Re: PF pass not working (on complex "firewall")

2022-03-06 Thread Szél Gábor

Dear @misc

We found the error!
This is not a PF problem.

I found this:
http://undeadly.org/cgi?action=article=20090127205841

If I modify the ipsec config *from:*
ike active esp from 172.20.123.0/24 to 172.20.122.0/24 \

*to:*
ike active esp from 172.20.123.0/24 *(192.168.123.0/24)* to 172.20.122.0/24 \

the PF rules work correctly.


--
Regards
Gábor Szél

email:gabor.s...@wantax.hu

On 2022-03-05 23:08, Szél Gábor wrote:



PF pass not working (on complex "firewall")

2022-03-06 Thread Szél Gábor

Dear @misc

We have a stupid problem.
On a complex firewall (currently about 1200 rows of PF rules), one PASS rule is not
working.

I do not know why.

There are many VLANs, WAN, LAN interfaces, many ipsec VPNs, CARP 
(master-backup), pfsync, etc ...


PF main rules:
# set
#.
set block-policy drop
set loginterface $ext_wan1_if
set skip on { lo $pfsync_if }
set reassemble no
set timeout { tcp.established 600, tcp.closing 60 }
set optimization aggressive
set ruleset-optimization none
set limit { states 10, src-nodes 10, tables 10, 
table-entries 10 }


# scrub
# -
match on $ext_wan1_if all scrub ( no-df max-mss 1440 random-id )

#. antispoof
#. 
antispoof quick for { $ext_wan1_if } inet

# anchors
# -
anchor "ftp-proxy/*"

# Block(s)
#.
block quick proto udp to port { 1985 8116 } # neighbours 
HSRP & ...
block quick log on $ext_wan1_if from {   } 
label IPBlackList

block log inet6 all
block log all

So all interface traffic is basically forbidden (blocked).
Each kind of traffic is allowed separately.

We have one ipsec VPN where there is NAT on both sides (both sides
have 192.168.x.x subnets, so there is a subnet collision).

We want to solve a simple thing:

 * the packet comes in on the VPN tunnel to the "virtual" IP address
   172.20.123.54 (bound to an oBSD vlan interface)
 * from this address PF redirects the packet to the destination server
   192.168.123.54
 * the destination server makes the return packet and sends it back
 * the response packet comes in on the oBSD VLAN interface (vlan141)
 * PF NATs this packet to 172.20.123.54
 * the NATed packet returns to the source address in the VPN


rules:
    match in log on enc0 proto tcp from 172.20.122.0/24 to 172.20.123.54 port 5240 rdr-to 192.168.123.54 port 5240
    pass in log on enc0 proto tcp from 172.20.122.0/24 to 192.168.123.54
    pass out log on vlan141 from 172.20.122.0/24 to 192.168.123.54


    match in log on vlan141 from 192.168.123.54 to 172.20.122.0/24 nat-to 172.20.123.54

    pass in log on vlan141 from 172.20.123.54 to 172.20.122.0/24
    pass in log on vlan141 from 192.168.123.54 to 172.20.122.0/24        (not needed, but ... :)


return packet tcpdump:

nat-to, okay:
Mar 05 23:01:09.418806 rule 410/(match) [uid 0, pid 32543] match in on vlan141: [orig src 192.168.123.54:5240, dst 172.20.122.10:39322] 172.20.123.54.51958 > 172.20.122.10.39322: S [bad tcp cksum 5166! -> af7b] 966412712:966412712(0) ack 437277320 win 65160 <mss 1460,sackOK,timestamp 452766647 201794907,nop,wscale 7> (DF) (ttl 64, id 0, len 60, bad ip cksum d8be! -> ed52)


and PF blocks this packet:
Mar 05 23:01:09.418820 rule 9/(match) [uid 0, pid 32543] *block in on vlan141:* [orig src 192.168.123.54:5240, dst 172.20.122.10:39322] 172.20.123.54.51958 > 172.20.122.10.39322: S [bad tcp cksum 5166! -> af7b] 966412712:966412712(0) ack 437277320 win 65160 <mss 1460,sackOK,timestamp 452766647 201794907,nop,wscale 7> (DF) (ttl 64, id 0, len 60, bad ip cksum d8be! -> ed52)


If I modify the pass rule to a match rule:
   match in log on vlan141 from 172.20.123.54

I see that the match works, but the pass rule does not!

I've tried a lot of things already: without match rules, without NAT
(okay, no route, but ...), it is always blocked.


Why can't I override the block rule?
Everywhere else it works ...



--
Regards
Gábor Szél

email:gabor.s...@wantax.hu
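The two pflog lines in the post show the pattern worth automating when a ruleset has 1200 rows: a match rule rewrites the addresses, and the next logged rule for the same packet blocks. The Python script below is an added example, not code from the thread or from OpenBSD; it parses `tcpdump -e -i pflog0` output of the shape quoted above and reports, per packet, which NAT match rules fired, which rule made the block/pass decision, and the addresses the later rules saw. The sample lines are constructed from the quoted output; the enc0 lines and their rule numbers 405 and 406 are assumptions added to show the healthy rdr-to-then-pass case next to the failing one.

```python
"""Triage pflog output: which rule matched, which one decided, and whether
a NAT match rule fired before a block (the symptom described in the thread)."""
import re
from collections import OrderedDict

# Constructed sample, modelled on the tcpdump -e -i pflog0 lines quoted in the thread:
# the return SYN from 192.168.123.54 is nat-to'd by match rule 410, then blocked by rule 9.
# The enc0 lines (rules 405/406, hypothetical numbers) show a healthy rdr-to followed by pass.
SAMPLE_PFLOG = """\
Mar 05 23:01:09.418700 rule 405/(match) [uid 0, pid 32543] match in on enc0: [orig src 172.20.122.10:39322, dst 172.20.123.54:5240] 172.20.122.10.39322 > 192.168.123.54.5240: S 1000:1000(0) win 65535 <mss 1460,sackOK> (DF) (ttl 63, id 1, len 60)
Mar 05 23:01:09.418710 rule 406/(match) [uid 0, pid 32543] pass in on enc0: [orig src 172.20.122.10:39322, dst 172.20.123.54:5240] 172.20.122.10.39322 > 192.168.123.54.5240: S 1000:1000(0) win 65535 <mss 1460,sackOK> (DF) (ttl 63, id 1, len 60)
Mar 05 23:01:09.418806 rule 410/(match) [uid 0, pid 32543] match in on vlan141: [orig src 192.168.123.54:5240, dst 172.20.122.10:39322] 172.20.123.54.51958 > 172.20.122.10.39322: S [bad tcp cksum 5166! -> af7b] 966412712:966412712(0) ack 437277320 win 65160 <mss 1460,sackOK,timestamp 452766647 201794907,nop,wscale 7> (DF) (ttl 64, id 0, len 60, bad ip cksum d8be! -> ed52)
Mar 05 23:01:09.418820 rule 9/(match) [uid 0, pid 32543] block in on vlan141: [orig src 192.168.123.54:5240, dst 172.20.122.10:39322] 172.20.123.54.51958 > 172.20.122.10.39322: S [bad tcp cksum 5166! -> af7b] 966412712:966412712(0) ack 437277320 win 65160 <mss 1460,sackOK,timestamp 452766647 201794907,nop,wscale 7> (DF) (ttl 64, id 0, len 60, bad ip cksum d8be! -> ed52)
"""

# One pflog record: timestamp, rule number, action, direction, interface,
# optional pre-translation addresses ("orig src/dst") and the addresses as seen now.
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:.]+) rule (?P<rule>\d+)/\((?P<reason>\w+)\) "
    r"\[uid \d+, pid \d+\] (?P<action>block|pass|match) (?P<dir>in|out) on (?P<ifname>[\w.]+): "
    r"(?:\[orig src (?P<osrc>[\d.]+):(?P<osport>\d+), dst (?P<odst>[\d.]+):(?P<odport>\d+)\] )?"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def parse_pflog(text):
    """Return one dict per recognised pflog line; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["rule"] = int(ev["rule"])
            events.append(ev)
    return events


def flow_key(ev):
    """Group by direction, interface and the pre-translation 5-tuple, so the NAT
    match and the later block/pass for the same packet land in one bucket."""
    if ev["osrc"] is not None:
        return (ev["dir"], ev["ifname"], ev["osrc"], ev["osport"], ev["odst"], ev["odport"])
    return (ev["dir"], ev["ifname"], ev["src"], ev["sport"], ev["dst"], ev["dport"])


def diagnose(text):
    """Per packet: NAT match rules that fired, the deciding rule, and a verdict.
    'translated-then-blocked' means a match rule rewrote the addresses but no
    pass rule accepted the rewritten packet, which is exactly the thread's symptom."""
    flows = OrderedDict()
    for ev in parse_pflog(text):
        flows.setdefault(flow_key(ev), []).append(ev)
    report = []
    for key, evs in flows.items():
        nat_rules = [e["rule"] for e in evs if e["action"] == "match" and e["osrc"] is not None]
        decision = next((e for e in reversed(evs) if e["action"] in ("block", "pass")), None)
        last = evs[-1]  # addresses as the rules after the translation saw them
        if decision is None:
            verdict = "no-decision-logged"
        elif nat_rules and decision["action"] == "block":
            verdict = "translated-then-blocked"
        else:
            verdict = decision["action"]
        report.append({
            "dir": key[0],
            "ifname": key[1],
            "original": "%s:%s -> %s:%s" % key[2:],
            "as_seen_by_later_rules": "%s:%s -> %s:%s"
                                      % (last["src"], last["sport"], last["dst"], last["dport"]),
            "nat_rules": nat_rules,
            "deciding_rule": decision["rule"] if decision else None,
            "verdict": verdict,
        })
    return report


if __name__ == "__main__":
    for row in diagnose(SAMPLE_PFLOG):
        print("%(dir)s on %(ifname)s %(original)s, seen as %(as_seen_by_later_rules)s: "
              "nat by %(nat_rules)s, decided by rule %(deciding_rule)s: %(verdict)s" % row)
```

The rule numbers in pflog output are the `@N` prefixes printed by `pfctl -vvsr`, so "rule 9" can be looked up directly in the loaded ruleset. A "translated-then-blocked" verdict confirms that the rewrite happened and that nothing after the match rule passed the rewritten packet; that narrows the search to the rules following the match rule, or, as the follow-up in this thread shows, to something outside pf.conf altogether.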