ping -S appears to use wrong interface and bypass firewall rules

Clearly I lack some understanding in networking...

I have configured a VLAN interface on my router and host. I want the VLAN IP to only access its own subnet, nothing else. ifconfig and pf rules are at the end of the post.

What happens

- ping -c 1 -S 192.168.42.2 192.168.42.1 works as expected. tcpdump -i em0.42 shows the packets
- ping -c 1 -S 192.168.42.2 9.9.9.9 succeeds, but I want it to fail. tcpdump -i em0.42 doesn't show anything. tcpdump -i em0 host 9.9.9.9 shows the packets originating from 192.168.1.126 (the em0 non-VLAN IP)

What I want to happen

ping -c 1 -S 192.168.42.2 9.9.9.9 should send packets out em0.42 and have them be rejected

Why?

That part I don't know... what I think is going on is that route -n get 9.9.9.9 uses the default route, which goes through em0.

I'm not really sure how to test if my firewall config is correct. ping -S appears to not be using my em0.42 interface, even though that's the interface that the source IP is bound to.



router

Code:
# ifconfig igb1.42
igb1.42: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4600703<RXCSUM,TXCSUM,TSO4,TSO6,LRO,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
    ether 64:62:66:21:1c:75
    inet 192.168.42.1 netmask 0xffffff00 broadcast 192.168.42.255
    groups: vlan
    vlan: 42 vlanproto: 802.1q vlanpcp: 0 parent interface: igb1
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

# pfctl -s rules
scrub in all fragment reassemble
block drop in all
pass out all flags S/SA keep state
pass in on igb1 proto tcp from any to any port = ssh flags S/SA keep state
pass inet from 192.168.1.0/24 to any flags S/SA keep state
block return inet from 192.168.42.0/24 to any
pass inet from 192.168.42.0/24 to 192.168.42.0/24 flags S/SA keep state

host

Code:
$ ifconfig em0
em0: flags=8963<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4e504bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LRO,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
    ether 04:42:1a:ac:f7:1e
    inet 192.168.1.126 netmask 0xffffff00 broadcast 192.168.1.255
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

$ ifconfig em0.42
em0.42: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4600403<RXCSUM,TXCSUM,LRO,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
    ether 04:42:1a:ac:f7:1e
    inet 192.168.42.2 netmask 0xffffff00 broadcast 192.168.42.255
    groups: vlan
    vlan: 42 vlanproto: 802.1q vlanpcp: 0 parent interface: em0
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
 
try with -I for interface

-I iface
For an IPv4 target, iface is an IP address identifying an interface from which the packets will be sent. This flag applies only if the ping target is a multicast address.

For an IPv6 target, iface is a name of an interface (e.g., `em0') from which the packets will be sent. This flag applies if the ping target is a multicast address, or link-local/site-local unicast address.
 
ping -c 1 -S 192.168.42.2 9.9.9.9 should send packets out em0.42 and have them be rejected
Check your routing table. Routing works by looking at the destination address, it does not care what the source address is.
 
It fails with:

Code:
$ ping -I em0.42 9.9.9.9
ping: invalid multicast interface: `em0.42'

I assume because of:

This flag applies only if the ping target is a multicast address.

but perhaps I am overlooking something.
 
Check your routing table. Routing works by looking at the destination address, it does not care what the source address is.

Okay. Well the routing table is what I expect - there's a default gateway. So it seems like there's no point in adding a VLAN interface to my host - or at least, I'm not able to test my firewall rules using that interface.
 
If your gateway is on the 192.168.1.0/24 network, the packet will get sent out on em0, regardless of what the source address of the packet is.
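To make the routing point concrete, here is an added example (not from the thread) that does a longest-prefix-match lookup over two constructed routing tables modelled on the host in this thread: one before `ifconfig em0 delete`, one after. The source address is passed in only to show that it has no influence on which interface is chosen; the default route disappearing after em0 loses its address is an assumption, since the thread never prints the routing table.

```python
import ipaddress

# Constructed routing tables, not copied from the thread. Each entry is
# (destination prefix, outgoing interface); gateway addresses are left out
# because only the interface choice matters for the question asked here.
BEFORE = [
    ("0.0.0.0/0", "em0"),           # default route, reached via the em0 address
    ("192.168.1.0/24", "em0"),      # directly connected untagged subnet
    ("192.168.42.0/24", "em0.42"),  # directly connected VLAN 42 subnet
]

# Assumed state after 'ifconfig em0 delete': the default route's gateway lived
# on 192.168.1.0/24, so it goes away with that address, leaving only the VLAN.
AFTER = [
    ("192.168.42.0/24", "em0.42"),
]


def lookup(table, dst, src=None):
    """Return the outgoing interface for dst, or None if there is no route.

    The route is chosen by longest-prefix match on the destination only.
    `src` is accepted (and ignored) to make explicit that ping -S changes
    the source address of the packet, not the interface it leaves on.
    """
    dst_ip = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


if __name__ == "__main__":
    src = "192.168.42.2"
    for dst in ("192.168.42.1", "9.9.9.9"):
        print(f"before: {src} -> {dst} leaves via {lookup(BEFORE, dst, src)}")
    for dst in ("192.168.42.1", "9.9.9.9"):
        print(f"after:  {src} -> {dst} leaves via {lookup(AFTER, dst, src)}")
```

Before the change, 9.9.9.9 matches only the default route and so leaves on em0 even with -S 192.168.42.2, which is exactly why tcpdump on em0.42 saw nothing; after the change there is no route at all, so the packet never leaves the host.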
 
If your gateway is on the 192.168.1.0/24 network, the packet will get sent out on em0, regardless of what the source address of the packet is.

Understood... (now)

So, is it possible to configure my host to use a VLAN at all? When I do ifconfig em0 vlan 42 I get ifconfig: both vlan and vlandev must be specified. Doing ifconfig em0 vlan 42 vlandev em0 doesn't seem to make any change. As I understand it, you create a vlan interface that uses a physical interface. But I want to tag all of the traffic on my physical interface with a VLAN.
 
is it possible to configure my host to use a VLAN at all?

Alright I worked it out... part of it was not understanding the layers 2 and 3 configuration involved. It's pretty simple: delete the inet from em0, and create a vlan interface. So vlan uses the layer 2 connection from em0. Delete the layer 3 config from em0 and now the host is VLAN-only.

Code:
# ifconfig em0 delete
# ifconfig em0.42 create vlan 42 vlandev em0 inet 192.168.42.2/24 up

# ifconfig em0
em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4e504bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LRO,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
    ether 04:42:1a:ac:f7:1e
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

# ifconfig em0.42
em0.42: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4600403<RXCSUM,TXCSUM,LRO,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
    ether 04:42:1a:ac:f7:1e
    inet 192.168.42.2 netmask 0xffffff00 broadcast 192.168.42.255
    groups: vlan
    vlan: 42 vlanproto: 802.1q vlanpcp: 0 parent interface: em0
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

# ping -c 1 192.168.42.1
PING 192.168.42.1 (192.168.42.1): 56 data bytes
64 bytes from 192.168.42.1: icmp_seq=0 ttl=64 time=0.419 ms
 