scott wrote:
> openBSD(4.2) and 4.3-beta
>
> /etc/pf.conf fragment
> # ---v---
> pass in log quick on em0 inet proto tcp \
>  from !<ssh_pests> to (em0:0) port 22 \
>  tag SSHVPN flags S/SA keep state \
>  (max-src-conn-rate 3/120, overload <ssh_pests> flush global) \
>  label R1
> #
> pass out log quick on em1 tagged SSHVPN keep state \
>  label R2
> #
> block log all label R3
> # ---^---
>
> In the above rule set, "R2" does not "match" anything, ever. It is
> silent to pflog0.  The traffic that should be passed by R2 instead posts
> in pflog0 as blocked by R3.
>
> Something about the sshd's tcp decapsulation or pf's relationship with
> it is losing the tag SSHVPN.
>
> Without the ability to tag the ssh tunneled traffic post
> decapsulation, I don't know how to do the differentiated handling I
> need.  e.g. sshd -w from inside via my wifi vs. sshd -w from outside to
> inside.
>
> I've posted a form of this question before but I've focused it further
> here.  The ssh mail-list folks allege it's a pf issue.
>
> Now, I know that ssh -w flows via tun(n) interfaces.  The following
> rules set flows the outside to inside traffic BUT THERE'S NO LINKAGE
> BETWEEN R1 AND R2. Putting "tagged SSHVPN" on R2 will cause R2 to "not
> match" and therefore "not pass" the tun traffic.
> # ---v---
> pass in log quick on em0 inet proto tcp \
>  from !<ssh_pests> to (em0:0) port 443 \
>  tag SSHVPN flags S/SA keep state \
>  (max-src-conn-rate 3/120, overload <ssh_pests> flush global) \
>  label R1
> #
> pass in log quick on tun inet \
>  from (tun:peer) to any \
>  tag VTUNPKTS keep state label R2
> #
> pass out log quick on inside inet \
>  tagged VTUNPKTS keep state label R3
> # ---^---
>
> Is this a bug, or is there a way that R2 can "know" where the tun
> traffic is ingressing from?
>
> What I think I want to be able to effect is...
> # ---v---
> pass in log quick on em0 inet proto tcp \
>  from !<ssh_pests> to (em0:0) port 443 \
>  tag SSHVPN flags S/SA keep state \
>  (max-src-conn-rate 3/120, overload <ssh_pests> flush global) \
>  label R1
> #
> pass in log quick on tun inet \
>  tagged SSHVPN \
>  tag VTUNPKTS keep state label R2
> #
> pass out log quick on inside inet \
>  tagged VTUNPKTS keep state label R3
> # ---^---
>
>
> Thanks,
>
>
Tags are only visible while in the kernel. Once you send them to an
application, unless it has the ability to set a tag, the tag will be
lost. The ftp-proxy(8), AFAICR since 4.1, has the ability to set a tag on
the packet. It would be nice if more userland applications like sshd,
spamd, hoststated, etc. could set tags too. In this case (sshd) you
can't do much, as it runs with root privileges. You can't classify
it with the user keyword from pf. So I believe you will have to redesign
your rules in this case.

My regards,

--
Giancarlo Razzolini
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Ubuntu 7.04 Feisty Fawn
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85
