Re: PF Routing to VPN Device
On Wed, Jun 17, 2009 at 10:31 PM, Mike Sweetser - Adhost mik...@adhost.com wrote:

> Hello,
>
> We have a network with a VPN device sitting beside a PF server, both connected to an internal network.
>
> PF Server: 10.1.4.1
> VPN Device: 10.1.4.200
>
> The VPNs are set up for 10.1.1.0/24 and 10.1.2.0/24, so any traffic to these networks should be routed to 10.1.4.200. We've set up routes on the PF server as such.
>
> We've set up the following rules:
>
> block in log
> pass in on $int_if route-to 10.1.4.200 from 10.1.4.0/24 to { 10.1.1.0/24 10.1.2.0/24 }
>
> However, the block in log is catching the return traffic. From pflog, when somebody on the VPN (10.1.2.105) tries to connect to 10.1.4.25 on port 80:
>
> 00 rule 28/0(match): block in on bge1: 10.1.4.25.80 > 10.1.2.105.3558: [|tcp]
>
> If we remove the block in log, the traffic works.
>
> What are we missing?
>
> Thanks,
> Mike

Hello Mike,

What version of FBSD are you using? The keep state is implicit from 7.0 as far as I know. I might not be right, so someone please correct me. If that is the case, you should add keep state to your rule and see what happens.

my 7c,
v
--
network warrior since 2005

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
RE: PF Routing to VPN Device
-----Original Message-----
From: Valentin Bud [mailto:valentin@gmail.com]
Sent: Thursday, June 18, 2009 1:36 AM
To: Mike Sweetser - Adhost
Cc: freebsd-questions@freebsd.org
Subject: Re: PF Routing to VPN Device

> On Wed, Jun 17, 2009 at 10:31 PM, Mike Sweetser - Adhost mik...@adhost.com wrote:
>
>> Hello,
>>
>> We have a network with a VPN device sitting beside a PF server, both connected to an internal network.
>>
>> PF Server: 10.1.4.1
>> VPN Device: 10.1.4.200
>>
>> The VPNs are set up for 10.1.1.0/24 and 10.1.2.0/24, so any traffic to these networks should be routed to 10.1.4.200. We've set up routes on the PF server as such.
>>
>> We've set up the following rules:
>>
>> block in log
>> pass in on $int_if route-to 10.1.4.200 from 10.1.4.0/24 to { 10.1.1.0/24 10.1.2.0/24 }
>>
>> However, the block in log is catching the return traffic. From pflog, when somebody on the VPN (10.1.2.105) tries to connect to 10.1.4.25 on port 80:
>>
>> 00 rule 28/0(match): block in on bge1: 10.1.4.25.80 > 10.1.2.105.3558: [|tcp]
>>
>> If we remove the block in log, the traffic works.
>>
>> What are we missing?
>>
>> Thanks,
>> Mike
>
> Hello Mike,
>
> What version of FBSD are you using? The keep state is implicit from 7.0 as far as I know. I might not be right, so someone please correct me. If that is the case, you should add keep state to your rule and see what happens.

We're using FreeBSD 7.2.

Mike
Re: PF Routing to VPN Device
On Thu, Jun 18, 2009 at 11:35 AM, Valentin Bud valentin@gmail.com wrote:

> On Wed, Jun 17, 2009 at 10:31 PM, Mike Sweetser - Adhost mik...@adhost.com wrote:
>
>> Hello,
>>
>> We have a network with a VPN device sitting beside a PF server, both connected to an internal network.
>>
>> PF Server: 10.1.4.1
>> VPN Device: 10.1.4.200
>>
>> The VPNs are set up for 10.1.1.0/24 and 10.1.2.0/24, so any traffic to these networks should be routed to 10.1.4.200. We've set up routes on the PF server as such.
>>
>> We've set up the following rules:
>>
>> block in log
>> pass in on $int_if route-to 10.1.4.200 from 10.1.4.0/24 to { 10.1.1.0/24 10.1.2.0/24 }
>>
>> However, the block in log is catching the return traffic. From pflog, when somebody on the VPN (10.1.2.105) tries to connect to 10.1.4.25 on port 80:
>>
>> 00 rule 28/0(match): block in on bge1: 10.1.4.25.80 > 10.1.2.105.3558: [|tcp]
>>
>> If we remove the block in log, the traffic works.
>>
>> What are we missing?
>>
>> Thanks,
>> Mike

Hello Mike,

What version of FBSD are you using? The keep state is implicit from 7.0 AFAIK. So if you are using a version prior to 7.0, you should add keep state so the return traffic can be passed.

v
--
network warrior since 2005
Re: PF Routing to VPN Device
On 6/17/09, Mike Sweetser - Adhost mik...@adhost.com wrote:

> Hello,
>
> We have a network with a VPN device sitting beside a PF server, both connected to an internal network.
>
> PF Server: 10.1.4.1
> VPN Device: 10.1.4.200
>
> The VPNs are set up for 10.1.1.0/24 and 10.1.2.0/24, so any traffic to these networks should be routed to 10.1.4.200. We've set up routes on the PF server as such.
>
> We've set up the following rules:
>
> block in log
> pass in on $int_if route-to 10.1.4.200 from 10.1.4.0/24 to { 10.1.1.0/24 10.1.2.0/24 }
>
> However, the block in log is catching the return traffic. From pflog, when somebody on the VPN (10.1.2.105) tries to connect to 10.1.4.25 on port 80:
>
> 00 rule 28/0(match): block in on bge1: 10.1.4.25.80 > 10.1.2.105.3558: [|tcp]
>
> If we remove the block in log, the traffic works.
>
> What are we missing?
>
> Thanks,
> Mike

Mike,

I know the typical firewall rules that are googleable are one of two basic starting policies:

-- 1.
block in all
pass out all

-- 2.
block all

They've become a headache for me when configuring a firewall, and I now start with this base. In this example, fxp0 is facing the Internet, and xl0 is facing the trusted network.

-- 3.
block in on fxp0 all
pass out

This adds the benefit that VPN connections, TUNs, GIFs, and all other ethernet devices aren't blindly evaluated against a simple block in rule; rather, it's just the fxp0 interface's public Internet traffic that is being blocked, while TUNs, GIFs, and the like are exempt from that rule entry line.

Might you try editing your rules to block just your public IP firewall interface?

Good luck.
PF Routing to VPN Device
Hello,

We have a network with a VPN device sitting beside a PF server, both connected to an internal network.

PF Server: 10.1.4.1
VPN Device: 10.1.4.200

The VPNs are set up for 10.1.1.0/24 and 10.1.2.0/24, so any traffic to these networks should be routed to 10.1.4.200. We've set up routes on the PF server as such.

We've set up the following rules:

block in log
pass in on $int_if route-to 10.1.4.200 from 10.1.4.0/24 to { 10.1.1.0/24 10.1.2.0/24 }

However, the block in log is catching the return traffic. From pflog, when somebody on the VPN (10.1.2.105) tries to connect to 10.1.4.25 on port 80:

00 rule 28/0(match): block in on bge1: 10.1.4.25.80 > 10.1.2.105.3558: [|tcp]

If we remove the block in log, the traffic works.

What are we missing?

Thanks,
Mike
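Added illustration for the question above; this is not code from the thread and not pf itself, but a small model of pf's last-match rule evaluation run against the two posted rules and the packet from the pflog line. It assumes the FreeBSD 7.x defaults for a pass rule (keep state, and flags S/SA for TCP, so state is only created from a packet with SYN set and ACK clear), that $int_if is bge1 as the pflog line suggests, and that the VPN device delivers decapsulated client packets straight to 10.1.4.25 on the shared 10.1.4.0/24 segment, so pf never sees the client's SYN and holds no state when the server's SYN/ACK reply arrives on bge1. The topology and the hostnames and helper names are assumptions made for the example.

```python
"""Toy model of how pf evaluates the ruleset posted in this thread.

Added example, not code from the thread or from pf. Assumed pf defaults on
FreeBSD 7.x for a 'pass' rule: 'keep state' and, for TCP, 'flags S/SA'.
Assumed topology: pf never sees the VPN client's SYN, only the LAN server's
reply entering bge1 on its way to the default gateway.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

INT_IF = "bge1"  # assumed value of $int_if, taken from the pflog line


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str  # "in" or "out"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flags present, e.g. "S", "SA", "A"


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    direction: Optional[str] = None   # None matches both directions
    iface: Optional[str] = None       # None matches any interface
    src_nets: tuple = ("0.0.0.0/0",)
    dst_nets: tuple = ("0.0.0.0/0",)
    flags: Optional[str] = "S/SA"     # TCP default for pass rules; None = 'flags any'
    keep_state: bool = True           # default for pass rules on FreeBSD >= 7.0
    log: bool = False


def flags_match(pkt_flags: str, spec: Optional[str]) -> bool:
    """pf 'flags a/b': of the flags listed in b, exactly those in a must be set."""
    if spec is None:
        return True
    want, mask = spec.split("/")
    return all((f in pkt_flags) == (f in want) for f in mask)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.iface and rule.iface != pkt.iface:
        return False
    if not any(ip_address(pkt.src) in ip_network(n) for n in rule.src_nets):
        return False
    if not any(ip_address(pkt.dst) in ip_network(n) for n in rule.dst_nets):
        return False
    # The flag check only applies where a pass rule would create state.
    return rule.action != "pass" or flags_match(pkt.flags, rule.flags)


@dataclass
class Pf:
    rules: list
    states: set = field(default_factory=set)  # (src, sport, dst, dport), both ways

    def filter(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.states:
            return "pass (state)"
        verdict = Rule("pass", keep_state=False)  # implicit default policy
        for rule in self.rules:                   # last matching rule wins
            if rule_matches(rule, pkt):
                verdict = rule
        if verdict.action == "pass" and verdict.keep_state:
            self.states.add(key)
            self.states.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return verdict.action + (" log" if verdict.log else "")


# The two rules from the post (route-to changes forwarding, not matching).
POSTED_RULES = [
    Rule("block", direction="in", log=True),
    Rule("pass", direction="in", iface=INT_IF, src_nets=("10.1.4.0/24",),
         dst_nets=("10.1.1.0/24", "10.1.2.0/24")),
]

# The packet in the pflog line: the web server's SYN/ACK to the VPN client.
LOGGED_REPLY = Packet(INT_IF, "in", "10.1.4.25", 80, "10.1.2.105", 3558, "SA")


def verdict_with_posted_rules() -> str:
    return Pf(list(POSTED_RULES)).filter(LOGGED_REPLY)  # -> "block log"


def verdict_without_block_rule() -> str:
    return Pf(POSTED_RULES[1:]).filter(LOGGED_REPLY)  # -> "pass"


def verdict_with_scoped_block() -> str:
    # Pattern from the third reply: block inbound only on the public interface.
    rules = [Rule("block", direction="in", iface="fxp0"), Rule("pass", direction="out")]
    return Pf(rules).filter(LOGGED_REPLY)  # -> "pass"


def verdict_for_lan_initiated_flow() -> tuple:
    # The direction the pass rule was written for: a LAN host's SYN towards a
    # VPN subnet matches, creates state, and the reply is passed by that state.
    pf = Pf(list(POSTED_RULES))
    syn = Packet(INT_IF, "in", "10.1.4.25", 40001, "10.1.2.105", 22, "S")
    reply = Packet(INT_IF, "in", "10.1.2.105", 22, "10.1.4.25", 40001, "SA")
    return pf.filter(syn), pf.filter(reply)  # -> ("pass", "pass (state)")
```

With the posted rules the SYN/ACK fails the pass rule's default flags S/SA check and has no state to ride on, so the catch-all block in log is the last match, which is what the pflog line shows; dropping the block rule leaves the implicit default pass, matching the observation that traffic works without it, and scoping the block to the public interface never touches a packet entering bge1.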