[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Ruleset Problem



Sorry, I thought I gave enough info, they come in on eth1 and leave on eth1.
IE machine that pf.conf was given for is doing nat and some small routing.
Machine1(pf.conf given for this one)
Eth0=internetip
Eth1=10.0.0.1 network 10.0.0.0/24
Eth1=10.0.0.2 network 10.0.0.0/24
Machine2
Eth0=internetip
Eth1=10.0.0.2 network 10.0.0.0/24
Eth1=10.0.4.1 network 10.0.4.0/24
If I am reading this right translation takes precendence over filtering,
which means If I have the following after translation, then the packets will
still pass, or do they get blocked after translation on the outbound if.x
block in log all
block out log all
As for the keep state rules, what I was trying to accomplish is passing
packets between eth1 & eth2 checking state on each interface. Maybe one 2
revised rules would be
pass in on $eth1 inet proto udp from $lan1 to $lan2 		keep state
pass in on $eth2 inet proto udp from $lan1 to $lan2 		keep state
Do I need a corresponding one backtracking such as?
pass in on $eth2 inet proto udp from $lan2 to $lan1 		keep state
pass in on $eth1 inet proto udp from $lan2 to $lan1 		keep state
Amir Seyavash Mesry 
[email protected] 
LSI Logic Corporation 
http://www.lsilogic.com/ 
Raid Support Test Technician 
6145-D Northbelt Parkway 
Norcross, GA 30071 
678-728-1211 
NOTICE: This communication may contain privileged or other confidential
information. If you are not the intended recipient, or believe that you have
received this communication in error, please do not print, copy, retransmit,
disseminate, or otherwise use the information. Also, please indicate to the
sender that you have received this communication in error, and delete the
copy you received. Thank you.
 
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of j
knight
Sent: Monday, June 02, 2003 2:42 PM
To: pf
Subject: Re: Ruleset Problem
Amir Seyavash Mesry wrote:
> I am having a odd problem and I am hoping someone one the list can 
> point out my error, Here is my pf.conf, the keepstate on the icmp 
> doesn't seem to be working, it won't pass the packets out. Ie
> I am on host 10.0.0.51, I ping 10.0.4.1(routing table entry is present for
> this net) and it won't ping it, but if I ping 10.0.0.1(fxp1) then it will
> allow the packet and let it return. I think it is something really simple
> that I am overlooking but I can't figure it out. Any help is appreciated.
Which interface do packets have to exit to reach 10.0.4.1?
> #allow outgoing traffic from Internet nic to internet if initiated 
> from Internet Nic.
> pass out on $eth0 inet proto tcp from $eth0 to any 	modulate state
> pass out on $eth0 inet proto udp from $eth0 to any 	keep state
> pass out on $eth0 inet proto icmp from $eth0 to any icmp-type 8 code 0
keep
> state
Translation happens before filtering so you will find that these rules 
are passing packets from $lan1, $lan2 as well.
> #allow nat for both lan segments only if lan segments initiate request.
> pass out on $eth0 inet proto tcp from $lan1 to any		modulate
> state
> pass out on $eth0 inet proto udp from $lan1 to any		keep state
> pass out on $eth0 inet proto icmp from $lan1 to any icmp-type 8 code 0 
> keep state
> pass out on $eth0 inet proto tcp from $lan2 to any		modulate
> state
> pass out on $eth0 inet proto udp from $lan2 to any		keep state
> pass out on $eth0 inet proto icmp from $lan2 to any icmp-type 8 code 0 
> keep state
These rules will have no affect because of what I mentioned above.
> #allow requests from segment 1 to segment 2 or internet only if 
> segment 1 requests it.
> pass in on $eth1 inet proto tcp from $lan1 to any		modulate
> state
> pass in on $eth1 inet proto udp from $lan1 to any 		keep state
> pass in on $eth1 inet proto icmp from { $lan1, $loc } to any icmp-type 8
> code 0	keep state
> 
> #allow requests from segment 2 to segment 1 or internet only if 
> segment 2 requests it.
> pass in on $eth2 inet proto tcp from $lan2 to any		modulate
> state
> pass in on $eth2 inet proto udp from $lan2 to any 		keep state
> pass in on $eth2 inet proto icmp from { $lan1, $loc } to any icmp-type 8
> code 0   keep state
Where are your "pass out on { $eth1, $eth2 }" rules? "Keep state" only 
tracks state on one interface; you still have to pass the traffic 
through any other interface the packets will pass through.
.joel