Re: probably bug in using in combination rdomain + nat-to + specific ip addresses

2016-09-15 Thread Mike Belopuhov
Sorry for a huge delay in responding.

You're right that I've missed the quick keyword.  However, it appears to me
that your problem stems from the fact that you don't have a gateway in
rdomain 100.  You must have some valid route in every rdomain otherwise
routing won't happen at all.  Point the default route to yourself if there's
nothing else there.


On 23 July 2016 at 13:38, Imre Oolberg  wrote:



Re: probably bug in using in combination rdomain + nat-to + specific ip addresses

2016-07-23 Thread Imre Oolberg

Hi!

I am sorry for the delay but I still think this must be a bug somewhere.
My first pass rules apply because they are 'quick' and because I see
traffic also in pflogs. And without changing anything in packet filter
and only changing ip addresses so that the computer behind the firewall does not
match the firewall's internet facing side, everything starts to work
(and with this workaround I went).



Best regards,

Imre





Re: probably bug in using in combination rdomain + nat-to + specific ip addresses

2016-06-27 Thread Mike Belopuhov
Hi Imre,

Not sure you've got a reply to this (I was going through unread mail
on bugs@), but your "pass all flags" rule is a last match thus neither
of the other pass rules are taken into account.

Cheers,
Mike

On 28 May 2016 at 00:20,   wrote:
> Hi!
>
> I think I stumbled onto a bug related to using in combination rdomain,
> a specific set of ip addresses and pf doing nat-to.
>
> I have OpenBSD v. 5.9 installed from .iso, no patches applied and no
> special programs installed or running
>
> # uname
> OpenBSD obsd59.auul 5.9 GENERIC#1761 amd64
>
> In my setup OpenBSD acts as a firewall, it has two network interfaces, one
> facing the internet and another the internal network.
>
> vio0 (rdomain 0): 192.168.1.146 and vlan11, internet side
> vio1 (rdomain 100): 192.168.1.254 and vlan10, intranet side
>
> in rdomain 0 gateway is 192.168.1.254
> in rdomain 100 no gateway is set
>
> computer behind OpenBSD in rdomain 100 (and vlan10) has ip address
> 192.168.1.146 and gw 192.168.1.254.
>
> OpenBSD ruleset is essentially
>
> # pfctl -sr
> pass in log quick on vio1 inet from 192.168.1.0/24 to any flags S/SA tag
> FROM_INTRANET rtable 0
> pass out log quick on vio0 inet all flags S/SA tagged FROM_INTRANET nat-to
> 192.168.1.146
> pass all flags S/SA
>
> Now, when sending packets from the computer behind this OpenBSD firewall through it,
> tcp connections aren't established, for some reason OpenBSD rejects incoming
> syn-ack packets
>
> # tcpdump -ni vio0 port 873
> tcpdump: listening on vio0, link-type EN10MB
> 00:40:34.231363 192.168.1.146.60895 > 10.80.123.154.873: S
> 233483646:233483646(0) win 29200  0,nop,wscale 6> (DF)
> 00:40:34.240835 10.80.123.154.873 > 192.168.1.146.60895: S
> 344980263:344980263(0) ack 233483647 win 28960  174805425 7512261,nop,wscale 7> (DF)
> 00:40:34.240937 192.168.1.146.60895 > 10.80.123.154.873: R
> 233483647:233483647(0) win 0 (DF)
>
> If I change the computer's address behind OpenBSD to be different from the vio0
> address, say 192.168.1.144, then packets get through OpenBSD. I wonder if this
> is a bug or if I am still doing something wrong.
>
> You may wonder why this kind of ugly setup is useful. It is not designed
> from the ground up like this. It is just, so to say, 'OpenBSD to the rescue'
> to get one legacy system connected to the internet in a more-or-less controlled
> way. In that legacy system the ip config can't be changed, so OpenBSD is placed in
> between the legacy system and the rest of the network and it is doing this
> strange mapping.
>
>
> Best regards,
>
> Imre
>
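A small model of pf's rule evaluation order, added here as an example (it is not code from the thread or from OpenBSD) and covering only direction, interface, source network, tags and `quick`; states and rdomains are out of scope. Run over the three rules from the report, the first two rules win because they are `quick`, as Imre observed; with `quick` removed, `pass all flags S/SA` is the last match on both the inbound and outbound pass, so the tag, `rtable 0` and `nat-to` would never apply.

```python
from dataclasses import dataclass, field, replace
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    direction: "str | None" = None   # "in", "out", or None for both directions
    iface: "str | None" = None       # interface, or None for any
    src: str = "any"                 # source network in CIDR, or "any"
    quick: bool = False              # stop evaluating when this rule matches
    tag: "str | None" = None         # tag set on the packet when this rule wins
    tagged: "str | None" = None      # only match packets already carrying this tag

@dataclass
class Packet:
    direction: str
    iface: str
    src: str
    tags: set = field(default_factory=set)

def matches(rule: Rule, pkt: Packet) -> bool:
    ok_src = rule.src == "any" or ip_address(pkt.src) in ip_network(rule.src)
    return (rule.direction in (None, pkt.direction) and rule.iface in (None, pkt.iface)
            and ok_src and (rule.tagged is None or rule.tagged in pkt.tags))

def evaluate(rules: list, pkt: Packet) -> "int | None":
    """pf order: the last matching rule wins, unless a matching rule is 'quick'."""
    winner = None
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            winner = i
            if rule.quick:
                break
    if winner is not None and rules[winner].tag:
        pkt.tags.add(rules[winner].tag)   # the tag follows the packet to the out side
    return winner

# The three rules from the report's 'pfctl -sr' output, in order; rtable 0 and
# nat-to 192.168.1.146 only take effect when rules 0 and 1 are the winners.
RULESET = [
    Rule("in", "vio1", "192.168.1.0/24", quick=True, tag="FROM_INTRANET"),
    Rule("out", "vio0", quick=True, tagged="FROM_INTRANET"),
    Rule(),   # pass all flags S/SA
]
NO_QUICK = [replace(r, quick=False) for r in RULESET]   # same rules, 'quick' dropped

def trace_syn(rules: list) -> tuple:
    """Follow the intranet SYN (source as in the tcpdump) in on vio1, then out on vio0."""
    pkt = Packet("in", "vio1", "192.168.1.146")
    first = evaluate(rules, pkt)
    pkt.direction, pkt.iface = "out", "vio0"
    return first, evaluate(rules, pkt)
```

`trace_syn(RULESET)` returns `(0, 1)` while `trace_syn(NO_QUICK)` returns `(2, 2)`, which is the difference between Imre's reading of the ruleset and Mike's first reply.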