
pflog and traffic via gif_if



Hi,
 
I'm not sure what I'm doing wrong, but I can't seem to send any
traffic via gif3 ($gif_if). The rule I had in place is a working
rule from a previous conf, but in my wisdom in rewriting the conf from
scratch yesterday I managed to overwrite the previous conf. The only
different thing I had which may have come into play was a pass out all
on ext_if rule which I no longer want.
 
I tried having a look at pflog0 with tcpdump, but it doesn't seem to
show any traffic at all, never mind just the blocked traffic (I would
like to know if there is a way to log all? All examples I've seen
online say 'block log all'). I made sure I did 'ifconfig pflog0 up'
before attempting to run tcpdump on it.
 
 
/etc/pf.conf:
 
##### macros
int_if = "rl0"
ext_if = "tun0"
gif_if = "gif3"
icmp_types = "echoreq"
-list of ports/hosts here-
##### aliases
bi = "block in"
bo = "block out"
bq = "block quick"
biq = "block in quick"
boq = "block out quick"
bd = "block drop"
pi = "pass in"
po = "pass out"
pq = "pass quick"
piq = "pass in quick"
poq = "pass out quick"
ks = "keep state"
ms = "modulate state"
ss = "synproxy state"
l = "label"
int_net = "{" $int_if:network "}"
##### behavior options
set block-policy return
set loginterface $ext_if
##### scrub
scrub in all
##### nat/rdr
nat on $ext_if from $int_net to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 3128
##### anti spoofing protection
#antispoof quick for $int_if inet
#antispoof quick for $ext_if inet
#antispoof quick for lo0
#$bd in   on $ext_if    from $priv_nets to any
#$bd out  on $ext_if    from any to $priv_nets
##### filter rules
### default block and log all
block log all
#$pi inet proto icmp all icmp-type $icmp_types $ks
#$po inet proto icmp all icmp-type $icmp_types $ks
$pq on lo0 all
### filter rules for $int_if inbound
$bi on $int_if all
$pi on $int_if inet proto tcp from any to $int_if port 2222 $ks
$pi on $int_if proto { udp,tcp } from $int_net to any port 53 $ks
$pi on $int_if proto tcp from $soh to any port 3128 flags S/SA $ks $l "http :   $srcaddr  "
$pi on $int_if proto tcp from $soh to any port 443 flags S/SA $ks $l "ssl  :   $srcaddr  "
$pi on $int_if proto tcp from $int_net to $int_if port { 21,20 } $ks
$pi on $int_if proto tcp from $soh to $int_if port 25 $ks $l "smtp :   $srcaddr  "
$pi on $int_if proto tcp from $soh to $int_if port 110 $ks $l "pop3 :   $srcaddr  "
$pi on $int_if proto tcp from $int_net to ($ext_if) port { 25,110 } $ks
$pi on $int_if proto tcp from $sh to any port { 6667,6668,7000 } $ks
### filter rules for $int_if outbound
$bo on $int_if all
$po on $int_if inet proto tcp from $int_if to $int_net port 20 $ks
### filter rules for $ext_if inbound
$bi on $ext_if all
$pi on $ext_if inet proto tcp from any to ($ext_if) port 20 $ks
$pi on $ext_if inet proto tcp from any to ($ext_if) port 21 $ks
$pi on $ext_if inet proto tcp from any to ($ext_if) port 25 $ks
$pi on $ext_if inet proto tcp from any to ($ext_if) port 110 $ks
### filter rules for $ext_if outbound
$bo on $ext_if all
$po on $ext_if from any to $dns $ks
$po on $ext_if inet proto tcp from ($ext_if) to $vpn_conf flags S/SA $ks
$po on $ext_if inet proto tcp from ($ext_if) to any port 21 $ks
$po on $ext_if inet proto tcp from ($ext_if) to any port 20 $ks
$po on $ext_if inet proto tcp from ($ext_if) to $mail1 port 25 $ks $l "total smtp (storm)  : "
$po on $ext_if inet proto tcp from ($ext_if) to $mail1 port 110 $ks $l "total pop3 (storm)  : "
$po on $ext_if inet proto tcp from ($ext_if) to $mail2 port 25 $ks $l "total smtp (saix)   : "
$po on $ext_if inet proto tcp from ($ext_if) to any port 80 $ks $l "total http          : "
$po on $ext_if inet proto tcp from ($ext_if) to any port { 6667,6668,7000 } $ks
$pi inet proto icmp all icmp-type $icmp_types $ks
$po inet proto icmp all icmp-type $icmp_types $ks
### filter to pass all tunnel traffic
$pi on $gif_if all
$po on $gif_if all
 
-eof-
 
I also added a rule:
$po on $ext_if from ($ext_if) to $gif_if $ks
 
as well as
$po on $ext_if from ($ext_if) to 10.0.89.0/24 $ks
but neither seem to help much...
 
(They shouldn't be necessary because I said pass in/out all on $gif_if??)

It would be a lot easier if I could decipher what is going on via
pflog0, but when I do:
 
tcpdump -n -e -ttt -vv -i pflog0
 
all I get is:
 
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file),
capture size 96 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
 
 
What confuses me is that even though I have a specific pass in/out
rule for icmp, a pass out rule after that for $gif_if, and no rules
after that (so there are no more block matches)... I still can't ping
or send/recv traffic via $gif_if to 10.0.89.0 but can ping other
hosts:
 
Tue Apr 12 09:31:45 [email protected]:~# ping -c 3 www.iol.co.za
PING www.iol.co.za (196.30.168.79): 56 data bytes
64 bytes from 196.30.168.79: icmp_seq=0 ttl=58 time=45.315 ms
64 bytes from 196.30.168.79: icmp_seq=1 ttl=58 time=47.876 ms
64 bytes from 196.30.168.79: icmp_seq=2 ttl=58 time=54.126 ms
--- www.iol.co.za ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 45.315/49.106/54.126/3.701 ms
Tue Apr 12 09:31:59 [email protected]:~# ifconfig gif3
gif3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet x.x.y.123 --> x.x.z.96
        inet 10.0.88.254 --> 10.0.89.254 netmask 0xffffff00
        inet6 fe80::248:54ff:fed1:3308%gif3 prefixlen 64 scopeid 0x7
Tue Apr 12 09:32:08 [email protected]:~# ping -c 3 10.0.89.254
PING 10.0.89.254 (10.0.89.254): 56 data bytes
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
--- 10.0.89.254 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
 
I may be doing something stupid in either of the two problems, but
perhaps a look from someone else will spot something I have not
noticed.
 
Thanks in advance,
Stephen.
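As an added illustration (not part of Stephen's post or his ruleset), a small Python model of pf's last-matching-rule-wins evaluation, run over a constructed subset of the rules above; it shows how an echo request can pass on gif3 and still be rejected, unlogged, when the encapsulated copy is filtered again on tun0 by a later block rule that carries no "log" keyword. It assumes the tunnel's outer packets are IPv4 protocol 4 (ipencap) addressed to the remote endpoint, written here with the post's redacted x.x.z.96.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    action: str                # "pass" or "block"
    direction: str = None      # "in", "out" or None for both
    iface: str = None          # interface name or None for any
    proto: str = None          # "icmp", "ipencap", ... or None for any
    dst: str = None            # destination address or None for "any"
    log: bool = False          # the "log" keyword
    quick: bool = False        # the "quick" keyword

    def matches(self, pkt):
        return all(want in (None, pkt[key]) for key, want in (
            ("direction", self.direction), ("iface", self.iface),
            ("proto", self.proto), ("dst", self.dst)))

def evaluate(rules, pkt):
    """Return (action, logged). The last matching rule wins unless a matching
    rule says quick, and only the winning rule's log flag feeds pflog0."""
    winner = None
    for rule in rules:
        if rule.matches(pkt):
            winner = rule
            if rule.quick:
                break
    if winner is None:
        return "pass", False   # pf's implicit default when nothing matches
    return winner.action, winner.log

# Constructed subset of the post's ruleset, in the original order.
RULES = [
    Rule("block", log=True),                 # block log all
    Rule("pass", iface="lo0", quick=True),   # pass quick on lo0 all
    Rule("block", "out", "tun0"),            # block out on $ext_if all (no log)
    Rule("pass", "out", proto="icmp"),       # pass out inet proto icmp ... echoreq
    Rule("pass", "in", "gif3"),              # pass in on $gif_if all
    Rule("pass", "out", "gif3"),             # pass out on $gif_if all
]

# Constructed packets. A ping to the far end of the tunnel is filtered twice:
# on gif3, then on tun0 once wrapped in an outer IPv4 packet (proto 4, ipencap).
PING_PUBLIC = {"direction": "out", "iface": "tun0", "proto": "icmp", "dst": "196.30.168.79"}
PING_INNER = {"direction": "out", "iface": "gif3", "proto": "icmp", "dst": "10.0.89.254"}
PING_OUTER = {"direction": "out", "iface": "tun0", "proto": "ipencap", "dst": "x.x.z.96"}

# A candidate rule for the outer packets, appended so it follows "block out on tun0".
ALLOW_TUNNEL = Rule("pass", "out", "tun0", proto="ipencap", dst="x.x.z.96")
```

Because the non-logging "block out on $ext_if all" is the last match for the outer packet, nothing reaches pflog0 even though "block log all" sits at the top; a quick way to confirm the real rule counters on the box is pfctl -vvsr.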