routing LAN traffic through/around a pf gateway

James B. Byrne byrnejb at harte-lyne.ca
Thu Jan 24 20:37:12 UTC 2019



I have limited knowledge of PF, being in the process of transitioning
from 20+ years of RHEL/CentOS to FreeBSD.  Neither do I possess a
great fund of knowledge respecting IP routing.  That said, this is my
problem:

On a small test LAN I have three hosts, W44, W4 and G5:

network layout, gateway address 216.185.71.5

     W44                 G5                  W4
216.185.71.44 ----> 216.185.71.5        216.185.71.4   int_if IP
192.168.150.44      192.168.150.5 ----> 192.168.150.4  int_if IP alias

Using ssh and with PF running on the gateway, when I connect from
216.185.71.44 to 216.185.71.4 then the ssh session operates normally. 
However, if instead I connect from 216.185.71.44 to 192.168.150.4 then
the initial connection is made but the ssh session remains responsive
for a brief time before it becomes non-responsive.  If I terminate the
PF running on the gateway the ssh session again becomes responsive. 
If I do not terminate PF then eventually the ssh session client
disconnects with a timeout error.

Besides macros the entire active contents of pf.conf on G5 are:

scrub         in        all no-df max-mss 1440 fragment reassemble

block return  out log   all

block drop    in  log   all

pass              log   on $int_if

pass                    inet proto icmp all \
                        icmp-type $icmp_types keep state

pass          out       quick on $ext_if inet proto udp \
                  from  any \
                  to    any         port  33433 >< 33626 keep state

Which results in these rules when PF is running:

@0 scrub in all no-df max-mss 1440 fragment reassemble
@1 block return out log all
@2 block drop in log all
@3 pass log on em0 all flags S/SA keep state
@4 pass inet proto icmp all icmp-type echoreq keep state
@5 pass inet proto icmp all icmp-type unreach keep state
@6 pass out quick on em1 inet proto udp from any to any port 33433 ><
33626 keep state

When the ssh session is non-responsive PF records like this are logged:

rule 1/0(match): block in on em0: 216.185.71.44.63394 >
192.168.150.4.22: Flags [P.], seq 2664:2952, ack 6041, win 1030,
options [nop,nop,TS val 263607703 ecr 653371936], length 288

My question is: What filter rules will permit the ssh session
established as above to remain responsive with PF running on the
gateway while maintaining the default block directive for everything
else?

I am looking for the general case where hosts on the LAN that have
multiple IP addresses can communicate with each other using any
assigned IP without having PF involved at all, but which are filtered
when passing through the gateway or NATed to the WAN.

Thanks,




-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
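An illustrative pf.conf for the situation described in the post above. It is added here by the editor and is not part of the original message or of any reply to it, and it rests on one assumption about the cause: packets from 216.185.71.44 to 192.168.150.4 enter G5 on em0 and are forwarded straight back out of em0 (G5 holds 192.168.150.5 on that same interface), while W4's replies to 216.185.71.44 go directly across the shared wire because 216.185.71.4 is on W4's own interface. G5 therefore sees only one direction of the flow, the state created by `pass log on $int_if ... keep state` never completes, and once pf stops matching the half-built state the data packets fall through to the default block, which matches the logged `block in on em0` line. The remedy below handles same-wire, inter-subnet traffic statelessly and leaves everything else stateful. Interface names follow the rule listing in the post (em0 inside, em1 outside); the /24 prefix lengths, the `lan_nets` list and the contents of `$icmp_types` are assumptions.

```pf
# Assumed values: em0/em1 follow the post's rule listing; the /24 masks,
# the list of LAN prefixes and the ICMP types are editor assumptions.
int_if     = "em0"
ext_if     = "em1"
lan_nets   = "{ 216.185.71.0/24, 192.168.150.0/24 }"
icmp_types = "{ echoreq, unreach }"

scrub         in        all no-df max-mss 1440 fragment reassemble

block return  out log   all

block drop    in  log   all

# LAN-to-LAN traffic that merely hairpins through the gateway (one subnet
# to another on the same wire).  The reply never transits G5, so no full
# state can be built for it: pass it statelessly, in both directions on
# $int_if, and do not check TCP flags.  'quick' stops evaluation here so
# the stateful rule below never creates a half-open state for these flows.
pass          quick     on $int_if inet \
                  from  $lan_nets \
                  to    $lan_nets   flags any no state

# Everything else entering or leaving on the inside interface stays
# stateful; this is the LAN-to-WAN path that is filtered and NATed on $ext_if.
pass              log   on $int_if

pass                    inet proto icmp all \
                        icmp-type $icmp_types keep state

pass          out       quick on $ext_if inet proto udp \
                  from  any \
                  to    any         port  33433 >< 33626 keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; in `pfctl -sr` the stateless `quick` rule must appear before the `pass log on em0` rule, otherwise the stateful rule wins and the hang returns. Two caveats: the stateless rule gives those flows no TCP flag or sequence checking, so it should stay scoped to the LAN prefixes rather than `any`; and if filtering on the inside interface is genuinely unwanted, `set skip on $int_if` removes pf from em0 entirely, with the LAN-to-WAN traffic still being filtered and NATed when it leaves on em1. The `keep state (sloppy)` option is the stateful alternative pf documents for asymmetric paths, but it also drops the sequence-window checks, so it buys little over the stateless rule here.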