
Re: Ruleset Problem



Amir Seyavash Mesry wrote:
I am having an odd problem and I am hoping someone on the list can point out
my error.
Here is my pf.conf; the keep state on the icmp doesn't seem to be working, it
won't pass the packets out. I.e.
I am on host 10.0.0.51, I ping 10.0.4.1 (routing table entry is present for
this net) and it won't ping it, but if I ping 10.0.0.1 (fxp1) then it will
allow the packet and let it return. I think it is something really simple
that I am overlooking but I can't figure it out. Any help is appreciated.

Which interface do packets have to exit to reach 10.0.4.1?


#allow outgoing traffic from Internet nic to internet if initiated from Internet Nic.
pass out on $eth0 inet proto tcp from $eth0 to any modulate state
pass out on $eth0 inet proto udp from $eth0 to any keep state
pass out on $eth0 inet proto icmp from $eth0 to any icmp-type 8 code 0 keep state

Translation happens before filtering so you will find that these rules are passing packets from $lan1, $lan2 as well.


#allow nat for both lan segments only if lan segments initiate request.
pass out on $eth0 inet proto tcp from $lan1 to any modulate state
pass out on $eth0 inet proto udp from $lan1 to any keep state
pass out on $eth0 inet proto icmp from $lan1 to any icmp-type 8 code 0 keep state
pass out on $eth0 inet proto tcp from $lan2 to any modulate state
pass out on $eth0 inet proto udp from $lan2 to any keep state
pass out on $eth0 inet proto icmp from $lan2 to any icmp-type 8 code 0 keep state

These rules will have no effect because of what I mentioned above.


#allow requests from segment 1 to segment 2 or internet only if segment 1 requests it.
pass in on $eth1 inet proto tcp from $lan1 to any modulate state
pass in on $eth1 inet proto udp from $lan1 to any keep state
pass in on $eth1 inet proto icmp from { $lan1, $loc } to any icmp-type 8 code 0 keep state

#allow requests from segment 2 to segment 1 or internet only if segment 2 requests it.
pass in on $eth2 inet proto tcp from $lan2 to any modulate state
pass in on $eth2 inet proto udp from $lan2 to any keep state
pass in on $eth2 inet proto icmp from { $lan1, $loc } to any icmp-type 8 code 0 keep state

Where are your "pass out on { $eth1, $eth2 }" rules? "Keep state" only tracks state on one interface; you still have to pass the traffic through any other interface the packets will pass through.



.joel
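As an added example (not the ruleset from the thread, nor anything Joel posted), here is what the quoted configuration looks like with both points of the reply applied; it assumes placeholder interface names and networks, an assumed nat rule that the original post did not show, and the old-style pf syntax used in the thread.

```conf
# Added example, not the poster's pf.conf. Interface names, networks and
# the nat rule below are assumed placeholders, in the syntax of the thread.
eth0 = "fxp0"            # external interface
eth1 = "fxp1"            # segment 1, 10.0.0.1
eth2 = "fxp2"            # segment 2, reaches 10.0.4.1
lan1 = "10.0.0.0/24"
lan2 = "10.0.4.0/24"

# Assumed translation rule. nat runs BEFORE filtering, so by the time the
# "pass out on $eth0" rules are evaluated a packet from 10.0.0.51 already
# carries the $eth0 address as its source.
nat on $eth0 from { $lan1, $lan2 } to any -> ($eth0)

block all

# BEFORE (as quoted): because of the point above, these "from $eth0" rules
# already match translated LAN traffic, and the separate "from $lan1" /
# "from $lan2" rules on $eth0 never get a chance to match anything.
#pass out on $eth0 inet proto icmp from $eth0 to any icmp-type 8 code 0 keep state
#pass out on $eth0 inet proto icmp from $lan1 to any icmp-type 8 code 0 keep state
#pass out on $eth0 inet proto icmp from $lan2 to any icmp-type 8 code 0 keep state

# AFTER: one set of stateful rules on the outside interface is enough.
pass out on $eth0 inet proto tcp from $eth0 to any modulate state
pass out on $eth0 inet proto udp from $eth0 to any keep state
pass out on $eth0 inet proto icmp from $eth0 to any icmp-type 8 code 0 keep state

# Inbound on each segment, as quoted. keep state here tracks the packet on
# the interface it entered; it does not by itself pass the same packet out
# of $eth2 (or the reply out of $eth1), which is what the reply points at.
pass in on $eth1 inet proto tcp from $lan1 to any modulate state
pass in on $eth1 inet proto udp from $lan1 to any keep state
pass in on $eth1 inet proto icmp from $lan1 to any icmp-type 8 code 0 keep state
pass in on $eth2 inet proto tcp from $lan2 to any modulate state
pass in on $eth2 inet proto udp from $lan2 to any keep state
pass in on $eth2 inet proto icmp from $lan2 to any icmp-type 8 code 0 keep state

# The rules the quoted ruleset is missing: a 10.0.0.51 -> 10.0.4.1 echo
# request that entered $eth1 must also be allowed out on $eth2, and the
# echo reply that enters $eth2 must be allowed back out on $eth1.
pass out on { $eth1, $eth2 } inet proto tcp from any to any modulate state
pass out on { $eth1, $eth2 } inet proto udp from any to any keep state
pass out on { $eth1, $eth2 } inet proto icmp from any to any icmp-type 8 code 0 keep state
```

Run `pfctl -nf /etc/pf.conf` first to parse the file without loading it, then load it with `pfctl -f /etc/pf.conf`.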