Bridging again
Tiv
gtivey at sbcglobal.net
Mon Sep 25 20:25:32 PDT 2006
Gergo Szakal wrote:
Argh, I tracked down the problem to pf itself.
With this ruleset it works:
------------------------------------------------------------------
int_if=sk0
ext_if=sk1
intnet={xxx.xxx.118.64/26,xxx.1xxx14.118.224/27}
tcp_opts="flags S/SA modulate state"
# Options: tune the behavior of pf, default values are given.
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 35000, frags 15000 }
set loginterface $ext_if
set optimization conservative
set block-policy return
set require-order yes
set fingerprints "/etc/pf.os"
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub all no-df random-id
# Filtering
pass in all
pass out all
------------------------------------------------------------------
Now if I replace the filtering part:
------------------------------------------------------------------
# Filtering
block in all
block out all
pass quick on {lo0,$int_if} all
pass out quick on $ext_if proto tcp from <intnet> to any $tcp_opts
pass out quick on $ext_if proto udp from <intnet> to any keep state
------------------------------------------------------------------
then I cannot SSH from a box sitting behind the bridge, while using
the previous config I can. I thought this config was good. What can be
the problem?
Oh, and something else: the direction of the state when SSHing from
behind the bridge is IN!!! On my OpenBSD 3.8 box outbound states'
directions are obviously Out, and obviously this ruleset is working
fine on that OBSD bridge. I think this is in connection with the
problems I just described. Can anyone tell me what the cause of this
paradoxical behaviour is?
Thanks in advance.
Hi all ---
I'm no expert, but unless you intend to block ICMP messages,
you just might want to use something like this...
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
If you can't ping/arp a host (icmp disabled), I'd think you'd have
trouble connecting ssh...
When I block/filter icmp on a Cisco router I get this:
ssh: connect to host targa port 22: No route to host
...just something to consider.
Best regards,
Gary
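A small ruleset checker, added here as an example and not part of the thread, that runs the two things a reader would want to verify in the second ruleset: whether `<intnet>` is actually a defined table (the post defines `intnet` as a macro, so `$intnet` would be the matching reference, and pf cannot resolve an undefined table at load time) and which protocols get a stateful pass on `$ext_if`, which is the ICMP point raised in the reply. The embedded ruleset is constructed from the post with placeholder addresses.

```python
import re

# Constructed sample modelled on the failing filter section from the post
# (addresses replaced with RFC 1918 placeholders; macro names as in the post).
RULESET = """\
int_if=sk0
ext_if=sk1
intnet={10.0.0.0/26,10.0.1.0/27}
tcp_opts="flags S/SA modulate state"
block in all
block out all
pass quick on {lo0,$int_if} all
pass out quick on $ext_if proto tcp from <intnet> to any $tcp_opts
pass out quick on $ext_if proto udp from <intnet> to any keep state
"""

def lint_pf(text):
    """Return (findings, protocols passed with state on $ext_if).

    Checks that every <name> used in a rule has a 'table <name>' definition
    (a 'name=' macro is not a table) and reports when icmp is not among the
    stateful protocols on the external interface (ICMP errors get dropped).
    """
    macros, tables, refs, ext_protos = {}, set(), set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments/blank lines
        if not line:
            continue
        m = re.match(r"^(\w+)\s*=\s*(.+)$", line)      # macro definition
        if m:
            macros[m.group(1)] = m.group(2).strip().strip('"')
            continue
        m = re.match(r"^table\s+<(\w+)>", line)        # table definition
        if m:
            tables.add(m.group(1))
            continue
        refs.update(re.findall(r"<(\w+)>", line))      # table references in rules
        for name in sorted(macros, key=len, reverse=True):   # expand $macros
            line = line.replace("$" + name, macros[name])
        on_ext = f"on {macros.get('ext_if')} " in line
        if line.startswith("pass") and " state" in line and on_ext:
            p = re.search(r"\bproto\s+(\{[^}]*\}|\S+)", line)
            if p:
                ext_protos.update(t for t in re.split(r"[{},\s]+", p.group(1)) if t)
    findings = []
    for t in sorted(refs - tables):
        hint = f" (a macro '{t}' exists; did you mean ${t}?)" if t in macros else ""
        findings.append(f"table <{t}> referenced but never defined{hint}")
    if "icmp" not in ext_protos:
        findings.append("no stateful pass for icmp on $ext_if; ICMP errors will be dropped")
    return findings, ext_protos
```

Running `lint_pf(RULESET)` reports both problems; applying the reply's `proto { udp, icmp } ... keep state` rule and referencing `$intnet` clears them.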