Packet Filter blocking

Currently 7.2 PF under BSD under a firewall traditional C class the nattolás works perfectly inside an IP province. But present LAN 169.254.182.0/24 An IP works on a province, the nattolás is out of order however on this !

Thanks in advance for the help!

Németh Attila Péter
 
Please make your post more clear. You have some problem with C class network? What problem?
 
What the heck is a nattolas and an IP province?!?

Please don't use a translator program to translate your native language into English. Most of them are crap, especially when it comes to "technical" terms. This makes it really, really hard to understand.
 
Nat problem

The NAT in FreeBSD 7.2 doesn't work with 169.254.182.0/24!
But the class C 192.168.1.0/24 is OK...

Why ?

Németh Attila Péter
 
Post your `ifconfig -a` and your /etc/pf.conf (or the NAT rules from it).
 
Code:
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 00:1d:0f:ff:ae:15
	inet 169.254.182.251 netmask 0xffffff00 broadcast 169.254.182.255
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 00:1d:0f:ff:9d:cd
	inet 192.168.2.2 netmask 0xffffff00 broadcast 192.168.2.255
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
pfsync0: flags=0<> metric 0 mtu 1460
	syncpeer: 224.0.0.240 maxupd: 128
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5 
	inet6 ::1 prefixlen 128 
	inet 127.0.0.1 netmask 0xff000000 
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33204
Code:
# macros
ext_if="rl1"
int_if="rl0"
lo_if="lo0"

# SAMBA 137,138,139,445
# SSH   22
# DNS   53
# RNDC 953

tcp_services="{ 22, 53, 113, 137, 138, 139, 445, 953 }"
icmp_types="echoreq"

# comp3="192.168.0.3"

# options
set block-policy return
set loginterface $ext_if

set skip on lo

# scrub
scrub in

# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)

# nat-anchor "ftp-proxy/*"
# rdr-anchor "ftp-proxy/*"

#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
# rdr on $ext_if proto tcp from any to any port 80 -> $comp3

# filter rules
block in
pass out

anchor "ftp-proxy/*"
antispoof quick for { lo $int_if }

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services
# pass in on $ext_if inet proto tcp from any to $comp3 port 80 \

# synproxy state
pass in inet proto icmp all icmp-type $icmp_types
pass quick on $int_if no state

My interfaces and pf.conf

Németh Attila Péter
 
Code:
#----------------------- PF RULES ----------------------
scrub in all fragment reassemble
block return in all
pass out all flags S/SA keep state
anchor "ftp-proxy/*" all
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick inet6 from ::1 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick on ! rl0 inet from 169.254.182.0/24 to any
block drop in quick inet from 169.254.182.251 to any
pass in on rl1 inet proto tcp from any to (rl1) port = ssh flags S/SA keep state
pass in on rl1 inet proto tcp from any to (rl1) port = domain flags S/SA keep state
pass in on rl1 inet proto tcp from any to (rl1) port = auth flags S/SA keep state
pass in on rl1 inet proto tcp from any to (rl1) port = netbios-ns flags S/SA keep state
pass in on rl1 inet proto tcp from any to (rl1) port = netbios-dgm flags S/SA keep state
pass in on rl1 inet proto tcp from any to (rl1) port = netbios-ssn flags S/SA keep state
pass in on rl1 inet proto tcp from any to (rl1) port = microsoft-ds flags S/SA keep state
pass in on rl1 inet proto tcp from any to (rl1) port = rndc flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass quick on rl0 all no state

#----------------------- NAT ----------------------
nat on rl1 from ! (rl1) to any -> (rl1:0)
 
169.254.182.0/24 is a link-local IPv4 address (RFC-3927) and non-routable. Use RFC-1918 addresses.
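Added example (not from the thread): a Python pre-flight check that parses the ifconfig -a output and pf.conf macros posted above, resolves $int_if, and reports why 169.254.182.0/24 is rejected as link-local (RFC 3927) while an RFC 1918 prefix passes. The IFCONFIG sample is constructed from the two interface lines that matter.

```python
import ipaddress
import re

# Constructed sample: the two relevant interfaces from the ifconfig -a output
# posted above, and the macro lines from the posted pf.conf.
IFCONFIG = """\
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 169.254.182.251 netmask 0xffffff00 broadcast 169.254.182.255
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.2.2 netmask 0xffffff00 broadcast 192.168.2.255
"""
PF_CONF = 'ext_if="rl1"\nint_if="rl0"\n'

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # RFC 3927 autoconfiguration range

def pf_macros(conf):
    """Return {name: value} for simple pf.conf macro lines such as int_if="rl0"."""
    return dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', conf, re.M))

def inet_networks(ifconfig_output):
    """Map interface name -> IPv4Interface, parsing ifconfig's hex netmask form."""
    nets, cur = {}, None
    for line in ifconfig_output.splitlines():
        m = re.match(r"^(\w+): flags=", line)
        if m:
            cur = m.group(1)
            continue
        m = re.match(r"\s*inet (\S+) netmask (0x[0-9a-fA-F]+)", line)
        if m and cur:
            mask = ipaddress.IPv4Address(int(m.group(2), 16))  # 0xffffff00 -> 255.255.255.0
            nets[cur] = ipaddress.ip_interface(f"{m.group(1)}/{mask}")
    return nets

def classify(network):
    """Say whether a LAN prefix is a sensible inside network for a NAT rule."""
    if network.subnet_of(LINK_LOCAL):  # is_private is also True here, so test this first
        return "link-local (RFC 3927): not routable, not a valid inside network for NAT"
    if network.is_private:  # RFC 1918 ranges (and other IANA special-use blocks)
        return "private (RFC 1918): usable as an inside network behind NAT"
    return "globally routable: not an inside network"

def check_int_if(conf=PF_CONF, ifconfig_output=IFCONFIG):
    """Resolve $int_if from pf.conf, find its network and classify it."""
    ifname = pf_macros(conf)["int_if"]
    net = inet_networks(ifconfig_output)[ifname].network
    return ifname, str(net), classify(net)
```

Running `check_int_if()` against the posted configuration returns rl0 with 169.254.182.0/24 flagged as link-local, which is the mismatch the NAT rule is tripping over.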
 
You'd expect a complaint from either pfctl or ifconfig for that ..
 
DutchDaemon said:
You'd expect a complaint from either pfctl or ifconfig for that ..

It is a valid IP address but I'm not sure how PF would handle it.
 
As far as I know only Windows PCs do something like that (saddle you with a link-local address when you boot without a network).
 