OpenBSD Security: Functionally paranoid!

VPN is OK, but the factory can't ping or access the FTP.
When I use tcpdump, I can see some packets, but nothing is blocked.

no_traffic:single ??

Hello,
VPN is mounted but there's no traffic. For recall:

Code:
Factory ip : 22.22.22.22
factory lan : 10.0.0.0/8 --> biNAT--> 192.168.191.0
Our ip : 11.11.11.11
Our lan : 10.0.0.0/24 --> biNAT --> 192.168.192.0
our ftp : 10.0.0.115 --> biNAT --> 192.168.192.115
our OpenBSD Firewall : 10.0.0.113 (ftpproxy) -->biNAT--> 192.168.192.113

You will find my pf.conf and ipsec.conf files attached.

pfctl -s states:
Code:
all tcp 10.0.0.114:25 (11.11.11.11:25) <- 193.253.100.193:1311 ESTABLISHED:ESTABLISHED
all tcp 193.253.100.193:1311 -> 10.0.0.114:25 ESTABLISHED:ESTABLISHED
all tcp 10.0.0.114:25 (11.11.11.11:25) <- 193.253.100.193:1316 ESTABLISHED:ESTABLISHED
all tcp 193.253.100.193:1316 -> 10.0.0.114:25 ESTABLISHED:ESTABLISHED
all tcp 10.0.0.114:110 (11.11.11.11:110) <- 193.253.100.193:1320 ESTABLISHED:ESTABLISHED
all tcp 193.253.100.193:1320 -> 10.0.0.114:110 ESTABLISHED:ESTABLISHED
all tcp 10.0.0.114:25 (11.11.11.11:25) <- 193.253.100.193:1328 ESTABLISHED:ESTABLISHED
all tcp 193.253.100.193:1328 -> 10.0.0.114:25 ESTABLISHED:ESTABLISHED
all tcp 10.0.0.114:110 (11.11.11.11:110) <- 193.253.99.118:2600 FIN_WAIT_2:FIN_WAIT_2
all tcp 193.253.99.118:2600 -> 10.0.0.114:110 FIN_WAIT_2:FIN_WAIT_2
all tcp 10.0.0.114:110 (11.11.11.11:110) <- 193.253.99.118:2979 FIN_WAIT_2:FIN_WAIT_2
all tcp 193.253.99.118:2979 -> 10.0.0.114:110 FIN_WAIT_2:FIN_WAIT_2
all esp 11.11.11.11 <- 22.22.22.22 NO_TRAFFIC:SINGLE

Code:
Sep 22 09:10:15.348127 rule 0/(match) block in on bge0: 192.168.0.13.138 > 192.168.0.255.138: udp 201
Sep 22 09:10:16.268114 rule 0/(match) block out on rl0: 192.168.191.254.11215 > 192.168.192.113.21: S 416012410:416012410(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:10:16.270094 rule 0/(match) block out on rl0: 192.168.191.254.5558 > 192.168.192.115.21: S 3008802303:3008802303(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:10:19.442729 rule 0/(match) block out on rl0: 192.168.191.254.5558 > 192.168.192.115.21: S 3008802303:3008802303(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:10:19.442782 rule 0/(match) block out on rl0: 192.168.191.254.11215 > 192.168.192.113.21: S 416012410:416012410(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:10:21.744797 rule 0/(match) block in on bge0: 10.0.0.114.138 > 10.0.0.255.138: udp 204
Sep 22 09:10:26.004802 rule 0/(match) block out on rl0: 192.168.191.254.5558 > 192.168.192.115.21: S 3008802303:3008802303(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:10:26.004856 rule 0/(match) block out on rl0: 192.168.191.254.11215 > 192.168.192.113.21: S 416012410:416012410(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:10:55.980627 rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Sep 22 09:10:55.987199 rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Sep 22 09:10:56.055641 rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Sep 22 09:10:56.132420 rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Sep 22 09:10:56.177171 rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Sep 22 09:10:56.347699 rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Sep 22 09:11:00.759127 rule 0/(match) block in on bge0: 192.168.0.92.138 > 192.168.0.255.138: udp 201
Sep 22 09:11:09.724487 rule 0/(match) block out on rl0: 192.168.191.254.22124 > 192.168.192.113.21: S 4242417665:4242417665(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:11:09.724542 rule 0/(match) block out on rl0: 192.168.191.254.12443 > 192.168.192.115.21: S 916436565:916436565(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:11:11.743450 rule 0/(match) block in on bge0: 10.0.0.115.137 > 10.0.0.255.137: udp 50 (DF)
Sep 22 09:11:12.925128 rule 0/(match) block out on rl0: 192.168.191.254.22124 > 192.168.192.113.21: S 4242417665:4242417665(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:11:12.927137 rule 0/(match) block out on rl0: 192.168.191.254.12443 > 192.168.192.115.21: S 916436565:916436565(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:11:13.743026 rule 0/(match) block in on bge0: 10.0.0.115.137 > 10.0.0.255.137: udp 50 (DF)
Sep 22 09:11:13.743317 rule 0/(match) block in on bge0: 10.0.0.115.137 > 10.0.0.255.137: udp 50 (DF)
Sep 22 09:11:15.742900 rule 0/(match) block in on bge0: 10.0.0.115.137 > 10.0.0.255.137: udp 50 (DF)
Sep 22 09:11:15.743629 rule 0/(match) block in on bge0: 10.0.0.115.138 > 10.0.0.255.138: udp 183 (DF)
Sep 22 09:11:19.487204 rule 0/(match) block out on rl0: 192.168.191.254.22124 > 192.168.192.113.21: S 4242417665:4242417665(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:11:19.489208 rule 0/(match) block out on rl0: 192.168.191.254.12443 > 192.168.192.115.21: S 916436565:916436565(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:12:02.397661 rule 0/(match) block out on rl0: 192.168.191.254.20978 > 192.168.192.113.21: S 313707294:313707294(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:12:02.399746 rule 0/(match) block out on rl0: 192.168.191.254.21081 > 192.168.192.115.21: S 32318798:32318798(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:12:05.642545 rule 0/(match) block out on rl0: 192.168.191.254.20978 > 192.168.192.113.21: S 313707294:313707294(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Sep 22 09:12:05.644562 rule 0/(match) block out on rl0: 192.168.191.254.21081 > 192.168.192.115.21: S 32318798:32318798(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

Code:
09:04:06.296541 (authentic,confidential): SPI 0x5a2c3acf: 192.168.191.254.22139 > 192.168.192.113.ftp: S 3367012579:3367012579(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:04:06.296601 (authentic,confidential): SPI 0x5a2c3acf: 192.168.191.254.17868 > 192.168.192.115.ftp: S 2687060267:2687060267(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:04:09.541372 (authentic,confidential): SPI 0x5a2c3acf: 192.168.191.254.22139 > 192.168.192.113.ftp: S 3367012579:3367012579(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:04:09.543372 (authentic,confidential): SPI 0x5a2c3acf: 192.168.191.254.17868 > 192.168.192.115.ftp: S 2687060267:2687060267(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:04:16.103470 (authentic,confidential): SPI 0x5a2c3acf: 192.168.191.254.22139 > 192.168.192.113.ftp: S 3367012579:3367012579(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:04:16.103526 (authentic,confidential): SPI 0x5a2c3acf: 192.168.191.254.17868 > 192.168.192.115.ftp: S 2687060267:2687060267(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:04:59.771111 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.28703 > 192.168.192.113.ftp: S 3433315986:3433315986(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:04:59.772896 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.27475 > 192.168.192.115.ftp: S 647084916:647084916(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:05:03.025847 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.28703 > 192.168.192.113.ftp: S 3433315986:3433315986(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:05:03.025899 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.27475 > 192.168.192.115.ftp: S 647084916:647084916(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:05:09.587923 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.28703 > 192.168.192.113.ftp: S 3433315986:3433315986(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:05:09.587980 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.27475 > 192.168.192.115.ftp: S 647084916:647084916(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:05:52.420076 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.31644 > 192.168.192.113.ftp: S 3932100714:3932100714(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:05:52.420132 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.22769 > 192.168.192.115.ftp: S 1761837725:1761837725(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:05:55.632782 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.31644 > 192.168.192.113.ftp: S 3932100714:3932100714(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:05:55.634783 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.22769 > 192.168.192.115.ftp: S 1761837725:1761837725(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:06:02.196911 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.31644 > 192.168.192.113.ftp: S 3932100714:3932100714(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:06:02.196973 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.22769 > 192.168.192.115.ftp: S 1761837725:1761837725(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:06:45.908543 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.21483 > 192.168.192.113.ftp: S 592730350:592730350(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:06:45.908595 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.10421 > 192.168.192.115.ftp: S 1560911767:1560911767(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:06:49.117237 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.21483 > 192.168.192.113.ftp: S 592730350:592730350(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:06:49.119247 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.10421 > 192.168.192.115.ftp: S 1560911767:1560911767(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
09:06:55.679310 (authentic,confidential): SPI 0xb98d4b73: 192.168.191.254.21483 > 192.168.192.113.ftp: S 592730350:592730350(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

Last edited by Carpetsmoker; 22nd September 2009 at 09:32 AM. Reason: Add [code] tags

There is traffic on enc0, so there is traffic on the tunnel. What it is, I have no idea, because you were only using -i. -neti would provide additional protocol information.

e.g.:
Code:
# tcpdump -neti enc0
# tcpdump -neti pflog0 action block
# tcpdump -neti <gateway nic> net 192.168.1.0/24

Here is additional protocol information:

tcpdump -neti enc0:
-----------------------
(authentic,confidential): SPI 0x01112673: 192.168.191.254.30740 > 192.168.192.113.21: S 2719148255:2719148255(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
(authentic,confidential): SPI 0x01112673: 192.168.191.254.29712 > 192.168.192.115.21: S 26857501:26857501(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
(authentic,confidential): SPI 0x01112673: 192.168.191.254.29712 > 192.168.192.115.21: S 26857501:26857501(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
(authentic,confidential): SPI 0x01112673: 192.168.191.254.30740 > 192.168.192.113.21: S 2719148255:2719148255(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
(authentic,confidential): SPI 0x01112673: 192.168.191.254.29712 > 192.168.192.115.21: S 26857501:26857501(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
(authentic,confidential): SPI 0x01112673: 192.168.191.254.30740 > 192.168.192.113.21: S 2719148255:2719148255(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
(authentic,confidential): SPI 0x01112673: 192.168.191.254.27440 > 192.168.192.113.21: S 3748804944:3748804944(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
(authentic,confidential): SPI 0x01112673: 192.168.191.254.7600 > 192.168.192.115.21: S 2048028966:2048028966(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
(authentic,confidential): SPI 0x01112673: 192.168.191.254.27440 > 192.168.192.113.21: S 3748804944:3748804944(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
(authentic,confidential): SPI 0x01112673: 192.168.191.254.7600 > 192.168.192.115.21: S 2048028966:2048028966(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
(authentic,confidential): SPI 0x01112673: 192.168.191.254.27440 > 192.168.192.113.21: S 3748804944:3748804944(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
(authentic,confidential): SPI 0x01112673: 192.168.191.254.7600 > 192.168.192.115.21: S 2048028966:2048028966(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
(authentic,confidential): SPI 0x01112673: 192.168.191.254.6478 > 192.168.192.113.21: S 208296092:208296092(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
(authentic,confidential): SPI 0x01112673: 192.168.191.254.11298 > 192.168.192.115.21: S 3712341480:3712341480(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
(authentic,confidential): SPI 0x01112673: 192.168.191.254.11298 > 192.168.192.115.21: S 3712341480:3712341480(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
(authentic,confidential): SPI 0x01112673: 192.168.191.254.6478 > 192.168.192.113.21: S 208296092:208296092(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
(authentic,confidential): SPI 0x01112673: 192.168.191.254.11298 > 192.168.192.115.21: S 3712341480:3712341480(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)
(authentic,confidential): SPI 0x01112673: 192.168.191.254.6478 > 192.168.192.113.21: S 208296092:208296092(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) (encap)

tcpdump -neti pflog0 action block:
-----------------------------------
rule 0/(match) block out on rl0: 192.168.191.254.26486 > 192.168.192.115.21: S 4267692740:4267692740(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.22980 > 192.168.192.113.21: S 3045080857:3045080857(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.26486 > 192.168.192.115.21: S 4267692740:4267692740(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.22980 > 192.168.192.113.21: S 3045080857:3045080857(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.26486 > 192.168.192.115.21: S 4267692740:4267692740(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block in on bge0: 192.168.0.90.137 > 192.168.0.255.137: udp 50
rule 0/(match) block out on rl0: 192.168.191.254.24461 > 192.168.192.113.21: S 2995623372:2995623372(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.32214 > 192.168.192.115.21: S 2747258712:2747258712(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.24461 > 192.168.192.113.21: S 2995623372:2995623372(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.32214 > 192.168.192.115.21: S 2747258712:2747258712(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.24461 > 192.168.192.113.21: S 2995623372:2995623372(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.32214 > 192.168.192.115.21: S 2747258712:2747258712(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block in on bge0: 192.168.0.90.138 > 192.168.0.255.138: udp 201
rule 0/(match) block out on rl0: 192.168.191.254.28033 > 192.168.192.113.21: S 144558888:144558888(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.22274 > 192.168.192.115.21: S 1192551097:1192551097(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.22274 > 192.168.192.115.21: S 1192551097:1192551097(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.28033 > 192.168.192.113.21: S 144558888:144558888(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.22274 > 192.168.192.115.21: S 1192551097:1192551097(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.28033 > 192.168.192.113.21: S 144558888:144558888(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block in on bge0: 192.168.0.13.138 > 192.168.0.255.138: udp 201
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block out on rl0: 192.168.191.254.20032 > 192.168.192.113.21: S 627212253:627212253(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.8843 > 192.168.192.115.21: S 3116891829:3116891829(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.8843 > 192.168.192.115.21: S 3116891829:3116891829(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.20032 > 192.168.192.113.21: S 627212253:627212253(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.8843 > 192.168.192.115.21: S 3116891829:3116891829(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.20032 > 192.168.192.113.21: S 627212253:627212253(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block in on bge0: 192.168.0.106.138 > 192.168.0.255.138: udp 201 (DF)
rule 0/(match) block in on bge0: 192.168.0.106.138 > 192.168.0.255.138: udp 204 (DF)
rule 0/(match) block in on bge0: 192.168.0.96.137 > 192.168.0.255.137: udp 68
rule 0/(match) block in on bge0: 192.168.0.96.137 > 192.168.0.255.137: udp 68
rule 0/(match) block in on bge0: 192.168.0.96.137 > 192.168.0.255.137: udp 68
rule 0/(match) block in on bge0: 192.168.0.96.137 > 192.168.0.255.137: udp 68
rule 0/(match) block in on bge0: 192.168.0.96.137 > 192.168.0.255.137: udp 68
rule 0/(match) block in on bge0: 192.168.0.96.137 > 192.168.0.255.137: udp 68
rule 0/(match) block in on bge0: 192.168.0.96.137 > 192.168.0.255.137: udp 68
rule 0/(match) block in on bge0: 192.168.0.96.137 > 192.168.0.255.137: udp 68
rule 0/(match) block in on bge0: 192.168.0.96.137 > 192.168.0.255.137: udp 68
rule 0/(match) block in on bge0: 192.168.0.96.137 > 192.168.0.255.137: udp 68
rule 0/(match) block in on bge0: 192.168.0.96.137 > 192.168.0.255.137: udp 68
rule 0/(match) block in on bge0: 192.168.0.96.137 > 192.168.0.255.137: udp 68
rule 0/(match) block in on bge0: 192.168.0.93.138 > 192.168.0.255.138: udp 201
rule 0/(match) block in on bge0: 192.168.0.96.138 > 192.168.0.255.138: udp 201
rule 0/(match) block in on bge0: 192.168.0.96 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.96 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92.137 > 192.168.0.255.137: udp 50
rule 0/(match) block in on bge0: 192.168.0.92.137 > 192.168.0.255.137: udp 50
rule 0/(match) block in on bge0: 192.168.0.92.137 > 192.168.0.255.137: udp 50
rule 0/(match) block in on bge0: 192.168.0.92.137 > 192.168.0.255.137: udp 50
rule 0/(match) block in on bge0: 192.168.0.92.137 > 192.168.0.255.137: udp 50
rule 0/(match) block in on bge0: 192.168.0.92.137 > 192.168.0.255.137: udp 50
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block out on rl0: 192.168.191.254.26415 > 192.168.192.113.21: S 2708323010:2708323010(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.24441 > 192.168.192.115.21: S 3574680055:3574680055(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block in on bge0: 10.0.0.115.137 > 10.0.0.255.137: udp 50 (DF)
rule 0/(match) block in on bge0: 10.0.0.115.137 > 10.0.0.255.137: udp 50 (DF)
rule 0/(match) block in on bge0: 10.0.0.115.137 > 10.0.0.255.137: udp 50 (DF)
rule 0/(match) block out on rl0: 192.168.191.254.24441 > 192.168.192.115.21: S 3574680055:3574680055(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.26415 > 192.168.192.113.21: S 2708323010:2708323010(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block in on bge0: 10.0.0.115.137 > 10.0.0.255.137: udp 50 (DF)
rule 0/(match) block in on bge0: 10.0.0.115.138 > 10.0.0.255.138: udp 183 (DF)
rule 0/(match) block in on bge0: 10.0.0.114.137 > 10.0.0.255.137: udp 50
rule 0/(match) block in on bge0: 10.0.0.114.137 > 10.0.0.255.137: udp 50
rule 0/(match) block out on rl0: 192.168.191.254.24441 > 192.168.192.115.21: S 3574680055:3574680055(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.26415 > 192.168.192.113.21: S 2708323010:2708323010(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block in on bge0: 10.0.0.114.137 > 10.0.0.255.137: udp 50
rule 0/(match) block in on rl0: 222.186.24.88.6000 > 11.11.11.11.2967: S 424673280:424673280(0) win 16384
rule 0/(match) block in on bge0: 192.168.0.96.138 > 192.168.0.255.138: udp 201
rule 0/(match) block in on bge0: 192.168.0.92.137 > 192.168.0.255.137: udp 50
rule 0/(match) block in on bge0: 192.168.0.92.137 > 192.168.0.255.137: udp 50
rule 0/(match) block in on bge0: 192.168.0.92.137 > 192.168.0.255.137: udp 50
rule 0/(match) block out on rl0: 192.168.191.254.22620 > 192.168.192.113.21: S 1458540138:1458540138(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.5512 > 192.168.192.115.21: S 1144270903:1144270903(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.5512 > 192.168.192.115.21: S 1144270903:1144270903(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.22620 > 192.168.192.113.21: S 1458540138:1458540138(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.5512 > 192.168.192.115.21: S 1144270903:1144270903(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.21194 > 192.168.192.113.21: S 2050700805:2050700805(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.10586 > 192.168.192.115.21: S 2056532055:2056532055(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block in on bge0: 192.168.0.96.138 > 192.168.0.255.138: udp 174
rule 0/(match) block in on bge0: 192.168.0.96.137 > 192.168.0.255.137: udp 50
rule 0/(match) block in on bge0: 192.168.0.96.137 > 192.168.0.255.137: udp 50
rule 0/(match) block in on bge0: 192.168.0.96.137 > 192.168.0.255.137: udp 50
rule 0/(match) block in on bge0: 192.168.0.96.137 > 192.168.0.255.137: udp 50
rule 0/(match) block out on rl0: 192.168.191.254.21194 > 192.168.192.113.21: S 2050700805:2050700805(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.10586 > 192.168.192.115.21: S 2056532055:2056532055(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.21194 > 192.168.192.113.21: S 2050700805:2050700805(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.10586 > 192.168.192.115.21: S 2056532055:2056532055(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block in on bge0: 192.168.0.144.138 > 192.168.0.255.138: udp 201
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.90.137 > 192.168.0.255.137: udp 50
rule 0/(match) block in on bge0: 192.168.0.90.137 > 192.168.0.255.137: udp 50
rule 0/(match) block in on bge0: 192.168.0.90.137 > 192.168.0.255.137: udp 50
rule 0/(match) block in on bge0: 192.168.0.96.138 > 192.168.0.255.138: udp 201
rule 0/(match) block out on rl0: 192.168.191.254.23460 > 192.168.192.113.21: S 2343404651:2343404651(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.2484 > 192.168.192.115.21: S 194258043:194258043(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.23460 > 192.168.192.113.21: S 2343404651:2343404651(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.2484 > 192.168.192.115.21: S 194258043:194258043(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.23460 > 192.168.192.113.21: S 2343404651:2343404651(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.2484 > 192.168.192.115.21: S 194258043:194258043(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block out on rl0: 192.168.191.254.22382 > 192.168.192.113.21: S 939136304:939136304(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.4963 > 192.168.192.115.21: S 118026792:118026792(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.4963 > 192.168.192.115.21: S 118026792:118026792(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.

If you can help me, please?

Last edited by wesley; 22nd September 2009 at 12:33 PM. Reason: there was an error

The very first pflog0 entry is:
Code:
rule 0/(match) block out on rl0: 192.168.191.254.26486 > 192.168.192.115.21:
There is no pass rule matching this traffic.

OK, I will add this line:
Code:
pass on egress proto tcp from 192.168.191.0/24 to 192.168.192.115 port 21

Last edited by wesley; 22nd September 2009 at 07:11 PM. Reason: correction line

Be sure to read the Issues with FTP section of the PF User's Guide: http://www.openbsd.org/faq/pf/ftp.html -- it is available in French, if you prefer:
Gestion du Protocole FTP
|
|||
ftpproxy
ftproxy functions seen well that outside, at home, I can reach the nas.
|
|

I've added these lines:
Code:
pass in on egress inet proto tcp to 192.168.192.113 port 21 \
    flags S/SA keep state
pass out on $int_if inet proto tcp to 192.168.192.115 port 21 \
    user proxy flags S/SA keep state
pass out on egress proto tcp from 192.168.191.254 to 192.168.192.115 port 21
pass out on egress proto tcp from 192.168.191.254 to 192.168.192.113 port 21
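The diagnostic suggested earlier in the thread (tcpdump -neti pflog0 action block) and the pass rules wesley adds afterwards both depend on picking the one relevant flow out of a pflog that is mostly NetBIOS and IGMP broadcast noise. The script below is an added example, not code from the thread or from OpenBSD. It assumes what the thread states: rl0 is the external interface, bge0 the internal one, and 192.168.192.0/24 is our side's biNAT network; its sample log lines are constructed to match the thread's pflog0 output. It collapses the log into distinct blocked flows and then isolates those whose destination is still a biNAT address as pf filters them outbound on the external interface, which is exactly the traffic the replies say no pass rule covers.

```shell
#!/bin/sh
# Added example, not a script from the thread or from OpenBSD.
# Input: the text "tcpdump -neti pflog0 action block" prints (with or without
# timestamps). Output: one line per distinct blocked flow, so the tunnel flows
# stand out from the NetBIOS/IGMP broadcast noise that fills the dumps above.
# Assumptions taken from the thread: rl0 is the external interface, bge0 the
# internal one, and 192.168.192.0/24 is our side's biNAT network.

# Constructed sample, shaped like the thread's pflog0 output.
SAMPLE_PFLOG='rule 0/(match) block out on rl0: 192.168.191.254.26486 > 192.168.192.115.21: S 4267692740:4267692740(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.22980 > 192.168.192.113.21: S 3045080857:3045080857(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block out on rl0: 192.168.191.254.26486 > 192.168.192.115.21: S 4267692740:4267692740(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
rule 0/(match) block in on bge0: 192.168.0.90.137 > 192.168.0.255.137: udp 50
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on bge0: 192.168.0.92 > 224.0.0.22: igmp-2 [v2] [ttl 1]
rule 0/(match) block in on rl0: 222.186.24.88.6000 > 11.11.11.11.2967: S 424673280:424673280(0) win 16384'

# summarize_blocks: stdin = pflog text, stdout = "count dir iface src > dst",
# most frequent first. The client's ephemeral source port is dropped so that
# retries from new ports count as one flow; the destination port is kept
# because it is what a pass rule has to name.
summarize_blocks() {
    awk '
    {
        # locate the "block" token so lines with or without a timestamp parse
        for (i = 1; i <= NF; i++) if ($i == "block") break
        if (i > NF) next
        dir = $(i + 1)
        if (dir != "in" && dir != "out") next
        iface = $(i + 3); sub(/:$/, "", iface)
        src = $(i + 4)
        dst = $(i + 6); sub(/:$/, "", dst)
        n = split(src, a, ".")
        if (n == 5) src = a[1] "." a[2] "." a[3] "." a[4]   # strip src port
        count[dir " " iface " " src " > " dst]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# blocked_flow_count: number of distinct blocked flows in the sample.
blocked_flow_count() {
    printf '%s\n' "$SAMPLE_PFLOG" | summarize_blocks | wc -l | tr -d ' '
}

# blocks_to ADDR.PORT: how many blocked packets were headed for that endpoint.
blocks_to() {
    printf '%s\n' "$SAMPLE_PFLOG" | summarize_blocks |
        awk -v d="$1" '$NF == d { print $1 }'
}

# binat_flows_on_ext_if NET_PREFIX IFACE: the flows whose destination is still a
# biNAT address (prefix such as 192.168.192.) when pf filters them outbound on
# the external interface. These are the flows the replies above say no pass
# rule covers. Output: "src > dst" lines.
binat_flows_on_ext_if() {
    printf '%s\n' "$SAMPLE_PFLOG" | summarize_blocks |
        awk -v net="$1" -v ifc="$2" \
            '$2 == "out" && $3 == ifc && index($NF, net) == 1 { print $4, $5, $6 }'
}

# Stand-alone run: full summary, then the flows that need attention.
printf '%s\n' "$SAMPLE_PFLOG" | summarize_blocks
echo "--- flows to the biNAT network leaving rl0 ---"
binat_flows_on_ext_if 192.168.192. rl0
```

On the firewall itself, source the file and feed a live capture to the first function instead of the sample: tcpdump -neti pflog0 action block | summarize_blocks. Each flow the last function prints maps onto a pass rule of the form wesley used (pass out on egress proto tcp from 192.168.191.254 to 192.168.192.115 port 21); check the edited file with pfctl -nf /etc/pf.conf before loading it. After loading, confirm in pfctl -s state that the FTP flow appears with the translated 10.0.0.115 address shown in parentheses, as the mail states earlier in the thread do for 10.0.0.114; a state that still shows 192.168.192.115 as the destination on rl0 means the packet is leaving the external interface untranslated rather than being delivered to the internal host, and the pass rule alone will not get it to the FTP server.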

Since your company needs to communicate effectively with the factory in Asia, and time may be a critical business consideration -- you (and your company) might consider a commercial consultant. See http://www.openbsd.org/support.html which is organized by country.