) to $mail1 port 110 $ks
>  pass out on $ext_if inet proto tcp from ($ext_if) to $mail2 port 25 $ks
>  pass out on $ext_if inet proto tcp from ($ext_if) to any port 80 $ks
> 
>  pass in inet proto icmp all icmp-type $icmp_types $ks
>  pass out inet proto icmp all icmp-type $icmp_types $ks
> 
> ###filter to pass all tunnel traffic
>  pass in on $gif_if all
>  pass out on $gif_if all
> 
> I've had to specify the ports/hosts separately for labelling purposes,
> in case anyone wonders why I've written it the way I have.
> 
> I'm also struggling to get pflog to show anything (I want it to show
> everything, not just the blocked traffic; would this imply having
> 'log' in every rule I have?)... I left it running for a while and it
> showed nothing, even with me purposely trying to connect to
> blocked ports (and of course trying to ping via my gif iface).
> 
   You're not allowing any ipencap traffic on your tun interface. One
more thing: you have "block in on $ext_if all" twice.

> Thanks in advance,
> 
> 
> Stephen
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
> 


-- 
If it's there, and you can see it, it's real.
If it's not there, and you can see it, it's virtual.
If it's there, and you can't see it, it's transparent.
If it's not there, and you can't see it, you erased it.
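
The two fixes named in the reply, written out as pf.conf fragments. This is an added illustration, not part of the original post or of the reply: the macro names and the outer endpoint addresses x.x.y.199 / x.x.z.214 are taken from the quoted post and ifconfig output (the x.x placeholders are the poster's redaction and must be replaced with the real addresses before pfctl will parse the file); the $tunnel_local / $tunnel_remote macros are assumed names introduced here.

```pf
##### macros (names from the quoted post; tunnel addresses from ifconfig gif3)
ext_if = "tun0"
gif_if = "gif3"
tunnel_local  = "x.x.y.199"   # outer address of the local gif endpoint (assumed macro name)
tunnel_remote = "x.x.z.214"   # outer address of the remote gif endpoint (assumed macro name)

##### filter rules for $ext_if outbound
# The quoted config repeats "block in on $ext_if all" in this section;
# the outbound default should be "block out".
block out on $ext_if all

##### tunnel encapsulation on the outer interface
# gif(4) carries the 10.0.88.0/24 <-> 10.0.89.0/24 traffic inside IP
# protocol 4 (ipencap, "IP-ENCAP" in /etc/protocols). Those outer packets
# arrive on tun0 from x.x.z.214 and, with no rule passing them, fall
# through to "block log all". Restrict the rule to the two endpoints so
# nobody else can inject into the tunnel. Both directions are stated
# explicitly, so the rules work with or without a state entry.
pass in  log on $ext_if inet proto ipencap from $tunnel_remote to $tunnel_local
pass out log on $ext_if inet proto ipencap from $tunnel_local  to $tunnel_remote

##### filter rules for the decapsulated traffic
# pflog only records packets that match a rule carrying "log"; a rule
# without it is silent even when it blocks. With "keep state", plain
# "log" records only the packet that created the state; use "log (all)"
# (spelled "log-all" in older pf) to log every packet of the flow.
pass in  log on $gif_if all
pass out log on $gif_if all
```

Two things worth checking after the change. `set loginterface $ext_if` only turns on the per-interface counters shown by `pfctl -s info`; it does not make anything appear in pflog, which is why an empty pflog is expected when no rule carries `log`. Load the file with `pfctl -nf /etc/pf.conf` first to syntax-check it, then watch `pfctl -vsr` for the per-rule counters and, with pflogd running (`pflog_enable="YES"` in /etc/rc.conf), `tcpdump -n -e -ttt -i pflog0` for the logged packets. The `block drop ... $priv_nets` rules on $ext_if do not interfere with the tunnel: the outer packets on tun0 carry the public endpoint addresses, and the 10.0.88.x / 10.0.89.x addresses are only seen by pf on gif3 after decapsulation.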

