Re: problems passing radius traffic through pf
You haven't really supplied enough information; the full pf.conf and firewall IP addresses would have been better. This is a slight guess at what's wrong.

You say the request is from access point to radius server. I would expect to see a rule like this in your pf.conf:

pass in on $ proto udp from 10.50.3.11 to 172.30.30.5 port 1812

The pass rule keeps the state, allowing the return udp traffic. What you're seeing is blocked return udp traffic: because the udp state is established in the opposite direction, the pass is ignored. Looks like you have the rule on the wrong interface also. The other interfaces are missing, as the full pf.conf was not supplied.

You might have to pass port 1813 also, replacing 1812 by { 1812, 1813 }.

Regards

Nigel Taylor

[EMAIL PROTECTED] wrote:
> I have a Domain Controller in a DMZ which is handling radius requests from my access point. I'm having problems passing the radius information successfully through pf. The pf box is a soekris running 4.1.
>
> Mar 09 09:58:56.467664 rule 3/(match) block in on sis4: 172.30.30.5.1812 > 10.50.3.11.2055: Axs! id:1 [1477] [|radius] (frag 25868:[EMAIL PROTECTED])
> Mar 09 09:58:56.467745 rule 3/(match) block in on sis4: 172.30.30.5 > 10.50.3.11: (frag 25868:[EMAIL PROTECTED])
>
> # more /etc/pf.conf | grep pix_if
> pix_if = sis4
> pass quick log on $pix_if from any to 10.50.3.11
> block in log on $pix_if
> pass out on $pix_if
>
> In this case, 172.30.30.5 is my radius server, and 10.50.3.11 is my access point. Even though I am logging the pass rule, I do not see it getting hit through tcpdump. If I take out the block in log on $pix_if, radius information flows ok.
>
> Thanks,
> runelind at runelind dot net
Re: problems passing radius traffic through pf
On 2008-03-09, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> I have a Domain Controller in a DMZ which is handling radius requests from my access point. I'm having problems passing the radius information successfully through pf. The pf box is a soekris running 4.1.
>
> Mar 09 09:58:56.467664 rule 3/(match) block in on sis4: 172.30.30.5.1812 > 10.50.3.11.2055: Axs! id:1 [1477] [|radius] (frag 25868:[EMAIL PROTECTED])
> Mar 09 09:58:56.467745 rule 3/(match) block in on sis4: 172.30.30.5 > 10.50.3.11: (frag 25868:[EMAIL PROTECTED])

I think it may be connected with the fragments; please have a look at pf.conf(5) about fragment reassembly/scrub. It might be useful to turn on extended logging (pfctl -xmisc) and check syslog.

> # more /etc/pf.conf | grep pix_if

scrub rules are certainly relevant here.. it's generally useful if you can send a whole config, preferably reduced to the minimum that shows the problem (I am sure many people fix things in the process of doing this anyway :-), preferably with rule numbers (pfctl -sr -vv) to match against the tcpdump output.
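The two replies above make separate points: an explicit stateful UDP rule on the interface where the request enters (so the reply rides the state instead of needing its own pass rule), and fragment reassembly so the fragmented Access-Accept can be matched at all. The fragment below is an added example combining both for the addresses in the thread; it is not the original poster's pf.conf and not code from either reply. The interface name for the access-point side ($int_if = sis0) is an assumption; sis4 ($pix_if), 172.30.30.5 and 10.50.3.11 are from the original post.

```pf
# Added example, not the original poster's pf.conf. Assumes the access
# point (10.50.3.11) sits behind $int_if and the RADIUS server
# (172.30.30.5) is reached through $pix_if (sis4), as in the thread.
pix_if     = "sis4"
int_if     = "sis0"          # assumption: interface facing the access point
radius_srv = "172.30.30.5"
ap         = "10.50.3.11"

# Normalization comes before filter rules in the file. Reassembling
# fragments here matters because non-first fragments carry no UDP
# header, so they can match neither a port rule nor an existing state.
scrub in all fragment reassemble

# Default deny on the interface towards the RADIUS server, logged so
# anything still dropped shows up on pflog0.
block in log on $pix_if

# Stateful pass for the request where it enters the firewall. The state
# created by this rule also lets the reply (172.30.30.5:1812 -> 10.50.3.11)
# back in on $pix_if, so no separate "pass in" for the return traffic is
# needed. 1813 is included for accounting. "keep state" is written out
# explicitly so the rule reads the same on releases where it is not the
# default.
pass in log on $int_if proto udp from $ap to $radius_srv \
    port { 1812, 1813 } keep state

# Outbound on the server-facing interface, also stateful.
pass out on $pix_if keep state
```

Check it with `pfctl -nf /etc/pf.conf` before loading, then compare `pfctl -sr -vv` (rule numbers) against `tcpdump -n -e -ttt -i pflog0` while the access point authenticates; a hit on the `block in log on $pix_if` rule after this change would mean the request did not create state on $int_if, i.e. the interface assumption is wrong for the site.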
problems passing radius traffic through pf
I have a Domain Controller in a DMZ which is handling radius requests from my access point. I'm having problems passing the radius information successfully through pf. The pf box is a soekris running 4.1.

Mar 09 09:58:56.467664 rule 3/(match) block in on sis4: 172.30.30.5.1812 > 10.50.3.11.2055: Axs! id:1 [1477] [|radius] (frag 25868:[EMAIL PROTECTED])
Mar 09 09:58:56.467745 rule 3/(match) block in on sis4: 172.30.30.5 > 10.50.3.11: (frag 25868:[EMAIL PROTECTED])

# more /etc/pf.conf | grep pix_if
pix_if = sis4
pass quick log on $pix_if from any to 10.50.3.11
block in log on $pix_if
pass out on $pix_if

In this case, 172.30.30.5 is my radius server, and 10.50.3.11 is my access point. Even though I am logging the pass rule, I do not see it getting hit through tcpdump. If I take out the block in log on $pix_if, radius information flows ok.

Thanks,
runelind at runelind dot net