
Re: pflog and traffic via gif_if



Hi again,
After some pondering over my problem re: gif traffic not being able to
be sent/received, I've concluded that because gif is tunneled via tun0
(my $ext_if), I need to somehow permit gif traffic via $ext_if. I've
tried a couple of things but neither seems to help.
The local network address is 10.0.88.0 and the other end of the tunnel is 10.0.89.0.
The local side of the tunnel is 10.0.88.254 and the remote end is 10.0.89.254, as
shown below:
Wed Apr 13 16:53:19 [email protected]:~# ifconfig gif3
gif3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet x.x.y.199 --> x.x.z.214
        inet 10.0.88.254 --> 10.0.89.254 netmask 0xffffff00
        inet6 fe80::248:54ff:fed1:3308%gif3 prefixlen 64 scopeid 0x7
I've pasted my pf.conf again, and cleaned it up a bit by replacing all
the variables I made with what they stand for (i.e. '$po' becomes 'pass
out').
/etc/pf.conf:
##### macros
int_if = "rl0"
ext_if = "tun0"
gif_if = "gif3"
icmp_types = "echoreq"
-hosts here-
##### aliases
ks = "keep state"
ms = "modulate state"
ss = "synproxy state"
int_net = "{" $int_if:network "}"
##### behavior options
set block-policy return
set loginterface $ext_if
##### scrub
scrub in all
##### nat/rdr
nat on $ext_if from $int_net to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 3128
##### anti spoofing protection
#antispoof quick for $int_if inet
#antispoof quick for $ext_if inet
#antispoof quick for lo0
 block drop in on $ext_if from $priv_nets to any
 block drop out on $ext_if from any to $priv_nets
#####filter rules
###default block and log all
 block log all
#pass in inet proto icmp all icmp-type $icmp_types $ks
#pass out inet proto icmp all icmp-type $icmp_types $ks
 pass quick on lo0 all
###filter rules for $int_if inbound
 block in on $int_if all
 pass in on $int_if inet proto tcp from any to $int_if port 2222 $ks
 pass in on $int_if proto { udp,tcp } from $int_net to any port 53 $ks
 pass in on $int_if proto tcp from $soh to any port 3128 flags S/SA $ks 
 pass in on $int_if proto tcp from $soh to any port 443 flags S/SA $ks 
 pass in on $int_if proto tcp from $int_net to $int_if port { 21,20 } $ks
 pass in on $int_if proto tcp from $soh to $int_if port 25 $ks 
 pass in on $int_if proto tcp from $soh to $int_if port 110 $ks 
 pass in on $int_if proto tcp from $int_net to ($ext_if) port { 25,110 } $ks   
###filter rules for $int_if outbound
 block out on $int_if all
 pass out on $int_if inet proto tcp from $int_if to $int_net port 20 $ks
###filter rules for $ext_if inbound
 block in on $ext_if all
 pass in on $ext_if inet proto tcp from any to ($ext_if) port 20 $ks
 pass in on $ext_if inet proto tcp from any to ($ext_if) port 21 $ks
 pass in on $ext_if inet proto tcp from any to ($ext_if) port 25 $ks
 pass in on $ext_if inet proto tcp from any to ($ext_if) port 110 $ks
###filter rules for $ext_if outbound
 block out on $ext_if all
 pass out on $ext_if from any to $dns $ks
 pass out on $ext_if inet proto tcp from ($ext_if) to $vpn_conf flags S/SA $ks
 pass out on $ext_if inet proto tcp from ($ext_if) to any port 21 $ks
 pass out on $ext_if inet proto tcp from ($ext_if) to any port 20 $ks
 pass out on $ext_if inet proto tcp from ($ext_if) to $mail1 port 25 $ks 
 pass out on $ext_if inet proto tcp from ($ext_if) to $mail1 port 110 $ks 
 pass out on $ext_if inet proto tcp from ($ext_if) to $mail2 port 25 $ks 
 pass out on $ext_if inet proto tcp from ($ext_if) to any port 80 $ks 
 pass in inet proto icmp all icmp-type $icmp_types $ks
 pass out inet proto icmp all icmp-type $icmp_types $ks
###filter to pass all tunnel traffic
 pass in on $gif_if all 
 pass out on $gif_if all
 
I've had to specify the ports/hosts separately for labelling purposes,
in case anyone wonders why I've written it how I have.
I'm also struggling to get pflog to show anything (I want it to show
everything, not just the blocked traffic; would this imply having
'log' in every rule I have?)... I left it running for a while and it
showed nothing, even with myself purposely trying to connect to
blocked ports (and of course trying to ping via my gif iface).
Thanks in advance,
Stephen
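One way to address both questions, as an added example rather than anything from the original post: the gif tunnel's outer packets cross tun0 as IP protocol 4 (ipencap, IPv4-in-IPv4) or 41 (ipv6, IPv6-in-IPv4), so they need their own pass rules on $ext_if, and pf writes a packet to pflog0 only for rules carrying the log keyword. The macro $tun_remote is assumed here and stands for the masked x.x.z.214 endpoint from the ifconfig output above; $gif_net_remote is the 10.0.89.0/24 network the post describes.

```pf
# Added example, not the poster's configuration. Endpoint values are
# placeholders taken from the masked addresses in the post.
ext_if = "tun0"
gif_if = "gif3"
tun_remote = "x.x.z.214"            # outer address of the far tunnel end
gif_net_remote = "10.0.89.0/24"     # inner network reachable through gif3

# 'set loginterface' only feeds the counters shown by 'pfctl -s info';
# it does not log packets. Logging is per rule: every rule that should
# appear on pflog0 needs the 'log' keyword, including the default block.
block log all

# Allow only the encapsulated tunnel traffic between the two known
# endpoints on $ext_if, in both directions. Anything else arriving as
# ipencap/ipv6 on tun0 still hits 'block log all' and shows up in pflog.
pass in  log quick on $ext_if inet proto ipencap from $tun_remote to ($ext_if)
pass out log quick on $ext_if inet proto ipencap from ($ext_if) to $tun_remote
pass in  log quick on $ext_if inet proto ipv6 from $tun_remote to ($ext_if)
pass out log quick on $ext_if inet proto ipv6 from ($ext_if) to $tun_remote

# Once decapsulated, the inner packets are filtered again on $gif_if.
# Keep this narrower than 'pass in on $gif_if all' so the remote site
# cannot reach arbitrary local services; widen it per service as needed.
pass in  log on $gif_if inet proto icmp from $gif_net_remote to any icmp-type echoreq keep state
pass out log on $gif_if inet from any to $gif_net_remote keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and read the log with `tcpdump -n -e -ttt -i pflog0` on the firewall itself; with `block log all` in place, attempts against closed ports appear there as long as pflogd is running.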