PF blocks pass traffic - BSD


Thread: PF blocks pass traffic

  1. PF blocks pass traffic

    Hi,

    I have the PF gateway setup with the following rules: (shown by pfctl -sr)

    block drop in log all
    pass quick on xl0 proto pfsync all
    pass in on fxp0 inet proto carp from 10.1.254.250 to any keep state
    pass in on fxp0 inet proto icmp from 10.1.254.250 to any keep state
    pass in on fxp1 inet proto carp from 10.3.254.250 to any keep state
    pass in on fxp1 inet proto icmp from 10.3.254.250 to any keep state
    pass in on fxp0 inet proto tcp from 10.1.254.250 to any flags S/SA keep state
    pass in on fxp0 proto tcp from any to any port 13:700 flags S/SA keep state
    pass in on fxp0 proto tcp from any to any port 1024:10000 flags S/SA keep state
    pass in on fxp0 inet proto udp from 10.1.254.250 to any keep state
    pass in on fxp0 proto udp from any to any port 13:700 keep state
    pass in on fxp0 proto udp from any to any port 1024:10000 keep state
    pass in on fxp0 inet proto tcp from any to 255.255.255.255 keep state
    pass in on fxp0 inet proto udp from any to 255.255.255.255 keep state
    pass in on fxp0 inet proto tcp from any to 10.1.255.255 keep state
    pass in on fxp0 inet proto udp from any to 10.1.255.255 keep state
    pass in on fxp1 inet proto tcp from 10.3.254.250 to any flags S/SA keep state
    pass in on fxp1 proto tcp from any to any port 13:700 flags S/SA keep state
    pass in on fxp1 proto tcp from any to any port 1024:10000 flags S/SA keep state
    pass in on fxp1 inet proto udp from 10.3.254.250 to any keep state
    pass in on fxp1 proto udp from any to any port 13:700 keep state
    pass in on fxp1 proto udp from any to any port 1024:10000 keep state
    pass in on fxp1 inet proto tcp from any to 255.255.255.255 keep state
    pass in on fxp1 inet proto udp from any to 255.255.255.255 keep state
    pass in on fxp1 inet proto tcp from any to 10.3.255.255 keep state
    pass in on fxp1 inet proto udp from any to 10.3.255.255 keep state
    pass out quick on fxp0 all keep state
    pass out quick on fxp1 all keep state

    But I found I have problems going to some websites and connecting to the
    newsgroup server on port 119. The blocks are shown below:
    227798 rule 0/0(match): block in on fxp0: IP 10.1.185.13.3649 > 210.0.254.15.80: R 683496679:683496679(0) win 0
    000279 rule 0/0(match): block in on fxp0: IP 10.1.185.13.3648 > 210.0.254.15.80: R 683458179:683458179(0) win 0
    000170 rule 0/0(match): block in on fxp0: IP 10.1.185.13.3644 > 210.0.254.15.80: R 683256805:683256805(0) win 0
    000177 rule 0/0(match): block in on fxp0: IP 10.1.185.13.3642 > 210.0.254.15.80: R 683220810:683220810(0) win 0
    .....
    493350 rule 0/0(match): block in on fxp0: IP 10.1.185.13.3716 > 64.12.28.224.5190: . ack 125704492 win 65280
    2. 351088 rule 0/0(match): block in on fxp0: IP 10.1.185.13.3656 > 210.0.254.6.80: R 684653276:684653276(0) win 0
    4. 685213 rule 0/0(match): block in on fxp0: IP 10.1.185.13.3534 > 210.0.255.209.119: R 616658034:616658034(0) win 0
    470031 rule 0/0(match): block in on fxp0: IP 10.1.185.13.3594 > 210.0.255.209.119: R 663385685:663385685(0) win 0

    What is wrong with this PF rule setup?

    Thanks
    Sam

  2. Re: PF blocks pass traffic

    If I add a "pass quick ..." line after the "block drop ..." clause, PF will
    not block the passed traffic.
    e.g.
    block drop in log all
    pass quick all keep state
    ....
    other pass rules..

    Why does PF not execute those specific pass rules in the previous PF setup?

    Sam.



  3. Re: PF blocks pass traffic

    In article , sam wrote:

    > If I added a "pass quick..." line after block drop.. clause, PF will not
    > blocking the pass traffic.
    > eg.
    > block drop in log all
    > pass quick all keep state
    > ...
    > other pass rules..
    >
    > Why PF does not execute those specific pass rules in the previous PF setup?
    >
    > Sam.
    >

    Which rule are you expecting this traffic (for example) to match?
    227798 rule 0/0(match): block in on fxp0: IP 10.1.185.13.3649 > 210.0.254.15.80: R 683496679:683496679(0) win 0

  4. Re: PF blocks pass traffic

    Ryoko wrote:

    > In article , sam wrote:
    >
    >
    >>If I added a "pass quick..." line after block drop.. clause, PF will not
    >> blocking the pass traffic.
    >>eg.
    >>block drop in log all
    >>pass quick all keep state
    >>...
    >>other pass rules..
    >>
    >>Why PF does not execute those specific pass rules in the previous PF setup?
    >>
    >>Sam.
    >>
    > Which rule are you expecting this traffic (for example) to match?
    > 227798 rule 0/0(match): block in on fxp0: IP 10.1.185.13.3649 > 210.0.254.15.80: R 683496679:683496679(0) win 0


    I am expecting this traffic to match the following rule:
    pass in on fxp0 proto tcp from any to any port 13:700 flags S/SA keep state

    Is there anything wrong with my rule definition?

    Thanks
    Sam

  5. Re: PF blocks pass traffic

    sam wrote:

    > Ryoko wrote:
    >
    >> In article , sam wrote:
    >>
    >>
    >> Which rule are you expecting this traffic (for example) to match?
    >> 227798 rule 0/0(match): block in on fxp0: IP 10.1.185.13.3649 > 210.0.254.15.80: R 683496679:683496679(0) win 0

    >
    >
    > I am expecting this traffic to match the following rule:
    > pass in on fxp0 proto tcp from any to any port 13:700 flags S/SA keep state
    >
    > Is there anything wrong with my rule definition?
    >

    I have just added one "pass" rule to fix the issue by removing the proto clause:
    pass in on fxp0 inet from 10.8.0.0/16 to any keep state

    Isn't this TCP traffic?

    Thanks
    Sam



  6. Re: PF blocks pass traffic

    In article , sam wrote:

    > > Which rule are you expecting this traffic (for example) to match?
    > > 227798 rule 0/0(match): block in on fxp0: IP 10.1.185.13.3649 > 210.0.254.15.80: R 683496679:683496679(0) win 0

    >
    > I am expecting this traffic to match the following rule:
    > pass in on fxp0 proto tcp from any to any port 13:700 flags S/SA keep state
    >
    > Is there anything wrong with my rule definition?
    >
    > Thanks
    > Sam


    The packet that was dropped has flags of R, i.e. RST; it does not match
    your rule, which is looking for SYN (and not SYN+ACK). That is why it
    didn't match that rule.

    Most of the packets you listed probably failed to match for the same
    reason.

    Hope that helps.
    R.
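As an added illustration that is not code from the thread (and not PF's own implementation): a small Python model of PF's last-matching-rule-wins evaluation with the "flags S/SA" check, replayed over two of the logged packets quoted above and one constructed SYN. The rule list is a constructed subset of Sam's ruleset, numbered as pfctl -sr prints them, so rule 0 is the block rule that appears in the log.

```python
import re

# Constructed, simplified model of PF rule evaluation (added example, not PF code):
# rules are walked top to bottom and the LAST matching rule wins, unless a matching
# rule is "quick", which ends evaluation. Fields: (action, quick, dir, iface, proto, dst ports, flags).
RULES = [
    ("block", False, "in", None, None, None, None),            # block drop in log all
    ("pass", True, None, "xl0", "pfsync", None, None),         # pass quick on xl0 proto pfsync all
    ("pass", False, "in", "fxp0", "tcp", (13, 700), "S/SA"),   # pass in on fxp0 proto tcp ... port 13:700 flags S/SA
    ("pass", False, "in", "fxp0", "tcp", (1024, 10000), "S/SA"),
    ("pass", False, "in", "fxp0", "udp", (13, 700), None),
]

def flags_match(pkt_flags, spec):
    """PF 'flags set/mask': each flag in mask must be on iff it is listed in set."""
    if spec is None:
        return True
    want, mask = spec.split("/")
    return all((f in pkt_flags) == (f in want) for f in mask)

def rule_matches(rule, pkt):
    _action, _quick, direction, iface, proto, ports, flags = rule
    return ((direction is None or direction == pkt["dir"])
            and (iface is None or iface == pkt["iface"])
            and (proto is None or proto == pkt["proto"])
            and (ports is None or ports[0] <= pkt["dport"] <= ports[1])
            and flags_match(pkt["flags"], flags))

def evaluate(pkt, rules=RULES):
    """Return (rule index, action) PF would apply to pkt, numbered as pfctl -sr prints them."""
    winner = None
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            winner = (i, rule[0])
            if rule[1]:            # quick: first match is final
                break
    return winner

# tcpdump-on-pflog0 line as seen in the thread: after "dst.port:" comes a flags
# token ('S', 'R', 'SA', ...; '.' = none of S/F/R/P) and then "ack N" if ACK is set.
LOG_RE = re.compile(r"block (in|out) on (\w+): IP [\d.]+\.\d+ > [\d.]+\.(\d+): (\S+)")

def pkt_from_pflog(line):
    """Rebuild the TCP packet summary a pflog line describes (flags as tcpdump letters)."""
    direction, iface, dport, tok = LOG_RE.search(line).groups()
    flags = ("" if tok == "." else tok) + ("A" if re.search(r"\back \d+", line) else "")
    return {"dir": direction, "iface": iface, "proto": "tcp", "dport": int(dport), "flags": flags}

# Two logged packets quoted from the thread, plus one constructed SYN to compare against.
RST_LINE = "227798 rule 0/0(match): block in on fxp0: IP 10.1.185.13.3649 > 210.0.254.15.80: R 683496679:683496679(0) win 0"
ACK_LINE = "493350 rule 0/0(match): block in on fxp0: IP 10.1.185.13.3716 > 64.12.28.224.5190: . ack 125704492 win 65280"
SYN_PKT = {"dir": "in", "iface": "fxp0", "proto": "tcp", "dport": 80, "flags": "S"}
if __name__ == "__main__":
    for name, pkt in (("RST", pkt_from_pflog(RST_LINE)), ("ACK", pkt_from_pflog(ACK_LINE)), ("SYN", SYN_PKT)):
        print(name, "->", evaluate(pkt))   # RST and ACK fall to rule 0 (block); SYN reaches rule 2 (pass)
```

Real PF checks a packet against the state table before the ruleset, so this model only covers packets with no state entry, which is exactly the situation of a stray RST or bare ACK.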
