
RE: Ruleset Problem



OMG TYPO! Packet is going from 10.0.0.51 to 10.0.0.1 to 10.0.0.2 to 10.0.4.1
Maybe this clarifies it now, lol.
Machine1
Eth0=77.77.77.77
Eth1=10.0.0.1 network 10.0.0.0/24
Eth2=10.0.0.2 network 10.0.0.0/24
Machine2
Eth0=11.11.11.11
Eth1=10.0.0.2 network 10.0.0.0/24
Eth2=10.0.4.1 network 10.0.4.0/24
(routing table)
Route 
Destination      Gateway
10.0.0.0         Eth1
10.0.0.2         Eth1
10.0.1.0         Eth2
10.0.4.0         10.0.0.2
BTW, Thanks for working with me on this, and helping me figure where I am
going wrong!
Amir Seyavash Mesry 
[email protected] 
LSI Logic Corporation 
http://www.lsilogic.com/ 
Raid Support Test Technician 
6145-D Northbelt Parkway 
Norcross, GA 30071 
678-728-1211 
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of j knight
Sent: Monday, June 02, 2003 4:50 PM
To: pf
Subject: Re: Ruleset Problem
Amir Seyavash Mesry wrote:
> Sorry, I thought I gave enough info, they come in on eth1 and leave on 
> eth1. IE machine that pf.conf was given for is doing nat and some 
> small routing. Machine1(pf.conf given for this one) Eth0=internetip
> Eth1=10.0.0.1 network 10.0.0.0/24
> Eth1=10.0.0.2 network 10.0.0.0/24
> 
> Machine2
> Eth0=internetip
> Eth1=10.0.0.2 network 10.0.0.0/24
> Eth1=10.0.4.1 network 10.0.4.0/24
Now I'm really confused :(. Perhaps you could draw a simple diagram?
> 
> If I am reading this right translation takes precedence over 
> filtering, which means If I have the following after translation, then 
> the packets will still pass, or do they get blocked after translation 
> on the outbound if.x
Translated packets still pass through the filter engine and are subject 
to your filter rules....
> block in log all
> block out log all
... so this will block translated packets. You'll need to "pass out on 
$ext ..." later on.
> As for the keep state rules, what I was trying to accomplish is 
> passing packets between eth1 & eth2 checking state on each interface. 
> Maybe one 2 revised rules would be
> 
> pass in on $eth1 inet proto udp from $lan1 to $lan2 		keep state
> pass in on $eth2 inet proto udp from $lan1 to $lan2 		keep state
Is $lan1 connected to $eth1 or $eth2? From what I can tell, $lan1 is on 
$eth1 so looking for packets from $lan1 on $eth2 isn't necessary.
> Do I need a corresponding one backtracking such as?
> 
> pass in on $eth2 inet proto udp from $lan2 to $lan1 		keep state
> pass in on $eth1 inet proto udp from $lan2 to $lan1 		keep state
Same situation here with $lan2.
What you need is a set of rules to pass traffic OUT on $eth1, $eth2. 
Like I said, "keep state" only tracks state on one interface, not all of 
them.
	pass in  on $eth1 from $lan1 to $lan2 keep state
	pass out on $eth2 from $lan1 to $lan2 keep state
.joel
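Putting joel's advice together, here is an added pf.conf fragment for Machine1 that is not part of the thread. It assumes, unlike the posted addressing, that $lan1 sits directly behind $eth1 and $lan2 directly behind $eth2, and the interface names and networks are taken from the macros used in the thread.

```pf
# Added example, not from the thread. Interface names and the two LAN
# networks are assumptions based on the macros used in the discussion.
ext  = "eth0"
eth1 = "eth1"
eth2 = "eth2"
lan1 = "10.0.0.0/24"
lan2 = "10.0.4.0/24"

# Translation is applied before filtering: LAN traffic leaving $ext
# gets the address of $ext.
nat on $ext from { $lan1, $lan2 } to any -> ($ext)

# Default deny in both directions. Translated packets are evaluated by
# these rules too, so an explicit "pass out on $ext" is needed below.
block in  log all
block out log all

# A packet crossing the router is filtered twice: once on the interface
# it enters and once on the interface it leaves. Each leg needs its own
# pass rule; a single "pass in ... keep state" on $eth1 does not cover
# the outbound leg on $eth2.
pass in  on $eth1 inet proto udp from $lan1 to $lan2 keep state
pass out on $eth2 inet proto udp from $lan1 to $lan2 keep state

# Same pairing for the reverse direction: in on $eth2, out on $eth1.
pass in  on $eth2 inet proto udp from $lan2 to $lan1 keep state
pass out on $eth1 inet proto udp from $lan2 to $lan1 keep state

# Let the translated LAN traffic leave towards the internet. Replies
# are matched by the state created here, so nothing else needs to be
# opened "in on $ext" for them.
pass out on $ext inet from any to any keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and watch `pflog0` with tcpdump while testing: a logged block on $eth2 for traffic that was passed in on $eth1 is the symptom described in the thread.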