PF equivalent for iptables "tee"? dup-to?

I am trying to replicate this iptables rule after moving from a Tomato-based router to a pfSense router.

Code:
iptables -t mangle -A POSTROUTING -p udp -d 192.168.1.0/23 -m string --string "INVITE sip:" --algo kmp -j ROUTE --tee --gw 192.168.1.2

This basically duplicates ("tees") SIP INVITE packets and sends them to a specific host. I know the string matching might be harder to do (it should still be possible using an L7 pattern; I will get there in a bit); for the moment I will edit rules.debug and reload the filter to test out the rule. If I can duplicate all the packets I am okay, I will ignore the non-INVITE packets at the client.

So far I have got this.

Code:
pass in log on pppoe0 dup-to 192.168.100.252  inet proto udp from 54.225.88.244 port 5060

But I think I am lacking an understanding of how to do this on *BSD, because I don't seem to understand what "in" and "out" mean on an interface. From what perspective is it in or out? Help!

I have tried both the pfSense forums and lists with no success. Help me, FreeBSD forum, you're my only hope.
 
If it helps, my state table has a connection like this:

Code:
HOMEVLAN udp 54.225.88.244:5060 <- 192.168.100.249:5060 MULTIPLE:MULTIPLE
WAN udp 76.10.170.91:11432 (192.168.100.249:5060) -> 54.225.88.244:5060 MULTIPLE:MULTIPLE

.249 is my ATA

Also, this is the traffic as seen by tcpdump on the LAN side of my pfSense box, so I can see it traversing there. I just can't come up with a rule to target it!

Code:
784.328435000    54.225.88.244    5060    192.168.100.249    5060    SIP/SDP    908        Request: INVITE sip:4169074446@192.168.100.249:5060 |
 
Quote:
This basically duplicates ("tees") SIP INVITE packets and sends them to a specific host. I know the string matching might be harder to do (it should still be possible using an L7 pattern; I will get there in a bit); for the moment I will edit rules.debug and reload the filter to test out the rule. If I can duplicate all the packets I am okay, I will ignore the non-INVITE packets at the client.

Here's some discussion from the OpenBSD devs relevant here. The bottom line is that string matching and understanding complex layer 7 protocols in the kernel is unsafe, and it seems doubtful it would ever be implemented in PF. This is the reason for user-land programs like ftp-proxy(8) and tftp-proxy(8): if or when a vulnerability is discovered, the impact is minimal.

http://openbsd.7691.n7.nabble.com/Ways-to-handle-DNS-amplification-attacks-with-OpenBSD-td97784.html

Quote:
But I think I am lacking an understanding of how to do this on *BSD, because I don't seem to understand what "in" and "out" mean on an interface. From what perspective is it in or out? Help!

The perspective is the system. So "in" is packets coming into the system and "out" is packets leaving the system. The firewall is stateful, so there is an implied "RELATED,ESTABLISHED": even if you drop all inbound traffic, replies from services that initiated a connection and created a state entry will automatically work.

*EDIT*
Fixed the bad explanation, as RELATED is handled by the user-land helpers I mentioned. The stateful part of PF is equivalent to ESTABLISHED in iptables.
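As an added illustration of the in/out perspective just described (this is not from the thread, pfSense or any of the posters), here are the same dup-to rules written out in rules.debug style, one per hop of the INVITE's path through the box. The provider, ATA and sniffer addresses are the ones posted above; the interface names, the `quick` keyword and the `(interface address)` form of dup-to (the form FreeBSD's pf.conf(5) grammar uses) are assumptions.

```pf
# Added example, not from the thread. Interface names and the sniffer host are
# assumptions; provider and ATA addresses come from the posted state table.
ext_if   = "pppoe0"           # WAN: the INVITE arrives here from the provider
lan_if   = "vlan10"           # HOMEVLAN, where the ATA lives (assumed name)
provider = "54.225.88.244"
ata      = "192.168.100.249"
sniffer  = "192.168.100.252"  # host that should receive the copies

# Direction is always from the firewall's own point of view:
#   "in"  = the packet is entering the firewall on this interface
#   "out" = the packet is leaving the firewall on this interface

# Hop 1, provider -> firewall: the INVITE enters on the WAN, so it is "in on $ext_if".
# dup-to sends a copy out $lan_if to the sniffer while the original continues.
pass in log quick on $ext_if dup-to ($lan_if $sniffer) inet proto udp \
    from $provider port 5060 to any

# Hop 2, firewall -> ATA: the very same packet is now "out on $lan_if".
# The copy was already taken on hop 1, so this rule only has to pass it.
pass out quick on $lan_if inet proto udp from $provider port 5060 to $ata

# Return path (REGISTER, 200 OK, ...): enters on the LAN, leaves on the WAN.
pass in  quick on $lan_if inet proto udp from $ata to $provider port 5060
pass out quick on $ext_if inet proto udp to $provider port 5060
```

One thing to keep in mind when testing: PF does not evaluate the ruleset for a packet that already matches a state, and the INVITE in the posted state table is a reply inside the state the ATA opened from the LAN, so a freshly loaded rule will not see it until that state is gone (for example after `pfctl -k 192.168.100.249` and a fresh REGISTER). Check with `pfctl -s states` which rule owns the state once the ATA re-registers.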
 
Quote:
The firewall is stateful, so there is an implied "RELATED,ESTABLISHED": even if you drop all inbound traffic, replies from services that initiated a connection and created a state entry will automatically work.

Unfortunately PF doesn't do RELATED, it only does ESTABLISHED. Having RELATED would be very nice, because you could then create in-kernel helpers for FTP and other "borked" protocols that now require a userland proxy to pass the firewall.
 
Thanks for the explanation. In the end I left my Tomato router in the network for Wi-Fi AP duties, so I was able to route the packets I needed to inspect to that router and then copy them off to the examination machine. Not the cleanest solution, but it works for now.
 