OS: FreeBSD-12.0-RELEASE
Switch: Cisco SLM 2024
We are setting up a new multi-homed gateway host with a PF firewall. We desire that LAN to LAN traffic not be filtered by the PF FW but that LAN to WAN traffic is. Our LAN contains hosts with public and private IPv4 addresses, hosts with public addresses only, and hosts with private addresses only. We use NAT for internal workstations requiring external resources. I am unable to come up with a working set of rules that permit unrestricted LAN to LAN communication and still filter on the internal i/f.
The example case is a host with a public IPv4 address connecting via ssh to a host having a private IPv4 address. The ssh session is established and works for a brief time, but then becomes non-responsive. In the pflog we can see traffic from the first host to the second host being blocked by the default "block in all" rule:
Code:
00:00:00.061438 rule 241/0(match): pass in on em0: 216.185.71.44.17457 > 192.168.216.31.22: Flags [S], seq 3972256681, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 670920488 ecr 0], length 0
00:00:00.000028 rule 241/0(match): pass out on em0: 216.185.71.44.17457 > 192.168.216.31.22: Flags [S], seq 3972256681, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 670920488 ecr 0], length 0
. . .
00:00:00.023502 rule 499/0(match): block in on em0: 216.185.71.44.17457 > 192.168.216.31.22: Flags [P.], seq 108:144, ack 1, win 1030, options [nop,nop,TS val 670996382 ecr 2400903835], length 36
00:00:00.099675 rule 499/0(match): block in on em0: 216.185.71.44.17457 > 192.168.216.31.22: Flags [P.], seq 0:144, ack 1, win 1030, options [nop,nop,TS val 671001431 ecr 2400903835], length 144
The abbreviated rule set in use is:
Code:
. . .
### set default action to block everything
block return out log all
block drop in log all
. . .
pass log quick on $int_if \
from { self $int_if:network } \
to { self $int_if:network }
. . .
I do not understand why the second rule does not override the first. Why is this happening? What rule(s) will allow LAN to LAN traffic to be unfiltered?
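As an added diagnostic example that is not part of the original post: a small Python parser over the pflog records quoted above (rejoined one record per line, as tcpdump prints them) that flags blocked non-SYN segments of flows a pass rule had already admitted. A TCP pass rule matches only the SYN because of PF's implicit flags S/SA, and later segments are expected to be passed by state, so the two PSH/ACK blocks by rule 499 show that no state entry matched them. The sample lines are constructed from the log in the post; the function names are my own.

```python
import re

# Constructed sample: the four pflog records quoted in the post, each wrapped
# record rejoined onto one line as "tcpdump -n -e -ttt -r /var/log/pflog" prints it.
SAMPLE_PFLOG = """\
00:00:00.061438 rule 241/0(match): pass in on em0: 216.185.71.44.17457 > 192.168.216.31.22: Flags [S], seq 3972256681, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 670920488 ecr 0], length 0
00:00:00.000028 rule 241/0(match): pass out on em0: 216.185.71.44.17457 > 192.168.216.31.22: Flags [S], seq 3972256681, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 670920488 ecr 0], length 0
00:00:00.023502 rule 499/0(match): block in on em0: 216.185.71.44.17457 > 192.168.216.31.22: Flags [P.], seq 108:144, ack 1, win 1030, options [nop,nop,TS val 670996382 ecr 2400903835], length 36
00:00:00.099675 rule 499/0(match): block in on em0: 216.185.71.44.17457 > 192.168.216.31.22: Flags [P.], seq 0:144, ack 1, win 1030, options [nop,nop,TS val 671001431 ecr 2400903835], length 144
"""

# One pflog record as tcpdump renders it: rule number, verdict, direction,
# interface, IPv4 endpoints with ports, and the TCP flags.
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

def parse_pflog(text):
    """Parse tcpdump-rendered pflog lines; lines that do not match (e.g. '. . .') are skipped."""
    return [m.groupdict() for m in map(LINE_RE.search, text.splitlines()) if m]

def flow_key(rec):
    """Identify a TCP flow by its source and destination address/port pair."""
    return (rec["src"], rec["sport"], rec["dst"], rec["dport"])

def find_stateless_blocks(records):
    """Return blocked non-SYN segments of flows a pass rule had already admitted.

    A TCP pass rule carries an implicit 'flags S/SA', so it matches only the SYN;
    later segments are meant to be passed by the state entry that SYN created. A
    logged block for a PSH/ACK segment of an admitted flow therefore means no state
    entry matched it and the packet fell through to the default block rule.
    """
    admitted, findings = set(), []
    for rec in records:
        key = flow_key(rec)
        if rec["action"] == "pass":
            admitted.add(key)
        elif key in admitted and "S" not in rec["flags"]:
            findings.append({"flow": key, "rule": rec["rule"], "flags": rec["flags"], "dir": rec["dir"]})
    return findings

if __name__ == "__main__":
    for f in find_stateless_blocks(parse_pflog(SAMPLE_PFLOG)):
        src, sport, dst, dport = f["flow"]
        print(f"{src}:{sport} -> {dst}:{dport} [{f['flags']}] blocked {f['dir']} by rule {f['rule']} after the flow was admitted: no state matched")
```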