PF blocks passing rule again. - BSD

Thread: PF blocks passing rule again.

  1. PF blocks passing rule again.

    Hi,

    I have upgraded the system to 5.4 Release with PF/CARP enabled.
    There is some traffic blocked by PF which is supposed to be passed through.
    e.g. the PF configuration is shown as follows:

    block log all
    pass in on bge0 proto tcp from any to any port 13:600 keep state
    pass in on bge0 proto udp from any to any port 13:600 keep state
    pass in on bge1 proto tcp from any to any port 1024:10000 keep state
    pass in on bge1 proto udp from any to any port 1024:10000 keep state
    ....

    But the following traffic is blocked by PF:

    000000 rule 0/0(match): block in on bge0: IP 10.8.99.255.3995 > 10.3.0.4.3389: S 2292736159:2292736159(0) win 64676 <mss 1326,nop,wscale 0,[|tcp]>

    Did I configure PF incorrectly?

    Thanks
    Sam

  2. Re: PF blocks passing rule again.

    sam wrote:

    > Hi,
    >
    > I have upgraded the system to 5.4 Release with PF/CARP enabled.
    > There is some traffic blocked by PF which is supposed to be passed through.
    > e.g. the PF configuration is shown as follows:
    >
    > block log all
    > pass in on bge0 proto tcp from any to any port 13:600 keep state
    > pass in on bge0 proto udp from any to any port 13:600 keep state
    > pass in on bge1 proto tcp from any to any port 1024:10000 keep state
    > pass in on bge1 proto udp from any to any port 1024:10000 keep state
    > ....
    >
    > But the following traffic is blocked by PF:
    >
    > 000000 rule 0/0(match): block in on bge0: IP 10.8.99.255.3995 > 10.3.0.4.3389: S 2292736159:2292736159(0) win 64676 <mss 1326,nop,wscale 0,[|tcp]>
    >
    > Did I configure PF incorrectly?
    >

    I just found out 2000:2004 is not the same as 1999<>2005.
    But after reading through the pf.conf manpage, it seems that 2000:2004 is not
    working and remains a bug in PF.

    Now, I need to use the following rules to get around the problem:
    pass in on bge0 proto tcp from any to any port 12<>601 keep state
    pass in on bge0 proto udp from any to any port 12<>601 keep state
    pass in on bge1 proto tcp from any to any port 1023<>10001 keep state
    pass in on bge1 proto udp from any to any port 1023<>10001 keep state


    Sam.

    > Thanks
    > Sam


  3. Re: PF blocks passing rule again.

    sam writes:

    >> pass in on bge0 proto tcp from any to any port 13:600 keep state
    >> But the following traffic is blocked by PF:
    >> 000000 rule 0/0(match): block in on bge0: IP 10.8.99.255.3995 > 10.3.0.4.3389: S 2292736159:2292736159(0) win 64676 <mss 1326,nop,wscale 0,[|tcp]>
    >> Did I configure PF incorrectly?


    Yes.

    > I just found out 2000:2004 is not the same as 1999<>2005.
    > But after read thru manpage of pf.conf, it seems that 2000:2004 is not
    > working and remain as a bug in PF.


    There's no bug here, 13:600 means all ports between 13 and 600 included,
    so a packet with dest port 3389 won't match the rule and therefore in
    your setup will be blocked (initial block).

    Éric Masson

    Fu2 : comp.unix.bsd.freebsd.misc

    --
    - Not all cancelled messages necessarily need to be reposted...
    - If you're going to repost anyway, could you fix the spelling
    mistakes while you're at it?
    -+- JL in: Like a letter in the [Repost]

  4. Re: PF blocks passing rule again.

    Eric Masson wrote:

    > sam writes:
    >
    >
    >>>pass in on bge0 proto tcp from any to any port 13:600 keep state
    >>>But the following traffic is blocked by PF:
    >>>000000 rule 0/0(match): block in on bge0: IP 10.8.99.255.3995 > 10.3.0.4.3389: S 2292736159:2292736159(0) win 64676 <mss 1326,nop,wscale 0,[|tcp]>
    >>>Did I configure PF incorrectly?

    >
    >
    > Yes.
    >
    >
    >>I just found out 2000:2004 is not the same as 1999<>2005.
    >>But after read thru manpage of pf.conf, it seems that 2000:2004 is not
    >>working and remain as a bug in PF.

    >
    >
    > There's no bug here, 13:600 means all ports between 13 and 600 included,
    > so a packet with dest port 3389 won't match the rule and therefore in
    > your setup will be blocked (initial block)
    >

    In my previous post, I also have the following rules set up:
    pass in on bge1 proto tcp from any to any port 1024:10000 keep state
    pass in on bge1 proto udp from any to any port 1024:10000 keep state

    Sam
    > Éric Masson
    >
    > Fu2 : comp.unix.bsd.freebsd.misc
    >


  5. Re: PF blocks passing rule again.

    On Tue, 17 May 2005 21:50:20 +0800, sam wrote:
    > Eric Masson wrote:
    >
    >> sam writes:
    >>
    >>
    >>>>pass in on bge0 proto tcp from any to any port 13:600 keep state
    >>>>But the following traffic is blocked by PF:
    >>>>000000 rule 0/0(match): block in on bge0: IP 10.8.99.255.3995 > 10.3.0.4.3389: S 2292736159:2292736159(0) win 64676 <mss 1326,nop,wscale 0,[|tcp]>
    >>>>Did I configure PF incorrectly?

    >>
    >>
    >> Yes.
    >>
    >>
    >>>I just found out 2000:2004 is not the same as 1999<>2005.
    >>>But after read thru manpage of pf.conf, it seems that 2000:2004 is not
    >>>working and remain as a bug in PF.

    >>
    >>
    >> There's no bug here, 13:600 means all ports between 13 and 600 included,
    >> so a packet with dest port 3389 won't match the rule and therefore in
    >> your setup will be blocked (initial block)
    >>

    > In my previous post, I also have the following rules set up:
    > pass in on bge1 proto tcp from any to any port 1024:10000 keep state
    > pass in on bge1 proto udp from any to any port 1024:10000 keep state


    But your traffic was blocked on bge0, remember?
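An added example (not code from any poster in this thread): a small Python model of PF's last-matching-rule evaluation and of the port operators defined in pf.conf(5), run over the two rulesets posted above. It confirms Éric's and Shane's point that port 3389 inbound on bge0 matches no pass rule and falls through to `block log all`, and it also shows that the `12<>601` workaround passes 3389 only because `<>` is pf's "except range" operator (every port outside 12..601), which opens far more than the original `13:600` did. The rule parser is a hypothetical simplification covering only the rule shapes quoted in this thread.

```python
import re

# Port operators from pf.conf(5): ':' is an inclusive range, '><' excludes
# its boundaries, and '<>' is "except range": every port OUTSIDE lo..hi.
def port_matches(spec, port):
    for op in (":", "><", "<>"):
        if op in spec:
            lo, hi = (int(x) for x in spec.split(op))
            if op == ":":
                return lo <= port <= hi
            return lo < port < hi if op == "><" else port < lo or port > hi
    return port == int(spec)

# Hypothetical simplified parser: it understands only the rule shapes
# quoted in this thread, not the full pf.conf grammar.
RULE = re.compile(r"(?P<action>pass|block)(?: log)?(?: all)?(?: (?P<dir>in|out))?"
                  r"(?: on (?P<iface>\S+))?(?: proto (?P<proto>\S+))?"
                  r"(?: from any to any port (?P<port>\S+))?(?: keep state)?")

def parse(ruleset):
    return [RULE.fullmatch(l.strip()).groupdict() for l in ruleset.strip().splitlines()]

def evaluate(rules, direction, iface, proto, dport):
    """PF semantics without 'quick': the LAST matching rule decides."""
    decision = "pass"                       # nothing matched: pf passes
    for r in rules:
        fixed = (("dir", direction), ("iface", iface), ("proto", proto))
        if any(r[k] and r[k] != v for k, v in fixed):
            continue
        if r["port"] and not port_matches(r["port"], dport):
            continue
        decision = r["action"]
    return decision

# Both rulesets are copied from the thread above.
ORIGINAL = """
block log all
pass in on bge0 proto tcp from any to any port 13:600 keep state
pass in on bge0 proto udp from any to any port 13:600 keep state
pass in on bge1 proto tcp from any to any port 1024:10000 keep state
pass in on bge1 proto udp from any to any port 1024:10000 keep state
"""
WORKAROUND = ORIGINAL.replace("13:600", "12<>601").replace("1024:10000", "1023<>10001")

if __name__ == "__main__":
    # The logged packet: inbound on bge0, TCP, destination port 3389.
    for name, rs in (("original", ORIGINAL), ("workaround", WORKAROUND)):
        print(name, evaluate(parse(rs), "in", "bge0", "tcp", 3389))
    # '<>' passes 3389 only because it lies outside 12..601, as does 65000:
    print("workaround, port 65000:", evaluate(parse(WORKAROUND), "in", "bge0", "tcp", 65000))
```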

  6. Re: PF blocks passing rule again.

    Shane Almeida wrote:

    > On Tue, 17 May 2005 21:50:20 +0800, sam wrote:
    >
    >>Eric Masson wrote:
    >>
    >>
    >>>sam writes:
    >>>
    >>>
    >>>
    >>>>>pass in on bge0 proto tcp from any to any port 13:600 keep state
    >>>>>But the following traffic is blocked by PF:
    >>>>>000000 rule 0/0(match): block in on bge0: IP 10.8.99.255.3995 > 10.3.0.4.3389: S 2292736159:2292736159(0) win 64676 <mss 1326,nop,wscale 0,[|tcp]>
    >>>>>Did I configure PF incorrectly?
    >>>
    >>>
    >>>Yes.
    >>>
    >>>
    >>>
    >>>>I just found out 2000:2004 is not the same as 1999<>2005.
    >>>>But after read thru manpage of pf.conf, it seems that 2000:2004 is not
    >>>>working and remain as a bug in PF.
    >>>
    >>>
    >>>There's no bug here, 13:600 means all ports between 13 and 600 included,
    >>>so a packet with dest port 3389 won't match the rule and therefore in
    >>>your setup will be blocked (initial block)
    >>>

    >>
    >>In my previous post, I also have the following rules set up:
    >>pass in on bge1 proto tcp from any to any port 1024:10000 keep state
    >>pass in on bge1 proto udp from any to any port 1024:10000 keep state

    >
    >
    > But your traffic was blocked on bge0, remember?

    Sorry, I overlooked the names of the interfaces. I need a new pair
    of glasses.

    Sam
