pf rules on enc0 interface (OpenBSD)
Kevin Brown
plug-discuss@lists.plug.phoenix.az.us
Mon, 18 Mar 2002 11:42:09 -0700
I know ipf (the predecessor to pf) had a "keep state" option so that traffic
originating from the machine could get back in. Maybe try taking a look at that
option and see if it helps.
> Just tried it: Doesn't work :-(
> In fact, that line you referred to was added after the fact.
> After I realized the enc0 line wouldn't work. I commented
> the whole line out and it still chokes. I set up a ping
> on my notebook with your suggestion, and here is what
> the logs say (trimmed down).
>
> rule 2/0(match): block in on enc0: 192.168.3.2 > 192.168.2.202: icmp: echo reply (encap)
>
> The traffic gets out, but not back in. That is the part I do not
> understand.
>
> On Mon, Mar 18, 2002 at 10:51:13AM -0700, J.Francois wrote:
>
> You have a rule that blocks all incoming RFC1918 addresses.
> Remove the "quick" on:
>
> > block in log quick on xl0 from {10.0.0.0/8, 172.16.0.0/12, \
> > 192.168.0.0/16, 255.255.255.255/32} to any
>
> and let's see what happens.
> Getting rid of "quick" will let you fall through the rest of your rules.
> IIRC the physical interface gets handled before the tunneled interface.
>
>
> On Mon, Mar 18, 2002 at 12:15:11PM -0500, Mike wrote:
> > In setting up IPSec on some OpenBSD boxes, I have
> > noticed that I can not use a statement to pass traffic
> > on the enc0 in ONLY from a certain network. See my pf
> > rules below:
> > --------------------------------------------------------
> > SCOTT_OFFICE = "XXX.XXX.XXX.XXX"
> >
> > scrub in on xl0 all
> > scrub in on enc0 all
> >
> > block in log from any to any
> > block out log from any to any
> >
> > block in quick on xl0 from any to 255.255.255.255
> > block in log quick on xl0 from {10.0.0.0/8, 172.16.0.0/12, \
> > 192.168.0.0/16, 255.255.255.255/32} to any
> >
> > pass in on enc0 from any to any
> > pass out quick on enc0 from 192.168.3.0/24 to 192.168.2.0/24
> > #pass in quick on enc0 from 192.168.2.0/24 to 192.168.3.0/24
> >
> > pass in quick on fxp0 from 192.168.3.0/24 to any keep state
> > pass out quick on fxp0 from 192.168.2.235 to 192.168.3.13
> > pass out quick on fxp0 from 192.168.2.202 to 192.168.3.2
> >
> > pass in quick on xl0 proto udp from $SCOTT_OFFICE to xl0 port = 500
> > pass out quick on xl0 proto udp from xl0 to $SCOTT_OFFICE port = 500
> >
> > pass in on xl0 proto esp from $SCOTT_OFFICE to xl0
> > pass out on xl0 proto esp from xl0 to $SCOTT_OFFICE
> > ----------------------------------------------------------------
> > Notice the commented line for the enc0 interface. I have tried
> > changing the line, but it will not work. These rules function
> > similarly on both sides (work & home). It only chokes on the "in"
> > rules, not the "out".
> >
> > Can anyone explain this behavior to me?
> --
> Jean Francois - JLF Sends... /"\
> "Tell them we are not Gods, but SysAdmins, which is the next best thing." \ / ASCII Ribbon Campaign
> Getting Facts - $35: http://www.winface.com/blurb.html X Against HTML Mail
> Getting Certs - $40: http://www.brainbench.com/transcript.jsp?pid=1214021 / \
> Getting Published - Priceless: http://www.informit.com/authors/index.asp?authorid={6AD44647-E752-4CAB-B911-D3246F294DBA}
>
> ________________________________________________
> See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
>
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
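Added example, not from the thread: a Python model of the pf evaluation order J.Francois describes (the last matching rule decides, unless a matching rule is "quick", which ends evaluation), run over the ruleset Mike posted. It assumes pf's default of pass when nothing matches, ignores scrub, state tables, ports and the "to xl0" interface-address form (treated as "any"), and substitutes a constructed documentation address for the masked $SCOTT_OFFICE macro.

```python
import ipaddress

# Model of pf rule evaluation: rules are walked in order, a later match
# overrides an earlier one, a matching "quick" rule stops the walk, and no
# match at all means pass. Scrub, state, ports and "to xl0" are ignored.
# Ruleset transcribed from Mike's post; $SCOTT_OFFICE (masked there) is
# replaced with a constructed documentation address (203.0.113.10).
# Fields: (action, quick, direction, interface, proto, src, dst); None = any.
SCOTT_OFFICE = "203.0.113.10/32"
RFC1918 = "10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 255.255.255.255/32"
RULES = [
    ("block", False, "in",  None,   None,  "any", "any"),
    ("block", False, "out", None,   None,  "any", "any"),
    ("block", True,  "in",  "xl0",  None,  "any", "255.255.255.255/32"),
    ("block", True,  "in",  "xl0",  None,  RFC1918, "any"),
    ("pass",  False, "in",  "enc0", None,  "any", "any"),
    ("pass",  True,  "out", "enc0", None,  "192.168.3.0/24", "192.168.2.0/24"),
    ("pass",  True,  "in",  "fxp0", None,  "192.168.3.0/24", "any"),
    ("pass",  False, "in",  "xl0",  "esp", SCOTT_OFFICE, "any"),
    ("pass",  False, "out", "xl0",  "esp", "any", SCOTT_OFFICE),
]

def _addr_match(spec, ip):
    # "any" or a space-separated list of CIDR blocks (pf's {...} list form)
    return spec == "any" or any(ip in ipaddress.ip_network(n) for n in spec.split())

def packet(direction, iface, proto, src, dst):
    return {"dir": direction, "iface": iface, "proto": proto,
            "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst)}

def evaluate(rules, pkt):
    """Return (decision, index of the deciding rule, or None if nothing matched)."""
    decision, winner = "pass", None          # pf's default when no rule matches
    for idx, (action, quick, direction, iface, proto, src, dst) in enumerate(rules):
        if (direction != pkt["dir"] or (iface and iface != pkt["iface"])
                or (proto and proto != pkt["proto"])
                or not (_addr_match(src, pkt["src"]) and _addr_match(dst, pkt["dst"]))):
            continue
        decision, winner = action, idx       # a later match overrides this one
        if quick:
            break                            # quick: no fall-through to later rules
    return decision, winner

def without_quick(rules, idx):
    """Copy of the ruleset with 'quick' dropped from rule idx."""
    out = list(rules)
    out[idx] = (out[idx][0], False) + out[idx][2:]
    return out
```

Under this model the echo reply from the log (in on enc0, 192.168.3.2 to 192.168.2.202) is decided by the `pass in on enc0` rule, while the same addresses arriving in the clear on xl0 hit the quick RFC1918 block; dropping that rule's "quick" only changes the outcome if a later rule passes the packet.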