
3.2 pf+bridge+rdr problem



Hello,
I'm having trouble with a particular configuration:
network A---OBSD 3.2 system---network B
The interface for the network A is aue0 - 192.168.2.250/24.
The interface for network B is dc0 - 10.1.1.1/32.
Both interfaces are bridged.  The default route on the OBSD system is 192.168.2.1
(which is actually on network B, but that should not matter).
There are no filters, but there is an rdr rule in place:
rdr on aue0 inet proto tcp from any to any port 9999 -> 192.168.2.250 port 22
Of course, sshd is listening on all interfaces on TCP/22.
So, one would expect a workstation on network A to be able to connect to port 9999
on a given address and get the SSH daemon on the OBSD system, correct?
It does not work as expected.  Am I missing something?  What's really odd (or maybe
not) is that translated packets are being sent out the dc0 interface!  Could that be
the bridge flooding?
By the way, this same configuration works fine on OpenBSD 3.1.
Here are my relevant configurations and tcpdumps:
# cat /etc/pf.conf
scrub in all
rdr on aue0 proto tcp from any to any port 9999 -> 192.168.2.250 port 22
# pfctl -s all
@0 scrub in all fragment reassemble
rdr on aue0 inet proto tcp from any to any port 9999 -> 192.168.2.250 port 22
tcp 192.168.2.250:22 <- 75.75.75.75:9999 <- 192.168.2.10:2015       CLOSED:SYN_SENT
Status: Enabled for 0 days 00:16:42             Debug: None
# brconfig -a
bridge0: flags=41<UP,RUNNING>
        Configuration:
                priority 32768 hellotime 2 fwddelay 15 maxage 20
        Interfaces:
                dc0 flags=3<LEARNING,DISCOVER>
                        port 1 priority 128
                aue0 flags=3<LEARNING,DISCOVER>
                        port 21 priority 128
        Addresses (max cache: 100, timeout: 240):
                00:10:a4:90:c2:1c aue0 1 flags=0<>
                00:60:6e:39:06:b5 dc0 1 flags=0<>
# ifconfig aue0
aue0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        address: 00:40:05:8e:cd:3d
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.2.250 netmask 0xffffff00 broadcast 255.255.255.0
        inet6 fe80::240:5ff:fe8e:cd3d%aue0 prefixlen 64 scopeid 0x15
# ifconfig dc0
dc0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        address: 00:a0:cc:3c:72:61
        media: Ethernet autoselect (10baseT)
        status: active
        inet6 fe80::2a0:ccff:fe3c:7261%dc0 prefixlen 64 scopeid 0x1
        inet 10.1.1.1 netmask 0xff000000 broadcast 255.255.255.255
# netstat -rn -f inet
Routing tables
Internet:
Destination        Gateway            Flags     Refs     Use    Mtu  Interface
default            192.168.2.1        UGS         1      384      -   dc0
10/8               link#1             UC          0        0      -   dc0
127/8              127.0.0.1          UGRS        0        0  33224   lo0
127.0.0.1          127.0.0.1          UH          2        0  33224   lo0
192.168.2/24       link#21            UC          0        0      -   aue0
192.168.2.1        0:60:6e:39:6:b5    UHL         1        0      -   dc0
192.168.2.10       0:10:a4:90:c2:1c   UHL         0        4      -   aue0
192.168.2.250      127.0.0.1          UGHS        0        0  33224   lo0
224/4              127.0.0.1          URS         0        0  33224   lo0
# netstat -an -f inet
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  192.168.2.250.22       192.168.1.9.2499       ESTABLISHED
tcp        0      0  127.0.0.1.587          *.*                    LISTEN
tcp        0      0  127.0.0.1.25           *.*                    LISTEN
tcp        0      0  *.22                   *.*                    LISTEN
tcp        0      0  *.37                   *.*                    LISTEN
tcp        0      0  *.13                   *.*                    LISTEN
tcp        0      0  *.113                  *.*                    LISTEN
# tcpdump -n -i aue0 host 192.168.2.10
tcpdump: listening on aue0
23:29:24.019140 arp who-has 192.168.2.1 tell 192.168.2.10
23:29:24.019536 arp reply 192.168.2.1 is-at 0:60:6e:39:6:b5
23:29:24.021124 192.168.2.10.2012 > 75.75.75.75.9999: S 633290235:633290235(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
23:29:26.967599 192.168.2.10.2012 > 75.75.75.75.9999: S 633290235:633290235(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
23:29:32.976506 192.168.2.10.2012 > 75.75.75.75.9999: S 633290235:633290235(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
# tcpdump -n -i dc0 host 192.168.2.10
tcpdump: listening on dc0
23:29:48.110836 192.168.2.10.2013 > 192.168.2.250.22: S 639356933:639356933(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
23:29:51.105285 192.168.2.10.2013 > 192.168.2.250.22: S 639356933:639356933(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Any help would be greatly appreciated.
-- 
Mike McClure, CCIE # 5125, CISSP # 30232
PNE Services, Inc. -  http://www.pneservices.com
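An added example, not part of Mike's post: a small Python script that does mechanically what the post does by eye. It parses the `pfctl -s state` entry and the two per-interface tcpdump captures quoted above and reports, for each bridge member, how many packets still carried the pre-rdr destination (75.75.75.75:9999) and how many carried the rdr target (192.168.2.250:22), so the interface that emitted the translated copies is named directly. The input lines are copied from the post. The script assumes the pf 3.x `pfctl -s state` layout for an inbound rdr'd flow (translated destination <- original destination <- source, then the TCP state), matches packets on IP addresses and destination port only, since each connect() retry in the post used a fresh ephemeral port, and the function names are my own.

```python
"""Reconcile a pf state entry with per-interface tcpdump captures.

Added example, not code from the original post. Sample lines below are
copied from the post (pfctl -s state and tcpdump -n output).
"""
import re
from typing import Dict, List, Optional, Tuple

Addr = Tuple[str, int]

# pf 3.x inbound state line: "proto lan <- gwy <- ext STATE". For an rdr'd
# inbound flow, lan = translated destination, gwy = original destination,
# ext = source. (Assumed layout; matches the entry shown in the post.)
STATE_RE = re.compile(r"^(\w+)\s+(\S+)\s+<-\s+(\S+)\s+<-\s+(\S+)\s+(\S+)$")

# tcpdump -n TCP line: "HH:MM:SS.usec src.port > dst.port: FLAGS ..."
PKT_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+>\s+(\S+):\s+(\S+)")

# Copied from the post: the pf state for one attempt and the two captures.
PF_STATE = "tcp 192.168.2.250:22 <- 75.75.75.75:9999 <- 192.168.2.10:2015       CLOSED:SYN_SENT"
CAPTURES: Dict[str, List[str]] = {
    "aue0": [
        "23:29:24.019140 arp who-has 192.168.2.1 tell 192.168.2.10",
        "23:29:24.019536 arp reply 192.168.2.1 is-at 0:60:6e:39:6:b5",
        "23:29:24.021124 192.168.2.10.2012 > 75.75.75.75.9999: S 633290235:633290235(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)",
        "23:29:26.967599 192.168.2.10.2012 > 75.75.75.75.9999: S 633290235:633290235(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)",
        "23:29:32.976506 192.168.2.10.2012 > 75.75.75.75.9999: S 633290235:633290235(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)",
    ],
    "dc0": [
        "23:29:48.110836 192.168.2.10.2013 > 192.168.2.250.22: S 639356933:639356933(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)",
        "23:29:51.105285 192.168.2.10.2013 > 192.168.2.250.22: S 639356933:639356933(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)",
    ],
}


def split_addr(text: str, sep: str) -> Addr:
    """'192.168.2.250:22' (pf) or '192.168.2.250.22' (tcpdump) -> (ip, port)."""
    ip, port = text.rsplit(sep, 1)
    return ip, int(port)


def parse_state(line: str) -> Optional[dict]:
    """Parse one inbound pf state line; None if it is not in that form."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    proto, lan, gwy, ext, tcp_state = m.groups()
    return {
        "proto": proto,
        "translated_dst": split_addr(lan, ":"),
        "original_dst": split_addr(gwy, ":"),
        "src": split_addr(ext, ":"),
        "state": tcp_state,
    }


def parse_packet(line: str) -> Optional[dict]:
    """Parse a tcpdump TCP line; ARP and other non-TCP lines yield None."""
    m = PKT_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, flags = m.groups()
    return {"time": ts, "src": split_addr(src, "."),
            "dst": split_addr(dst, "."), "flags": flags}


def classify(pkt: dict, state: dict) -> Optional[str]:
    """'original' if the packet still has the pre-rdr destination,
    'translated' if it has the rdr target, None if unrelated.
    The client's source port is deliberately ignored: each retry in the
    post used a new ephemeral port (2012, 2013, 2015)."""
    if pkt["src"][0] != state["src"][0]:
        return None
    if pkt["dst"] == state["original_dst"]:
        return "original"
    if pkt["dst"] == state["translated_dst"]:
        return "translated"
    return None


def summarize(captures: Dict[str, List[str]], state: dict) -> Dict[str, Dict[str, int]]:
    """Per interface, count packets seen before and after translation."""
    result: Dict[str, Dict[str, int]] = {}
    for iface, lines in captures.items():
        counts = {"original": 0, "translated": 0}
        for line in lines:
            pkt = parse_packet(line)
            kind = classify(pkt, state) if pkt else None
            if kind:
                counts[kind] += 1
        result[iface] = counts
    return result


def translated_on(captures: Dict[str, List[str]], state: dict) -> List[str]:
    """Interfaces on which the rdr'd (translated) packets were captured."""
    return [iface for iface, c in summarize(captures, state).items() if c["translated"]]


if __name__ == "__main__":
    st = parse_state(PF_STATE)
    for iface, c in summarize(CAPTURES, st).items():
        print(f"{iface}: {c['original']} pre-rdr, {c['translated']} post-rdr packets "
              f"from {st['src'][0]}")
    print("translated packets left via:", ", ".join(translated_on(CAPTURES, st)))
```

Run it against real data by replacing the embedded lists with the output of `pfctl -s state` and one `tcpdump -n -i <iface> host <client>` per bridge member; if the rdr target is the firewall itself, the expected healthy result is that no interface shows post-rdr packets at all, because they should be delivered locally rather than re-emitted.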