On 5/20/05, Adam Papai <[EMAIL PROTECTED]> wrote:
> I have a problem with pf synproxy.
To add to the other report on pf's synproxy rules, this may be
another instance of the same problem.
Running -current (built this morning, but my -current of 2 days ago
suffered the same problem), it seems I cannot get pf to work with
synproxy rules for my SSH connections. At first I thought this had to
do with the pf diff Henning sent out a few days ago. Unfortunately,
both with or without the patch, I see the same problem.
Upon connecting, I get a matching rule (as logged by pflogd), and a
PROXY:DST state entry for the connection attempt. Beyond that point,
nothing happens. If I change the
I checked the CVS, but I didn't find any changes to the synproxy magic
in the last few days (nothing before April 22nd, according to the CVS
commit list).
I'll be happy to test suggestions, including those provided by cluebat.
Cheers,
Rogier
My (partial) pfctl output:
# pfctl -s state | grep self
self tcp 172.20.80.70:22 <- 172.20.80.64:22824 PROXY:DST
self tcp 172.20.80.70:22 <- 172.20.80.64:6548 PROXY:DST
My tcpdump log output:
# tcpdump -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG
10:49:13.007218 valhalla.wep.local.1118 > test.iverdahl.local.ssh: S
747995367:747995367(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
10:49:16.838887 valhalla.wep.local.1119 > test.iverdahl.local.ssh: S
3830581541:3830581541(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
10:49:48.314524 B2.wep.local.8655 > test.iverdahl.local.ssh: SWE
1399202162:1399202162(0) win 16384 <mss 1460,nop,nop,sackOK,[|tcp]>
(DF)
10:50:23.325549 B2.wep.local.28287 > test.iverdahl.local.ssh: SWE
1110916736:1110916736(0) win 16384 <mss 1460,nop,nop,sackOK,[|tcp]>
(DF)
10:50:44.500474 B52.wep.local.38297 > test.iverdahl.local.ssh: SWE
2153855513:2153855513(0) win 16384 <mss 1460,nop,nop,sackOK,[|tcp]>
(DF)
10:51:05.586309 B52.wep.local.30409 > test.iverdahl.local.ssh: SWE
3863890171:3863890171(0) win 16384 <mss 1460,nop,nop,sackOK,[|tcp]>
(DF)
10:53:56.933918 B52.wep.local.6548 > test.iverdahl.local.ssh: SWE
2493733226:2493733226(0) win 16384 <mss 1460,nop,nop,sackOK,[|tcp]>
(DF)
My /etc/pf.conf:
# cat /etc/pf.conf
# Interface definitions
ext_if="pppoe0"
int_if="fxp0"
# Scrub rules
scrub in
scrub out on pppoe0 max-mss 1440
# Default deny stance
block in all
block out all
# Allow for some traffic
pass out on {$int_if,$ext_if} proto tcp all flags S/SA keep state
pass out on {$int_if,$ext_if} proto {udp, icmp} all keep state
# Keep the local loop unfiltered
pass quick on lo0
# Apply anti-spoofing rules for our local interfaces
antispoof quick for {lo0 $int_if}
# Allow local SSH traffic, while blocking remote SSH traffic gracefully
pass in log on $int_if proto tcp to ($int_if) port ssh flags S/SA synproxy state
pass in on $int_if proto tcp to 172.20.80.71 port ssh flags S/SA keep state
block return in quick on $ext_if proto tcp to ($ext_if) port ssh flags S/SA
# Allow UDP streams coming in from OLI
pass in on $ext_if proto udp from 130.161.x.y to ($ext_if)
# Allow incoming ICMP
pass in on {$int_if $ext_if} proto icmp
# Allow incoming CARP on the local LAN
pass in on $int_if proto carp
My dmesg:
# dmesg
OpenBSD 3.7-current (GENERIC) #0: Fri May 20 05:19:19 CEST 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Celeron(R) CPU 2.40GHz ("GenuineIntel" 686-class) 2.40 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,PNI,MWAIT,CNXT-ID
real mem = 534548480 (522020K)
avail mem = 480948224 (469676K)
using 4278 buffers containing 26828800 bytes (26200K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 09/29/04, BIOS32 rev. 0 @ 0xf0010
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev 2.1 @ 0xf0000/0x10000
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf3d00/224 (12 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82801EB/ER LPC" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc0000/0xa200!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82865G/PE/P CPU-I/0-1" rev 0x02
vga1 at pci0 dev 2 function 0 "Intel 82865G Video" rev 0x02: aperture
at 0xf0000000, size 0x8000000
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
uhci0 at pci0 dev 29 function 0 "Intel 82801EB/ER USB" rev 0x02: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 "Intel 82801EB/ER USB" rev 0x02: irq 5
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 "Intel 82801EB/ER USB" rev 0x02: irq 10
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
uhci3 at pci0 dev 29 function 3 "Intel 82801EB/ER USB" rev 0x02: irq 11
usb3 at uhci3: USB revision 1.0
uhub3 at usb3
uhub3: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub3: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 29 function 7 "Intel 82801EB/ER USB" rev 0x02: irq 9
usb4 at ehci0: USB revision 2.0
uhub4 at usb4
uhub4: Intel EHCI root hub, class 9/0, rev 2.00/1.00, addr 1
uhub4: 8 ports with 8 removable, self powered
ppb0 at pci0 dev 30 function 0 "Intel 82801BA AGP" rev 0xc2
pci1 at ppb0 bus 1
hifn0 at pci1 dev 4 function 0 "Hifn 7955/7954" rev 0x00: LZS 3DES
ARC4 MD5 SHA1 RNG AES PK, 32KB dram, irq 10
fxp0 at pci1 dev 8 function 0 "Intel PRO/100 VE" rev 0x01: irq 11,
address 00:11:11:9d:0a:de
inphy0 at fxp0 phy 1: i82562ET 10/100 PHY, rev. 0
ichpcib0 at pci0 dev 31 function 0 "Intel 82801EB/ER LPC" rev 0x02
pciide0 at pci0 dev 31 function 1 "Intel 82801EB/ER IDE" rev 0x02:
DMA, channel 0 configured to compatibility, channel 1 configured to
compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <PHILIPS, CDD3610 CD-R/RW, 3.01> SCSI0
5/cdrom removable
cd0(pciide0:0:0): using PIO mode 0, DMA mode 1
wd0 at pciide0 channel 1 drive 0: <HDS722516VLAT80>
wd0: 16-sector PIO, LBA48, 157066MB, 321672960 sectors
wd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 5
pciide1 at pci0 dev 31 function 2 "Intel 82801EB SATA" rev 0x02: DMA,
channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide1: using irq 10 for native-PCI interrupt
"Intel 82801EB/ER SMBus" rev 0x02 at pci0 dev 31 function 3 not configured
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask ff6d netmask ff6d ttymask ffef
pctr: user-level cycle counter enabled
dkcsum: wd0 matched BIOS disk 80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
pppoe0: phase establish
pppoe0: phase authenticate
pppoe0: phase network
--
If you don't know where you're going, any road will get you there.
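A quick check that follows on from the state table quoted above, added here as an example and not part of the original mail: a small script that parses `pfctl -s state` output in the OpenBSD 3.7-era format shown in the mail and lists every TCP state that is still inside the synproxy handshake. In pf's synproxy state machine, PROXY:SRC means pf is still completing the three-way handshake with the client, and PROXY:DST means the client side is done and pf has sent its own SYN to the destination and is waiting for the SYN+ACK. States that sit in either phase for long, as the two entries above do, are exactly the symptom being reported. The first two sample lines are the real entries from the mail; the remaining sample lines and the `130.161.1.2` address are constructed for illustration. The field layout assumed by the regular expression is the one visible on this page; newer pfctl versions print extra fields and would need the pattern adjusted.

```python
import re
from collections import Counter

# Constructed sample in the `pfctl -s state` format used by OpenBSD 3.7.
# The first two lines are the real entries from the mail above; the rest
# are made up so the parser has healthy states to ignore.
SAMPLE_STATES = """\
self tcp 172.20.80.70:22 <- 172.20.80.64:22824 PROXY:DST
self tcp 172.20.80.70:22 <- 172.20.80.64:6548 PROXY:DST
self tcp 172.20.80.70:22 <- 172.20.80.65:40112 ESTABLISHED:ESTABLISHED
self tcp 172.20.80.70:3001 -> 130.161.1.2:80 ESTABLISHED:ESTABLISHED
self udp 172.20.80.70:53 -> 130.161.1.2:53 MULTIPLE:MULTIPLE
"""

# <if> <proto> <local>:<port> <-|-> <remote>:<port> <srcstate>:<dststate>
# (assumed layout, matching the lines quoted in the mail)
STATE_RE = re.compile(
    r'^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<local>\S+)\s+'
    r'(?P<arrow><-|->)\s+(?P<remote>\S+)\s+(?P<state>\S+)$'
)


def parse_state(line):
    """Parse one `pfctl -s state` line into a dict, or return None if it does not match."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # "<-" is an inbound state (local endpoint on the left), "->" outbound.
    d['direction'] = 'in' if d['arrow'] == '<-' else 'out'
    del d['arrow']
    return d


def synproxy_phase(state):
    """Return 'SRC' or 'DST' for a state still inside the synproxy handshake, else None.

    PROXY:SRC - pf is still completing the handshake with the client.
    PROXY:DST - client side done; pf has sent its SYN to the destination
                and is waiting for the destination's SYN+ACK.
    """
    if state.startswith('PROXY:'):
        return state.split(':', 1)[1]
    return None


def find_stuck_synproxy(text):
    """Return every TCP state that is still being proxied, tagged with its phase."""
    stuck = []
    for line in text.splitlines():
        s = parse_state(line)
        if s is None or s['proto'] != 'tcp':
            continue
        phase = synproxy_phase(s['state'])
        if phase is not None:
            s['phase'] = phase
            stuck.append(s)
    return stuck


def summarize(stuck):
    """Count proxied states per (local endpoint, phase) so a stuck service stands out."""
    return Counter((s['local'], s['phase']) for s in stuck)


if __name__ == '__main__':
    hits = find_stuck_synproxy(SAMPLE_STATES)
    for s in hits:
        print(f"{s['proto']} {s['local']} {s['direction']} {s['remote']}: PROXY:{s['phase']}")
    for (local, phase), n in summarize(hits).items():
        print(f"{n} state(s) for {local} waiting in phase {phase}")
```

On a live box, feed it `pfctl -s state` output instead of the embedded sample (`pfctl -s state | python3 check.py` with `sys.stdin.read()` in place of `SAMPLE_STATES`). Several entries for one local endpoint all parked in PROXY:DST, with no ESTABLISHED entries for that endpoint, point at the destination never answering pf's SYN, which is a different problem from PROXY:SRC entries piling up, where the clients never finish their side of the handshake.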