pf: why is that rule not working?
Hello,
The situation is simple: two machines are behind NAT and I'm operating on the NAT box. The NAT is set up correctly - both of the machines are connected to the Internet. I have a few IPs from the Internet that are put into a table <data>. I'm trying to learn PF, but something is not going well. I have a rule that doesn't match. In order to debug things, I've set up logging on that rule and it really doesn't match at all. Could you explain to me why? Forget about the (probably messed up) ALTQ; right now all I want is to understand why the last rule doesn't match.
Code:
    ### Macros
    int_if = "re0"
    ext_if = "rl0"
    ext_ip = "192.168.1.2"

    ### Tables
    table <network> { 192.168.0.34, 192.168.0.223 }
    table <data> persist file "/root/ip-store.data"

    ### Normalizations
    scrub in all

    ### Queueing
    altq on $int_if hfsc bandwidth 10Mb queue {general, data}
    queue general bandwidth 4Mb hfsc (realtime 4Mb upperlimit 4Mb default)
    queue data bandwidth 1Mb hfsc (realtime 128Kb upperlimit 256Kb)

    ### Translation
    nat pass on $ext_if from <network> to any -> $ext_ip

    ### Filtering
    #pass log (all to pflog0) on $ext_if proto icmp # this is working on pflog0 or pflog1, so the probability of the logging devices not working is zero
    pass out log (all to pflog1) on $int_if proto tcp from <data> to <network> # this is not working - nothing is logged to pflog1
As you have seen, I'm trying to do some ALTQ on the internal interface (for incoming traffic I think this is the right interface?), and that's why I need that rule to get working. I assume something is totally wrong in my setup or in my understanding, isn't it?

***

Things are getting even more confusing! I changed
Code:
    pass out log (all to pflog1) on $int_if proto tcp from <data> to <network>
to
Code:
    pass in log (all to pflog1) on $int_if proto tcp from <network> to <data>
Despite the "from <network> to any", I see in tcpdump packets flying in both directions, like:
Code:
    19:51:36.024411 IP 195.149.248.137.80 > 192.168.0.34.46276: tcp 1472 [bad hdr length 8 - too short, < 20]
    19:51:36.024738 IP 192.168.0.34.46276 > 195.149.248.137.80: tcp 12 [bad hdr length 8 - too short, < 20]
And why does the opposite direction rule again not match?
Code:
    pass out log (all to pflog0) on $int_if proto tcp from <data> to <network>
I'd say there is something even more interesting. I see packets on pflog1, but according to pfctl -s rules, there shouldn't be any packets at all:
Code:
    # pfctl -v -s rules
    scrub in all fragment reassemble
      [ Evaluations: 39611     Packets: 19895     Bytes: 7958775     States: 0     ]
      [ Inserted: uid 0 pid 3338 ]
    pass out quick on re0 from any to <network> flags S/SA keep state label "incomming"
      [ Evaluations: 5050      Packets: 8         Bytes: 1747        States: 8     ]
      [ Inserted: uid 0 pid 3338 ]
    pass in log (all, to pflog1) on re0 proto tcp from <network> to <data> flags S/SA keep state label "??? in"
      [ Evaluations: 4688      Packets: 0         Bytes: 0           States: 0     ]   <--- packets 0 !
      [ Inserted: uid 0 pid 3338 ]
    pass in log (all) on rl0 proto tcp from <data> to <network> flags S/SA keep state label "??? out"
      [ Evaluations: 3186      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 3338 ]
Last edited by ivanatora; 1st December 2008 at 06:57 PM.
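On a NAT box the first packet of a LAN-initiated TCP connection is the SYN arriving on the internal interface, and with pf's default "flags S/SA keep state" only that bare SYN can create a state, so a rule written for the reply direction on that interface only ever sees SYN/ACKs and never matches. The ruleset below is an added example, not the poster's configuration; it keeps the same interface names, addresses and tables, assumes pflog1 has been created (ifconfig pflog1 create), and lets the inbound rule on re0 create, log and queue the connection instead.

```pf
# Added example ruleset (not the poster's): same macros and tables, different filter rules.
int_if = "re0"
ext_if = "rl0"
ext_ip = "192.168.1.2"

table <network> { 192.168.0.34, 192.168.0.223 }
table <data> persist file "/root/ip-store.data"

scrub in all

# Downloads from <data> hosts leave the box on $int_if, so that is where the
# ALTQ queues have to live.  A rule's 'queue' keyword is applied to packets of
# that rule's state when they are transmitted on an interface that has altq,
# even if the rule itself is a 'pass in' rule.
altq on $int_if hfsc bandwidth 10Mb queue { general, data }
queue general bandwidth 4Mb hfsc (realtime 4Mb upperlimit 4Mb default)
queue data    bandwidth 1Mb hfsc (realtime 128Kb upperlimit 256Kb)

# Translation only: without 'pass' the filter rules below decide, count and
# log every connection instead of the nat rule passing it silently.
nat on $ext_if from <network> to any -> $ext_ip

# A TCP connection from the LAN enters the box on $int_if ('in'), and with the
# default 'flags S/SA' only its bare SYN can create a state.  The replies come
# back as SYN/ACK, so a 'pass out on $int_if from <data> to <network>' rule
# never receives a packet it is allowed to create state for and never matches.
# Once this rule has created the state, every further packet of the connection
# on $int_if, in both directions, is matched against that state rather than
# the rule list: 'log (all)' writes all of them to pflog1 and 'queue data'
# shapes the replies as they leave $int_if.
pass in log (all, to pflog1) on $int_if proto tcp from <network> to <data> \
    flags S/SA keep state queue data label "lan-to-data"

# Everything else from the LAN, and the translated packets on $ext_if, which
# get their own state on that interface.
pass in on $int_if from <network> to any keep state label "lan-to-any"
pass out on $ext_if from $ext_ip to any keep state label "ext-out"
```

Check the syntax with pfctl -nf before loading, then compare the per-label counters from pfctl -vs rules with what tcpdump -n -e -ttt -i pflog1 shows.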