Old 28th May 2009
Calderon
Real Name: Patrick Lindholm
Fdisk Soldier
 
Join Date: May 2008
Location: Finland
Posts: 60

Hmm.. a question. NAT is not involved in this one (I think).

Now I have 2 "external" NICs. I want sshd to listen on bfe0 port 22 and on rl0 port 8081 (the university line has only this port open for remote consoles). I have sshd configured for that and I think it's fine.

Here's the ruleset. I think the bold one is the most relevant.

Code:
bsdkone# pfctl -s rules
scrub in all no-df fragment reassemble
block return log all
block return in quick on bfe0 proto tcp from <sshguard> to any port = ssh label "ssh bruteforce"
block drop in on ! lo0 inet6 from ::1 to any
block drop in on ! lo0 inet from 127.0.0.0/8 to any
anchor "ftp-proxy/*" all
pass out proto ipv6 all keep state
pass in proto ipv6 all keep state
pass out on xl0 inet from any to 192.168.133.0/24 flags S/SA keep state
pass out on xl0 inet6 from any to 2001:14b8:125::/64 flags S/SA keep state
pass in quick on xl0 inet from 192.168.133.0/24 to 192.168.133.1 flags S/SA keep state
pass in quick on xl0 inet6 from 2001:14b8:125::/64 to fe80::250:4ff:feaf:97b0 flags S/SA keep state
pass in quick on xl0 inet6 from 2001:14b8:125::/64 to 2001:14b8:125::10 flags S/SA keep state
pass in quick on xl0 route-to (rl0 94.237.80.1) inet proto udp from 192.168.133.0/24 port = 28960 to ! 88.192.186.40 keep state
pass in on xl0 route-to (bfe0 84.249.128.1) inet proto tcp from 192.168.133.0/24 to any flags S/SA modulate state
pass in on xl0 route-to (bfe0 84.249.128.1) inet proto udp from 192.168.133.0/24 to any keep state
pass in on xl0 route-to (bfe0 84.249.128.1) inet proto icmp from 192.168.133.0/24 to any keep state
pass out on bfe0 proto tcp all flags S/SA keep state
pass out on bfe0 proto udp all keep state
pass out on bfe0 proto icmp all keep state
pass out on rl0 proto tcp all flags S/SA keep state
pass out on rl0 proto udp all keep state
pass out on rl0 proto icmp all keep state
pass out on bfe0 route-to (rl0 94.237.80.1) inet from 94.237.82.251 to any flags S/SA keep state
pass out on rl0 route-to (bfe0 84.249.128.1) inet from 88.192.186.40 to any flags S/SA keep state
pass quick on xl0 all flags S/SA keep state


pass in on rl0 inet proto tcp from any to (rl0) port = 8081 flags S/SA keep state
pass in quick on bfe0 inet proto tcp from any to (bfe0) port = http flags S/SA keep state
pass in quick on bfe0 inet proto tcp from any to (bfe0) port = ssh flags S/SA keep state
pass in quick on bfe0 inet proto udp from any to (bfe0) port = 28960 keep state
pass in quick on bfe0 inet proto tcp from any to (bfe0) port = 28960 flags S/SA keep state
pass in quick on bfe0 inet proto tcp from any to (bfe0) port = smtp flags S/SA keep state

I run tcpdump and I see the connection coming in:


Code:
bsdkone# tcpdump -i rl0 | grep 8081
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on rl0, link-type EN10MB (Ethernet), capture size 96 bytes
02:42:33.136204 IP dsl-jklbrasgw2-fea6f800-250.dhcp.inet.fi.61579 > as82-251.tontut.fi.8081: S 2117910606:2117910606(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 464460900 0,sackOK,eol>
02:42:36.136417 IP dsl-jklbrasgw2-fea6f800-250.dhcp.inet.fi.61579 > as82-251.tontut.fi.8081: S 2117910606:2117910606(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 464463900 0,sackOK,eol>
02:42:39.335786 IP dsl-jklbrasgw2-fea6f800-250.dhcp.inet.fi.61579 > as82-251.tontut.fi.8081: S 2117910606:2117910606(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 464467100 0,sackOK,eol>
But no answer?

Now when I run tcpdump on the other external interface (the one which shouldn't be any part of this?), there goes the answer, and it uses rl0's IP?

Code:
bsdkone# tcpdump -i bfe0 | grep 8081
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bfe0, link-type EN10MB (Ethernet), capture size 96 bytes
02:44:18.790543 IP as82-251.tontut.fi.8081 > dsl-jklbrasgw2-fea6f800-250.dhcp.inet.fi.60800: S 178549870:178549870(0) ack 2933603272 win 65535 <mss 1460,nop,wscale 9,sackOK,timestamp 545701484 464563537>
02:44:18.966214 IP as82-251.tontut.fi.8081 > dsl-jklbrasgw2-fea6f800-250.dhcp.inet.fi.60800: S 178549870:178549870(0) ack 2933603272 win 65535 <mss 1460,nop,wscale 9,sackOK,timestamp 545701484 464566737>
02:44:21.965584 IP as82-251.tontut.fi.8081 > dsl-jklbrasgw2-fea6f800-250.dhcp.inet.fi.60800: S 178549870:178549870(0) ack 2933603272 win 65535 <mss 1460,nop,wscale 9,sackOK,timestamp 545701484 464566737>
02:44:22.166126 IP as82-251.tontut.fi.8081 > dsl-jklbrasgw2-fea6f800-250.dhcp.inet.fi.60800: S 178549870:178549870(0) ack 2933603272 win 65535 <mss 1460,nop,wscale 9,sackOK,eol>

The bfe0 interface is the default "gateway", but shouldn't the answering packets go the same way as they came?

EDIT: Answering myself: IN and OUT are 2 different states.

What am I missing here?

Last edited by Calderon; 30th May 2009 at 06:49 PM.
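A corrected form of the rl0 rule, added here as an example and not part of the original post. pf fixes the return path of a connection when the state is created: the SYN-ACK already matches the state made by the `pass in on rl0 ... port = 8081` rule, so it never reaches the later `pass out on bfe0 route-to (rl0 94.237.80.1)` rule and simply follows the kernel's default route out bfe0, which is exactly what the second tcpdump shows. Putting `reply-to` on the inbound rule records the reply interface and gateway in that state. The interface name, the `(rl0)` address macro and the gateway 94.237.80.1 are taken from the ruleset above; the macro names are assumptions made for this example.

```conf
# pf.conf fragment (added example, not the poster's real pf.conf).
# Interface and gateway values come from the ruleset shown above;
# the macro names are made up for this example.

ext_if2 = "rl0"             # university line, only TCP/8081 reachable
ext_gw2 = "94.237.80.1"     # rl0's upstream gateway (from the route-to rules)

# Before: the state is created on rl0, but the reply (SYN-ACK) is routed
# by the default route and leaves bfe0 carrying rl0's source address.
# pass in on $ext_if2 inet proto tcp from any to ($ext_if2) port 8081 flags S/SA keep state

# After: reply-to pins replies for this state to rl0 via its own gateway,
# independent of the default route.
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) inet proto tcp \
    from any to ($ext_if2) port 8081 flags S/SA keep state
```

After reloading with `pfctl -f /etc/pf.conf`, only connections that create a new state pick up the change (an existing state keeps the old path until it expires or is flushed with `pfctl -F states`), and the SYN-ACK from the second capture should then appear in `tcpdump -ni rl0 port 8081` instead of on bfe0. The bfe0 port 22 rule needs no `reply-to`, since bfe0 is already the default route.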