Problem with PF reply-to

Mario Lobo lobo at bsd.com.br
Wed Jul 13 13:59:37 UTC 2011


Hi;

I have the following scenario.

FreeBSD 8.2-STABLE FreeBSD 8.2-STABLE #0: Thu May 19 19:53:59 BRT 2011 i386

I want to be able to connect to any of the 2 external IPs this machine has.

### pf.conf excerpt

ext_if1 = sis0 (1M link. default gateway)
ext_if2 = rl0  (2M link)
aln_if  = dc0  (Internal LAN)

ext_gw1 = A.A.A.A 
ext_gw2 = B.B.B.B

my_ext_ip1 = a.a.a.a
my_ext_ip2 = b.b.b.b


  nat on $ext_if1 from any to any -> $my_ext_ip1 port 1024:65535
  nat on $ext_if2 from any to any -> $my_ext_ip2 port 1024:65535

1) ----------------------------------------- # balance the load

  pass in log quick on $aln_if route-to ($ext_if2 $ext_gw2) from \
  $aln_if:network to any flags S/SA keep state tag to_out probability 70%
 
  pass in log quick on $aln_if route-to ($ext_if1 $ext_gw1) from \
  $aln_if:network to any flags S/SA keep state tag to_out 

2) ----------------------------------------- # allow ssh on ext_ifs

a) pass in log quick on $ext_if1 inet proto tcp from any to any port $SshPort \
  flags S/SA modulate state (max 30, source-track rule, max-src-nodes 10,\
  max-src-states 2, max-src-conn 2, max-src-conn-rate 2/60, overload <banned>)

b) pass in log quick on $ext_if2 reply-to ($ext_if2 $ext_gw2) inet proto tcp \
  from any to any port $SshPort flags S/SA keep state (max 30, source-track \
  rule, max-src-nodes 10, max-src-states 2, max-src-conn 2, max-src-conn-rate\
  2/60, overload <banned>) ( RULE 8 )


[snip][snip]......


3) -----------------------------------------

  pass out quick on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
  pass out quick on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any

  Also tried:

  pass out quick on $ext_if1 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
  pass out quick on $ext_if2 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any

  block log all ( RULE 163 )


### end of pf.conf excerpt


Everything under 1) works fine.

Under 2), a) works, b) is not working.

When I try to connect to $SshPort through the 2M link (b.b.b.b), I connect to 
the server, but the return packet neither obeys the reply-to on rule b), nor 
matches any of the pass outs under 3), and goes straight to the block rule, 
as you can see below.


[$]> tcpdump -n -e -ttt -i pflog0 host 187.113.99.63 (my home IP) 


Packet arrives and matches rule b)/8 and should create a state;

00:00:00.000000 rule 8/0(match): pass in on rl0: 187.113.99.63.25806 > b.b.b.b.22: [|tcp]

but...

00:00:00.000108 rule 163/0(match): block out on sis0: a.a.a.a.8947 > 187.113.99.63.25806: [|tcp]
00:00:03.000057 rule 163/0(match): block out on sis0: a.a.a.a.65060 > 187.113.99.63.25806: [|tcp]
00:00:03.199931 rule 163/0(match): block out on sis0: a.a.a.a..20213 > 187.113.99.63.25806: [|tcp]
00:00:03.199618 rule 163/0(match): block out on sis0: a.a.a.a..19748 > 187.113.99.63.25806: [|tcp]
00:00:03.200044 rule 163/0(match): block out on sis0: a.a.a.a..1600 > 187.113.99.63.25806: [|tcp]
00:00:03.199767 rule 163/0(match): block out on sis0: a.a.a.a..45513 > 187.113.99.63.25806: [|tcp]
00:00:06.205048 rule 163/0(match): block out on sis0: a.a.a.a..17925 > 187.113.99.63.25806: [|tcp]

It tries to go back to me on the wrong interface (sis0 and NOT rl0), from the 
wrong IP (a.a.a.a and NOT b.b.b.b), and from several wrong port numbers, not 
port 22.

Questions:

1) sshd is listening on *.22. I know that the default gateway is not on rl0, 
but isn't that what reply-to is supposed to beat? If I understood correctly, 
wasn't the reply-to supposed to make the packet go back through the specified 
($ext_if2 $ext_gw2)?

2) Wasn't a state created when the pass rule b)/8 matched? If so, where is it?

What am I doing wrong here?

Thanks for any hints.

-- 
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since 2.2.8 [not Pro-Audio.... YET!!] (99% winblows FREE)
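A small checker, added here as an example and not part of the original post, that pairs each inbound pflog match with the outbound packets later sent back to the same client endpoint and flags replies that leave on another interface, from another address or from another port than the one the client connected to, which is the symptom in the tcpdump output above. The sample log lines are constructed in the post's pflog format, using the post's anonymised addresses and interface names; the rule 9 record is an invented "good" reply for contrast.

```python
import re

# Constructed sample in the post's pflog/tcpdump format, records re-joined onto one line each.
# rl0 is the 2M link (b.b.b.b) and sis0 the 1M link (a.a.a.a), as in the post; rule 9 is invented.
SAMPLE_LOG = """\
00:00:00.000000 rule 8/0(match): pass in on rl0: 187.113.99.63.25806 > b.b.b.b.22: [|tcp]
00:00:00.000108 rule 163/0(match): block out on sis0: a.a.a.a.8947 > 187.113.99.63.25806: [|tcp]
00:00:03.199931 rule 163/0(match): block out on sis0: a.a.a.a..20213 > 187.113.99.63.25806: [|tcp]
00:00:04.000000 rule 8/0(match): pass in on rl0: 187.113.99.63.40000 > b.b.b.b.22: [|tcp]
00:00:04.000090 rule 9/0(match): pass out on rl0: b.b.b.b.22 > 187.113.99.63.40000: [|tcp]
"""

LINE_RE = re.compile(
    r"^\S+ rule (?P<rule>\d+)/\d+\(\w+\): (?P<action>pass|block) (?P<dir>in|out) "
    r"on (?P<iface>\w+): (?P<src>\S+) > (?P<dst>\S+): "
)

def endpoint(token):
    """Split tcpdump's 'host.port'; tolerates anonymised hosts such as 'a.a.a.a..20213'."""
    host, port = token.rsplit(".", 1)
    return host.rstrip("."), int(port)

def parse_line(line):
    """Return one pflog record as a dict, or None for lines that are not pflog matches."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"rule": int(m["rule"]), "action": m["action"], "dir": m["dir"],
            "iface": m["iface"], "src": endpoint(m["src"]), "dst": endpoint(m["dst"])}

def find_asymmetric_replies(lines):
    """Pair each inbound pass with later outbound packets to the same client endpoint and
    report those leaving on another interface, from another address or another port."""
    events = [e for e in map(parse_line, lines) if e]
    findings = []
    for i, inb in enumerate(events):
        if inb["dir"] != "in" or inb["action"] != "pass":
            continue
        for out in events[i + 1:]:
            if out["dir"] != "out" or out["dst"] != inb["src"]:
                continue
            problems = []
            if out["iface"] != inb["iface"]:
                problems.append(f"left on {out['iface']}, expected {inb['iface']}")
            if out["src"][0] != inb["dst"][0]:
                problems.append(f"source {out['src'][0]}, expected {inb['dst'][0]}")
            if out["src"][1] != inb["dst"][1]:
                problems.append(f"source port {out['src'][1]}, expected {inb['dst'][1]}")
            if problems:
                findings.append({"in_rule": inb["rule"], "out_rule": out["rule"], "problems": problems})
    return findings
```

Feed it the output of `tcpdump -n -e -ttt -i pflog0` with each record on one line; a reply that really honoured reply-to on rl0 from b.b.b.b port 22 produces no finding, as the rule 9 record shows.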

