pf between two lans

Aleksic Predrag apetar at gmail.com
Tue Jul 14 11:27:16 UTC 2009


On Tue, 14 Jul 2009 01:22:06 +0100
Peter Maxwell <peter at allicient.co.uk> wrote:

> Can you post the output of: pfctl -s r

# pfctl -sr
scrub in all random-id fragment reassemble
block drop log (all) all
block drop in on sk0 inet proto icmp all icmp-type echoreq
block drop out log (all) quick on sk0 from any to <perm-ban>
block drop in log (all) quick on sk0 from <ssh-bruteforce> to any
pass in on sk0 inet proto tcp from any to 192.168.2.248 port = 57277 flags S/SA keep state
pass in on sk0 inet proto udp from any to 192.168.2.248 port = 57277 keep state
pass out on sk0 inet proto udp from 192.168.2.248 port = 57277 to any keep state
pass out on sk0 inet proto tcp from 192.168.2.248 port = 57277 to any flags S/SA keep state
pass in on sk0 inet proto udp from any to any port = http keep state
pass in on sk0 inet proto tcp from any to any port = http flags S/SA keep state
pass in on sk0 proto udp from any to any port = 2706 keep state
pass in on sk0 proto tcp from any to any port = 2706 flags S/SA keep state
pass quick proto tcp from any to any port = ssh flags S/SA keep state (source-track rule, max-src-conn 10, max-src-conn-rate 1/3, overload <ssh-bruteforce> flush global, src.track 3)
pass quick proto udp from any to any port = ssh keep state (source-track rule, max-src-conn 10, max-src-conn-rate 1/3, overload <ssh-bruteforce> flush global, src.track 3)
pass out on sk0 proto tcp all flags S/SA modulate state
pass out on sk0 proto udp all keep state
pass out on sk0 proto icmp all keep state
pass out on sk0 proto esp all keep state

pass in on vr0 inet from 192.168.2.0/24 to any flags S/SA keep state
pass out on vr0 inet from any to 192.168.2.0/24 flags S/SA keep state
pass in on vr1 inet from 192.168.0.0/24 to any flags S/SA keep state
pass out on vr1 inet from any to 192.168.0.0/24 flags S/SA keep state

Should I replace the netmask with /16 in the last four rules?

> What happens if you try things without pf loaded
> and with pf loaded but a pass all ruleset?

With pf loaded I can open almost anything, but not an ssh connection.
I can ping, browse shares and printers between LANs.

Without pf loaded I can do all that and ssh.

Yesterday I changed the default ssh port on the remote box and it let me in
with the same pf rules loaded.

Now I'm also suspicious about the remote box; it is a CentOS box with untouched
config files, maybe SELinux is preventing ssh login.

> Have you got gateway_enable set in your rc.conf (I think it shows as
> net.inet.ip.forwarding being set to 1 in your sysctl)?
 
sysctl -a | grep net.inet.ip.forwarding
net.inet.ip.forwarding: 1

> Can you post the results of the same tcpdump with a larger window size
> ( -s 1024 ) and/or a tcpdump on the network interface itself?

see attachment

> 2009/7/13 Michael K. Smith - Adhost <mksmith at adhost.com>:
> > Hello Aleksic:
> >>
> >> no nat on $extIF inet proto {tcp, udp} from $intIF:network to
> >> $intIF2:network
> >> no nat on $extIF inet proto {tcp, udp} from $intIF2:network to
> >> $intIF:network
> >>
> > If nothing else, these rules won't match because the traffic isn't
> > traversing the External Interface.
> >
> > no nat on $intIF2 inet proto {tcp, udp} from $intIF:network to
> > $intIF2:network
> > no nat on $intIF inet proto {tcp, udp} from $intIF2:network to
> > $intIF:network
> >
> > Regards,
> >
> > Mike
> > _______________________________________________
> > freebsd-pf at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> > To unsubscribe, send any mail to
> > "freebsd-pf-unsubscribe at freebsd.org"
> >

-------------- next part --------------
A non-text attachment was scrubbed...
Name: vr1
Type: application/octet-stream
Size: 6290 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-pf/attachments/20090714/5b4ca4ca/vr1.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pflog0
Type: application/octet-stream
Size: 11561 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-pf/attachments/20090714/5b4ca4ca/pflog0.obj
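A way to reason about the ruleset posted above without guessing: trace which rule decides a given packet. pf walks filter rules top to bottom, the last matching rule wins, and a matching rule marked `quick` stops evaluation on the spot. The script below is an added example, not code from the thread or from pf itself; it parses the `pfctl -sr` lines from the post (scrub line omitted) with a deliberately simplified matcher that ignores state, flags, `icmp-type` and NAT, and feeds it constructed packets: ssh and http from the vr1 LAN to the vr0 LAN, plus a constructed `<ssh-bruteforce>` table entry to show what the overload does on each interface. The packet addresses and the table contents are assumptions made up for the demonstration. One thing the trace makes visible is that the `pass quick ... port = ssh` rule carries no `on <iface>` clause, so it, together with its `max-src-conn-rate 1/3` source tracking, is the rule that decides LAN-to-LAN ssh on vr0 and vr1, while the `block ... from <ssh-bruteforce>` rule is limited to sk0.

```python
"""Trace which pf filter rule wins for a packet (last match wins, 'quick' ends the walk).
Simplified model for illustration: no state, flags, icmp-type or NAT handling."""
import ipaddress
import re

# Filter rules copied from the 'pfctl -sr' output in the post (scrub line omitted).
PFCTL_SR = """\
block drop log (all) all
block drop in on sk0 inet proto icmp all icmp-type echoreq
block drop out log (all) quick on sk0 from any to <perm-ban>
block drop in log (all) quick on sk0 from <ssh-bruteforce> to any
pass in on sk0 inet proto tcp from any to 192.168.2.248 port = 57277 flags S/SA keep state
pass in on sk0 inet proto tcp from any to any port = http flags S/SA keep state
pass quick proto tcp from any to any port = ssh flags S/SA keep state (source-track rule, max-src-conn 10, max-src-conn-rate 1/3, overload <ssh-bruteforce> flush global, src.track 3)
pass out on sk0 proto tcp all flags S/SA modulate state
pass in on vr0 inet from 192.168.2.0/24 to any flags S/SA keep state
pass out on vr0 inet from any to 192.168.2.0/24 flags S/SA keep state
pass in on vr1 inet from 192.168.0.0/24 to any flags S/SA keep state
pass out on vr1 inet from any to 192.168.0.0/24 flags S/SA keep state
"""

PORT_NAMES = {"ssh": 22, "http": 80}  # service names as pfctl prints them


def parse_rule(line):
    """Turn one pfctl -sr line into a dict; returns None for non-filter lines."""
    raw = line.strip()
    toks = re.sub(r"\([^)]*\)", "", raw).split()  # drop "(all)" and "(source-track ...)"
    if not toks or toks[0] not in ("pass", "block"):
        return None
    rule = {"action": toks[0], "quick": "quick" in toks, "dir": None, "iface": None,
            "proto": None, "src": "any", "dst": "any", "sport": None, "dport": None,
            "text": raw}
    side = "dst"  # a 'port =' clause belongs to the 'from' or 'to' address seen last
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            rule["dir"] = t
        elif t in ("on", "proto"):
            rule["iface" if t == "on" else "proto"] = toks[i + 1]
            i += 1
        elif t in ("from", "to"):
            side = "src" if t == "from" else "dst"
            rule[side] = toks[i + 1]
            i += 1
        elif t == "port":  # pfctl prints 'port = 57277' or 'port = ssh'
            port = toks[i + 2]
            rule["sport" if side == "src" else "dport"] = PORT_NAMES.get(port) or int(port)
            i += 2
        i += 1
    return rule


def parse_ruleset(text):
    return [r for r in (parse_rule(l) for l in text.splitlines()) if r]


def addr_matches(spec, ip, tables):
    """spec is 'any', a host/CIDR, or a pf table reference such as <ssh-bruteforce>."""
    if spec == "any":
        return True
    if spec.startswith("<"):
        return any(ip in ipaddress.ip_network(n, strict=False)
                   for n in tables.get(spec.strip("<>"), []))
    return ip in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt, tables):
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    return ((rule["dir"] is None or rule["dir"] == pkt["dir"])
            and (rule["iface"] is None or rule["iface"] == pkt["iface"])
            and (rule["proto"] is None or rule["proto"] == pkt["proto"])
            and addr_matches(rule["src"], src, tables)
            and addr_matches(rule["dst"], dst, tables)
            and (rule["sport"] is None or rule["sport"] == pkt.get("sport"))
            and (rule["dport"] is None or rule["dport"] == pkt.get("dport")))


def winning_rule(rules, pkt, tables=None):
    """Return the rule that decides the packet: last match, or the first 'quick' match."""
    winner = None
    for rule in rules:
        if rule_matches(rule, pkt, tables or {}):
            winner = rule
            if rule["quick"]:
                break
    return winner


def rules_without_interface(rules):
    """Rules lacking 'on <iface>' apply on every interface, LAN-to-LAN traffic included."""
    return [r for r in rules if r["iface"] is None]


if __name__ == "__main__":
    rules = parse_ruleset(PFCTL_SR)
    # Constructed packets: vr1 LAN host -> vr0 LAN host, entering the firewall on vr1.
    ssh_in = {"dir": "in", "iface": "vr1", "proto": "tcp",
              "src": "192.168.0.10", "dst": "192.168.2.20", "dport": 22}
    for pkt in (ssh_in, dict(ssh_in, dport=80)):
        w = winning_rule(rules, pkt)
        print(f"dport {pkt['dport']:>3} in on {pkt['iface']}: {w['action']:5} <- {w['text']}")
    banned = {"ssh-bruteforce": ["192.168.0.10"]}  # constructed: host already overloaded
    print("banned host, in on sk0:", winning_rule(rules, dict(ssh_in, iface="sk0"), banned)["action"])
    print("banned host, in on vr1:", winning_rule(rules, ssh_in, banned)["action"])
    for r in rules_without_interface(rules):
        print("applies on every interface:", r["text"])
```

Run it and compare the winning rule for ssh against the one for http: http between the LANs ends on the per-interface `pass in on vr1` rule, while ssh is caught earlier by the interface-less `quick` ssh rule. Swapping the constructed packet fields (interface, direction, ports) is a cheap way to check any change to the ruleset before loading it with `pfctl`.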
