Routing public to priviate IP addresses on the same interface through PF

James B. Byrne byrnejb at harte-lyne.ca
Mon Jan 28 14:24:54 UTC 2019 

I send this message to the freebsd-pf mailing list last week and the
only reply or comment I received did not address the question.  Can
anyone here help me with this?


-------------------------- Original Message --------------------------
Subject: routing LAN traffic through/around a pf gateway
From:    "James B. Byrne" <byrnejb at harte-lyne.ca>
Date:    Thu, January 24, 2019 15:37
To:      freebsd-pf at freebsd.org
----------------------------------------------------------------------



I have limited knowledge of PF being in the process of transitioning
from 20+ years of RHEL/CentOS to FreeBSD.  Neither do I possess any
great fund of knowledge respecting IP routing.  That said this is my
problem:

On a small test LAN I have three hosts, W44, W4 and G5:

network layout, gateway address 216.185.71.5

     W44                 G5                  w4
216.185.71.44 ----> 216.185.71.5        216.185.71.4   int_if IP
192.168.150.44      192.168.150.5 ----> 192.168.150.4  int_if IP aliases

Using ssh and with PF running on the gateway, when I connect from
216.185.71.44 to 216.185.71.4 then the ssh session operates normally.
However, if instead I connect from 216.185.71.44 to 192.168.150.4 then
the initial connection is made but the ssh session remains responsive
only for a brief time before it becomes non-responsive.  If I
terminate the PF running on the gateway the ssh session again becomes
responsive.  If I do not terminate PF then eventually the ssh session
client disconnects with a timeout error.

Besides macros the entire active contents of pf.conf on G5 are:

scrub         in        all no-df max-mss 1440 fragment reassemble

block return  out log   all

block drop    in  log   all

pass              log   on $int_if

pass                    inet proto icmp all \
                        icmp-type $icmp_types keep state

pass          out       quick on $ext_if inet proto udp \
                  from  any \
                  to    any         port  33433 >< 33626 keep state

Which results in these rules when PF is running:

@0 scrub in all no-df max-mss 1440 fragment reassemble
@1 block return out log all
@2 block drop in log all
@3 pass log on em0 all flags S/SA keep state
@4 pass inet proto icmp all icmp-type echoreq keep state
@5 pass inet proto icmp all icmp-type unreach keep state
@6 pass out quick on em1 inet proto udp from any to any port 33433 ><
33626 keep state

When the ssh session is non-responsive PF records like this are logged:

rule 1/0(match): block in on em0: 216.185.71.44.63394 >
192.168.150.4.22: Flags [P.], seq 2664:2952, ack 6041, win 1030,
options [nop,nop,TS val 263607703 ecr 653371936], length 288

My question is: What filter rules will permit the ssh session
established as above to remain responsive with PF running on the
gateway while maintaining the default block directive for everything
else?

I am looking for the general case where hosts on the LAN that have
multiple IP addresses can communicate with each other using any
assigned IP without having PF involved at all, but which are filtered
when passing through the gateway or natted to the WAN.

Thanks,

--->

What I need is some way to tell PF to ignore LAN to LAN traffic
altogether and only consider traffic targetting the PF host itself or
crossing from one interface to another.  What is the way to do this?


-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

More information about the freebsd-questions mailing list