DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
Old 21st September 2009
wesley wesley is offline
Real Name: Wesley
Fdisk Soldier
 
Join Date: Aug 2009
Location: Reunion Island
Posts: 76
Thanked 1 Time in 1 Post
Default

Vpn is ok, but, factory can't ping or can't access to the ftp.
When i use tcpdump, i can see some packets but nothing is blocked.
Reply With Quote
Old 21st September 2009
jggimi's Avatar
jggimi jggimi is online now
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,675
Thanked 214 Times in 189 Posts
Default

Quote:
Originally Posted by wesley View Post
Vpn is ok, but, factory can't ping or can't access to the ftp.
Then the VPN is not ok. SAs and Flows might be established, but proper traffic may not be tunneled.
Quote:
When i use tcpdump, i can see some packets but nothing is blocked.
That is insufficient information for any of us to help you. We can't see what device or file you were running tcpdump with, nor have we seen any output that shows us anything.

Note:
You will only see PF logged packets when using tcpdump with pflog0 for real time, or /var/log/pflog* history files.

You will not be able to confirm correct/incorrect tunnel operations unless you use tcpdump with your gateway NIC, and also with enc0. enc0 will show unencrypted packets sent via the tunnel, the gateway NIC should show the ESP packets for traffic destined between your company and the factory, no TCP traffic between your company and the factory, and only UDP for port 500 for IPSec key exchanges and port 4500 for NAT traversal.
Reply With Quote
Old 22nd September 2009
wesley wesley is offline
Real Name: Wesley
Fdisk Soldier
 
Join Date: Aug 2009
Location: Reunion Island
Posts: 76
Thanked 1 Time in 1 Post
Default no_traffic:single ??

Hello,

VPN is mounted but there's no traffic.
For recall :
Code:
Factory ip : 22.22.22.22 
factory lan : 10.0.0.0/8 --> biNAT--> 192.168.191.0
Our ip : 11.11.11.11
Our lan : 10.0.0.0/24 --> biNAT --> 192.168.192.0
our ftp : 10.0.0.115 --> biNAT --> 192.168.192.115
our OpenBSD Firewal : 10.0.0.113 (ftpproxy) -->biNAT--> 192.168.192.113
In /var/log/daemon and messages, there's no error, so i think that the error comes from my pf.conf file.

You will find my pf.conf and ipsec.conf files attached.

pfctl -s states ::
Code:
all tcp 10.0.0.114:25 (11.11.11.11:25) <- 193.253.100.193:1311       ESTABLISHED:ESTABLISHED
all tcp 193.253.100.193:1311 -> 10.0.0.114:25       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.114:25 (11.11.11.11:25) <- 193.253.100.193:1316       ESTABLISHED:ESTABLISHED
all tcp 193.253.100.193:1316 -> 10.0.0.114:25       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.114:110 (11.11.11.11:110) <- 193.253.100.193:1320       ESTABLISHED:ESTABLISHED
all tcp 193.253.100.193:1320 -> 10.0.0.114:110       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.114:25 (11.11.11.11:25) <- 193.253.100.193:1328       ESTABLISHED:ESTABLISHED
all tcp 193.253.100.193:1328 -> 10.0.0.114:25       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.114:110 (11.11.11.11:110) <- 193.253.99.118:2600       FIN_WAIT_2:FIN_WAIT_2
all tcp 193.253.99.118:2600 -> 10.0.0.114:110       FIN_WAIT_2:FIN_WAIT_2
all tcp 10.0.0.114:110 (11.11.11.11:110) <- 193.253.99.118:2979       FIN_WAIT_2:FIN_WAIT_2
all tcp 193.253.99.118:2979 -> 10.0.0.114:110       FIN_WAIT_2:FIN_WAIT_2
all esp 11.11.11.11 <- 22.22.22.22       NO_TRAFFIC:SINGLE
tcpdump -nettti pflog0 ::
Code:
Sep 22 09:10:15.348127 rule 0/(match) block in on bge0: 192.168.0.13.138 > 192.168.0.255.138: udp 201
Sep 22 09:10:16.268114 rule 0/(match) block out on rl0: 192.168.191.254.11215 > 192.168.192.113.21: S 416012410:416012410(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:10:16.270094 rule 0/(match) block out on rl0: 192.168.191.254.5558 > 192.168.192.115.21: S 3008802303:3008802303(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:10:19.442729 rule 0/(match) block out on rl0: 192.168.191.254.5558 > 192.168.192.115.21: S 3008802303:3008802303(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:10:19.442782 rule 0/(match) block out on rl0: 192.168.191.254.11215 > 192.168.192.113.21: S 416012410:416012410(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:10:21.744797 rule 0/(match) block in on bge0: 10.0.0.114.138 > 10.0.0.255.138: udp 204
Sep 22 09:10:26.004802 rule 0/(match) block out on rl0: 192.168.191.254.5558 > 192.168.192.115.21: S 3008802303:3008802303(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:10:26.004856 rule 0/(match) block out on rl0: 192.168.191.254.11215 > 192.168.192.113.21: S 416012410:416012410(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:10:55.980627 rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Sep 22 09:10:55.987199 rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Sep 22 09:10:56.055641 rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Sep 22 09:10:56.132420 rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Sep 22 09:10:56.177171 rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Sep 22 09:10:56.347699 rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Sep 22 09:11:00.759127 rule 0/(match) block in on bge0: 192.168.0.92.138 > 192.168.0.255.138: udp 201
Sep 22 09:11:09.724487 rule 0/(match) block out on rl0: 192.168.191.254.22124 > 192.168.192.113.21: S 4242417665:4242417665(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:11:09.724542 rule 0/(match) block out on rl0: 192.168.191.254.12443 > 192.168.192.115.21: S 916436565:916436565(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:11:11.743450 rule 0/(match) block in on bge0: 10.0.0.115.137 > 10.0.0.255.137: udp 50 (DF)
Sep 22 09:11:12.925128 rule 0/(match) block out on rl0: 192.168.191.254.22124 > 192.168.192.113.21: S 4242417665:4242417665(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:11:12.927137 rule 0/(match) block out on rl0: 192.168.191.254.12443 > 192.168.192.115.21: S 916436565:916436565(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:11:13.743026 rule 0/(match) block in on bge0: 10.0.0.115.137 > 10.0.0.255.137: udp 50 (DF)
Sep 22 09:11:13.743317 rule 0/(match) block in on bge0: 10.0.0.115.137 > 10.0.0.255.137: udp 50 (DF)
Sep 22 09:11:15.742900 rule 0/(match) block in on bge0: 10.0.0.115.137 > 10.0.0.255.137: udp 50 (DF)
Sep 22 09:11:15.743629 rule 0/(match) block in on bge0: 10.0.0.115.138 > 10.0.0.255.138: udp 183 (DF)
Sep 22 09:11:19.487204 rule 0/(match) block out on rl0: 192.168.191.254.22124 > 192.168.192.113.21: S 4242417665:4242417665(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:11:19.489208 rule 0/(match) block out on rl0: 192.168.191.254.12443 > 192.168.192.115.21: S 916436565:916436565(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:12:02.397661 rule 0/(match) block out on rl0: 192.168.191.254.20978 > 192.168.192.113.21: S 313707294:313707294(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:12:02.399746 rule 0/(match) block out on rl0: 192.168.191.254.21081 > 192.168.192.115.21: S 32318798:32318798(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:12:05.642545 rule 0/(match) block out on rl0: 192.168.191.254.20978 > 192.168.192.113.21: S 313707294:313707294(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:12:05.644562 rule 0/(match) block out on rl0: 192.168.191.254.21081 > 192.168.192.115.21: S 32318798:32318798(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
tcpdump -i enc0 ::
Code:
09:04:06.296541 (authentic,confidential): SPI 0x5a2c3acf: 192.168.191.254.22139 > 192.168.192.113.ftp: S 3367012579:3367012579(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:04:06.296601 (authentic,confidential): SPI 0x5a2c3acf: 192.168.191.254.17868 > 192.168.192.115.ftp: S 2687060267:2687060267(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:04:09.541372 (authentic,confidential): SPI 0x5a2c3acf: 192.168.191.254.22139 > 192.168.192.113.ftp: S 3367012579:3367012579(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:04:09.543372 (authentic,confidential): SPI 0x5a2c3acf: 192.168.191.254.17868 > 192.168.192.115.ftp: S 2687060267:2687060267(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:04:16.103470 (authentic,confidential): SPI 0x5a2c3acf: 192.168.191.254.22139 > 192.168.192.113.ftp: S 3367012579:3367012579(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:04:16.103526 (authentic,confidential): SPI 0x5a2c3acf: 192.168.191.254.17868 > 192.168.192.115.ftp: S 2687060267:2687060267(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:04:59.771111 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.28703 > 192.168.192.113.ftp: S 3433315986:3433315986(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:04:59.772896 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.27475 > 192.168.192.115.ftp: S 647084916:647084916(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:05:03.025847 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.28703 > 192.168.192.113.ftp: S 3433315986:3433315986(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:05:03.025899 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.27475 > 192.168.192.115.ftp: S 647084916:647084916(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:05:09.587923 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.28703 > 192.168.192.113.ftp: S 3433315986:3433315986(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:05:09.587980 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.27475 > 192.168.192.115.ftp: S 647084916:647084916(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:05:52.420076 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.31644 > 192.168.192.113.ftp: S 3932100714:3932100714(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:05:52.420132 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.22769 > 192.168.192.115.ftp: S 1761837725:1761837725(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:05:55.632782 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.31644 > 192.168.192.113.ftp: S 3932100714:3932100714(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:05:55.634783 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.22769 > 192.168.192.115.ftp: S 1761837725:1761837725(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:06:02.196911 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.31644 > 192.168.192.113.ftp: S 3932100714:3932100714(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:06:02.196973 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.22769 > 192.168.192.115.ftp: S 1761837725:1761837725(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:06:45.908543 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.21483 > 192.168.192.113.ftp: S 592730350:592730350(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:06:45.908595 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.10421 > 192.168.192.115.ftp: S 1560911767:1560911767(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:06:49.117237 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.21483 > 192.168.192.113.ftp: S 592730350:592730350(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:06:49.119247 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.10421 > 192.168.192.115.ftp: S 1560911767:1560911767(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:06:55.679310 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.21483 > 192.168.192.113.ftp: S 592730350:592730350(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
If someone can help me please ...
Attached Files
File Type: conf pf.conf (1.3 KB, 10 views)
File Type: conf ipsec.conf (203 Bytes, 9 views)

Last edited by Carpetsmoker; 22nd September 2009 at 09:32 AM. Reason: Add [code] tags
Reply With Quote
Old 22nd September 2009
jggimi's Avatar
jggimi jggimi is online now
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,675
Thanked 214 Times in 189 Posts
Default

There is traffic on enc0, so there is traffic on the tunnel. What it is, I have no idea, because you were only using -i. -neti would provide additional protocol information.

e.g.:

# tcpdump -neti enc0
# tcpdump -neti pflog0 action block
# tcpdump -neti <gateway nic> net 192.168.1.0/24
Reply With Quote
Old 22nd September 2009
wesley wesley is offline
Real Name: Wesley
Fdisk Soldier
 
Join Date: Aug 2009
Location: Reunion Island
Posts: 76
Thanked 1 Time in 1 Post
Default

Here additional protocol information :

tcpdump -neti enc0 :
-----------------------
(authentic,confidential): SPI 0x01112673: 192.168.191.254.30740 > 192.168.192.113.21: S 2719148255:2719148255(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
(authentic,confidential): SPI 0x01112673: 192.168.191.254.29712 > 192.168.192.115.21: S 26857501:26857501(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
(authentic,confidential): SPI 0x01112673: 192.168.191.254.29712 > 192.168.192.115.21: S 26857501:26857501(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
(authentic,confidential): SPI 0x01112673: 192.168.191.254.30740 > 192.168.192.113.21: S 2719148255:2719148255(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
(authentic,confidential): SPI 0x01112673: 192.168.191.254.29712 > 192.168.192.115.21: S 26857501:26857501(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
(authentic,confidential): SPI 0x01112673: 192.168.191.254.30740 > 192.168.192.113.21: S 2719148255:2719148255(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
(authentic,confidential): SPI 0x01112673: 192.168.191.254.27440 > 192.168.192.113.21: S 3748804944:3748804944(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
(authentic,confidential): SPI 0x01112673: 192.168.191.254.7600 > 192.168.192.115.21: S 2048028966:2048028966(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
(authentic,confidential): SPI 0x01112673: 192.168.191.254.27440 > 192.168.192.113.21: S 3748804944:3748804944(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
(authentic,confidential): SPI 0x01112673: 192.168.191.254.7600 > 192.168.192.115.21: S 2048028966:2048028966(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
(authentic,confidential): SPI 0x01112673: 192.168.191.254.27440 > 192.168.192.113.21: S 3748804944:3748804944(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
(authentic,confidential): SPI 0x01112673: 192.168.191.254.7600 > 192.168.192.115.21: S 2048028966:2048028966(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
(authentic,confidential): SPI 0x01112673: 192.168.191.254.6478 > 192.168.192.113.21: S 208296092:208296092(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
(authentic,confidential): SPI 0x01112673: 192.168.191.254.11298 > 192.168.192.115.21: S 3712341480:3712341480(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
(authentic,confidential): SPI 0x01112673: 192.168.191.254.11298 > 192.168.192.115.21: S 3712341480:3712341480(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
(authentic,confidential): SPI 0x01112673: 192.168.191.254.6478 > 192.168.192.113.21: S 208296092:208296092(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
(authentic,confidential): SPI 0x01112673: 192.168.191.254.11298 > 192.168.192.115.21: S 3712341480:3712341480(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
(authentic,confidential): SPI 0x01112673: 192.168.191.254.6478 > 192.168.192.113.21: S 208296092:208296092(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)

tcpdump -neti pflog0 action block :
-----------------------------------

rule 0/(match) block out on rl0: 192.168.191.254.26486 > 192.168.192.115.21: S 4267692740:4267692740(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.22980 > 192.168.192.113.21: S 3045080857:3045080857(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.26486 > 192.168.192.115.21: S 4267692740:4267692740(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.22980 > 192.168.192.113.21: S 3045080857:3045080857(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.26486 > 192.168.192.115.21: S 4267692740:4267692740(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block in on bge0: 192.168.0.90.137 > 192.168.0.255.137: udp 50
rule 0/(match) block out on rl0: 192.168.191.254.24461 > 192.168.192.113.21: S 2995623372:2995623372(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.32214 > 192.168.192.115.21: S 2747258712:2747258712(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.24461 > 192.168.192.113.21: S 2995623372:2995623372(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.32214 > 192.168.192.115.21: S 2747258712:2747258712(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.24461 > 192.168.192.113.21: S 2995623372:2995623372(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.32214 > 192.168.192.115.21: S 2747258712:2747258712(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block in on bge0: 192.168.0.90.138 > 192.168.0.255.138: udp 201
rule 0/(match) block out on rl0: 192.168.191.254.28033 > 192.168.192.113.21: S 144558888:144558888(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.22274 > 192.168.192.115.21: S 1192551097:1192551097(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.22274 > 192.168.192.115.21: S 1192551097:1192551097(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.28033 > 192.168.192.113.21: S 144558888:144558888(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.22274 > 192.168.192.115.21: S 1192551097:1192551097(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.28033 > 192.168.192.113.21: S 144558888:144558888(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block in on bge0: 192.168.0.13.138 > 192.168.0.255.138: udp 201
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block out on rl0: 192.168.191.254.20032 > 192.168.192.113.21: S 627212253:627212253(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.8843 > 192.168.192.115.21: S 3116891829:3116891829(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.8843 > 192.168.192.115.21: S 3116891829:3116891829(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.20032 > 192.168.192.113.21: S 627212253:627212253(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.8843 > 192.168.192.115.21: S 3116891829:3116891829(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.20032 > 192.168.192.113.21: S 627212253:627212253(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block in on bge0: 192.168.0.106.138 > 192.168.0.255.138: udp 201 (DF)
rule 0/(match) block in on bge0: 192.168.0.106.138 > 192.168.0.255.138: udp 204 (DF)
rule 0/(match) block in on bge0: 192.168.0.96.137 > 192.168.0.255.137: udp 68
rule 0/(match) block in on bge0: 192.168.0.96.137 > 192.168.0.255.137: udp 68
rule 0/(match) block in on bge0: 192.168.0.96.137 > 192.168.0.255.137: udp 68
rule 0/(match) block in on bge0: 192.168.0.96.137 > 192.168.0.255.137: udp 68
rule 0/(match) block in on bge0: 192.168.0.96.137 > 192.168.0.255.137: udp 68
rule 0/(match) block in on bge0: 192.168.0.96.137 > 192.168.0.255.137: udp 68
rule 0/(match) block in on bge0: 192.168.0.96.137 > 192.168.0.255.137: udp 68
rule 0/(match) block in on bge0: 192.168.0.96.137 > 192.168.0.255.137: udp 68
rule 0/(match) block in on bge0: 192.168.0.96.137 > 192.168.0.255.137: udp 68
rule 0/(match) block in on bge0: 192.168.0.96.137 > 192.168.0.255.137: udp 68
rule 0/(match) block in on bge0: 192.168.0.96.137 > 192.168.0.255.137: udp 68
rule 0/(match) block in on bge0: 192.168.0.96.137 > 192.168.0.255.137: udp 68
rule 0/(match) block in on bge0: 192.168.0.93.138 > 192.168.0.255.138: udp 201
rule 0/(match) block in on bge0: 192.168.0.96.138 > 192.168.0.255.138: udp 201
rule 0/(match) block in on bge0: 192.168.0.96 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.96 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92.137 > 192.168.0.255.137: udp 50
rule 0/(match) block in on bge0: 192.168.0.92.137 > 192.168.0.255.137: udp 50
rule 0/(match) block in on bge0: 192.168.0.92.137 > 192.168.0.255.137: udp 50
rule 0/(match) block in on bge0: 192.168.0.92.137 > 192.168.0.255.137: udp 50
rule 0/(match) block in on bge0: 192.168.0.92.137 > 192.168.0.255.137: udp 50
rule 0/(match) block in on bge0: 192.168.0.92.137 > 192.168.0.255.137: udp 50
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block out on rl0: 192.168.191.254.26415 > 192.168.192.113.21: S 2708323010:2708323010(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.24441 > 192.168.192.115.21: S 3574680055:3574680055(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block in on bge0: 10.0.0.115.137 > 10.0.0.255.137: udp 50 (DF)
rule 0/(match) block in on bge0: 10.0.0.115.137 > 10.0.0.255.137: udp 50 (DF)
rule 0/(match) block in on bge0: 10.0.0.115.137 > 10.0.0.255.137: udp 50 (DF)
rule 0/(match) block out on rl0: 192.168.191.254.24441 > 192.168.192.115.21: S 3574680055:3574680055(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.26415 > 192.168.192.113.21: S 2708323010:2708323010(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block in on bge0: 10.0.0.115.137 > 10.0.0.255.137: udp 50 (DF)
rule 0/(match) block in on bge0: 10.0.0.115.138 > 10.0.0.255.138: udp 183 (DF)
rule 0/(match) block in on bge0: 10.0.0.114.137 > 10.0.0.255.137: udp 50
rule 0/(match) block in on bge0: 10.0.0.114.137 > 10.0.0.255.137: udp 50
rule 0/(match) block out on rl0: 192.168.191.254.24441 > 192.168.192.115.21: S 3574680055:3574680055(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.26415 > 192.168.192.113.21: S 2708323010:2708323010(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block in on bge0: 10.0.0.114.137 > 10.0.0.255.137: udp 50
rule 0/(match) block in on rl0: 222.186.24.88.6000 > 11.11.11.11.2967: S 424673280:424673280(0) win 16384
rule 0/(match) block in on bge0: 192.168.0.96.138 > 192.168.0.255.138: udp 201
rule 0/(match) block in on bge0: 192.168.0.92.137 > 192.168.0.255.137: udp 50
rule 0/(match) block in on bge0: 192.168.0.92.137 > 192.168.0.255.137: udp 50
rule 0/(match) block in on bge0: 192.168.0.92.137 > 192.168.0.255.137: udp 50
rule 0/(match) block out on rl0: 192.168.191.254.22620 > 192.168.192.113.21: S 1458540138:1458540138(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.5512 > 192.168.192.115.21: S 1144270903:1144270903(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.5512 > 192.168.192.115.21: S 1144270903:1144270903(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.22620 > 192.168.192.113.21: S 1458540138:1458540138(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.5512 > 192.168.192.115.21: S 1144270903:1144270903(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.21194 > 192.168.192.113.21: S 2050700805:2050700805(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.10586 > 192.168.192.115.21: S 2056532055:2056532055(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block in on bge0: 192.168.0.96.138 > 192.168.0.255.138: udp 174
rule 0/(match) block in on bge0: 192.168.0.96.137 > 192.168.0.255.137: udp 50
rule 0/(match) block in on bge0: 192.168.0.96.137 > 192.168.0.255.137: udp 50
rule 0/(match) block in on bge0: 192.168.0.96.137 > 192.168.0.255.137: udp 50
rule 0/(match) block in on bge0: 192.168.0.96.137 > 192.168.0.255.137: udp 50
rule 0/(match) block out on rl0: 192.168.191.254.21194 > 192.168.192.113.21: S 2050700805:2050700805(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.10586 > 192.168.192.115.21: S 2056532055:2056532055(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.21194 > 192.168.192.113.21: S 2050700805:2050700805(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.10586 > 192.168.192.115.21: S 2056532055:2056532055(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block in on bge0: 192.168.0.144.138 > 192.168.0.255.138: udp 201
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.90.137 > 192.168.0.255.137: udp 50
rule 0/(match) block in on bge0: 192.168.0.90.137 > 192.168.0.255.137: udp 50
rule 0/(match) block in on bge0: 192.168.0.90.137 > 192.168.0.255.137: udp 50
rule 0/(match) block in on bge0: 192.168.0.96.138 > 192.168.0.255.138: udp 201
rule 0/(match) block out on rl0: 192.168.191.254.23460 > 192.168.192.113.21: S 2343404651:2343404651(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.2484 > 192.168.192.115.21: S 194258043:194258043(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.23460 > 192.168.192.113.21: S 2343404651:2343404651(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.2484 > 192.168.192.115.21: S 194258043:194258043(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.23460 > 192.168.192.113.21: S 2343404651:2343404651(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.2484 > 192.168.192.115.21: S 194258043:194258043(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block out on rl0: 192.168.191.254.22382 > 192.168.192.113.21: S 939136304:939136304(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.4963 > 192.168.192.115.21: S 118026792:118026792(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.4963 > 192.168.192.115.21: S 118026792:118026792(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.

If you can help me please.?.

Last edited by wesley; 22nd September 2009 at 12:33 PM. Reason: there was an error
Reply With Quote
Old 22nd September 2009
jggimi's Avatar
jggimi jggimi is online now
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,675
Thanked 214 Times in 189 Posts
Default

The very first pflog0 entry is:
Code:
rule 0/(match) block out on rl0: 192.168.191.254.26486 > 192.168.192.115.21:
Rule #0 is your first filter rule: "block log all". This is traffic from a high number, random port from a computer at the factory, destined to port 21, the FTP control port, on your FTP server at 192.168.192.115.

There is no pass rule matching this traffic.
Reply With Quote
Old 22nd September 2009
wesley wesley is offline
Real Name: Wesley
Fdisk Soldier
 
Join Date: Aug 2009
Location: Reunion Island
Posts: 76
Thanked 1 Time in 1 Post
Default

Ok, i will add this line :
pass on egress proto tcp from 192.168.191.0/24 to 192.168.192.115 port 21

Last edited by wesley; 22nd September 2009 at 07:11 PM. Reason: correction line
Reply With Quote
Old 22nd September 2009
jggimi's Avatar
jggimi jggimi is online now
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,675
Thanked 214 Times in 189 Posts
Default

Be sure to read the Issues with FTP section of the PF Users Guide: http://www.openbsd.org/faq/pf/ftp.html -- it is available in French, if you prefer:

Gestion du Protocole FTP
Reply With Quote
Old 23rd September 2009
wesley wesley is offline
Real Name: Wesley
Fdisk Soldier
 
Join Date: Aug 2009
Location: Reunion Island
Posts: 76
Thanked 1 Time in 1 Post
Default ftpproxy

ftproxy functions seen well that outside, at home, I can reach the nas.
Reply With Quote
Old 23rd September 2009
wesley wesley is offline
Real Name: Wesley
Fdisk Soldier
 
Join Date: Aug 2009
Location: Reunion Island
Posts: 76
Thanked 1 Time in 1 Post
Default

i ve added these lines :

pass in on egress inet proto tcp to 192.168.192.113 port 21 \
flags S/SA keep state
pass out on $int_if inet proto tcp to 192.168.192.115 port 21 \
user proxy flags S/SA keep state
pass out on egress proto tcp from 192.168.191.254 to 192.168.192.115 port 21
pass out on egress proto tcp from 192.168.191.254 to 192.168.192.113 port 21
Reply With Quote
Old 23rd September 2009
jggimi's Avatar
jggimi jggimi is online now
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,675
Thanked 214 Times in 189 Posts
Default

Since your company needs to communicate effectively with the factory in Asia, and time may be a critical business consideration -- you (and your company) might consider a commercial consultant. See http://www.openbsd.org/support.html which is organized by country.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
ipsec with client nat sicute OpenBSD General 0 30th October 2008 05:39 PM
Routing between site-to-site tunnels docrice OpenBSD General 5 26th September 2008 09:21 AM
IPsec on openbsd hitete OpenBSD Installation and Upgrading 1 12th July 2008 01:57 AM
Bare Minimum Site-to-Site VPN on OpenBSD ai-danno Guides 0 20th May 2008 12:45 AM
Transferring away from the other site... s2scott Feedback and Suggestions 2 5th May 2008 09:47 AM


All times are GMT. The time now is 03:14 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick