
pf causing creation of static routes to 127.0.0.1---maybe?



Hello,
I've come across some odd behaviour from an OpenBSD 3.6 firewall that
I recently set up. I'm hoping to figure out why it might be happening.
The firewall uses 2 DSL connections and round-robin load-balances
between them as per the pf FAQ. It also has ftp-proxy running; pf
redirects port 21 on the internal interface to 127.0.0.1:8021 where
the daemon listens. Normally it works quite well.
However, it seems that after an unexpected reboot (power failure) or a simple 
pfctl -f /etc/pf.conf
the firewall sometimes causes static routes to be created for some
arbitrary IP (possibly one that was listed in a state table at the
time of power failure or rule-load) with the next hop being 127.0.0.1
(not unlike what an alias looks like from the routing table's
perspective).
My suspicion is that this is just a result of rudely interrupting pf.
Is it likely a result of the rdr rule for ftp-proxy, or route-to?
Maybe a combination?
This isn't a big deal to me, but I was hoping to learn something as I
had always thought that pf operated somewhat independently of the
system routing tables.
Any insight would be greatly appreciated. Please let me know if more
logs/dumps/etc are needed.
Regards 
Oliver
#pf.conf
<macro defs snipped>
scrub in all  random-id fragment reassemble
#*** REDIRECTS
rdr pass on $ext_att_if proto tcp from any to $ext_nortel_ip port 443 -> $server_nortel port 443
rdr pass on $ext_att_if proto tcp from any to $ext_att_ip port pop3 -> $server_mail port pop3
rdr pass on $ext_att_if proto tcp from any to $ext_att_ip port smtp -> $server_mail port smtp
rdr pass on $ext_att_if proto tcp from any to $ext_att_ip port 443 -> $server_db port 443
rdr pass on $ext_att_if proto tcp from any to $ext_unicron_ip port 22 -> $server_unicron port 22
rdr pass on $ext_att_if proto tcp from any to $ext_db_ip port 22 -> $server_db port 22
# FTP proxy to allow active ftp
rdr pass on $int_if proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021
rdr-anchor authpf
### NAT
nat on $ext_att_if from $int_net to any -> $ext_att_ip
nat on $ext_telus_if from $int_net to any -> $ext_telus_ip
#*** PACKET FILTERING RULES
# If no rule matches, drop all incoming packets, allow all outgoing packets
block in log all
pass out all
block in quick on $int_if from any to 192.168.2.255 
pass in on $int_if from any to any
#full access to machine from inside
pass in quick on $int_if from $int_net to $int_ip
# To accommodate redirects
pass in quick on $ext_att_if proto tcp from any to $server_nortel port 443 keep state
pass in quick on $ext_att_if proto tcp from any to $server_mail port {smtp, pop3} keep state
pass in quick on $ext_att_if proto tcp from any to $server_db port 443 keep state
pass in quick on $ext_att_if proto tcp from any to $server_unicron port 22 keep state
pass in quick on $ext_att_if proto tcp from any to $server_db port 22 keep state
pass in quick on $ext_att_if proto tcp from any to any port $activeftp_ports keep state
# Insert authpf stuff here
anchor authpf
#allow pings
#pass in quick on $ext_att_if proto icmp from any to any
#allow ssh from certain hosts/nets to both interfaces
pass in quick on $ext_att_if proto tcp from <trusted_ssh_ips> to { $ext_att_ip $ext_telus_ip } port ssh
# Passing in ISAKMP traffic from the security gateways
pass out quick on $ext_att_if proto udp from $ext_att_ip port = 500 to any port = 500
pass in quick on $ext_att_if proto udp from any port = 500 to $ext_att_ip port = 500
# Passing in encrypted traffic from security gateways
pass out quick proto esp from any to any
pass in quick proto esp from any to any
pass in quick on enc0 from any to any
pass out quick on enc0 from any to any
pass in quick on enc0 proto icmp from any to any
pass out quick on enc0 proto icmp from any to any
#Dis-allow all other incoming initiations
block in quick log on $ext_att_if from any to any
### LOAD BALANCING
# Exception: Normal SMTP traffic will always go out here (reverse DNS issues)
pass in quick on $int_if route-to \
    ($ext_att_if $ext_att_gw) \
    proto tcp from $int_net to any port 25 flags S/SA modulate state
pass in quick on $int_if route-to \
    ($ext_att_if $ext_att_gw) \
    proto tcp from $int_net to any port 443 flags S/SA modulate state
pass in quick on $int_if route-to \
    ($ext_att_if $ext_att_gw) \
    proto tcp from $int_net to any port 4430 flags S/SA modulate state
#All other traffic
pass in on $int_if route-to \
    { ($ext_att_if $ext_att_gw), ($ext_telus_if $ext_telus_gw) } \
    round-robin \
    proto tcp from $int_net to any flags S/SA modulate state
pass in on $int_if route-to \
    { ($ext_att_if $ext_att_gw), ($ext_telus_if $ext_telus_gw) } \
    round-robin \
    proto { udp, icmp } from $int_net to any keep state
pass out on $ext_att_if proto tcp from any to any flags S/SA modulate state
pass out on $ext_att_if proto { udp, icmp } from any to any keep state
pass out on $ext_telus_if proto tcp from any to any flags S/SA modulate state
pass out on $ext_telus_if proto { udp, icmp } from any to any keep state
# Ensure proper routing 
pass out on $ext_att_if route-to ($ext_telus_if $ext_telus_gw) from $ext_telus_if to any
pass out on $ext_telus_if route-to ($ext_att_if $ext_att_gw) from $ext_att_if to any
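To spot the symptom described in the post (host routes for arbitrary addresses whose next hop is 127.0.0.1) without reading the whole routing table by eye, the following shell script filters `netstat -rn` output for exactly that pattern. It is an added example, not part of Oliver's message or of pf; it assumes the column layout of `netstat -rn -f inet` on OpenBSD of that era (destination in column 1, gateway in column 2), and the sample table it runs against is constructed from documentation address ranges, not taken from the poster's system.

```shell
#!/bin/sh
# Added example (not from the original post): flag routes whose gateway is
# 127.0.0.1 while the destination is not itself inside 127/8. Such a route
# sends traffic for an outside address into the loopback, which is the
# oddity the post describes.

# Constructed sample of `netstat -rn -f inet` output on an OpenBSD 3.x box.
# Interface names and addresses are placeholders, not the poster's real ones.
SAMPLE='Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use    Mtu  Interface
default            203.0.113.1        UGS         0     1234   1500  fxp0
127/8              127.0.0.1          UGRS        0        0  33224  lo0
127.0.0.1          127.0.0.1          UH          3       10  33224  lo0
192.168.2/24       link#3             UC          0        0   1500  fxp2
192.168.2.10       0:1:2:3:4:5        UHLc        1      200   1500  fxp2
198.51.100.77      127.0.0.1          UGHS        0        0  33224  lo0
203.0.113/24       link#1             UC          0        0   1500  fxp0'

# find_loopback_routes: read netstat -rn output on stdin and print one
# destination per line for every route that uses 127.0.0.1 as its gateway
# but whose destination is outside 127/8 (the legitimate loopback entries).
find_loopback_routes() {
    awk '
        /^Internet6:/ { exit }                 # IPv6 table has other columns; stop
        NF < 2 || $1 == "Destination" { next } # blank lines and header
        $2 == "127.0.0.1" && $1 !~ "^127[./]" && $1 != "127" { print $1 }
    '
}

# count_loopback_routes: same filter, but report only how many were found,
# which is convenient for a cron job or a monitoring check.
count_loopback_routes() {
    find_loopback_routes | wc -l | tr -d ' '
}

# Stand-alone run on the constructed sample. On a live system pipe
# `netstat -rn -f inet` into find_loopback_routes instead.
printf '%s\n' "$SAMPLE" | find_loopback_routes
```

On the sample above the script prints only `198.51.100.77`; the `127/8` and `127.0.0.1` entries are the normal loopback routes and are left alone. Once such a destination has been investigated (for instance by checking whether it appears in `pfctl -ss` output as an ftp-proxy or route-to state), the stray entry can be removed with `route delete -host <destination>` and the check re-run.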