PF rules for ip-ip (gif) over pppoe
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: PF rules for ip-ip (gif) over pppoe
- From: Alexis Tremblay <apleks_(_at_)_descension_(_dot_)_org>
- Date: Wed, 03 Dec 2003 13:24:34 -0500
- Cc: Jean-Francois Brousseau <krapht_(_at_)_secureops_(_dot_)_com>
Hello all,
I am having a hard time trying to configure some pf rules to protect a
server behind a weird (really dirty but functional and stable enough)
ip-ip (NOT ipv6)/DSL+pppoe tunnel.
The rules I write won't let anything pass through my tun0 interface to
the internal switch (plugged in on xl0); it seems to get blocked by an
unknown force, see the pflog0 section at the end of this message...
I wondered if any of you would have a suggestion for me (except to get
another ISP that uses DHCP/Real routing), I am getting crazy with this
setup though... here are the details:
Note: Public IPs in this message have been replaced with XXX.XXX.XXX.
Thank you.
- There are 2 NICs in the firewall, xl0, xl1.
- On the xl1 interface, a DSL modem is plugged in.
- A GIF tunnel is created between a dynamic IP assigned by pppoe
(assigned to tun0) and my ISP's gif endpoint server (XXX.XXX.XXX.6). This
tunnel carries a range of static IPs, which then get routed by the
firewall in question to a switch where the servers are.
- The INBOUND routing goes like this:
--- ISP endpoint server --- gif0 --- tun0 --- xl0 --- SWITCH
- The OUTBOUND routing goes like this:
SWITCH --- xl0 --- tun0 --- default gateway (dynamic, NOT ISP endpoint srv)
- Yeah. It's dirty. But cheap ;)
- ifconfig:
$ ifconfig -A
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
lo1: flags=8008<LOOPBACK,MULTICAST> mtu 33224
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:01:02:49:64:35
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 10.1.0.1 netmask 0xffffff00 broadcast 10.1.0.255
inet6 fe80::201:2ff:fe49:6435%xl0 prefixlen 64 scopeid 0x1
inet XXX.XXX.XXX.13 netmask 0xfffffff8 broadcast XXX.XXX.XXX.19
xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
address: 00:01:02:d0:aa:71
media: Ethernet autoselect (10baseT)
status: active
inet 10.254.0.1 netmask 0xffffff00 broadcast 10.254.0.255
inet6 fe80::201:2ff:fed0:aa71%xl1 prefixlen 64 scopeid 0x2
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=0<> mtu 1896
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
sl1: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
ppp1: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
tun0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1452
inet XXX.XXX.XXX.167 --> XXX.XXX.XXX.188 netmask 0xffffffff
tun1: flags=10<POINTOPOINT> mtu 3000
enc0: flags=0<> mtu 1536
bridge0: flags=0<> mtu 1500
bridge1: flags=0<> mtu 1500
vlan0: flags=0<> mtu 1500
address: 00:00:00:00:00:00
vlan1: flags=0<> mtu 1500
address: 00:00:00:00:00:00
gre0: flags=9010<POINTOPOINT,LINK0,MULTICAST> mtu 1450
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1452
physical address inet XXX.XXX.XXX.167 --> XXX.XXX.XXX.6
inet6 fe80::201:2ff:fe49:6435%gif0 -> prefixlen 64 scopeid 0x13
inet 10.253.0.6 --> 10.253.0.5 netmask 0xfffffffc
gif1: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif2: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif3: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
$ netstat -rnfinet
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Interface
default XXX.XXX.XXX.188 UGS 1 18879 1452 tun0
10.1.0/24 link#1 UC 1 0 - xl0
10.1.0.1 127.0.0.1 UGHS 0 0 33224 lo0
10.1.0.2 0:1:2:49:64:33 UHLc 1 1369 - xl0
10.253.0.5 10.253.0.6 UH 0 0 - gif0
10.254.0/24 link#2 UC 0 0 - xl1
127/8 127.0.0.1 UGRS 0 0 33224 lo0
127.0.0.1 127.0.0.1 UH 2 110 33224 lo0
XXX.XXX.XXX.12/29 link#1 UC 5 0 - xl0
XXX.XXX.XXX.13 127.0.0.1 UGHS 0 0 33224 lo0
XXX.XXX.XXX.14 0:1:2:49:64:33 UHLc 0 7824 - xl0
XXX.XXX.XXX.15 link#1 UHLc 0 3 - xl0
XXX.XXX.XXX.16 link#1 UHLc 0 3 - xl0
XXX.XXX.XXX.17 link#1 UHLc 0 3 - xl0
XXX.XXX.XXX.18 link#1 UHLc 1 5 - xl0
XXX.XXX.XXX.188 XXX.XXX.XXX.167 UH 1 0 1452 tun0
224/4 127.0.0.1 URS 0 0 33224 lo0
- now with those rules, everything runs fine, nothing gets blocked of
course:
# BEGIN PF rules ----------------------------------
altq on tun0 priq bandwidth 640Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)
pass quick on lo0 all keep state
pass quick on gif0 all keep state
pass quick on xl0 all keep state
pass quick on xl1 all keep state
pass out on tun0 proto tcp all flags S/SA keep state queue(q_def, q_pri)
pass in on tun0 proto tcp all flags S/SA keep state queue(q_def, q_pri)
pass out on tun0 proto udp all keep state queue q_def
pass in on tun0 proto udp all keep state queue q_def
# END PF rules ----------------------------------
- Now! The PF rules that DON'T work:
# BEGIN PF rules --------------------------------------------------
ext_if="tun0"
int_if="xl0"
unfiltered = "{ lo0, gif0, xl0, xl1 }"
services_tcp = "{ ssh, ftp, smtp, domain, www, 443, 993 }"
services_udp = "{ domain }"
table <unroutable> persist { \
0.0.0.0/7, 2.0.0.0/8, 5.0.0.0/8, 7.0.0.0/8, 10.0.0.0/8, !10.1.0.0/24, 23.0.0.0/8, \
27.0.0.0/8, 31.0.0.0/8, 36.0.0.0/7, 39.0.0.0/8, 41.0.0.0/8, 42.0.0.0/8, \
49.0.0.0/8, 50.0.0.0/8, 58.0.0.0/7, 70.0.0.0/7, 72.0.0.0/5, 83.0.0.0/8, \
84.0.0.0/6, 88.0.0.0/5, 96.0.0.0/3, 169.254.0.0/16, 172.16.0.0/12, \
173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/5, 184.0.0.0/6, 189.0.0.0/8, \
190.0.0.0/8, 192.0.2.0/24, 192.168.0.0/16, 197.0.0.0/8, 198.18.0.0/15, \
223.0.0.0/8, 224.0.0.0/3, 255.255.255.255 \
}
table <doubleclick> persist { \
216.73.80.0/20, 204.253.104.0/24, 205.138.3.0/24, 208.184.29.0/24, \
206.65.183.0/24 \
}
table <mediaforce> persist { \
2.23.190.0/24, 65.247.105.0/24, 65.215.137.0/24, 208.251.137.0/24 \
}
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
#scrub in all
scrub in on $ext_if all fragment reassemble
scrub out on $ext_if all random-id fragment reassemble
# ACKPRI
altq on $ext_if priq bandwidth 640Kb queue { q_max, q_pri, q_hig, q_def, q_low }
queue q_max priority 7
queue q_pri priority 6
queue q_hig priority 5
queue q_def priority 3
queue q_low priority 1 priq(default)
# NAT
nat on tun0 from $int_if:network to any -> (tun0)
# rdr outgoing FTP requests to the ftp-proxy
rdr on xl0 proto tcp from any to any port ftp -> 127.0.0.1 port 8021
# Here we let the unfiltered interfaces untouched
pass in quick on $unfiltered all keep state
pass out quick on $unfiltered all keep state
pass in quick on $ext_if inet proto gre all keep state
pass out quick on $ext_if inet proto gre all keep state
block return-rst quick proto tcp all flags /S
block return-rst quick proto tcp all flags A/A
# block and log the rest by default
block log
block return-rst log inet proto tcp
block return-icmp log inet proto udp
block return-icmp(10) in quick log on { $int_if } to { <doubleclick>, <mediaforce> }
block in quick on $ext_if from { <doubleclick>, <mediaforce> }
#block return-icmp(10) in log on { $int_if } to <reserved>
block in log on $ext_if from <reserved>
block return-rst in quick on $ext_if proto tcp from any to any \
port { 111, 445, 1080, 8080, 6000, 6667 }
block return-icmp in quick on $ext_if proto udp from any to any \
port { 137, 138, 139, 1434 }
# ICMP
#
pass out on $ext_if inet proto icmp from any to any \
icmp-type 8 code 0 keep state queue (q_max)
pass in on $ext_if inet proto icmp from any to $RIP \
icmp-type 8 code 0 keep state (max 32) queue (q_def)
pass in on $ext_if inet proto icmp from any to $ext_if \
icmp-type 8 code 0 keep state (max 32) queue (q_low)
# UDP
pass out on $ext_if inet proto udp from any to any \
keep state queue (q_def)
pass out on $ext_if inet proto udp from any to any port domain \
keep state queue (q_hig)
pass in on $ext_if inet proto udp from any to $RIP \
port $services_udp keep state (max 512) queue (q_hig)
# TCP
pass out on $ext_if inet proto tcp from $ext_if to any \
flags S/SA keep state queue (q_def, q_max)
pass out on $ext_if inet proto tcp from $ext_if to any port www \
flags S/SA keep state queue (q_hig, q_max)
pass in on $ext_if inet proto tcp from any to $RIP port $services_tcp \
flags S/SA keep state (max 1024, tcp.first 10, tcp.opening 10) \
queue (q_low, q_max)
pass in on $ext_if inet proto tcp from any to 127.0.0.1 port 8025 \
keep state queue (q_low, q_def)
# END PF rules ------------------------------------------------------
- I'm getting in pflog0:
Dec 03 13:05:45.647651 rule 12/0(match): block in on tun0:
24.200.227.132 > XXX.XXX.XXX.13: icmp: echo request (DF) (encap)
Dec 03 13:05:46.683866 rule 12/0(match): block in on tun0:
24.200.227.132 > XXX.XXX.XXX.13: icmp: echo request (DF) (encap)
Dec 03 13:05:47.667217 rule 12/0(match): block in on tun0:
24.200.227.132 > XXX.XXX.XXX.13: icmp: echo request (DF) (encap)
Dec 03 13:05:48.605121 rule 12/0(match): block in on tun0:
24.200.227.132 > XXX.XXX.XXX.13: icmp: echo request (DF) (encap)
Dec 03 13:05:49.687443 rule 12/0(match): block in on tun0:
24.200.227.132 > XXX.XXX.XXX.13: icmp: echo request (DF) (encap)
Dec 03 13:05:49.692940 rule 12/0(match): block in on tun0:
24.200.227.132.33172 > XXX.XXX.XXX.14.22: P 15648:15696(48) ack 182881
win 44800 <nop,nop,timestamp 1660086[|tcp]> (DF) (encap)
Can someone explain to me what's happening? I just don't know why the
packet doesn't get passed through to xl0; there are rules in my config
saying it should, aren't there?
Thanks a whole lot!
--
Alexis Tremblay
Key ID: 0xD3221586
0EBD FE7C F301 E7E0 B92F 4D2D 67C8 FA22 D322 1586
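An added example, not part of the original post: a small Python diagnostic that numbers the filter rules of the second ruleset the way pfctl loads them (assuming pf's usual expansion of every { a, b, ... } list into one loaded rule per element, which is what makes pflog report "rule 12/0") and parses pflog lines of the form shown above, so each logged block can be traced back to its source rule and the "(encap)" marker checked. The ruleset excerpt is taken from the post; the addresses in the sample log lines are constructed placeholders.

```python
import re
# Constructed excerpt of the post's non-working ruleset: macros plus the filter
# rules up to and including the default "block log", in source order.
RULESET = """\
ext_if="tun0"
unfiltered = "{ lo0, gif0, xl0, xl1 }"
pass in quick on $unfiltered all keep state
pass out quick on $unfiltered all keep state
pass in quick on $ext_if inet proto gre all keep state
pass out quick on $ext_if inet proto gre all keep state
block return-rst quick proto tcp all flags /S
block return-rst quick proto tcp all flags A/A
block log
"""
# Constructed pflog lines in the post's format (addresses are placeholders).
PFLOG = """\
Dec 03 13:05:45.647651 rule 12/0(match): block in on tun0: 198.51.100.7 > 203.0.113.13: icmp: echo request (DF) (encap)
Dec 03 13:05:49.692940 rule 12/0(match): block in on tun0: 198.51.100.7.33172 > 203.0.113.14.22: P 15648:15696(48) ack 182881 win 44800 (DF) (encap)
"""
MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
LIST_RE = re.compile(r"\{([^}]*)\}")
LOG_RE = re.compile(r"rule (\d+)/\d+\(\w+\): (pass|block) (in|out) on (\w+): "
                    r"(\S+) > ([^\s:]+):? (.*)$")

def expand_rules(conf):
    # Number filter rules as pfctl loads them: substitute macros, then let each
    # "{ a, b, ... }" list multiply the source rule into one loaded rule per
    # element (several lists in one rule multiply). Index n is pflog's "rule n/0".
    macros, numbered = {}, []
    for line in conf.replace("\\\n", " ").splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
        elif re.match(r"\s*(pass|block)\b", line):
            line = re.sub(r"\$(\w+)", lambda x: macros.get(x.group(1), x.group(0)), line)
            count = 1
            for items in LIST_RE.findall(line):
                count *= len([i for i in items.split(",") if i.strip()])
            numbered.extend([line.strip()] * count)
    return numbered

def parse_pflog(text):
    # One dict per line: rule number, verdict, direction, interface, endpoints,
    # and whether tcpdump flagged the packet as IP-in-IP encapsulated ("(encap)").
    events = []
    for m in filter(None, map(LOG_RE.search, text.splitlines())):
        rule, action, direction, ifname, src, dst, rest = m.groups()
        events.append({"rule": int(rule), "action": action, "dir": direction, "if": ifname,
                       "src": src, "dst": dst, "encap": rest.endswith("(encap)")})
    return events
```

Looking up expand_rules(RULESET)[ev["rule"]] for each parsed event shows which source line a logged block came from.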