PF: divert-to with bridge

2019-08-15 Thread Olivier Cherrier
Hi,

I'm experiencing a similar issue to
https://marc.info/?l=openbsd-misc&m=136934201423696&w=2
with -current on an i386 APU2.

The problem is that the divert-to rule is not working on interfaces that are
part of a bridge(4).

Is it a known issue?

Thank you,
Best

-- 
Olivier Cherrier
Phone: +352691754777
mailto:o...@symacx.com



Re: divert-to with bridge

2013-05-27 Thread Luiz Gustavo S. Costa
Hello Patrick!

Yes, I could not make it work; I'm using another environment that is working:

FreeBSD 9.1-RELEASE with a patch to use FORWARD and bridge

The patch:
http://www.mundounix.com.br/~gugabsd/tproxy_bridge_ipfw-9.1-RELEASE.diff

Apply it over a complete src tree of FreeBSD 9.1-RELEASE.

I use ipfw for the forward; the rules are:

ipfw add 100 fwd 127.0.0.1,3128 tcp from $lan_net to any 80 via em1
ipfw add 100 fwd 127.0.0.1 tcp from any 80 to $lan_net via em0

em0 = WAN interface
em1 = LAN interface

With this, it works 100%!

You can use squid 3.4HEAD or Lusca (from ports) with a TPROXY environment.

To use squid 3.4HEAD, I made a port config (FreeBSD):
http://www.mundounix.com.br/~gugabsd/squid34devel.tgz

Original patch: http://loos.no-ip.org/lusca_tproxy.diff

On Sun, 26 May 2013 18:07:38 +0200
Patrick Wildt m...@patrick-wildt.de wrote:

> Hi Luiz,
>
> I actually have seen that on a bridge setup I had, too.
>
> Although the divert-to points to localhost, I see the packet trying to pass
> out on the interface to the original destination, as your data shows, too.
> No idea why that's happening though.
>
> \Patrick
>
> On 23.05.2013 at 22:45, Luiz Gustavo S. Costa
> luizgust...@mundounix.com.br wrote:
>
> > Hi List!
> >
> > I'm trying to implement a firewall with squid TPROXY in an environment with
> > a bridge.
> >
> > vio0 = external if
> > vio1 = internal if
> > bridge0 = (vio0 + vio1)
> >
> > I have these rules; the connections pass through it, but nothing arrives on
> > the divert-to side (I did tests with nc -l 3128).
> >
> > [17:31:25] root:logs # cat /etc/pf.conf
> > pass in log quick on vio1 inet proto tcp from any to any port 80 divert-to 127.0.0.1 port 3128
> >
> > pass out log quick on vio0 inet proto tcp from any to any port 80 divert-reply
> >
> > pass all
> >
> > [17:39:40] root:~ # pfctl -vvsr
> > @0 pass in log quick on vio1 inet proto tcp from any to any port = 80 flags S/SA divert-to 127.0.0.1 port 3128
> >   [ Evaluations: 92        Packets: 194       Bytes: 43964       States: 1     ]
> >   [ Inserted: uid 0 pid 22438 State Creations: 21    ]
> > @1 pass out log quick on vio0 inet proto tcp from any to any port = 80 flags S/SA divert-reply
> >   [ Evaluations: 49        Packets: 194       Bytes: 43964       States: 1     ]
> >   [ Inserted: uid 0 pid 22438 State Creations: 21    ]
> > @2 pass all flags S/SA
> >   [ Evaluations: 50        Packets: 93        Bytes: 13453       States: 6     ]
> >   [ Inserted: uid 0 pid 22438 State Creations: 50    ]
> >
> > [17:35:54] root:~ # tcpdump -n -e -ttt -i pflog0
> > tcpdump: WARNING: snaplen raised from 116 to 160
> > tcpdump: listening on pflog0, link-type PFLOG
> > May 23 17:36:13.429174 rule 0/(match) pass in on vio1: 192.168.15.13.38330 > 74.125.234.238.80: S 2238109532:2238109532(0) win 14600 <mss 1460,sackOK,timestamp 45163358 0,nop,wscale 7> (DF)
> > tcpdump: WARNING: compensating for unaligned libpcap packets
> > May 23 17:36:13.429228 rule 1/(match) pass out on vio0: 192.168.15.13.38330 > 74.125.234.238.80: S 2238109532:2238109532(0) win 14600 <mss 1460,sackOK,timestamp 45163358 0,nop,wscale 7> (DF)
> >
> > But the nc command is not receiving any packet or connection.
> >
> > Is divert-to not working with bridge?
> >
> > My reference is this:
> > http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf
> >
> > Thanks
> >
> > ---
> > Luiz Gustavo Costa (Powered by BSD)
> > *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+
> > mundoUnix - Consultoria em Software Livre
> > http://www.mundounix.com.br
> > ICQ: 2890831 / MSN: cont...@mundounix.com.br
> > Tel: 55 (21) 4063-7110 / 8194-1905 / (11) 4063-0407
> > Blog: http://www.luizgustavo.pro.br
>
 


---
Luiz Gustavo Costa (Powered by BSD)
*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+
mundoUnix - Consultoria em Software Livre
http://www.mundounix.com.br
ICQ: 2890831 / MSN: cont...@mundounix.com.br
Tel: 55 (21) 4063-7110 / 8194-1905 / (11) 4063-0407
Blog: http://www.luizgustavo.pro.br



Re: divert-to with bridge

2013-05-27 Thread David Coppa
On Mon, May 27, 2013 at 3:43 PM, Luiz Gustavo S. Costa
luizgust...@mundounix.com.br wrote:
> Hello Patrick!
>
> Yes, I could not make it work; I'm using another environment that is working:
>
> FreeBSD 9.1-RELEASE with a patch to use FORWARD and bridge

Sure, but this is misc@openbsd.org, an *OpenBSD related* mailing list.



Re: divert-to with bridge

2013-05-27 Thread Luiz Gustavo S. Costa
On Mon, 27 May 2013 15:54:23 +0200
David Coppa dco...@gmail.com wrote:

 
> Sure, but this is misc@openbsd.org, an *OpenBSD related* mailing list.

Sorry David,

My intention is to supplement information.

Thank you!


---
Luiz Gustavo Costa (Powered by BSD)
*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+
mundoUnix - Consultoria em Software Livre
http://www.mundounix.com.br
ICQ: 2890831 / MSN: cont...@mundounix.com.br
Tel: 55 (21) 4063-7110 / 8194-1905 / (11) 4063-0407
Blog: http://www.luizgustavo.pro.br



Re: divert-to with bridge

2013-05-26 Thread Patrick Wildt
Hi Luiz,

I actually have seen that on a bridge setup I had, too.

Although the divert-to points to localhost, I see the packet trying to pass out 
on the interface to the original destination, as your data shows, too.
No idea why that's happening though.

\Patrick

On 23.05.2013 at 22:45, Luiz Gustavo S. Costa
luizgust...@mundounix.com.br wrote:

> Hi List!
>
> I'm trying to implement a firewall with squid TPROXY in an environment with
> a bridge.
>
> vio0 = external if
> vio1 = internal if
> bridge0 = (vio0 + vio1)
>
> I have these rules; the connections pass through it, but nothing arrives on
> the divert-to side (I did tests with nc -l 3128).
>
> [17:31:25] root:logs # cat /etc/pf.conf
> pass in log quick on vio1 inet proto tcp from any to any port 80 divert-to 127.0.0.1 port 3128
>
> pass out log quick on vio0 inet proto tcp from any to any port 80 divert-reply
>
> pass all
>
> [17:39:40] root:~ # pfctl -vvsr
> @0 pass in log quick on vio1 inet proto tcp from any to any port = 80 flags S/SA divert-to 127.0.0.1 port 3128
>   [ Evaluations: 92        Packets: 194       Bytes: 43964       States: 1     ]
>   [ Inserted: uid 0 pid 22438 State Creations: 21    ]
> @1 pass out log quick on vio0 inet proto tcp from any to any port = 80 flags S/SA divert-reply
>   [ Evaluations: 49        Packets: 194       Bytes: 43964       States: 1     ]
>   [ Inserted: uid 0 pid 22438 State Creations: 21    ]
> @2 pass all flags S/SA
>   [ Evaluations: 50        Packets: 93        Bytes: 13453       States: 6     ]
>   [ Inserted: uid 0 pid 22438 State Creations: 50    ]
>
> [17:35:54] root:~ # tcpdump -n -e -ttt -i pflog0
> tcpdump: WARNING: snaplen raised from 116 to 160
> tcpdump: listening on pflog0, link-type PFLOG
> May 23 17:36:13.429174 rule 0/(match) pass in on vio1: 192.168.15.13.38330 > 74.125.234.238.80: S 2238109532:2238109532(0) win 14600 <mss 1460,sackOK,timestamp 45163358 0,nop,wscale 7> (DF)
> tcpdump: WARNING: compensating for unaligned libpcap packets
> May 23 17:36:13.429228 rule 1/(match) pass out on vio0: 192.168.15.13.38330 > 74.125.234.238.80: S 2238109532:2238109532(0) win 14600 <mss 1460,sackOK,timestamp 45163358 0,nop,wscale 7> (DF)
>
> But the nc command is not receiving any packet or connection.
>
> Is divert-to not working with bridge?
>
> My reference is this:
> http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf
>
> Thanks
>
> ---
> Luiz Gustavo Costa (Powered by BSD)
> *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+
> mundoUnix - Consultoria em Software Livre
> http://www.mundounix.com.br
> ICQ: 2890831 / MSN: cont...@mundounix.com.br
> Tel: 55 (21) 4063-7110 / 8194-1905 / (11) 4063-0407
> Blog: http://www.luizgustavo.pro.br



divert-to with bridge

2013-05-23 Thread Luiz Gustavo S. Costa
Hi List!

I'm trying to implement a firewall with squid TPROXY in an environment with
a bridge.

vio0 = external if
vio1 = internal if
bridge0 = (vio0 + vio1)

I have these rules; the connections pass through it, but nothing arrives on
the divert-to side (I did tests with nc -l 3128).

[17:31:25] root:logs # cat /etc/pf.conf
pass in log quick on vio1 inet proto tcp from any to any port 80 divert-to 127.0.0.1 port 3128

pass out log quick on vio0 inet proto tcp from any to any port 80 divert-reply

pass all

[17:39:40] root:~ # pfctl -vvsr
@0 pass in log quick on vio1 inet proto tcp from any to any port = 80 flags S/SA divert-to 127.0.0.1 port 3128
  [ Evaluations: 92        Packets: 194       Bytes: 43964       States: 1     ]
  [ Inserted: uid 0 pid 22438 State Creations: 21    ]
@1 pass out log quick on vio0 inet proto tcp from any to any port = 80 flags S/SA divert-reply
  [ Evaluations: 49        Packets: 194       Bytes: 43964       States: 1     ]
  [ Inserted: uid 0 pid 22438 State Creations: 21    ]
@2 pass all flags S/SA
  [ Evaluations: 50        Packets: 93        Bytes: 13453       States: 6     ]
  [ Inserted: uid 0 pid 22438 State Creations: 50    ]

[17:35:54] root:~ # tcpdump -n -e -ttt -i pflog0
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
May 23 17:36:13.429174 rule 0/(match) pass in on vio1: 192.168.15.13.38330 > 74.125.234.238.80: S 2238109532:2238109532(0) win 14600 <mss 1460,sackOK,timestamp 45163358 0,nop,wscale 7> (DF)
tcpdump: WARNING: compensating for unaligned libpcap packets
May 23 17:36:13.429228 rule 1/(match) pass out on vio0: 192.168.15.13.38330 > 74.125.234.238.80: S 2238109532:2238109532(0) win 14600 <mss 1460,sackOK,timestamp 45163358 0,nop,wscale 7> (DF)

But the nc command is not receiving any packet or connection.

Is divert-to not working with bridge?

My reference is this:
http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf

Thanks

---
Luiz Gustavo Costa (Powered by BSD)
*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+
mundoUnix - Consultoria em Software Livre
http://www.mundounix.com.br
ICQ: 2890831 / MSN: cont...@mundounix.com.br
Tel: 55 (21) 4063-7110 / 8194-1905 / (11) 4063-0407
Blog: http://www.luizgustavo.pro.br
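The receiving side of the divert-to rule in the post, as an added example in C; it is not code from the thread or from squid. It binds 127.0.0.1:3128 as the rule expects and recovers the address the client really dialed from getsockname() on the accepted socket, which is what a transparent proxy forwards to. The pf rule quoted in its header comment and the loopback self-test are constructed for this example. Started next to the rule on a routed OpenBSD host it prints one line per intercepted connection; on a bridge member nothing is ever accepted, consistent with the pflog lines above, where the SYN leaves through vio0 instead of reaching the socket.

```c
/*
 * divert_recv.c: listening side of the post's divert-to rule, which expects a
 * socket on 127.0.0.1:3128 (rule and self-test constructed for this example):
 *
 *   pass in quick on vio1 inet proto tcp to port 80 divert-to 127.0.0.1 port 3128
 *
 * pf delivers the diverted packet with its destination address untouched, so
 * getsockname() on the accepted socket yields the address the client dialed.
 */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

struct endpoint {
    char ip[INET_ADDRSTRLEN];
    int  port;
};

static void to_endpoint(const struct sockaddr_in *sa, struct endpoint *e)
{
    inet_ntop(AF_INET, &sa->sin_addr, e->ip, sizeof(e->ip));
    e->port = ntohs(sa->sin_port);
}

/* Bind and listen on ip:port (port 0 = any free port). Returns fd or -1. */
int divert_listen(const char *ip, int port)
{
    struct sockaddr_in sa;
    int fd, on = 1;

    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port   = htons((uint16_t)port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1)
        return -1;
    if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on));
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Accept one diverted connection: client = who dialed, orig_dst = what they
 * dialed (from getsockname, not the 127.0.0.1:3128 we bound). fd or -1. */
int divert_accept(int lfd, struct endpoint *client, struct endpoint *orig_dst)
{
    struct sockaddr_in peer, local;
    socklen_t plen = sizeof(peer), llen = sizeof(local);
    int c;

    if ((c = accept(lfd, (struct sockaddr *)&peer, &plen)) < 0)
        return -1;
    if (getsockname(c, (struct sockaddr *)&local, &llen) < 0) {
        close(c);
        return -1;
    }
    to_endpoint(&peer, client);
    to_endpoint(&local, orig_dst);
    /* A real proxy would now connect() to orig_dst and relay both ways. */
    return c;
}

/* Loopback self-test, no pf involved: dial our own listener and check that the
 * reported original destination is the listener's address. 1 = ok, 0 = fail. */
int divert_selftest(void)
{
    struct sockaddr_in la;
    socklen_t ll = sizeof(la);
    struct endpoint cl, dst;
    int lfd, cfd, afd, ok = 0;

    if ((lfd = divert_listen("127.0.0.1", 0)) < 0)
        return 0;
    if (getsockname(lfd, (struct sockaddr *)&la, &ll) < 0 ||
        (cfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        close(lfd);
        return 0;
    }
    /* The handshake completes in the backlog, so accept() can follow connect(). */
    if (connect(cfd, (struct sockaddr *)&la, sizeof(la)) == 0 &&
        (afd = divert_accept(lfd, &cl, &dst)) >= 0) {
        ok = strcmp(dst.ip, "127.0.0.1") == 0 && dst.port == ntohs(la.sin_port) &&
             strcmp(cl.ip, "127.0.0.1") == 0;
        close(afd);
    }
    close(cfd);
    close(lfd);
    return ok;
}

int main(void)
{
    struct endpoint cl, dst;
    int c, lfd = divert_listen("127.0.0.1", 3128);

    if (lfd < 0) {
        perror("divert_listen");
        return 1;
    }
    while ((c = divert_accept(lfd, &cl, &dst)) >= 0) {
        printf("%s:%d dialed %s:%d\n", cl.ip, cl.port, dst.ip, dst.port);
        close(c);
    }
    return 0;
}
```

The self-test only proves the getsockname() mechanism over loopback; whether pf actually delivers anything to the socket is what the thread is about, and that has to be checked with the listener running next to the rule.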



Re: SO_BINDANY and PF's divert-reply on bridge

2009-03-14 Thread Mij
May I draw attention again to this problem :)

PF cannot route the packet back to the socket when using the divert-reply
option if a bridge(4) runs over the interface of arrival. Can anything be
done about this? Otherwise, it would be good to document this in pf.conf(5),
along with the inapplicability of the SO_BINDANY option in setsockopt(2).


> Hello folks,
>
> On a vanilla OpenBSD4.4/i386, I am using the attached spoof.c program
> to connect to an address pretending to be a source IP that is not
> actually configured on the OpenBSD box.
> I use the SO_BINDANY socket option for spoofing, and PF is configured
> accordingly (see attached pf.conf).
>
> When I run e.g.
>
> spoof 1.2.3.4 192.168.2.3
>
> in a normal network setup, spoof actually terminates with a "Connection
> refused" as expected. However, if I switch the box to the bridged setup I
> need, spoof hangs until a timeout is reached. The bridged setup is as follows:
> - a pair of interfaces $int_if and $ext_if, members of a bridge0
> - $ext_if is configured with an address of its own to access the inet
> - to $int_if there is connected a client, with an address of its own, that
>   passes through the bridge to connect to the internet
> - spoof generates a SYN packet which is written to both $ext_if and $int_if,
>   and the response arrives from the client only on $int_if
>
> A tcpdump on pflog0 run selectively on the divert-reply rule indicates
> that both request AND response packets are actually picked up by that
> rule, but the latter is apparently not actually passed to the socket.
> At the same time, a tcpdump over $ext_if indicates that the response from
> the client is copied there.
> My intuition is that the packet proceeds through the kernel after the
> divert-reply and there it is captured by the bridge(4) driver, thus not
> making it to the socket.
> In this case, none of the routing rules seems applicable to prevent the
> packet from proceeding through that flow. Is there another possibility, or
> is divert-reply inapplicable when combined with bridge(4)?
>
> Any other insight is welcome.
> thanks
>
> [demime 1.01d removed an attachment of type application/octet-stream which
> had a name of spoof.c]
>
> [demime 1.01d removed an attachment of type application/octet-stream which
> had a name of pf.conf]



SO_BINDANY and PF's divert-reply on bridge

2009-03-06 Thread Mij
Hello folks,

On a vanilla OpenBSD4.4/i386, I am using the attached spoof.c program
to connect to an address pretending to be a source IP that is not
actually configured on the OpenBSD box.
I use the SO_BINDANY socket option for spoofing, and PF is configured
accordingly (see attached pf.conf).

When I run e.g.

spoof 1.2.3.4 192.168.2.3

in a normal network setup, spoof actually terminates with a "Connection
refused" as expected. However, if I switch the box to the bridged setup I
need, spoof hangs until a timeout is reached. The bridged setup is as follows:
- a pair of interfaces $int_if and $ext_if, members of a bridge0
- $ext_if is configured with an address of its own to access the inet
- to $int_if there is connected a client, with an address of its own, that
  passes through the bridge to connect to the internet
- spoof generates a SYN packet which is written to both $ext_if and $int_if,
  and the response arrives from the client only on $int_if

A tcpdump on pflog0 run selectively on the divert-reply rule indicates
that both request AND response packets are actually picked up by that
rule, but the latter is apparently not actually passed to the socket.
At the same time, a tcpdump over $ext_if indicates that the response from
the client is copied there.
My intuition is that the packet proceeds through the kernel after the
divert-reply and there it is captured by the bridge(4) driver, thus not
making it to the socket.
In this case, none of the routing rules seems applicable to prevent the
packet from proceeding through that flow. Is there another possibility, or
is divert-reply inapplicable when combined with bridge(4)?

Any other insight is welcome.
thanks

[demime 1.01d removed an attachment of type application/octet-stream which
had a name of spoof.c]

[demime 1.01d removed an attachment of type application/octet-stream which
had a name of pf.conf]
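What a program like spoof.c does, as an added C reconstruction: the attachment was stripped by the archive, so this is not Mij's code. It opens a TCP connection while claiming a source address that is not configured locally, which takes SO_BINDANY on OpenBSD and, assumed here so the file also builds on Linux, IP_TRANSPARENT there; both need root, and the divert-reply rule in the header comment is constructed. The result codes separate the two outcomes the post contrasts: a prompt "Connection refused" in the routed setup, and the hang in the bridged one, which this version bounds with a timeout. That the reply is switched out of the other bridge member instead of reaching the socket is my reading of the report, not a cause the thread confirms.

```c
/*
 * spoof.c, reconstructed: connect to dst:port claiming src as source address
 * even when src is not configured locally.  Needs root plus SO_BINDANY
 * (OpenBSD) or IP_TRANSPARENT (Linux, assumed), and on OpenBSD a pf rule
 * such as (constructed):   pass out quick inet proto tcp from 1.2.3.4 divert-reply
 * so replies are steered to this socket.  With bind_any == 0 no option is
 * set, src must be local, and the function runs unprivileged over loopback.
 */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum spoof_result { SPOOF_OK, SPOOF_REFUSED, SPOOF_TIMEOUT, SPOOF_NOPRIV, SPOOF_ERROR };

static int make_addr(const char *ip, int port, struct sockaddr_in *sa)
{
    memset(sa, 0, sizeof(*sa));
    sa->sin_family = AF_INET;
    sa->sin_port   = htons((uint16_t)port);
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1 ? 0 : -1;
}

/* Let bind() accept a non-local address. */
static int set_bindany(int fd)
{
    int on = 1;
#if defined(SO_BINDANY)
    return setsockopt(fd, SOL_SOCKET, SO_BINDANY, &on, sizeof(on));
#elif defined(IP_TRANSPARENT)
    return setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &on, sizeof(on));
#else
    (void)fd; (void)on;
    errno = ENOPROTOOPT;
    return -1;
#endif
}

enum spoof_result spoof_connect(const char *src, const char *dst, int port,
                                int bind_any, int timeout_ms, int *fd_out)
{
    struct sockaddr_in sa_src, sa_dst;
    struct pollfd pfd;
    socklen_t elen = sizeof(int);
    int fd, err = 0;

    if (make_addr(src, 0, &sa_src) < 0 || make_addr(dst, port, &sa_dst) < 0)
        return SPOOF_ERROR;
    if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        return SPOOF_ERROR;
    if (bind_any && set_bindany(fd) < 0) {
        close(fd);
        return (errno == EPERM || errno == EACCES) ? SPOOF_NOPRIV : SPOOF_ERROR;
    }
    if (bind(fd, (struct sockaddr *)&sa_src, sizeof(sa_src)) < 0) {
        close(fd);
        return SPOOF_ERROR;
    }
    /* Non-blocking connect: a reply that never reaches the socket becomes a
     * bounded SPOOF_TIMEOUT instead of an open-ended hang. */
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK);
    if (connect(fd, (struct sockaddr *)&sa_dst, sizeof(sa_dst)) < 0 && errno != EINPROGRESS) {
        err = errno;
    } else {
        pfd.fd = fd; pfd.events = POLLOUT; pfd.revents = 0;
        if (poll(&pfd, 1, timeout_ms) == 0) {
            close(fd);
            return SPOOF_TIMEOUT;
        }
        getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &elen);
    }
    if (err == 0) {
        if (fd_out) *fd_out = fd; else close(fd);
        return SPOOF_OK;
    }
    close(fd);
    return err == ECONNREFUSED ? SPOOF_REFUSED : SPOOF_ERROR;
}

/* Helper for exercising the above without pf: a loopback listener on a free
 * port. Close it again and the same port yields SPOOF_REFUSED. */
int listen_loopback(int *port_out)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof(sa);
    int fd;

    if (make_addr("127.0.0.1", 0, &sa) < 0 || (fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        return -1;
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0 || listen(fd, 4) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) {
        close(fd);
        return -1;
    }
    *port_out = ntohs(sa.sin_port);
    return fd;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s src-ip dst-ip port\n", argv[0]);
        return 2;
    }
    /* 0 = connected, 1 = refused, 2 = timeout, 3 = no privilege, 4 = error */
    int r = spoof_connect(argv[1], argv[2], atoi(argv[3]), 1, 5000, NULL);
    printf("result %d\n", r);
    return r == SPOOF_OK ? 0 : 1;
}
```

Run as root with bind_any set (the main above), `spoof 1.2.3.4 192.168.2.3 80` reproduces the experiment in the post; SPOOF_REFUSED is the routed-setup outcome, SPOOF_TIMEOUT the bridged one. The unprivileged loopback path exists only so the state machine can be checked without pf.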