On 25 Jan 2019, at 9:37, James B. Byrne via freebsd-pf wrote:

I have limited knowledge of PF, being in the process of transitioning
from 20+ years of RHEL/CentOS to FreeBSD.  Neither do I possess a
great fund of knowledge respecting IP routing.  That said, this is my
problem:

On a small test LAN I have three hosts, W44, W4 and G5:

network layout, gateway address 216.185.71.5

     W44                 G5                  w4
216.185.71.44 ----> 216.185.71.5        216.185.71.4   int_if IP
192.168.150.44      192.168.150.5 ----> 192.168.150.4  int_if IP alias

Using ssh and with PF running on the gateway, when I connect from
216.185.71.44 to 216.185.71.4 then the ssh session operates normally.
However, if instead I connect from 216.185.71.44 to 192.168.150.4 then
the initial connection is made but the ssh session remains responsive
for a brief time before it becomes non-responsive.  If I terminate the
PF running on the gateway the ssh session again becomes responsive.
If I do not terminate PF then eventually the ssh session client
disconnects with a timeout error.

Besides macros the entire active contents of pf.conf on G5 are:

scrub         in        all no-df max-mss 1440 fragment reassemble

block return  out log   all

block drop    in  log   all

pass              log   on $int_if

pass                    inet proto icmp all \
                        icmp-type $icmp_types keep state

pass          out       quick on $ext_if inet proto udp \
                  from  any \
                  to    any         port  33433 >< 33626 keep state

Which results in these rules when PF is running:

@0 scrub in all no-df max-mss 1440 fragment reassemble
@1 block return out log all
@2 block drop in log all
@3 pass log on em0 all flags S/SA keep state
@4 pass inet proto icmp all icmp-type echoreq keep state
@5 pass inet proto icmp all icmp-type unreach keep state
@6 pass out quick on em1 inet proto udp from any to any port 33433 >< 33626 keep state

You don’t appear to have a rule permitting the SSH traffic to pass through your router. I’m more than a little surprised you manage to establish a connection in the first place.
Unless the connection existed before you started pf, of course.

Try adding something like:
pass inet proto tcp port 22

Regards,
Kristof
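The rule Kristof suggests, written out as an added pf.conf fragment that is not part of the thread, scoped to the three test hosts instead of passing port 22 from anywhere. It assumes em0 is $int_if and em1 is $ext_if (as the pfctl -sr output above shows) and that $icmp_types expands to echoreq and unreach; pf evaluates rules last-match unless a rule says quick, so the block rules stay first and the pass rules below them win.

```pf
# Added example, not from the thread. Interface and macro values are
# assumptions taken from the pfctl -sr listing above.
ext_if     = "em1"
int_if     = "em0"
icmp_types = "{ echoreq, unreach }"
ssh_clients = "{ 216.185.71.44, 192.168.150.44 }"   # W44, primary and alias
ssh_servers = "{ 216.185.71.4, 192.168.150.4 }"     # w4, primary and alias

scrub in all no-df max-mss 1440 fragment reassemble

# Default deny first. Both blocks log, so anything that falls through
# to them shows up on pflog0.
block return out log all
block drop   in  log all

pass log on $int_if

pass inet proto icmp all icmp-type $icmp_types keep state

# New: SSH from the test clients to either address of w4, through the
# gateway in both directions. "flags S/SA keep state" means only the
# initial SYN has to match this rule; the rest of the session is
# matched by the state entry it creates.
pass log inet proto tcp from $ssh_clients to $ssh_servers port 22 \
    flags S/SA keep state

pass out quick on $ext_if inet proto udp from any to any \
    port 33433 >< 33626 keep state
```

Check the file with pfctl -nf /etc/pf.conf before loading it, and if the session still stalls, tcpdump -n -e -ttt -i pflog0 shows which of the logging block rules is dropping the SSH packets and on which interface.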