DragonFly BSD
DragonFly users List (threaded) for 2006-09
[Date Prev][Date Next]  [Thread Prev][Thread Next]  [Date Index][Thread Index]

Re: Bridging again


From: Tiv <gtivey@xxxxxxxxxxxxx>
Date: Mon, 25 Sep 2006 22:16:40 -0500

Gergo Szakal wrote:

Argh, I tracked down the problem to pf itself.

With this ruleset it works:
------------------------------------------------------------------
int_if=sk0
ext_if=sk1
intnet={xxx.xxx.118.64/26,xxx.1xxx14.118.224/27}
tcp_opts="flags S/SA modulate state"
# Options: tune the behavior of pf, default values are given.
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 35000, frags 15000 }
set loginterface $ext_if
set optimization conservative
set block-policy return
set require-order yes
set fingerprints "/etc/pf.os"
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub all no-df random-id


# Filtering
pass in all
pass out all
------------------------------------------------------------------

Now if I replace the filtering part:
------------------------------------------------------------------
# Filtering
block in all
block out all
pass quick on {lo0,$int_if} all
pass out quick on $ext_if proto tcp from <intnet> to any $tcp_opts
pass out quick on $ext_if proto udp from <intnet> to any keep state
------------------------------------------------------------------
then I can not SSH from a box sitting behind the bridge, while using the previous config I can. I thought this config was good. What can be the problem?
Oh, and something else: the direction of the state when SSHing from behind the bridge is IN!!! On my OpenBSD 3.8 box outbound states' directions are obviously Out, and obviously this ruleset is working fine on that OBSD bridge. I think this is in connection with the problems I just described. Can anyone tell me what the cause of this paradox behaviour is?
Thanks in advance.


Hi all ---

I'm no expert, but unless you intend to block ICMP messages,
you just might want to use something like this...

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

If you can't ping/arp a host (icmp disabled), I'd think you'd have trouble connecting ssh...

When i block/filter icmp on a Cisco router I get this:

ssh: connect to host targa port 22: No route to host


. ..just something to consider.


Best regards,
Gary





[Date Prev][Date Next]  [Thread Prev][Thread Next]  [Date Index][Thread Index]