Packet Filter blocking
ddclxvi
June 4th, 2009, 08:52
Currently 7.2 PF under BSD under a firewall traditional C class the nattolás works perfectly inside an IP province. But present LAN 169.254.182.0/24 An IP works on a province, the nattolás is out of order however on this !
Thanks in advance for the help!
Németh Attila Péter
Please make your post more clear. You have some problem with C class network? What problem?
SirDice
June 4th, 2009, 11:35
What the heck is a nattolas and an IP province?!?
Please don't use a translator program to translate your native language into English. Most of them are crap, especially when it comes to "technical" terms. This makes it really, really hard to understand.
ddclxvi
June 4th, 2009, 13:58
The NAT in FreeBSD 7.2 doesn't work with 169.254.182.0/24!
But the C class 192.168.1.0/24 is OK...
Why?
Németh Attila Péter
DutchDaemon
June 4th, 2009, 14:57
Post your ifconfig -a and your /etc/pf.conf (or the NAT rules from it).
ddclxvi
June 4th, 2009, 15:09
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 00:1d:0f:ff:ae:15
	inet 169.254.182.251 netmask 0xffffff00 broadcast 169.254.182.255
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 00:1d:0f:ff:9d:cd
	inet 192.168.2.2 netmask 0xffffff00 broadcast 192.168.2.255
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
pfsync0: flags=0<> metric 0 mtu 1460
	syncpeer: 224.0.0.240 maxupd: 128
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
	inet6 ::1 prefixlen 128
	inet 127.0.0.1 netmask 0xff000000
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33204
# macros
ext_if="rl1"
int_if="rl0"
lo_if="lo0"
# SAMBA 137,138,139,445
# SSH 22
# DNS 53
# RNDC 953
tcp_services="{ 22, 53, 113, 137, 138, 139, 445, 953 }"
icmp_types="echoreq"
# comp3="192.168.0.3"
# options
set block-policy return
set loginterface $ext_if
set skip on lo
# scrub
scrub in
# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)
# nat-anchor "ftp-proxy/*"
# rdr-anchor "ftp-proxy/*"
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
# rdr on $ext_if proto tcp from any to any port 80 -> $comp3
# filter rules
block in
pass out
anchor "ftp-proxy/*"
antispoof quick for { lo $int_if }
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services
# pass in on $ext_if inet proto tcp from any to $comp3 port 80 \
# synproxy state
pass in inet proto icmp all icmp-type $icmp_types
pass quick on $int_if no state
My interfaces and pf.conf
Németh Attila Péter
DutchDaemon
June 4th, 2009, 15:43
Also post the output of pfctl -s nat and pfctl -s rules. Please post the output in [code] tags (http://forums.freebsd.org/misc.php?do=bbcode#code). Oh, and I don't need a PM ..
ddclxvi
June 4th, 2009, 15:51
#----------------------- PF RULES ----------------------
scrub in all fragment reassemble
block return in all
pass out all flags S/SA keep state
anchor "ftp-proxy/*" all
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick inet6 from ::1 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick on ! rl0 inet from 169.254.182.0/24 to any
block drop in quick inet from 169.254.182.251 to any
pass in on rl1 inet proto tcp from any to (rl1) port = ssh flags S/SA keep state
pass in on rl1 inet proto tcp from any to (rl1) port = domain flags S/SA keep state
pass in on rl1 inet proto tcp from any to (rl1) port = auth flags S/SA keep state
pass in on rl1 inet proto tcp from any to (rl1) port = netbios-ns flags S/SA keep state
pass in on rl1 inet proto tcp from any to (rl1) port = netbios-dgm flags S/SA keep state
pass in on rl1 inet proto tcp from any to (rl1) port = netbios-ssn flags S/SA keep state
pass in on rl1 inet proto tcp from any to (rl1) port = microsoft-ds flags S/SA keep state
pass in on rl1 inet proto tcp from any to (rl1) port = rndc flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass quick on rl0 all no state
#----------------------- NAT ----------------------
nat on rl1 from ! (rl1) to any -> (rl1:0)
SirDice
June 4th, 2009, 15:53
169.254.182.0/24 is a link-local IPv4 address (RFC-3927) and non-routable. Use RFC-1918 addresses.
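An added example, not code from the thread: a small audit that reads the ifconfig -a layout and the int_if/ext_if macros posted above and reports why the LAN behind the internal interface cannot be NATed (link-local per RFC 3927, or not RFC 1918 space). The sample ifconfig text is constructed from the thread's output; the function names are my own.

```python
import ipaddress
import re

# Constructed sample, trimmed from the ifconfig -a output posted in the thread.
IFCONFIG = """\
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 169.254.182.251 netmask 0xffffff00 broadcast 169.254.182.255
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.168.2.2 netmask 0xffffff00 broadcast 192.168.2.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
\tinet 127.0.0.1 netmask 0xff000000
"""

# Constructed from the macro lines of the posted pf.conf.
PF_CONF = 'ext_if="rl1"\nint_if="rl0"\nlo_if="lo0"\n'


def pf_macros(conf):
    """Return pf.conf macro assignments of the form name="value" as a dict."""
    return dict(re.findall(r'^(\w+)="([^"]*)"', conf, re.M))


def parse_ifconfig(text):
    """Map interface name -> list of IPv4 networks derived from its inet lines."""
    nets, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\w+):\s+flags=", line)
        if head:
            cur = head.group(1)
            nets.setdefault(cur, [])
            continue
        addr = re.match(r"\s+inet\s+(\S+)\s+netmask\s+(0x[0-9a-fA-F]+)", line)
        if addr and cur:
            mask = ipaddress.IPv4Address(int(addr.group(2), 16))
            iface = ipaddress.ip_interface(f"{addr.group(1)}/{mask}")
            nets[cur].append(iface.network)
    return nets


def nat_problems(nets, int_if, ext_if):
    """List reasons hosts behind int_if cannot be NATed out of ext_if."""
    problems = []
    for net in nets.get(int_if, []):
        if net.is_link_local:   # 169.254.0.0/16: RFC 3927, must not be forwarded
            problems.append(f"{int_if} {net} is link-local (RFC 3927), not routable")
        elif not net.is_private:
            problems.append(f"{int_if} {net} is not RFC 1918 space")
    if not nets.get(ext_if):
        problems.append(f"{ext_if} has no IPv4 address for ({ext_if}:0) to use")
    return problems


if __name__ == "__main__":
    m = pf_macros(PF_CONF)
    for p in nat_problems(parse_ifconfig(IFCONFIG), m["int_if"], m["ext_if"]):
        print(p)
```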
DutchDaemon
June 4th, 2009, 16:11
You'd expect a complaint from either pfctl or ifconfig for that ..
SirDice
June 4th, 2009, 16:18
You'd expect a complaint from either pfctl or ifconfig for that ..
It is a valid IP address but I'm not sure how PF would handle it.
CmdLnKid
July 20th, 2009, 06:03
Not enough information disclosed.
mecano
July 20th, 2009, 17:38
Could that mean that his rtl0 interface was not "explicitly" set and got a dumb IP by default?
DutchDaemon
July 20th, 2009, 17:44
As far as I know only Windows PCs do something like that (saddle you with a link-local address when you boot without a network).
mecano
July 21st, 2009, 11:06
inet6 on lo and not on real interfaces maybe?