pf + NAT + ICMP issues?

Daniel Engberg daniel.engberg.lists at pyret.net
Fri Feb 7 13:16:47 UTC 2014


Hi,

I've been tearing my hair out on this one. This ruleset worked fine on 9.1 
and 9-STABLE around the same time but doesn't on HEAD (the most recent box 
I have is running r261486 (AMD64)). I might be missing something obvious, 
so I guess I need another pair of eyes. Anyhow, the issue is pretty 
simple: for some reason, on clients behind it, ping and tracert don't work 
as they did before.

Using ping (Windows 7), the first packet always gets a timeout, and 
tracert doesn't work except for the end hop.

Here's a sample:

ping ping.sunet.se

Pinging ping.sunet.se [192.36.125.18] with 32 bytes of data:
Request timed out.
Reply from 192.36.125.18: bytes=32 time=5ms TTL=244
Reply from 192.36.125.18: bytes=32 time=5ms TTL=244
Reply from 192.36.125.18: bytes=32 time=5ms TTL=244

Ping statistics for 192.36.125.18:
     Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
     Minimum = 5ms, Maximum = 5ms, Average = 5ms

However, running the same command directly afterwards there are no 
timeouts; if you wait about 3-4 sec you'll get the same results (i.e. a 
timeout).

Running tracert results in the following:

tracert ping.sunet.se

Tracing route to ping.sunet.se [192.36.125.18]
over a maximum of 30 hops:

   1    <1 ms    <1 ms    <1 ms  192.168.1.1
   2     *        *        *     Request timed out.
   3     *        *        *     Request timed out.
   4     *        *        *     Request timed out.
   5     *        *        *     Request timed out.
   6     *        *        *     Request timed out.
   7     *        *        *     Request timed out.
   8     *        *        *     Request timed out.
   9     *        *        *     Request timed out.
  10     *        *        *     Request timed out.
  11     5 ms     5 ms     5 ms  ping.sunet.se [192.36.125.18]

I've tested this on 3 different connections and they all have the same 
issues (different boxes although all are running -HEAD). Running ping 
(ICMP) and traceroute (ICMP) works fine on the firewall itself which 
makes me a bit puzzled.

Here's the ruleset:

################################
### Packet Firewall Ruleset ####
################################

###################
#### Variables ####
###################

# External interface
ext_if="em1"

# Internal interface
int_if="em0"

# Follow RFC1918 and don't route to non-routable IPs
# http://www.iana.org/assignments/ipv4-address-space
# http://rfc.net/rfc1918.html
nonroute= "{ 0.0.0.0/8, 20.20.20.0/24, 127.0.0.0/8, 169.254.0.0/16,
         172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, 224.0.0.0/3,
         255.255.255.255 }"

# Set allowed ICMP types
icmp_types = "{ 0, 3, 4, 8, 11, 12 }"

####################################
#### Options and optimizations #####
####################################

# Set interface for logging (statistics)
set loginterface $ext_if

# Drop states as fast as possible without having excessively low timeouts
set optimization aggressive

# Block policy, either silently drop packets or tell sender that request is blocked
set block-policy return

# Don't bother to process (filter) following interfaces such as loopback:
set skip on lo0

# Scrub traffic
scrub on $ext_if all

#######################
#### NAT & Proxies ####
#######################

# Enable NAT and tell pf not to change ports
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Redirect ftp connections to ftp-proxy
rdr pass on $int_if inet proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021

# Enable ftp-proxy (active connections)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Anchors need to be set after nat/rdr-anchor
anchor "ftp-proxy/*"

################################
#### Rules inbound (int_if) ####
################################

# Pass on everything
pass in quick on $int_if inet all keep state

#################################
#### Rules outbound (int_if) ####
#################################

# Pass on everything
pass out quick on $int_if inet all keep state

################################
#### Rules inbound (ext_if) ####
################################

# Drop packets from non-routable addresses directly
block drop in quick on $ext_if from $nonroute to any

# Allow DHCP
pass in quick on $ext_if inet proto udp to ($ext_if) port { 67, 68 }

# Allow ICMP
pass in quick on $ext_if inet proto icmp all icmp-type $icmp_types

# Allow FTPs to connect to our FTP-proxy
pass in quick on $ext_if inet proto tcp to ($ext_if) port ftp-data user proxy

# Block everything else
block in on $ext_if all

#################################
#### Rules outbound (ext_if) ####
#################################

# Drop packets to non-routable addresses directly
block drop out quick on $ext_if from any to $nonroute

pass out on $ext_if all

Hopefully someone can figure out what's going on...

Best regards,
Daniel
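As an added illustration (not code from Daniel's post or from pf itself), here is a small Python expander that does to a pf.conf excerpt what pfctl does when it loads one: it substitutes the $macros and fans every { ... } list out into one rule per item, so the ruleset above can be audited in the flat form the kernel actually evaluates. The excerpt is constructed from the post with its wrapped lines rejoined; the function names are my own.

```python
import itertools
import re

# Constructed excerpt of the posted ruleset (wrapped lines rejoined).
RULESET = '''
ext_if="em1"
nonroute= "{ 0.0.0.0/8, 20.20.20.0/24, 127.0.0.0/8, 169.254.0.0/16,
         172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, 224.0.0.0/3,
         255.255.255.255 }"
icmp_types = "{ 0, 3, 4, 8, 11, 12 }"
block drop in quick on $ext_if from $nonroute to any
pass in quick on $ext_if inet proto udp to ($ext_if) port { 67, 68 }
pass in quick on $ext_if inet proto icmp all icmp-type $icmp_types
'''

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"(.*)"\s*$', re.S)
LIST_RE = re.compile(r"\{\s*([^}]*?)\s*\}")

def parse(text):
    """Split pf.conf text into macros and rules; rejoin macros whose closing quote is on a later line."""
    macros, rules, pending = {}, [], ""
    for raw in text.splitlines():
        line = (pending + " " + raw).strip() if pending else raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.count('"') % 2:        # unbalanced quote: value continues below
            pending = line
            continue
        pending = ""
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = " ".join(m.group(2).split())
        else:
            rules.append(line)
    return macros, rules

def expand_rule(rule, macros):
    """Substitute $macros, then fan every { a, b } list out, one rule per item."""
    rule = re.sub(r"\$(\w+)", lambda m: macros[m.group(1)], rule)
    parts = LIST_RE.split(rule)          # literal, list-body, literal, ...
    literals = parts[0::2]
    lists = [[i.strip() for i in body.split(",")] for body in parts[1::2]]
    for combo in itertools.product(*lists):
        yield "".join(l + i for l, i in zip(literals, combo)) + literals[-1]

def expand(text):
    macros, rules = parse(text)
    return [r for rule in rules for r in expand_rule(rule, macros)]

def icmp_types_passed_in(flat, iface):
    """ICMP type numbers explicitly passed in on iface (what may come back through the NAT)."""
    pat = re.compile(rf"^pass in .*\bon {re.escape(iface)}\b.*\bicmp-type (\d+)")
    return {int(m.group(1)) for r in flat if (m := pat.match(r))}
```

`expand(RULESET)` turns the three rules of the excerpt into 17 flat ones; on the firewall itself `pfctl -vnf /etc/pf.conf` prints the real expansion for comparison.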
