Re: problems passing radius traffic through pf

2008-03-10 Thread Nigel J. Taylor
You haven't really supplied enough information; the full pf.conf and
firewall IP addresses would have been better. This is a slight guess at
what's wrong.

You say the request is from the access point to the radius server, so I would expect
to see a rule like this in your pf.conf

pass in on $ proto udp from 10.50.3.11 to 172.30.30.5 port 1812

The pass rule keeps state, allowing the return udp traffic. What
you're seeing is blocked return udp traffic, because the udp state is
established in the opposite direction, the pass is ignored. It looks like
you have the rule on the wrong interface also. The other interfaces are
missing as the full pf.conf was not supplied. You might have to pass port 1813
also, replacing 1812 with { 1812, 1813 }.

Regards

Nigel Taylor

[EMAIL PROTECTED] wrote:
 I have a Domain Controller in a DMZ which is handling radius requests from
 my access point.  I'm having problems passing the radius information
 successfully through pf.  The pf box is a soekris running 4.1.
 
 Mar 09 09:58:56.467664 rule 3/(match) block in on sis4: 172.30.30.5.1812 >
 10.50.3.11.2055: Axs! id:1 [1477] [|radius] (frag 25868:[EMAIL PROTECTED])
 Mar 09 09:58:56.467745 rule 3/(match) block in on sis4: 172.30.30.5 >
 10.50.3.11: (frag 25868:[EMAIL PROTECTED])
 
 # more /etc/pf.conf | grep pix_if
 pix_if = sis4
 pass quick log on $pix_if from any to 10.50.3.11
 block in log on $pix_if
 pass out on $pix_if
 
 In this case, 172.30.30.5 is my radius server, and 10.50.3.11 is my access
 point.  Even though I am logging the pass rule, I do not see it getting
 hit through tcpdump.  If I take out the block in log on $pix_if, radius
 information flows ok.
 
 Thanks,
 
 runelind at runelind dot net



Re: problems passing radius traffic through pf

2008-03-10 Thread Stuart Henderson
On 2008-03-09, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 I have a Domain Controller in a DMZ which is handling radius requests from
 my access point.  I'm having problems passing the radius information
 successfully through pf.  The pf box is a soekris running 4.1.

 Mar 09 09:58:56.467664 rule 3/(match) block in on sis4: 172.30.30.5.1812 >
 10.50.3.11.2055: Axs! id:1 [1477] [|radius] (frag 25868:[EMAIL PROTECTED])
 Mar 09 09:58:56.467745 rule 3/(match) block in on sis4: 172.30.30.5 >
 10.50.3.11: (frag 25868:[EMAIL PROTECTED])

I think it may be connected with the fragments, please have a look at
pf.conf(5) about fragment reassembly/scrub. It might be useful to turn on
extended logging (pfctl -xmisc) and check syslog.

 # more /etc/pf.conf | grep pix_if

scrub rules are certainly relevant here.. it's generally useful if you can
send a whole config, preferably reduced to the minimum that shows the problem
(I am sure many people fix things in the process of doing this anyway :-)
preferably with rule numbers (pfctl -sr -vv) to match against the tcpdump
output.
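An added helper, not from the thread, that does the correlation Stuart suggests: it parses pflog tcpdump lines and a `pfctl -sr -vv` listing, joins them on the rule number, and flags non-first fragments, which carry no UDP header and so cannot match a port-based rule unless pf reassembles them (scrub). Both inputs are constructed samples modelled on the post; the fragment values and the `@2`/`@3`/`@4` rule numbers are assumptions.

```python
import re
# Constructed sample of `tcpdump -n -e -ttt -i pflog0` output, modelled on the
# lines in the post; the frag id:size@offset values are made up but well formed.
PFLOG = """\
Mar 09 09:58:56.467664 rule 3/(match) block in on sis4: 172.30.30.5.1812 > 10.50.3.11.2055: Axs! id:1 [1477] [|radius] (frag 25868:1480@0+)
Mar 09 09:58:56.467745 rule 3/(match) block in on sis4: 172.30.30.5 > 10.50.3.11: (frag 25868:24@1480)
Mar 09 09:58:57.010000 rule 2/(match) pass in on sis4: 10.50.3.11.2055 > 172.30.30.5.1812: Axs? id:2 [200] [|radius]
"""

# Constructed `pfctl -sr -vv` listing; the @N numbers are what pflog's "rule N"
# refers to, and the counter lines are skipped by the parser.
PFCTL_SR = """\
@2 pass quick log on sis4 inet from any to 10.50.3.11
  [ Evaluations: 12  Packets: 1  Bytes: 240  States: 0 ]
@3 block drop in log on sis4 all
@4 pass out on sis4 all
"""
LOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\(match\) (?P<action>pass|block) (?P<dir>in|out) on (?P<ifc>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:(?P<rest>.*)$")
FRAG_RE = re.compile(r"\(frag (?P<id>\d+):(?P<size>\d+)@(?P<off>\d+)(?P<more>\+?)\)")

def parse_pflog(text):
    """Turn pflog tcpdump lines into dicts; rule is an int, ports are int or None."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        e["rule"] = int(e["rule"])
        for k in ("sport", "dport"):
            e[k] = int(e[k]) if e[k] else None
        f = FRAG_RE.search(e.pop("rest"))
        # Offset > 0 marks a non-first fragment: it carries no UDP header, so a
        # port-based rule cannot match it unless pf reassembles first (scrub).
        e["frag_offset"] = int(f["off"]) if f else None
        out.append(e)
    return out

def parse_rules(text):
    """Map rule number -> rule text from `pfctl -sr -vv` output."""
    return {int(m[1]): m[2] for m in re.finditer(r"^@(\d+) (.+)$", text, re.M)}

def blocked_report(entries, rules):
    """One row per blocked packet: (rule no, rule text, src, dst, non-first fragment?)."""
    return [(e["rule"], rules.get(e["rule"], "?"), e["src"], e["dst"],
             bool(e["frag_offset"])) for e in entries if e["action"] == "block"]
```

Feed it real `tcpdump -n -e -ttt -i pflog0` and `pfctl -sr -vv` output and every blocked line comes back with the rule text that hit it; a True in the last column is a fragment that no port rule could ever have matched.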



problems passing radius traffic through pf

2008-03-09 Thread runelind
I have a Domain Controller in a DMZ which is handling radius requests from
my access point.  I'm having problems passing the radius information
successfully through pf.  The pf box is a soekris running 4.1.

Mar 09 09:58:56.467664 rule 3/(match) block in on sis4: 172.30.30.5.1812 >
10.50.3.11.2055: Axs! id:1 [1477] [|radius] (frag 25868:[EMAIL PROTECTED])
Mar 09 09:58:56.467745 rule 3/(match) block in on sis4: 172.30.30.5 >
10.50.3.11: (frag 25868:[EMAIL PROTECTED])

# more /etc/pf.conf | grep pix_if
pix_if = sis4
pass quick log on $pix_if from any to 10.50.3.11
block in log on $pix_if
pass out on $pix_if

In this case, 172.30.30.5 is my radius server, and 10.50.3.11 is my access
point.  Even though I am logging the pass rule, I do not see it getting
hit through tcpdump.  If I take out the block in log on $pix_if, radius
information flows ok.

Thanks,

runelind at runelind dot net