Dear List,
I'm facing what I think is a problem in my pf.conf rule set. Here is
my setup:
I've a private network, 192.168.1.0/24, with 192.168.1.1 being the
default gateway. It runs OpenBSD and pf. Another box on the network,
192.168.1.4, is a gateway to the 10.82.6.0/24 network.
On 192.168.1.1, I've a static route for 10.82.6.0/24 as follows:
10.82/24 192.168.1.4 UGS 0 251 - sis2
On 192.168.1.1, I've got the following pf rule (the whole rule set is
in [PF] below):
pass to 10.82.6.0/24
Pinging 10.82.6.6 from 192.168.1.130 is okay (I get some ICMP redirect
but that's fine). Pinging 192.168.1.130 from 10.82.6.6 is also okay.
But when I try to ssh from 10.82.6.6 to 192.168.1.130 it
fails. Tcpdump on 192.168.1.1 shows me the following:
# tcpdump -lni pflog0 | grep 10.82
tcpdump: listening on pflog0, link-type PFLOG
11:01:52.146428 192.168.1.130.22 > 10.82.6.6.34034: [|tcp] (DF)
11:01:55.140689 192.168.1.130.22 > 10.82.6.6.34034: [|tcp] (DF)
11:02:01.140510 192.168.1.130.22 > 10.82.6.6.34034: [|tcp] (DF)
and on the internal iface of 192.168.1.1:
# tcpdump -lni sis2 | grep 10.82
tcpdump: listening on sis2, link-type EN10MB
11:23:13.442990 10.82.6.6.59679 > 192.168.1.130.22: S 3260704175:3260704175(0)
win 5840 <mss 1350,sackOK,timestamp 145091318 0,nop,wscale 7> (DF)
11:23:13.443015 192.168.1.130.22 > 10.82.6.6.59679: S 1828934748:1828934748(0)
ack 3260704176 win 5792 <mss 1460,sackOK,timestamp 409106167
145091318,nop,wscale 6> (DF)
11:23:13.443222 10.82.6.6.59679 > 192.168.1.130.22: R 1:1(0) ack 1 win 0 (DF)
[tos 0x10]
11:23:16.435254 192.168.1.130.22 > 10.82.6.6.59679: S 1868970766:1868970766(0)
ack 3260704176 win 5792 <mss 1460,sackOK,timestamp 409106808
145092068,nop,wscale 6> (DF)
11:23:16.435452 10.82.6.6.59679 > 192.168.1.130.22: R 1:1(0) ack 1 win 0 (DF)
[tos 0x10]
11:23:22.433479 192.168.1.130.22 > 10.82.6.6.59679: S 1955564464:1955564464(0)
ack 3260704176 win 5792 <mss 1460,sackOK,timestamp 409108193
145093568,nop,wscale 6> (DF)
11:23:22.433744 10.82.6.6.59679 > 192.168.1.130.22: R 1:1(0) ack 1 win 0 (DF)
[tos 0x10]
Which seems to show that 192.168.1.1 blocks the traffic by resetting
the connections.
What am I doing wrong?
Thanks for your reply,
-AJ
[PF]
# pfctl -s rules
scrub in all fragment reassemble
block return in log all
pass in on sis0 proto tcp from any to any port = 5001 flags S/SA keep state
pass in on sis0 proto tcp from any to any port = 6700 flags S/SA keep state
pass in on sis0 proto tcp from any to any port = www flags S/SA keep state
pass in on sis0 proto tcp from any to any port = https flags S/SA keep state
pass in on sis0 proto tcp from any to any port = 2020 flags S/SA keep state
pass in on sis0 proto tcp from any to any port = 5555 flags S/SA keep state
pass in on sis0 proto tcp from any to any port = 5556 flags S/SA keep state
pass in on sis0 proto tcp from any to any port = 6555 flags S/SA keep state
pass in on sis0 proto tcp from any to any port = 6556 flags S/SA keep state
pass in on sis0 proto tcp from any to any port = 622 flags S/SA keep state
pass in on sis0 proto tcp from any to any port = 7500 flags S/SA keep state
pass in on sis0 proto tcp from any to any port = 822 flags S/SA keep state
pass in on sis0 proto tcp from any to any port = ftp flags S/SA keep state
pass in on sis0 proto tcp from any to any port = 990 flags S/SA keep state
pass in on sis0 proto tcp from any to any port = 991 flags S/SA keep state
pass in on sis0 proto tcp from any to any port = 992 flags S/SA keep state
pass in on sis0 proto tcp from any to any port = imaps flags S/SA keep state
pass in on sis0 proto tcp from any to any port = 994 flags S/SA keep state
pass in on sis0 proto tcp from any to any port = pop3s flags S/SA keep state
pass in on sis0 proto tcp from any to any port = 996 flags S/SA keep state
pass in on sis0 proto tcp from any to any port = 997 flags S/SA keep state
pass in on sis0 proto tcp from any to any port = 998 flags S/SA keep state
pass in on sis0 proto tcp from any to any port = 8087 flags S/SA keep state
pass in on sis0 proto tcp from any to any port = 8443 flags S/SA keep state
pass in on sis0 proto tcp from any to any port = 1194 flags S/SA keep state
pass in on sis0 proto tcp from any to any port = ssh flags S/SA keep state
pass in on sis0 proto tcp from any to any port = 5000 flags S/SA keep state
pass in on sis0 proto tcp from any to any port = 29684 flags S/SA keep state
pass in on sis0 proto udp from any to any port = www keep state
pass in on sis0 proto udp from any to any port = 443 keep state
pass in on sis0 proto udp from any to any port = 7510 keep state
pass in on sis0 proto udp from any to any port = 990 keep state
pass out on sis0 all flags S/SA keep state
pass in on sis2 all flags S/SA keep state
pass out on sis2 inet from any to 192.168.1.0/24 flags S/SA keep state
pass inet from any to 10.82.6.0/24 flags S/SA keep state
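The pflog entries above are the SYN-ACKs from 192.168.1.130 to 10.82.6.6, and the capture on sis2 shows each one followed 0.2 ms later by a RST that appears to come from 10.82.6.6, which is what `block return` manufactures. The small script below is an added example, not part of the original post or of any list reply, and it is not pf code: it models pf's rule evaluation (last matching rule wins when no rule is `quick`, `flags a/b` matched as set/mask) over the four posted rules that can apply to TCP arriving on sis2, and runs it against the SYN and the SYN-ACK from the capture. It assumes no state entry exists for the connection on 192.168.1.1, i.e. that the SYN from 10.82.6.6 reached 192.168.1.130 without traversing pf on 192.168.1.1; that is an assumption, not something the post states. The `ASYMMETRIC_FIX` rule is hypothetical and only illustrates a `flags any` rule for the reply direction.

```python
# Added example: minimal model of pf rule evaluation for the posted ruleset.
# Not pf's code and not from the original post. Assumes no state-table entry
# exists for the connection on 192.168.1.1 (an assumption).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Set


@dataclass
class Packet:
    iface: str
    direction: str           # "in" or "out", relative to 192.168.1.1
    src: str
    dst: str
    dport: int
    flags: Set[str]          # TCP flags set on the packet: "S", "A", "R", ...


@dataclass
class Rule:
    action: str                        # "pass" or "block"
    direction: Optional[str] = None    # None = both directions
    iface: Optional[str] = None        # None = any interface
    src: Optional[str] = None          # CIDR, None = any
    dst: Optional[str] = None          # CIDR, None = any
    dport: Optional[int] = None        # None = any port
    flags: Optional[str] = None        # "S/SA" = set/mask; None = "flags any"


def flags_match(spec: str, present: Set[str]) -> bool:
    """pf 'flags a/b': each flag in mask b must be set iff it appears in a."""
    want, mask = spec.split("/")
    return all((f in present) == (f in want) for f in mask)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.iface and rule.iface != pkt.iface:
        return False
    if rule.src and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if rule.dst and ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.flags is not None and not flags_match(rule.flags, pkt.flags):
        return False
    return True


def evaluate(ruleset, pkt: Packet) -> str:
    """Without 'quick', pf applies the LAST matching rule; no match = pass."""
    verdict = "pass"
    for rule in ruleset:
        if rule_matches(rule, pkt):
            verdict = rule.action
    return verdict


# The posted rules that can apply to TCP on sis2 (the sis0 rules cannot match).
POSTED = [
    Rule("block", direction="in"),                                    # block return in log all
    Rule("pass", "in", "sis2", flags="S/SA"),                         # pass in on sis2 all flags S/SA keep state
    Rule("pass", "out", "sis2", dst="192.168.1.0/24", flags="S/SA"),  # pass out on sis2 inet from any to 192.168.1.0/24
    Rule("pass", dst="10.82.6.0/24", flags="S/SA"),                   # pass inet from any to 10.82.6.0/24
]

# The two packets from the sis2 capture, as 192.168.1.1 would see them.
SYN = Packet("sis2", "in", "10.82.6.6", "192.168.1.130", 22, {"S"})
SYN_ACK = Packet("sis2", "in", "192.168.1.130", "10.82.6.6", 59679, {"S", "A"})

# Hypothetical extra rule (not in the post): pass the reply half of a session
# that both enters and leaves via sis2, whatever its TCP flags ("flags any").
ASYMMETRIC_FIX = POSTED + [
    Rule("pass", "in", "sis2", src="192.168.1.0/24", dst="10.82.6.0/24"),
]


def verdicts(ruleset):
    """Verdict for the SYN and for the SYN-ACK under a given ruleset."""
    return {"syn": evaluate(ruleset, SYN), "syn_ack": evaluate(ruleset, SYN_ACK)}


if __name__ == "__main__":
    print("posted ruleset:", verdicts(POSTED))          # syn pass, syn_ack block
    print("with flags any:", verdicts(ASYMMETRIC_FIX))  # both pass
```

With the posted rules the SYN passes and the SYN-ACK falls through to `block return in log all`, because `flags S/SA` only matches a packet with SYN set and ACK clear, and `block return` answers it with the spoofed RST seen on sis2. Note that pf consults its state table before the rules, so this model only describes what happens when the SYN never created a state on 192.168.1.1; the pflog output suggests that is the case here. Passing the reply direction with `flags any` works but leaves that path stateless; making 192.168.1.130 send 10.82.6.0/24 traffic to 192.168.1.4 directly (so both halves of the connection stay off the firewall) keeps the ruleset stateful.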