Re: Redirected packet from pf is lost
Hi Stuart,

>> I've got a Dell SC1435, running OpenBSD 4.0, with two Ethernet interfaces
>> (bge0 and bge1) working as a gateway and firewall for our internal network.
>> bge0 is the external connection (with a class B IPv4 address), and bge1 is
>> the internal connection (private IP network, class C). They are both part
>> of a bridge, bridge0:
>
> From the information you gave, I don't see any reason for these to be
> bridged, and there are some good reasons not to (it will increase broadcast
> traffic on both segments, and makes things more complex, especially where
> PF is concerned). The main reason you might need it is if there are also
> machines on bge1 with public addresses (though if that's the case, it would
> be cleaner to have them on a separate interface - physical or vlan).

There is only one public address, which is the one on bge0.

It's the first time I've set up an OpenBSD machine and I'm happy to learn of a
better way to accomplish this! Based on various docs I've read I understood
that I needed to create such a bridge, and since it worked I assumed it was
the way to do this. But I just shut down the bridge and our network still
works.

Thanks!

Best regards,
Andreas
Re: Redirected packet from pf is lost
Andreas Hdber wrote:

> Hi all,
>
> I've got a Dell SC1435, running OpenBSD 4.0, with two Ethernet interfaces
> (bge0 and bge1) working as a gateway and firewall for our internal network.
> bge0 is the external connection (with a class B IPv4 address), and bge1 is
> the internal connection (private IP network, class C). They are both part
> of a bridge, bridge0:
>
>     # cat /etc/bridgename.bridge0
>     add bge0
>     add bge1
>     blocknonip bge0
>     blocknonip bge1
>     up
>     #
>
> Our pf-config has worked fine for normal Internet access, so internal
> computers can access external hosts fine (through NAT). However, now we
> need to redirect packets from an external host (external.sip.proxy.example
> below, using a normal class B IPv4 address) to one of our internal hosts
> (internal.sip.proxy.test below, which is part of the same private network
> as bge1 on our gateway). This is the first rdr rule below. I've also used
> rdr pass instead of the explicit pass as shown below, obviously with no
> success.
>
> The pf-config looks like this (rules related to IPSec and SSH access are
> removed):
>
>     ext_if=bge0   # External interface
>     int_if=bge1   # Internal interface
>
>     set block-policy return
>     set loginterface $ext_if
>     set skip on { lo enc0 }
>
>     scrub in
>
>     rdr on $ext_if proto udp from external.sip.proxy.example port sip to any port 6060 \
>         tag VoIP -> internal.sip.proxy.test port 6060
>     nat on $ext_if from !($ext_if) to any -> ($ext_if)
>     nat-anchor "ftp-proxy/*"
>     rdr-anchor "ftp-proxy/*"
>     rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>
>     block in log all
>     pass out keep state
>
>     anchor "ftp-proxy/*"
>     antispoof quick for { lo enc0 $int_if }
>
>     # Does NOT work (see tag on rdr-rule above)
>     pass in log tagged VoIP
>
>     # Does work, according to pflog. Tag is nowhere to be seen, though.
>     pass in log on { $ext_if $int_if } proto udp from external.sip.proxy.example port sip \
>         to internal.sip.proxy.test port 6060 tag VoIP2 keep state
>
>     pass quick on { $int_if, enc0 }
>     # -- end pf.conf --
>
> As you can see above, I'm logging blocked packets and also the relevant
> packets passed in.
> I've found these two packets in pflog0 related to this. The first one is a
> SIP request sent out from internal.sip.proxy.test to
> external.sip.proxy.example:
>
>     Frame 205258 (1458 bytes on wire, 1458 bytes captured)
>         Arrival Time: May 8, 2007 16:58:45.715379000
>         [Time delta from previous packet: 679.119839000 seconds]
>         [Time since reference or first frame: 8590.343581000 seconds]
>         Frame Number: 205258
>         Packet Length: 1458 bytes
>         Capture Length: 1458 bytes
>         [Frame is marked: True]
>         [Protocols in frame: pflog:ip:udp:sip:sdp]
>     PF Log IPv4 passed on bge1 by rule 46
>         Header Length: 61
>         Address Family: IPv4 (2)
>         Action: passed (0)
>         Reason: match (0)
>         Interface: bge1
>         Ruleset:
>         Rule Number: 46
>         Sub Rule Number: -1
>         Direction: Unknown (255)
>     Internet Protocol, Src: internal.sip.proxy.test (192.168.1.7), Dst: external.sip.proxy.example (external.sip.proxy.example)
>         Version: 4
>         Header length: 20 bytes
>         Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00)
>             0001 00.. = Differentiated Services Codepoint: Unknown (0x04)
>             ..0. = ECN-Capable Transport (ECT): 0
>             ...0 = ECN-CE: 0
>         Total Length: 1394
>         Identification: 0x (0)
>         Flags: 0x04 (Don't Fragment)
>             0... = Reserved bit: Not set
>             .1.. = Don't fragment: Set
>             ..0. = More fragments: Not set
>         Fragment offset: 0
>         Time to live: 64
>         Protocol: UDP (0x11)
>         Header checksum: 0x622c [correct]
>             [Good: True]
>             [Bad : False]
>         Source: internal.sip.proxy.test (192.168.1.7)
>         Destination: external.sip.proxy.example (external.sip.proxy.example)
>     User Datagram Protocol, Src Port: 6060 (6060), Dst Port: 5060 (5060)
>         Source port: 6060 (6060)
>         Destination port: 5060 (5060)
>         Length: 1374
>         Checksum: 0x1eac [correct]
>     Session Initiation Protocol
>         Request-Line: INVITE sip:[EMAIL PROTECTED] SIP/2.0
>             Method: INVITE
>             [Resent Packet: False]
>     [Snipped away rest of the SIP-content!]
> The external.sip.proxy.example sends the following response back:
>
>     Frame 205259 (805 bytes on wire, 805 bytes captured)
>         Arrival Time: May 8, 2007 16:58:45.716547000
>         [Time delta from previous packet: 0.001168000 seconds]
>         [Time since reference or first frame: 8590.344749000 seconds]
>         Frame Number: 205259
>         Packet Length: 805 bytes
>         Capture Length: 805 bytes
>         [Frame is marked: True]
>         [Protocols in frame: pflog:ip:udp:sip]
>     PF Log IPv4 passed on bge0 by rule 14
>         Header Length: 61
>         Address Family: IPv4 (2)
>         Action: passed (0)
>         Reason: match (0)
>         Interface: bge0
>         Ruleset:
>         Rule Number: 14
>         Sub Rule Number: -1
>         Direction: Unknown (255)
>     Internet Protocol, Src: external.sip.proxy.example (external.sip.proxy.example), Dst: internal.sip.proxy.test (192.168.1.7)
>         Version: 4
>         Header length: 20 bytes
>         Differentiated Services Field: 0x10 (DSCP 0x04:
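As an added example that is not part of the thread: the pflog decodes above only report "rule 46" (on bge1) and "rule 14" (on bge0), and the way to see which pf.conf lines those are is the "@N" prefix that "pfctl -vvsr" prints in front of every loaded rule. This script does that mapping; the pfctl output, the tcpdump pflog lines and the address 198.51.100.10 (standing in for external.sip.proxy.example) are constructed samples, so it runs without pf.

```shell
#!/bin/sh
# Added example (not from the thread): pflog only reports "rule N"; the matching
# rule text is found via the "@N" prefix that `pfctl -vvsr` puts on every rule.
# Both inputs below are constructed stand-ins with the real tools' shapes, so
# the script runs without pf. Live use: PFCTL_RULES=$(pfctl -vvsr), and
# PFLOG_LINES from `tcpdump -n -e -ttt -i pflog0` (or -r /var/log/pflog).

# Constructed `pfctl -vvsr` output: rule lines start with @N, counters follow.
PFCTL_RULES='@13 block return in log all
  [ Evaluations: 5012      Packets: 120       Bytes: 9200      States: 0     ]
@14 pass in log on bge0 inet proto udp from 198.51.100.10 port = 5060 to 192.168.1.7 port = 6060 tag VoIP2 keep state
  [ Evaluations: 812       Packets: 2         Bytes: 2263      States: 1     ]
@46 pass quick on bge1 all
  [ Evaluations: 40122     Packets: 39000     Bytes: 41000000  States: 30    ]'

# Constructed pflog lines as tcpdump prints them (198.51.100.10 stands in for
# external.sip.proxy.example; the thread's decodes show rules 46 and 14).
PFLOG_LINES='May 08 16:58:45.715379 rule 46/(match) pass in on bge1: 192.168.1.7.6060 > 198.51.100.10.5060: udp 1366
May 08 16:58:45.716547 rule 14/(match) pass in on bge0: 198.51.100.10.5060 > 192.168.1.7.6060: udp 777'

# rule_text N: print the rule carrying "@N", without the "@N " prefix.
# A number missing from the ruleset (typically reloaded since the packet was
# logged) is reported rather than silently printed as an empty line.
rule_text() {
    out=$(printf '%s\n' "$PFCTL_RULES" |
        awk -v n="$1" '$1 == ("@" n) { sub(/^@[0-9]+ /, ""); print; exit }')
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
    else
        printf '(rule %s not in the loaded ruleset; reloaded since the log?)\n' "$1"
    fi
}

# pflog_rule_numbers: distinct rule numbers seen in the pflog lines, ascending.
pflog_rule_numbers() {
    printf '%s\n' "$PFLOG_LINES" |
        sed -n 's/.* rule \([0-9][0-9]*\)\/.*/\1/p' | sort -un
}

# explain_pflog: one "N: <rule text>" line per distinct logged rule number.
explain_pflog() {
    for n in $(pflog_rule_numbers); do
        printf '%s: %s\n' "$n" "$(rule_text "$n")"
    done
}

explain_pflog
```

Rule numbers in pflog refer to the ruleset that was loaded when the packet was logged, so run the correlation against the same ruleset (or reload and re-capture) before trusting the mapping.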
Re: Redirected packet from pf is lost
On Wed, May 09, 2007 at 09:08:58AM -0600, Steve Williams wrote:
> Check out a (very) recent thread initiated by myself with the subject
> "rdr on bridge interface possible? (squid transparent proxy on bridge)".
> There are a few suggestions there, none of which have worked for me. I
> have no idea why it's not working for me. Let me know if you get it
> working!

Steve, I only posted a single rule before. Here are all the relevant parts...

    ext_if=de0   # this if has an IP address

    rdr on $ext_if inet proto tcp from <spamd> to port smtp \
        -> 127.0.0.1 port spamd
    pass in on $ext_if route-to lo0 inet proto tcp to 127.0.0.1 port spamd

Note that the pass/route-to rule targets the *destination* of the rdr...

--
Darrin Chandler            |  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]          |  http://phxbug.org/      |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation