routing LAN traffic through/around a pf gateway

Kristof Provost kristof at sigsegv.be
Fri Jan 25 00:32:02 UTC 2019 


On 25 Jan 2019, at 9:37, James B. Byrne via freebsd-pf wrote:

> I have limited knowledge of PF being in the process of transitioning
> from 20+ years of RHEL/CentOS to FreeBSD.  Neither do I possess a
> great fund of knowledge respecting IP routing.  That said this is my
> problem:
>
> On a small test LAN I have three hosts, W44, W4 and G5:
>
> network layout, gateway address 216.185.71.5
>
>      W44                 G5                  w4
> 216.185.71.44 ----> 216.185.71.5        216.185.71.4   int_if IP
> 192.168.150.44      192.168.150.5 ----> 192.168.150.4  int_if IP alias
>
> Using ssh and with PF running on the gateway, when I connect from
> 216.185.71.44 to 216.185.71.4 then the ssh session operates normally.
> However, if instead I connect from 216.185.71.44 to 192.168.150.4 then
> the initial connection is made but the ssh session remains responsive
> for a brief time before it becomes non-responsive.  If I terminate the
> PF running on the gateway the ssh session again becomes responsive.
> If I do not terminate PF then eventually the ssh session client
> disconnects with a timeout error.
>
> Besides macros the entire active contents of pf.conf on G5 are:
>
> scrub         in        all no-df max-mss 1440 fragment reassemble
>
> block return  out log   all
>
> block drop    in  log   all
>
> pass              log   on $int_if
>
> pass                    inet proto icmp all \
>                         icmp-type $icmp_types keep state
>
> pass          out       quick on $ext_if inet proto udp \
>                   from  any \
>                   to    any         port  33433 >< 33626 keep state
>
> Which results in these rules when PF is running:
>
> @0 scrub in all no-df max-mss 1440 fragment reassemble
> @1 block return out log all
> @2 block drop in log all
> @3 pass log on em0 all flags S/SA keep state
> @4 pass inet proto icmp all icmp-type echoreq keep state
> @5 pass inet proto icmp all icmp-type unreach keep state
> @6 pass out quick on em1 inet proto udp from any to any port 33433 ><
> 33626 keep state
>
You don’t appear to have a rule permitting the SSH traffic to pass 
through your router.
I’m a more than little surprised you manage to establish a connection 
in the first place.
Unless the connection existed before you started pf, of course.

Try adding something like:
pass inet porto tcp port 22

Regards,
Kristof

More information about the freebsd-pf mailing list