DaemonForums > FreeBSD > FreeBSD General

#1   1st December 2008
ivanatora (Real Name: Ivan), Fdisk Soldier, Join Date: Jul 2008, Location: Bulgaria, Posts: 51
pf: why is that rule not working?

Hello,
The situation is simple: two machines are behind NAT and I'm operating on the NAT box. The NAT is set up correctly - both of the machines are connected to the Internet. I have a few IPs from Internet that are put into a table <data>.
I'm trying to learn PF, but something is not going well. I have a rule that doesn't match. In order to debug things, I've set up logging on that rule and it really doesn't match at all. Could you explain to me why?
Forget about the (probably messed up) ALTQ, now everything I want is to understand why the last rule doesn't match.
Code:
### Macros
int_if = "re0"
ext_if = "rl0"
ext_ip = "192.168.1.2"

### Tables
table <network>  { 192.168.0.34, 192.168.0.223 }
table <data> persist file "/root/ip-store.data"

### Normalizations
scrub in all

### Queueing

altq on $int_if hfsc bandwidth 10Mb queue {general, data}
queue general bandwidth 4Mb hfsc (realtime 4Mb upperlimit 4Mb default)   
queue data bandwidth 1Mb hfsc (realtime 128Kb upperlimit 256Kb)

### Translation
nat pass on $ext_if from <network> to any -> $ext_ip

### Filtering

#pass log (all to pflog0) on $ext_if proto icmp # this is working on pflog0 or pflog1, so probability of not working logging devices is zero
pass out log (all to pflog1) on $int_if proto tcp from <data> to <network> #this is not working - nothing is logged to pflog1

First I made sure there are some IPs in the <data> table - they were there. Then I tried to replace "from <data>" with "from any" - I thought there was no traffic from these hosts, and I tried expanding the rule to apply to the whole traffic. Nothing was logged again.
As you have seen I'm trying to do some ALTQ on the internal interface (for incoming traffic I think this is the right interface?), and that's why I need that rule to get working. I assume something is totally wrong in my setup or in my understanding, isn't it?

********************************************************************
Things are getting even more confusing!
I changed
Code:
pass out log (all to pflog1) on $int_if proto tcp from <data> to <network>
to
Code:
pass in log (all to pflog1) on $int_if proto tcp from <network> to <data>
and pflog1 began to log!
Despite the "from <network> to any" I see in tcpdump packets flying in both directions, like:
Code:
19:51:36.024411 IP 195.149.248.137.80 > 192.168.0.34.46276:  tcp 1472 [bad hdr length 8 - too short, < 20]
19:51:36.024738 IP 192.168.0.34.46276 > 195.149.248.137.80:  tcp 12 [bad hdr length 8 - too short, < 20]
I thought only the second packet should show up because of the "one way" matching only?
And why the opposite direction rule again doesn't match?
Code:
pass out log (all to pflog0) on $int_if proto tcp from <data> to <network>
********************************************************************
I'd say there is something interesting even more.
I see packets on pflog1, but according to pfctl -s rules, there shouldn't be any packets at all:
Code:
# pfctl -v -s rules
scrub in all fragment reassemble
  [ Evaluations: 39611     Packets: 19895     Bytes: 7958775     States: 0     ]
  [ Inserted: uid 0 pid 3338 ]
pass out quick on re0 from any to <network> flags S/SA keep state label "incomming"
  [ Evaluations: 5050      Packets: 8         Bytes: 1747        States: 8     ]
  [ Inserted: uid 0 pid 3338 ]
pass in log (all, to pflog1) on re0 proto tcp from <network> to <data> flags S/SA keep state label "??? in"
  [ Evaluations: 4688      Packets: 0         Bytes: 0           States: 0     ]                                                     <--- packets 0 !
  [ Inserted: uid 0 pid 3338 ]
pass in log (all) on rl0 proto tcp from <data> to <network> flags S/SA keep state label "??? out"
  [ Evaluations: 3186      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 3338 ]

Last edited by ivanatora; 1st December 2008 at 06:57 PM.
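One way to triage a question like this from the counters alone, as an added example that is not the poster's code and not part of the thread: a small Python parser for the `pfctl -v -s rules` dump pasted above. It flags filter rules pf evaluated but that never matched a packet, rules that may be unreachable because an earlier `quick` rule for the same direction and interface takes the packets first, and stateful rules carrying `log (all)`. Two pf facts the checks rely on: pf consults the state table before the ruleset, so packets belonging to an existing state are never evaluated against later `pass out` rules, and `log (all)` logs every packet of the state, which is why both directions of a connection show up on pflog1. The function names (`parse_output`, `dead_rules`, `shadowed_by_quick`, `explain`) and the counter-line format it assumes are this example's own.

```python
"""Triage a `pfctl -v -s rules` dump: which rules never match, and why.

Added example for this thread, not the poster's code. Assumes the counter
line that follows each rule looks like the one in the post:
    [ Evaluations: N   Packets: N   Bytes: N   States: N   ]
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

COUNTER_RE = re.compile(
    r"\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]"
)
LABEL_RE = re.compile(r'label "([^"]*)"')
FILTER_ACTIONS = {"pass", "block", "match"}

# Sample input: the pfctl output the poster pasted in the thread.
SAMPLE = """\
# pfctl -v -s rules
scrub in all fragment reassemble
  [ Evaluations: 39611     Packets: 19895     Bytes: 7958775     States: 0     ]
  [ Inserted: uid 0 pid 3338 ]
pass out quick on re0 from any to <network> flags S/SA keep state label "incomming"
  [ Evaluations: 5050      Packets: 8         Bytes: 1747        States: 8     ]
  [ Inserted: uid 0 pid 3338 ]
pass in log (all, to pflog1) on re0 proto tcp from <network> to <data> flags S/SA keep state label "??? in"
  [ Evaluations: 4688      Packets: 0         Bytes: 0           States: 0     ]   <--- packets 0 !
  [ Inserted: uid 0 pid 3338 ]
pass in log (all) on rl0 proto tcp from <data> to <network> flags S/SA keep state label "??? out"
  [ Evaluations: 3186      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 3338 ]
"""


@dataclass
class Rule:
    text: str
    action: str               # pass, block, scrub, nat, ...
    direction: Optional[str]  # "in", "out", or None
    iface: Optional[str]      # interface after "on"; None means any interface
    quick: bool
    stateful: bool            # keep / modulate / synproxy state
    log_all: bool             # "log (all ...)": every packet of the state is logged
    label: Optional[str]
    evaluations: int = 0
    packets: int = 0
    states: int = 0


def parse_rule(line: str) -> Rule:
    tokens = line.split()
    direction = tokens[1] if len(tokens) > 1 and tokens[1] in ("in", "out") else None
    iface = tokens[tokens.index("on") + 1] if "on" in tokens else None
    label = LABEL_RE.search(line)
    return Rule(text=line, action=tokens[0], direction=direction, iface=iface,
                quick="quick" in tokens,
                stateful=bool({"keep", "modulate", "synproxy"} & set(tokens)),
                log_all="log (all" in line,
                label=label.group(1) if label else None)


def parse_output(text: str) -> List[Rule]:
    """Turn the dump into Rule objects with their counters attached."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank line or the shell prompt
        if raw[0].isspace():              # indented: counter or "Inserted" line
            m = COUNTER_RE.search(raw)
            if m and rules:
                rules[-1].evaluations = int(m.group(1))
                rules[-1].packets = int(m.group(2))
                rules[-1].states = int(m.group(4))
            continue
        rules.append(parse_rule(raw))
    return rules


def dead_rules(rules: List[Rule]) -> List[Rule]:
    """Filter rules pf evaluated at least once but that never matched a packet."""
    return [r for r in rules
            if r.action in FILTER_ACTIONS and r.evaluations > 0 and r.packets == 0]


def shadowed_by_quick(rules: List[Rule]) -> List[Tuple[Rule, Rule]]:
    """Heuristic: a filter rule preceded by a `quick` rule for the same direction
    on the same (or any) interface may never be reached, because `quick` ends
    evaluation at the first match. Returns (rule, quick_rule) pairs."""
    found = []
    for i, r in enumerate(rules):
        if r.action not in FILTER_ACTIONS:
            continue
        for q in rules[:i]:
            if (q.action in FILTER_ACTIONS and q.quick
                    and q.direction == r.direction and q.iface in (None, r.iface)):
                found.append((r, q))
                break
    return found


def explain(rules: List[Rule]) -> List[str]:
    """Human-readable findings, one string per finding."""
    notes = []
    for r in dead_rules(rules):
        notes.append(f"never matched (evaluated {r.evaluations} times): {r.label or r.text}")
    for r, q in shadowed_by_quick(rules):
        notes.append(f"may be shadowed by quick rule '{q.label or q.text}': {r.label or r.text}")
    for r in rules:
        # pf matches the state table before the ruleset; with "log (all)" every
        # packet of that state is logged, so replies appear on the pflog too.
        if r.stateful and r.log_all:
            notes.append(f"log (all) on a stateful rule logs both directions: {r.label or r.text}")
    return notes


if __name__ == "__main__":
    for note in explain(parse_output(SAMPLE)):
        print(note)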
Reply With Quote
 

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Working with CVS? Zmyrgel OpenBSD General 15 6th October 2009 01:32 PM
[ OpenBSD 4.5 ] apm -C not working wraith0x2b OpenBSD Installation and Upgrading 17 6th May 2009 09:03 AM
USB not working after suspend stukov Other BSD and UNIX/UNIX-like 5 11th August 2008 06:48 PM
pf.conf brute force rule ijk FreeBSD Security 6 11th August 2008 04:54 PM
Crontab not working beandip FreeBSD General 6 6th August 2008 08:33 PM


All times are GMT. The time now is 11:27 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick