pf rules on enc0 interface (OpenBSD)
Mike
plug-discuss@lists.plug.phoenix.az.us
Mon, 18 Mar 2002 13:06:45 -0500
Just tried it: Doesn't work :-(
In fact, that line you refered to was added after the fact.
After I realized the enc0 line wouldn't work. I commented
the whole line out and it still chokes. I set up a ping
on my notebook with your suggestion, and here is what
the logs say (trimmed down).
rule 2/0(match): block in on enc0: 192.168.3.2 > 192.168.2.202: icmp: echo reply (encap)
The traffic gets out, but not back in. That is the part I do not
understand.
On Mon, Mar 18, 2002 at 10:51:13AM -0700, J.Francois wrote:
You have a rule that blocks all incoming RFC1918 addresses.
Remove the "quick" on:
> block in log quick on xl0 from {10.0.0.0/8, 172.16.0.0/12, \
> 192.168.0.0/16, 255.255.255.255/32} to any
and lets see what happens.
Getting rid of "quick" will let you fall thru the rest of your rules.
IIRC the physical interface gets handled before the tunneled interface.
On Mon, Mar 18, 2002 at 12:15:11PM -0500, Mike wrote:
> In setting up IPSec on some OpenBSD boxes, I have
> noticed that I can not use a statement to pass traffic
> on the enc0 in ONLY from a certain network. See my pf
> rules below:
> --------------------------------------------------------
> SCOTT_OFFICE = "XXX.XXX.XXX.XXX"
>
> scrub in on xl0 all
> scrub in on enc0 all
>
> block in log from any to any
> block out log from any to any
>
> block in quick on xl0 from any to 255.255.255.255
> block in log quick on xl0 from {10.0.0.0/8, 172.16.0.0/12, \
> 192.168.0.0/16, 255.255.255.255/32} to any
>
> pass in on enc0 from any to any
> pass out quick on enc0 from 192.168.3.0/24 to 192.168.2.0/24
> #pass in quick on enc0 from 192.168.2.0/24 to 192.168.3.0/24
>
> pass in quick on fxp0 from 192.168.3.0/24 to any keep state
> pass out quick on fxp0 from 192.168.2.235 to 192.168.3.13
> pass out quick on fxp0 from 192.168.2.202 to 192.168.3.2
>
> pass in quick on xl0 proto udp from $SCOTT_OFFICE to xl0 port = 500
> pass out quick on xl0 proto udp from xl0 to $SCOTT_OFFICE port = 500
>
> pass in on xl0 proto esp from $SCOTT_OFFICE to xl0
> pass out on xl0 proto esp from xl0 to $SCOTT_OFFICE
> ----------------------------------------------------------------
> Notice the commented line for the enc0 interface. I have tried
> changing the line, but it will not work. These rules function
> similar on both sides (work & home). It only chokes on the "in"
> rules, not the "out".
>
> Can anyone explain this behavior to me?
--
Jean Francois - JLF Sends... /"\
"Tell them we are not Gods, but SysAdmins, which is the next best thing." \ / ASCII Ribbon Campaign
Getting Facts - $35: http://www.winface.com/blurb.html X Against HTML Mail
Getting Certs - $40: http://www.brainbench.com/transcript.jsp?pid=1214021 / \
Getting Published - Priceless: http://www.informit.com/authors/index.asp?authorid={6AD44647-E752-4CAB-B911-D3246F294DBA}
________________________________________________
See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss