
Redirecting encapsulated traffic with pf




Does enc0 traffic receive special handling?

On testing with ssh, I log:

Mar 10 10:57:29.547222 rule 20/0(match): pass in on sis0: esp 208.141.190.10 > 69.20.155.49 spi 0x9B628532 seq 5 len 100 (DF)
Mar 10 10:57:29.548212 rule 2/0(match): block in on enc0: 208.141.190.10.33093 > 69.20.155.49.22: S 2163241065:2163241065(0) win 16384 <mss 1460,nop,nop,sackOK,[|tcp]> (DF) (encap)

on pflog0 and:

Mar 10 10:57:29.547974 (authentic,confidential): SPI 0x9b628532: 208.141.190.10.33093 > 69.20.155.49.22: S 2163241065:2163241065(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1130461883 0> (DF) (encap)
Mar 10 10:57:35.547416 (authentic,confidential): SPI 0x9b628532: 208.141.190.10.33093 > 69.20.155.49.22: S 2163241065:2163241065(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1130461895 0> (DF) (encap)
Mar 10 10:57:47.547089 (authentic,confidential): SPI 0x9b628532: 208.141.190.10.33093 > 69.20.155.49.22: S 2163241065:2163241065(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1130461919 0> (DF) (encap)

on enc0.

Using pfctl to show the relevant rules:

@2 block drop log all
@22 pass in log quick on enc0 inet proto tcp from any to any port = ssh flags S/FSRA keep state
@23 pass in log quick on enc0 inet proto tcp from any to any port = smtp flags S/FSRA keep state
@24 pass in log quick on enc0 inet proto tcp from any to any port = pop3 flags S/FSRA keep state
@25 pass in log quick on enc0 inet proto icmp all icmp-type echoreq keep state
@5 rdr on enc0 inet proto tcp from any to 69.20.155.49 port = pop3 -> 192.168.111.3 port 110
@6 rdr on enc0 inet proto tcp from any to 69.20.155.49 port = smtp -> 192.168.111.4 port 25
@7 rdr on enc0 inet proto tcp from any to 69.20.155.49 port = ssh -> 192.168.111.3 port 22

I would expect rule 22 to pass the packet blocked by rule 2.

If I add:

@26 pass in log quick on enc0 all

I log:

Mar 10 11:06:46.023589 rule 20/0(match): pass in on sis0: esp 208.141.190.10 > 69.20.155.49 spi 0x46A008D2 seq 3 len 100 (DF)

Mar 10 11:06:46.024424 rule 26/0(match): pass in on enc0: 208.141.190.10.28368 > 69.20.155.49.22: S 4066005614:4066005614(0) win 16384 <mss 1460,nop,nop,sackOK,[|tcp]> (DF) (encap)

Mar 10 11:06:46.024749 rule 22/0(match): pass in on enc0: 208.141.190.10.28368 > 192.168.111.3.22: S 4066005614:4066005614(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1130462996 0> (DF)

indicating the packets are going through pf several times. Yet, after being 
redirected to 192.168.111.3 by the last rule above, sshd on 192.168.111.3 is 
receiving no packets.

1) What is occurring that rule 22 is not catching the (encap) packet?
2) How do I track down what's happening to the redirected packet? 
192.168.111.3 is not running pf, and I ran sshd -d on that node during the 
test.

All nodes are running OpenBSD-Current that's less than 3 days of age. The 
firewall is i386 architecture and 192.168.111.3 is sparc64.

The isakmpd policy file is the one that permits all esp traffic from 
/usr/share/ipsec/isakmpd.

-- 

John R. Shannon
john_(_at_)_johnrshannon_(_dot_)_com
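As an aid to the second question (following one connection attempt across the several pf passes shown in the post), here is an added Python script that is not part of the original message: it parses pflog lines in the format quoted above, groups them by TCP SYN, and reports which rule acted on each pass and whether the destination changed after rdr. The sample log is constructed from the lines in the post, rejoined onto single lines.

```python
import re
from collections import defaultdict

# Constructed sample of pflog output in the format quoted in the post.
# Each entry is one logical line (the mail client wrapped the originals).
SAMPLE_LOG = """\
Mar 10 10:57:29.547222 rule 20/0(match): pass in on sis0: esp 208.141.190.10 > 69.20.155.49 spi 0x9B628532 seq 5 len 100 (DF)
Mar 10 10:57:29.548212 rule 2/0(match): block in on enc0: 208.141.190.10.33093 > 69.20.155.49.22: S 2163241065:2163241065(0) win 16384 <mss 1460,nop,nop,sackOK,[|tcp]> (DF) (encap)
Mar 10 11:06:46.023589 rule 20/0(match): pass in on sis0: esp 208.141.190.10 > 69.20.155.49 spi 0x46A008D2 seq 3 len 100 (DF)
Mar 10 11:06:46.024424 rule 26/0(match): pass in on enc0: 208.141.190.10.28368 > 69.20.155.49.22: S 4066005614:4066005614(0) win 16384 <mss 1460,nop,nop,sackOK,[|tcp]> (DF) (encap)
Mar 10 11:06:46.024749 rule 22/0(match): pass in on enc0: 208.141.190.10.28368 > 192.168.111.3.22: S 4066005614:4066005614(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1130462996 0> (DF)
"""

PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\d+)/\d+\(match\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): (?P<rest>.*)$")
TCP_RE = re.compile(
    r"^(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): S (?P<seq>\d+):")

def trace_tcp_flows(log_text):
    """Group pflog TCP SYN records by (src, sport, seq) so one connection
    attempt can be followed through every pf pass it made."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        m = PFLOG_RE.match(line)
        if not m:
            continue
        t = TCP_RE.match(m["rest"])
        if not t:
            continue  # esp on sis0 carries no visible TCP header, so it has no flow key
        key = (t["src"], int(t["sport"]), int(t["seq"]))
        flows[key].append({
            "iface": m["iface"], "action": m["action"], "rule": int(m["rule"]),
            "dst": t["dst"], "dport": int(t["dport"]),
            "encap": line.endswith("(encap)"),
        })
    return dict(flows)

def diagnose(hops):
    """Classify one flow's hop list: blocked, redirected (destination changed
    between pf passes), or passed without any redirection being seen."""
    if any(h["action"] == "block" for h in hops):
        first_block = next(h for h in hops if h["action"] == "block")
        return f"blocked by rule {first_block['rule']} on {first_block['iface']}"
    dsts = [h["dst"] for h in hops]
    if len(set(dsts)) > 1:
        return f"redirected {dsts[0]} -> {dsts[-1]}; last pass by rule {hops[-1]['rule']}"
    return "passed, no redirection seen"
```

Feeding it the live output of tcpdump on pflog0 shows at a glance whether a SYN ever left enc0 with its rewritten destination, which narrows the search to the hop after pf (the route to 192.168.111.3) rather than the rule set.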