
Re: VPN client cannot connect through OpenBSD router/firewall



jared r r spiegel wrote:

> > Why would I not see the dropped packets in my log file (pflog0)?


> in this case i think you would. i looked back at the original pf.conf you posted that the other fellow replied to and the 'block all' didn't have the "$log_flg" in it (cute idea, btw)...

Thanks. What can I say? I'm lazy. :) Now I just have to create a command-line argument for my lfw (load firewall) wrapper script that checks the validity of the rules, dumps any current rules, and loads the new rules. I'll add this script at the bottom of this message for anyone who wants it.


> is it possible that you weren't seeing them before, but added
> the $log_flg to this pf.conf after the problem?

I looked and this is exactly what happened. I looked and I am seeing items like this:


Jan 19 07:43:46.952091 rule 0/0(match): block in on xl1: 10.248.0.145.1211 > 255.255.255.255.1211: udp 95
Jan 19 07:43:57.109716 rule 0/0(match): block in on fxp0: 200.165.174.115.1847 > 24.174.112.98.1434: udp 376
Jan 19 07:44:51.013127 rule 14/0(match): block in on fxp0: 10.49.160.1.67 > 255.255.255.255.68: xid:0x85eca861 flags:0x8000 [|bootp]


BTW, I'm getting *tons* of these! Is it someone hammering my box trying to find a weakness?

> > Should I be setting pflog0 as my loginterface instead of fxp0?

> nope, 'loginterface' is for the interface pf collects operational statistics on ( eg pfctl -si ). i believe
> the interface name and number, pflog0, are hardcoded.


> then pflogd(8) listens to pflog0 and redirects that
> down into /var/log/pflog ( by default ).

Ahhhh cool. That's good. And, speaking of statistics, when I stop my tcpdump (tcpdump -nettti pflog0), it shows:


   265 packets received by filter
   0 packets dropped by kernel

If I have set block-policy drop, shouldn't I be seeing these packets dropped instead of blocked?

rvb

====================================
lfw - Load Firewall Rulesets script
====================================
#!/bin/ksh

#=================================
# Load Firewall Rules (lfw):
#
# A program to check validity of
# a nat/firewall ruleset, flush
# all existing rules, and load
# the new, valid ruleset.
#
# Author: rvb
# Date  : 12.23.2004
#=================================

. ~/.profile

pgm_nm=`basename $0`

if [ "$#" -ne 1 ]
then
        echo ""
        echo "Usage: $pgm_nm <file>"
        echo ""
        echo "Note : <file> must conform to pf.conf rules"
        echo "       See man pf.conf for details"
        echo ""
        exit 1
fi

file="$1"

if [ -e "$file" ]
then
        echo ""
        echo "checking the rules in $file..."
        # -n parses the ruleset without loading it
        if sudo pfctl -nf "$file"
        then
                echo ""
                echo "flushing all existing rules..."
                # -F all also flushes state and tables, so existing
                # connections are dropped until the new rules are in
                sudo pfctl -F all
        else
                echo ""
                echo "pfctl -nf $file was not successful!"
                exit 1
        fi

        echo ""
        echo "loading the rules from $file"

        # test the exit status of the load itself, not of the flush
        if sudo pfctl -f "$file"
        then
                echo ""
                echo "ruleset loaded!"
                echo ""
        else
                echo ""
                echo "pfctl -f $file was not successful!"
                exit 1
        fi
else
        echo ""
        echo "$file does not exist!"
        exit 1
fi
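To answer the "tons of these" question from the log instead of by eye, here is a small sh/awk summariser; it is an added example and not part of rvb's or jared's mails or of the lfw script. It tallies pflog lines in the tcpdump -nettti pflog0 format quoted above by interface, rule number, destination port and protocol, so one noisy destination port stands out from scattered one-off hits. The four sample lines are constructed in the same format as the three quoted in the message (one of them repeated), and the function names summarize_blocks, top_block and count_on_iface are my own.

```shell
#!/bin/sh
# Summarise pflog text (tcpdump -n -e -ttt output from pflog0) by
# interface, rule number, destination port and protocol.

# Constructed sample input in the format of the lines quoted in the mail;
# the last line is a deliberate repeat so one tuple shows a count of 2.
SAMPLE_PFLOG='Jan 19 07:43:46.952091 rule 0/0(match): block in on xl1: 10.248.0.145.1211 > 255.255.255.255.1211: udp 95
Jan 19 07:43:57.109716 rule 0/0(match): block in on fxp0: 200.165.174.115.1847 > 24.174.112.98.1434: udp 376
Jan 19 07:44:51.013127 rule 14/0(match): block in on fxp0: 10.49.160.1.67 > 255.255.255.255.68: xid:0x85eca861 flags:0x8000 [|bootp]
Jan 19 07:45:02.220001 rule 0/0(match): block in on fxp0: 200.165.174.115.1847 > 24.174.112.98.1434: udp 376'

# summarize_blocks: read pflog text on stdin and print
# "count iface rule dport proto", most frequent tuple first.
summarize_blocks() {
    awk '
    $4 == "rule" && $6 == "block" {
        iface = $9;  sub(/:$/, "", iface)            # "fxp0:"  -> "fxp0"
        rule  = $5;  sub(/\(match\):$/, "", rule)    # "0/0(match):" -> "0/0"
        dst   = $12; sub(/:$/, "", dst)              # "a.b.c.d.port:" -> "a.b.c.d.port"
        n = split(dst, a, ".")
        dport = (n > 4) ? a[n] : "-"                 # last dotted field is the port
        # tcpdump decodes some payloads (bootp here) instead of naming the protocol
        proto = ($13 == "udp" || $13 == "tcp" || $13 == "icmp") ? $13 : "other"
        key = iface " " rule " " dport " " proto
        count[key]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# top_block: the single most frequent (iface rule dport proto) tuple
top_block() {
    summarize_blocks | head -n 1
}

# count_on_iface IFACE: total blocked packets logged on one interface
count_on_iface() {
    summarize_blocks | awk -v i="$1" '$2 == i { s += $1 } END { print s + 0 }'
}

printf '%s\n' "$SAMPLE_PFLOG" | summarize_blocks
```

Against the real log file this is `tcpdump -nettt -r /var/log/pflog | summarize_blocks` (the -r form reads what pflogd wrote instead of listening on pflog0). Two points the output makes easier to judge: UDP/1434 is the MS SQL resolution service port that the 2003 Slammer worm targeted, and background scanning for it stayed loud for years, so a steady stream of those is the usual Internet noise rather than someone aiming at one box; and the "0 packets dropped by kernel" line tcpdump prints on exit is its own count of BPF buffer overruns, unrelated to pf's block-policy, which only decides whether pf answers a blocked packet with a RST/ICMP unreachable (return) or stays silent (drop); both policies log the packet as "block".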