pf rules on enc0 interface (OpenBSD)

Mike plug-discuss@lists.plug.phoenix.az.us
Mon, 18 Mar 2002 15:31:32 -0500


Why would I want to add rules to the xl0 interface when
it is choking on enc0 (and only IN, not out)?


On Mon, Mar 18, 2002 at 11:40:50AM -0700, J.Francois wrote:
 Add this near the top and do the ping again.
 
 ### Handle ICMP
 pass in on xl0 proto icmp from any to any icmp-type 0 keep state
 ### ICMP DESTINATION UNREACHABLE TYPE 3
 pass in on xl0 proto icmp from any to any icmp-type 3 keep state
 ### ICMP SOURCE-QUENCH TYPE 4
 pass in on xl0 proto icmp from any to any icmp-type 4 keep state
 ### ICMP REDIRECT TYPE 5
 pass in on xl0 proto icmp from any to any icmp-type 5 keep state
 ### ICMP ECHO TYPE 8 - DISABLED
 pass in on xl0 proto icmp from any to any icmp-type 8 keep state
 ### ICMP TIME EXCEEDED TYPE 11
 pass in on xl0 proto icmp from any to any icmp-type 11 keep state
 ### ICMP PARAMETER PROBLEM TYPE 12
 pass in on xl0 proto icmp from any to any icmp-type 12 keep state
 ### ICMP TIMESTAMP TYPE 13
 pass in on xl0 proto icmp from any to any icmp-type 13 keep state
 ### ICMP TIMESTAMP REPLY TYPE 14
 pass in on xl0 proto icmp from any to any icmp-type 14 keep state
 
 
 Once you get things going you may want to edit the above and
 change some of them to block statements.
 The keep state will prevent you from having to set an outbound rule.
 
 
 On Mon, Mar 18, 2002 at 01:06:45PM -0500, Mike wrote:
 > Just tried it: Doesn't work :-(
 > In fact, that line you referred to was added after the fact.
 > After I realized the enc0 line wouldn't work. I commented
 > the whole line out and it still chokes. I set up a ping
 > on my notebook with your suggestion, and here is what
 > the logs say (trimmed down).
 > 
 > rule 2/0(match): block in on enc0: 192.168.3.2 > 192.168.2.202: icmp: echo reply (encap)
 > 
 > The traffic gets out, but not back in. That is the part I do not
 > understand.
 > 
 > 
 > On Mon, Mar 18, 2002 at 10:51:13AM -0700, J.Francois wrote:
 >  
 >  You have a rule that blocks all incoming RFC1918 addresses.
 >  Remove the "quick" on:
 >  
 >  > block in log quick on xl0 from {10.0.0.0/8, 172.16.0.0/12, \
 >  >                               192.168.0.0/16, 255.255.255.255/32} to any
 >  
 >  and let's see what happens.
 >  Getting rid of "quick" will let you fall through the rest of your rules.
 >  IIRC the physical interface gets handled before the tunneled interface.
 >  
 >  
 >  On Mon, Mar 18, 2002 at 12:15:11PM -0500, Mike wrote:
 >  > In setting up IPSec on some OpenBSD boxes, I have
 >  > noticed that I can not use a statement to pass traffic
 >  > on the enc0 in ONLY from a certain network. See my pf
 >  > rules below:
 >  > --------------------------------------------------------
 >  > SCOTT_OFFICE = "XXX.XXX.XXX.XXX"
 >  > 
 >  > scrub in on xl0 all
 >  > scrub in on enc0 all
 >  > 
 >  > block in log from any to any
 >  > block out log from any to any
 >  > 
 >  > block in quick on xl0 from any to 255.255.255.255
 >  > block in log quick on xl0 from {10.0.0.0/8, 172.16.0.0/12, \
 >  > 				192.168.0.0/16, 255.255.255.255/32} to any
 >  > 
 >  > pass in on enc0 from any to any
 >  > pass out quick on enc0 from 192.168.3.0/24 to 192.168.2.0/24
 >  > #pass in quick on enc0 from 192.168.2.0/24 to 192.168.3.0/24
 >  > 
 >  > pass in quick on fxp0 from 192.168.3.0/24 to any keep state
 >  > pass out quick on fxp0 from 192.168.2.235 to 192.168.3.13
 >  > pass out quick on fxp0 from 192.168.2.202 to 192.168.3.2
 >  > 
 >  > pass in quick on xl0 proto udp from $SCOTT_OFFICE to xl0 port = 500
 >  > pass out quick on xl0 proto udp from xl0 to $SCOTT_OFFICE port = 500
 >  > 
 >  > pass in on xl0 proto esp from $SCOTT_OFFICE to xl0
 >  > pass out on xl0 proto esp from xl0 to $SCOTT_OFFICE
 >  > ----------------------------------------------------------------
 >  > Notice the commented line for the enc0 interface. I have tried
 >  > changing the line, but it will not work. These rules function
 >  > similarly on both sides (work & home). It only chokes on the "in"
 >  > rules, not the "out".
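The thread hinges on pf's evaluation order: the last matching rule wins, and a matching rule with "quick" ends evaluation on the spot. As an added illustration, not code posted in the thread, this Python toy evaluator runs a constructed subset of Mike's ruleset against two constructed packets built from the logged echo reply; the RULES tuples and the packet dicts are assumptions of this model, not pf's own data structures.

```python
import ipaddress

# Toy model of pf rule evaluation: the last matching rule wins, unless a matching
# rule carries "quick", which ends evaluation at once. RULES is a constructed
# subset of the thread's ruleset: (action, direction, quick, iface, proto, src, dst)
RULES = [
    ("block", "in",  False, None,   None,  "any",            "any"),
    ("block", "out", False, None,   None,  "any",            "any"),
    ("block", "in",  True,  "xl0",  None,  "192.168.0.0/16", "any"),
    ("pass",  "in",  False, "enc0", None,  "any",            "any"),
    ("pass",  "out", True,  "enc0", None,  "192.168.3.0/24", "192.168.2.0/24"),
    ("pass",  "in",  False, "xl0",  "esp", "any",            "any"),
]

def addr_match(spec, addr):
    """'any' matches everything; otherwise addr must fall inside the CIDR spec."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def rule_matches(rule, pkt):
    _act, direction, _quick, iface, proto, src, dst = rule
    return (direction == pkt["dir"] and iface in (None, pkt["iface"])
            and proto in (None, pkt["proto"])
            and addr_match(src, pkt["src"]) and addr_match(dst, pkt["dst"]))

def evaluate(rules, pkt):
    """Return (action, rule_no) pf applies to pkt; rule_no is 0-based, as in 'rule N/0(match)'."""
    verdict = ("pass", None)            # pf passes by default if nothing matches
    for n, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            verdict = (rule[0], n)
            if rule[2]:                 # quick: stop evaluating here
                break
    return verdict

def without_quick(rules, n):
    """Copy of rules with quick cleared on rule n, as suggested in the thread."""
    out = list(rules)
    act, direction, _, iface, proto, src, dst = out[n]
    out[n] = (act, direction, False, iface, proto, src, dst)
    return out

# Constructed packets: the decapsulated echo reply from the log line as seen on
# enc0, and the same inner addresses as if they were filtered on xl0 instead.
REPLY_ON_ENC0 = {"dir": "in", "iface": "enc0", "proto": "icmp",
                 "src": "192.168.3.2", "dst": "192.168.2.202"}
REPLY_ON_XL0 = dict(REPLY_ON_ENC0, iface="xl0")

if __name__ == "__main__":
    for pkt in (REPLY_ON_ENC0, REPLY_ON_XL0):
        print(pkt["iface"], evaluate(RULES, pkt), evaluate(without_quick(RULES, 2), pkt))
```

Run as a script it prints the verdict for the reply on enc0 and for the same addresses on xl0, with and without quick on the RFC1918 block, so you can see which rule number pf would report for each case.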
 ________________________________________________
 See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
 
 PLUG-discuss mailing list  -  PLUG-discuss@lists.plug.phoenix.az.us
 http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss