PF rules not allowing certain traffic to pass

Hi

I am sure there is a very simple explanation as to what I am getting wrong; dealing with various versions of FreeBSD means that the rules for pf vary from version to version. I am currently dealing with a pair of FreeBSD 8.2 routers configured to connect two LANs together. To save bandwidth I am only allowing certain traffic through. I'm not using NAT in this case because all hosts on both LANs need to be aware of each other.

Code:
#interfaces
wan_if="fxp0"
lan_if="em0"
#networks 
rocko="10.0.252.0/28"
penrith="192.168.13.0/24"
viiresss="192.168.13.1"
block out log label "Block Out"
block in log label "Block In"

#viress
pass in on $lan_if inet proto tcp from $viiresss to $rocko port 700
pass out on $wan_if inet proto tcp from $viiresss to $rocko port 700

When running tcpdump to troubleshoot the connection, I am still getting it blocked even though I have allowed it to pass. Is it possible this is because I'm not using NAT?

per-roc-wa-gw# tcpdump -nettti pflog0 port 700
Code:
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
00:00:00.000000 rule 18/0(match): block in on fxp0: 10.0.252.3.4596 > 192.168.13.1.700:  tcp 28 [bad hdr length 0 - too short, < 20]
00:00:06.015672 rule 18/0(match): block in on fxp0: 10.0.252.3.4596 > 192.168.13.1.700:  tcp 28 [bad hdr length 0 - too short, < 20]

I have read several examples and I know this will work with the block all removed; any help or suggestions would be appreciated.
 
Traffic is coming in on fxp0 ($wan_if) not on em0 ($lan_if).

In other words, your pass rules are the wrong way around.
 
Thanks for the prompt response SirDice. I have reversed the rules as per your suggestion. However, I still get the
Code:
 block in on fxp0: 10.0.252.3.4596 > 192.168.13.1.700:
when checking the logs via tcpdump -nettti pflog0 port 700
 
What traffic do you want to allow and where does it come in?
 
SirDice, thank you for your time and assistance.
The problem was in the way the question was asked. I actually had the rule mixed up in the original post. Just to correct the original posting: I have two LANs, Perth and Rocko, which are connected via a fibre link. The Perth LAN is the LAN where the services are located, and connections from the Rocko LAN need to be made to the various servers in the Perth network. I have the service working fine without putting a block in the /etc/pf.conf rule set. When I add the block rule I see traffic getting to the Perth WAN interface and getting dropped. Here are the macros defining the networks and the interfaces
Code:
#interfaces
lan_if="em0"
wan_if="fxp0"
#networks
rocko="10.222.252.0/28"
perth="192.168.1.0/24"
voipnet="10.222.253.0/28"
Followed by the block statement
Code:
block in log label "block in"
block out log label "block out"
And finally the rule to exclude traffic from the 10.222.252.0/28 network on port 700
Code:
pass in log on $wan_if inet proto tcp from any  to $iress port 700 queue trade
pass in log on $lan_if inet proto tcp from $iress to any  port 700
Now when I check the Perth end using tcpdump -s 256 -nettti pflog0 port 700
Code:
00:00:00.000000 rule 0/0(match): block in on fxp0: 10.222.252.3.1352 > 192.168.1.1.700: Flags [S], seq 3010816873, win 65535, options [mss 1460,nop,nop,sackOK], length 0
It was suggested that I needed to include scrub below the macro definitions, as the packets needed to be reassembled before they would pass through the filter. I have made that change and have connectivity to the router from the Perth network when the block rule is activated.
 
Which network is connected to em0 and which network is connected to fxp0?
 
Code:
pass in log on $wan_if inet proto tcp from any  to $iress port 700 queue trade

should be changed to:

Code:
pass in log on $wan_if inet proto tcp from any  to $perth port 700 queue trade

if you want to allow this traffic.

It is in your logs:

Code:
00:00:00.000000 rule 0/0(match): block in on fxp0: 10.222.252.3.1352 > 192.168.1.1.700:
 
You can simplify the rules further by using interface:network syntax:

Code:
pass in log on $wan_if inet proto tcp from any  to $lan_if:network port 700 queue trade
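For reference, here is the thread's ruleset assembled into one loadable /etc/pf.conf the way the replies above suggest it should end up. This is an added example, not a file posted by anyone in the thread: it takes the macros, the default-deny block rules, the scrub line and the $lan_if:network pass rule from the posts above and fills in what a working file still needs. Two things in it are assumptions: that em0 really is the Perth (server) side and fxp0 the fibre link to Rocko (the question about which network sits on which interface was never answered), and the altq queue definition, which is needed because "queue trade" is referenced in the thread but pfctl refuses a ruleset that assigns packets to a queue that has not been defined. The bandwidth figures in that definition are placeholders.

```pf
# /etc/pf.conf for the Perth router (FreeBSD 8.2 pf syntax)
# Assembled example, not from the thread; see the lead-in for assumptions.

#interfaces
lan_if="em0"    # assumed: Perth LAN side (192.168.1.0/24)
wan_if="fxp0"   # assumed: fibre link toward Rocko

#networks
rocko="10.222.252.0/28"
perth="192.168.1.0/24"
voipnet="10.222.253.0/28"

# Assumed altq definition so that "queue trade" below resolves.
# The queue takes effect on packets leaving fxp0, i.e. the replies
# from the Perth server back toward Rocko. Percentages are placeholders.
altq on $wan_if cbq bandwidth 10Mb queue { std, trade }
queue std   bandwidth 80% cbq(default)
queue trade bandwidth 20% priority 7

# Reassemble fragments and normalise packets before filtering.
# Scrub must come before the filter rules; this is the line whose
# absence kept the connection blocked in the thread.
scrub in all

# Default deny in both directions, logged to pflog0 so that
# "tcpdump -nettti pflog0" shows what is being dropped and by which rule.
block in  log label "block in"
block out log label "block out"

# Rocko -> Perth TCP/700 arrives on fxp0 (the link), not on em0, and its
# destination is an address in the Perth network, so the pass rule matches
# on $wan_if and uses the network macro (or $lan_if:network) rather than an
# undefined macro such as $iress. pf on FreeBSD 8.2 keeps state by default,
# and the default floating state policy lets that state also pass the
# forwarded packet out of em0 and the replies coming back.
pass in log on $wan_if inet proto tcp from $rocko to $lan_if:network port 700 queue trade

# Only needed if "set state-policy if-bound" is in use, where state created
# on fxp0 would not match packets leaving em0. Harmless otherwise.
pass out on $lan_if inet proto tcp from $rocko to $lan_if:network port 700
```

Before loading it, check the syntax without touching the running ruleset with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`. To map the "rule 0/0(match)" numbers that pflog prints back to lines in the file, list the loaded rules with `pfctl -vsr`; each rule is printed with its number as `@0`, `@1`, and so on, so the number in the tcpdump output tells you exactly which block or pass rule fired. If a connection is still dropped after this, the log line shows the interface and the direction, which is the first thing to compare against the `on $wan_if` / `on $lan_if` parts of the pass rules.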
 