On Wednesday 14 February 2007 1:29 pm, Stuart Henderson wrote:
> On 2007/02/14 11:47, Tim Kuhlman wrote:
> > So what is happening? It seems to me that either pf is broken or his
> > linux kernel is broken and pf is catching it. Any ideas as to which is
> > the cause?
>
> Ruleset more likely. If you post it, people can make suggestions.
> Might be useful to capture a SYN with tcpdump and post any state entries
> relating to it, too (the relevant parts of pfctl -ss -v).
So my ruleset has some problems. I took some time to work through my rules and
re-read the state tracking section of the pf FAQ (which, by the way, is well
done, thanks). I found what I think are a couple of problems: I needed to
have the flags S/SA so that it paid attention to the SYN packet, and for some
reason I had the state policy globally set to if-bound rather than floating.
When I change both of those a new problem appears: routing between my
internal network and DMZs doesn't work.
The SYN packet goes through and appears to create state, but the SYN/ACK packet
isn't let back through. I thought that if it created state one way it was
supposed to allow it back the other. Surely I am missing something simple.
Here is the state as it appears with the new rules from a "pfctl -vvss"; I
also attached a tcpdump capture from both interfaces on the router.
all tcp 10.10.10.150:49516 -> 10.11.0.5:80       ESTABLISHED:SYN_SENT
   [573330559 + 16385](+3517130307) wscale 2  [3039928992 + 5840](+146001125) wscale 0
   age 00:00:02, expires in 00:00:28, 2:1 pkts, 116:64 bytes, rule 135
   id: 45c74dc600234f51 creatorid: b3647a00
The router has 5 interfaces and 10 ip addresses associated with it so I will
spare you the full ruleset but here are the ones that are relevant. I copied
the rules as they are including the extra interfaces and such.
$DMZ_production_if is the 10.11.0.0/24 network
$int_if is the 10.10.8.0/21 network
table <int_net> const { 10.10.8.0/21, 10.8.0.0/24, 172.16.1.0/24 }
pass in on { $int_if $vpn_if } proto { tcp udp icmp } from <int_net> to \
    { $DMZ_production_if:network, $DMZ_proto_if:network }
pass out on { $int_if $vpn_if $ext_if $dsl_if $DMZ_production_if $DMZ_proto_if } \
    proto { tcp udp icmp } flags S/SA modulate state
Thanks again.
--
Tim Kuhlman
Network Administrator
ColoradoVnet.com
[demime 1.01d removed an attachment of type application/octet-stream which had
a name of dmz_production_if-side]
[demime 1.01d removed an attachment of type application/octet-stream which had
a name of int_if-side]
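An added helper, not part of this thread, for reading entries like the one Tim pasted: it parses a pfctl -vvss TCP state entry (undoing the mailer's line wrapping) and names the handshake phase that the src:dst state pair encodes, using pf's rule that a SYN moves the sender to SYN_SENT and an ACK moves a SYN_SENT receiver to ESTABLISHED. The sample text is the entry quoted above; the function and dictionary key names are my own.

```python
import re

# Constructed from the pfctl -vvss entry quoted in the message above
# (the mail client re-wrapped what pfctl prints over several lines).
SAMPLE_STATE = """all tcp 10.10.10.150:49516 -> 10.11.0.5:80 ESTABLISHED:SYN_SENT
[573330559 + 16385](+3517130307) wscale 2 [3039928992 + 5840](+146001125)
wscale 0 age 00:00:02, expires in 00:00:28, 2:1 pkts, 116:64 bytes, rule
135 id: 45c74dc600234f51 creatorid: b3647a00"""

HEAD_RE = re.compile(r"^(\S+) (tcp|udp|icmp) (\S+) -> (\S+) (\S+):(\S+)")
COUNTER_RE = re.compile(r"(\d+):(\d+) pkts, (\d+):(\d+) bytes, rule (\d+)")
ID_RE = re.compile(r"id: ([0-9a-f]+) creatorid: ([0-9a-f]+)")


def parse_state(text):
    """Parse one pfctl -vvss state entry into a dict; wrapping is undone first."""
    flat = " ".join(text.split())
    head = HEAD_RE.match(flat)
    counters = COUNTER_RE.search(flat)
    ids = ID_RE.search(flat)
    if not (head and counters and ids):
        raise ValueError("unrecognised state entry: %r" % flat)
    iface, proto, src, dst, src_state, dst_state = head.groups()
    return {
        "if": iface, "proto": proto, "src": src, "dst": dst,
        "src_state": src_state, "dst_state": dst_state,
        # counters are per direction: src->dst : dst->src
        "pkts": (int(counters.group(1)), int(counters.group(2))),
        "bytes": (int(counters.group(3)), int(counters.group(4))),
        "rule": int(counters.group(5)),
        "id": ids.group(1), "creatorid": ids.group(2),
    }


def handshake_phase(state):
    """Say how far the 3-way handshake got, judged from pf's src:dst state pair.

    pf sets the sender of a SYN to SYN_SENT, and an ACK moves a peer that is in
    SYN_SENT to ESTABLISHED, so each pair below corresponds to a packet sequence."""
    pair = (state["src_state"], state["dst_state"])
    if pair == ("SYN_SENT", "CLOSED"):
        return "syn-only"        # SYN matched this state, nothing came back through pf
    if pair == ("ESTABLISHED", "SYN_SENT"):
        return "synack-seen"     # SYN and SYN/ACK both matched; client's final ACK not seen
    if pair == ("ESTABLISHED", "ESTABLISHED"):
        return "complete"        # all three handshake packets matched this state
    return "other"


if __name__ == "__main__":
    entry = parse_state(SAMPLE_STATE)
    print(entry["src"], "->", entry["dst"], entry["pkts"], handshake_phase(entry))
```

The per-direction packet counter (2:1 here) tells you whether pf counted a reply against the state at all, which is the first thing to check before blaming a rule.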