pf between two lans

Aleksic Predrag apetar at gmail.com
Sun Jul 12 14:20:52 UTC 2009


Hi all.

I've got two networks set up, 192.168.0.x and 192.168.2.x, and I have a FreeBSD firewall between the two.

Problem is people on the 192.168.0.x and 192.168.2.x networks can't talk to each other.

tzarlazar at 192.168.2.248 $ ssh -p 22 -l tzarlazar 192.168.0.246

[root at 192.168.0.1 ~]# tcpdump -n -e -vv -i pflog0 port 22
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
15:49:54.633735 rule 0/0(match): block in on vr1: (tos 0x0, ttl 64, id 18042, offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.246.22 > 192.168.2.248.53047:  tcp 40 [bad hdr length 0 - too short, < 20]
15:50:00.632597 rule 0/0(match): block in on vr1: (tos 0x0, ttl 64, id 27911, offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.246.22 > 192.168.2.248.53047:  tcp 40 [bad hdr length 0 - too short, < 20]
15:50:12.832179 rule 0/0(match): block in on vr1: (tos 0x0, ttl 64, id 36732, offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.246.22 > 192.168.2.248.53047:  tcp 40 [bad hdr length 0 - too short, < 20]
15:50:36.828468 rule 0/0(match): block in on vr1: (tos 0x0, ttl 64, id 27440, offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.246.22 > 192.168.2.248.53047:  tcp 40 [bad hdr length 0 - too short, < 20]
15:51:05.754673 rule 0/0(match): block out on vr1: (tos 0x0, ttl 63, id 40476, offset 0, flags [DF], proto TCP (6), length 52) 192.168.2.248.53047 > 192.168.0.246.22:  tcp 16 [bad hdr length 16 - too short, < 20]
15:51:05.956165 rule 0/0(match): block out on vr1: (tos 0x0, ttl 63, id 2615, offset 0, flags [DF], proto TCP (6), length 52) 192.168.2.248.53047 > 192.168.0.246.22:  tcp 32 [bad hdr length 0 - too short, < 20]
15:51:06.362872 rule 0/0(match): block out on vr1: (tos 0x0, ttl 63, id 21085, offset 0, flags [DF], proto TCP (6), length 52) 192.168.2.248.53047 > 192.168.0.246.22:  tcp 16 [bad hdr length 16 - too short, < 20]
15:51:07.176242 rule 0/0(match): block out on vr1: (tos 0x0, ttl 63, id 59723, offset 0, flags [DF], proto TCP (6), length 52) 192.168.2.248.53047 > 192.168.0.246.22:  tcp 32 [bad hdr length 0 - too short, < 20]
15:51:08.803001 rule 0/0(match): block out on vr1: (tos 0x0, ttl 63, id 25347, offset 0, flags [DF], proto TCP (6), length 52) 192.168.2.248.53047 > 192.168.0.246.22:  tcp 16 [bad hdr length 16 - too short, < 20]
15:51:12.056479 rule 0/0(match): block out on vr1: (tos 0x0, ttl 63, id 57211, offset 0, flags [DF], proto TCP (6), length 52) 192.168.2.248.53047 > 192.168.0.246.22:  tcp 16 [bad hdr length 16 - too short, < 20]
15:51:18.563581 rule 0/0(match): block out on vr1: (tos 0x0, ttl 63, id 64430, offset 0, flags [DF], proto TCP (6), length 52) 192.168.2.248.53047 > 192.168.0.246.22:  tcp 16 [bad hdr length 16 - too short, < 20]
15:51:25.021046 rule 0/0(match): block in on vr1: (tos 0x0, ttl 64, id 4002, offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.246.22 > 192.168.2.248.53047:  tcp 24 [bad hdr length 16 - too short, < 20]
15:51:31.577586 rule 0/0(match): block out on vr1: (tos 0x0, ttl 63, id 65157, offset 0, flags [DF], proto TCP (6), length 52) 192.168.2.248.53047 > 192.168.0.246.22:  tcp 16 [bad hdr length 16 - too short, < 20]


Does anyone have any ideas why this is happening? And how to fix it?
I've attached my pf.conf.  If you need more info, please let me know as I'm new to playing with pf and the like. 


intIF = "vr0"
intIF2 = "vr1"
extIF = "sk0"

tcpPubServices = "{ 22, 80 }"
torrentPort = "57277"
IcmpTypes = "echoreq"
myNet       = "192.168.0.0/16"
myLaptop    = "192.168.2.248"

table <ssh-bruteforce> persist 
table <perm-ban> persist file "/etc/pf.blocked.sites.conf"

set block-policy drop 
set skip on lo0
scrub in all fragment reassemble random-id


no nat on $extIF inet proto {tcp, udp} from $intIF:network to $intIF2:network
no nat on $extIF inet proto {tcp, udp} from $intIF2:network to $intIF:network

nat on $extIF inet proto {tcp, udp} from $intIF:network to any -> (sk0) port 1024:32255
nat on $extIF inet proto {tcp, udp} from $intIF2:network to any -> (sk0) port 32255:65535

rdr on $extIF proto { tcp, udp } from any to any port $torrentPort -> $myLaptop


block log (all, to pflog0) all
block drop out log (all) quick on $extIF from any to <perm-ban>
block drop in log (all) quick on $extIF from <ssh-bruteforce> to any

pass in on $extIF inet proto { tcp, udp } from any to $myLaptop port $torrentPort  
pass out on $extIF proto { udp, tcp } from $myLaptop port $torrentPort  

pass in on $extIF inet proto { udp, tcp } from any to any port 80 

pass quick proto { tcp, udp } from any to any port 22 \
        flags S/SA keep state \
        (max-src-conn 100, max-src-conn-rate 10/3, \
        overload <ssh-bruteforce> flush global)


pass out on $extIF proto tcp all modulate state flags S/SA
pass out on $extIF proto { udp, icmp } all keep state
pass out on $extIF proto esp from any to any keep state

pass in on $intIF from $intIF:network to any keep state
pass out on $intIF from any to $intIF:network keep state
pass in on $intIF2 from $intIF2:network to any keep state
pass out on $intIF2 from any to $intIF2:network keep state
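As an added example (not part of the post above), a small parser for the tcpdump pflog0 output format shown in the post. It counts blocked packets per rule, direction, interface and flow, and reports on which interface and direction each source address was logged, which is the first thing to check against what the ruleset assumes about $intIF and $intIF2. The sample input is three lines copied from the tcpdump output above.

```python
import re
from collections import Counter, defaultdict

# Format of the lines tcpdump prints for pflog0 (as in the post above):
# <time> rule <n>/<sub>(<reason>): <action> <dir> on <if>: (<ip hdr>) <src>.<sport> > <dst>.<dport>: ...
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\w+): \(.*?\) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)

def parse_pflog_line(line):
    """Return a dict of the fields of one pflog line, or None if it is not one."""
    m = PFLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("rule", "sport", "dport"):
        rec[k] = int(rec[k])
    return rec

def summarize_blocks(lines):
    """Count blocked packets per (rule, direction, interface, src, dst, dport).
    The rule number is the index that pfctl -vvsr prints as @N, so 0 here is
    the first rule of the loaded ruleset (the 'block log ... all' line)."""
    counts = Counter()
    for line in lines:
        rec = parse_pflog_line(line)
        if rec and rec["action"] == "block":
            key = (rec["rule"], rec["dir"], rec["ifname"], rec["src"], rec["dst"], rec["dport"])
            counts[key] += 1
    return counts

def interfaces_by_source(lines):
    """Map each source address to the (direction, interface) pairs it was logged on,
    to check that a host really sits behind the interface the ruleset assumes."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_pflog_line(line)
        if rec:
            seen[rec["src"]].add((rec["dir"], rec["ifname"]))
    return dict(seen)

# Sample input: three lines copied from the tcpdump output in the post.
SAMPLE_LINES = [
    "15:49:54.633735 rule 0/0(match): block in on vr1: (tos 0x0, ttl 64, id 18042, offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.246.22 > 192.168.2.248.53047:  tcp 40 [bad hdr length 0 - too short, < 20]",
    "15:51:05.754673 rule 0/0(match): block out on vr1: (tos 0x0, ttl 63, id 40476, offset 0, flags [DF], proto TCP (6), length 52) 192.168.2.248.53047 > 192.168.0.246.22:  tcp 16 [bad hdr length 16 - too short, < 20]",
    "15:51:25.021046 rule 0/0(match): block in on vr1: (tos 0x0, ttl 64, id 4002, offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.246.22 > 192.168.2.248.53047:  tcp 24 [bad hdr length 16 - too short, < 20]",
]

if __name__ == "__main__":
    for key, n in summarize_blocks(SAMPLE_LINES).items():
        print(n, key)
    print(interfaces_by_source(SAMPLE_LINES))
```

On a live box, feed it `tcpdump -n -e -i pflog0` output line by line; the rule numbers it reports map straight onto `pfctl -vvsr`.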

