pf filtering openvpn problem
Maciej Milewski
milu at dat.pl
Sat Jul 31 23:48:17 UTC 2010
Hi All,
I'm trying to set up OpenVPN in non-NAT mode and I'm stuck on something that
I don't understand.
The setup is rather simple:
(internet) -> (nat) -> (ovpn gate-10.0.10.4) -> (host-10.0.10.2)
                               |
                           vpn client
Routing is set properly on the server; otherwise tcpdump shouldn't show
returning packets from that host. The firewall on the host is disabled.
Ping from client to host is working fine. The problem is connecting to ssh or
http: it's blocked by the gate on the returning packet. Can someone point me
to where the problem is? If ping works then I think tcp should work too. NAT
mode in the same setup works correctly, but I'd like to go without NATing. Is
it possible at all?
The pf rules are as follows:
# pfctl -s rules
block drop in log all
pass out log on sk0 inet from (sk0) to any flags S/SA keep state
pass out log on tun0 inet from (tun0) to any flags S/SA keep state
pass in log on sk0 inet proto tcp from any to 10.0.10.4 port = ssh flags S/SA keep state (source-track rule, max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global, src.track 3)
pass in log on sk0 inet proto udp from any to 10.0.10.4 port = 1194 keep state
pass log on tun0 inet proto tcp from 10.10.0.0/24 to 10.0.10.2 flags S/SA keep state
pass log on tun0 inet proto udp from 10.10.0.0/24 to 10.0.10.2 keep state
pass log on tun0 inet proto icmp from 10.10.0.0/24 to 10.0.10.2 keep state
pass log on sk0 inet proto tcp from 10.0.10.2 to 10.10.0.0/24 flags S/SA keep state
pass log on sk0 inet proto udp from 10.0.10.2 to 10.10.0.0/24 keep state
pass log on sk0 inet proto icmp from 10.0.10.2 to 10.10.0.0/24 keep state
and the tcpdump output from pflog:
# tcpdump -n -e -ttt -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
00:00:00.000259 rule 7/0(match): pass in on tun0: 10.10.0.8 > 10.0.10.2: ICMP echo request, id 6381, seq 1, length 64
00:00:00.000494 rule 10/0(match): pass in on sk0: 10.0.10.2 > 10.10.0.8: ICMP echo reply, id 6381, seq 1, length 64
00:00:02.392510 rule 5/0(match): pass in on tun0: 10.10.0.8.33259 > 10.0.10.2.22: [|tcp]
00:00:00.000630 rule 0/0(match): block in on sk0: 10.0.10.2.22 > 10.10.0.8.33259: [|tcp]
00:00:02.997354 rule 0/0(match): block in on sk0: 10.0.10.2.22 > 10.10.0.8.33259: [|tcp]
00:00:02.999400 rule 0/0(match): block in on sk0: 10.0.10.2.22 > 10.10.0.8.33259: [|tcp]
00:00:02.999907 rule 0/0(match): block in on sk0: 10.0.10.2.22 > 10.10.0.8.33259: [|tcp]
Regards,
Maciej
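The pflog output above carries a useful diagnostic detail: pf logs a packet only when it reaches the rule set and matches a rule with "log", so a packet that is already covered by an existing state entry never shows up in pflog. Both the ICMP echo reply (logged as a fresh match of rule 10) and the SSH SYN/ACKs (logged as matches of the default block, rule 0) therefore never matched the states that rules 7 and 5 created on tun0. The script below, an added example and not part of the original post, reads tcpdump pflog lines, pairs each logged packet with the earlier packet that should have created state for the reverse direction, and reports every flow whose replies were re-evaluated by the rule set instead of matching state. The sample lines are the post's own output with tcpdump's line wrapping rejoined; the function and variable names are mine. When this pattern shows up with the state created on one interface and the reply arriving on another, the first things to compare are the live state table (`pfctl -s state`) and pf's `set state-policy` setting, since if-bound states only match packets on the interface they were created on.

```python
import re
from collections import OrderedDict

# Constructed sample input: the pflog lines quoted in the post, with tcpdump's
# line wrapping rejoined so that each record is a single line.
PFLOG_LINES = [
    "00:00:00.000259 rule 7/0(match): pass in on tun0: 10.10.0.8 > 10.0.10.2: ICMP echo request, id 6381, seq 1, length 64",
    "00:00:00.000494 rule 10/0(match): pass in on sk0: 10.0.10.2 > 10.10.0.8: ICMP echo reply, id 6381, seq 1, length 64",
    "00:00:02.392510 rule 5/0(match): pass in on tun0: 10.10.0.8.33259 > 10.0.10.2.22: [|tcp]",
    "00:00:00.000630 rule 0/0(match): block in on sk0: 10.0.10.2.22 > 10.10.0.8.33259: [|tcp]",
    "00:00:02.997354 rule 0/0(match): block in on sk0: 10.0.10.2.22 > 10.10.0.8.33259: [|tcp]",
    "00:00:02.999400 rule 0/0(match): block in on sk0: 10.0.10.2.22 > 10.10.0.8.33259: [|tcp]",
    "00:00:02.999907 rule 0/0(match): block in on sk0: 10.0.10.2.22 > 10.10.0.8.33259: [|tcp]",
]

# One pflog record as printed by "tcpdump -n -e -ttt -i pflog0".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/\d+\(match\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\S+) > (?P<dst>[^:\s]+):\s*(?P<rest>.*)$"
)


def split_endpoint(text):
    """'10.0.10.2.22' -> ('10.0.10.2', 22); '10.0.10.2' -> ('10.0.10.2', None)."""
    parts = text.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return text, None


def parse_line(line):
    """Parse one pflog line into a dict, or return None for non-record lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    if "ICMP" in rest:
        proto = "icmp"
    elif "tcp" in rest.lower():
        proto = "tcp"
    elif "udp" in rest.lower():
        proto = "udp"
    else:
        proto = "other"
    return {
        "rule": int(m.group("rule")),
        "action": m.group("action"),
        "dir": m.group("dir"),
        "ifname": m.group("ifname"),
        "proto": proto,
        "src": split_endpoint(m.group("src")),
        "dst": split_endpoint(m.group("dst")),
    }


def flow_label(proto, src, dst):
    """Human-readable key such as 'tcp 10.10.0.8:33259 -> 10.0.10.2:22'."""
    def ep(e):
        return e[0] if e[1] is None else "%s:%d" % e
    return "%s %s -> %s" % (proto, ep(src), ep(dst))


def analyze(lines):
    """Return flows whose reply packets reached the rule set (and so were logged)
    instead of matching the state an earlier passed packet should have created.
    Keyed by the forward flow label; each value records where the state was
    created and every logged reply packet."""
    states = {}              # (proto, src, dst) -> record of the packet that created state
    findings = OrderedDict()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        fwd = (rec["proto"], rec["src"], rec["dst"])
        rev = (rec["proto"], rec["dst"], rec["src"])
        if rev in states:
            # Anything logged here was NOT matched by the existing state entry.
            st = states[rev]
            entry = findings.setdefault(flow_label(*rev), {
                "state_if": st["ifname"], "state_rule": st["rule"], "replies": []})
            entry["replies"].append({
                "ifname": rec["ifname"], "action": rec["action"], "rule": rec["rule"]})
        elif rec["action"] == "pass":
            states.setdefault(fwd, rec)
    return findings


def report(findings):
    """One summary line per affected flow."""
    out = []
    for label, f in findings.items():
        blocked = sum(1 for r in f["replies"] if r["action"] == "block")
        ifaces = ",".join(sorted({r["ifname"] for r in f["replies"]}))
        out.append("%s: state created by rule %d on %s; %d reply packet(s) re-evaluated on %s, %d blocked"
                   % (label, f["state_rule"], f["state_if"], len(f["replies"]), ifaces, blocked))
    return out


if __name__ == "__main__":
    print("\n".join(report(analyze(PFLOG_LINES))))
```

Run against the post's capture it reports both flows: the ICMP echo was re-evaluated once on sk0 and happened to pass via rule 10, while the SSH connection's four SYN/ACKs were re-evaluated on sk0 and blocked by rule 0. The ICMP case only "works" because a separate pass rule on sk0 happens to cover the reply; the TCP rule on sk0 requires flags S/SA, which a SYN/ACK does not satisfy, so the same missing-state condition shows up as a block.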