weird PF behavior

Hexren me at hexren.net
Wed Mar 30 23:31:12 PST 2005


> Here's a rough sketch of the home network

> FBSD 5.3 box ===>>>> xl0 ===>>> ADSL modem
>                     ===>>> xl1 ===>>> 10/100 Mbps switch ===>>>
> several Windows PCs are connected to the switch
>                     ===>>> xl2 ===>>> Windows PC (via x-over cable).
> This is the FTP server.

> I have an FTP server running in a windows box with IP = 192.168.2.2

> here's a snippet of my rules
> ==========
> ext_if = "tun0"
> elayne_ftp_service = "19985:19989"
> elayne = "192.168.2.2/32"

> rdr on $ext_if proto tcp from any to ($ext_if) port
> $elayne_ftp_service -> $elayne
> block log all #This is the very first rule after the nat/rdr rules
> pass in quick on $ext_if inet proto tcp from any to $elayne port {
> $elayne_ftp_service } flags S/SA keep state
> ============

> Looking at the PF FAQ in openbsd.org, this seems to be correct.

> But when I try to connect from work to the FTP, I get the following
> tcpdump entries:
> =====================
> 15:44:38.009604 IP SOURCE_IP_HIDDEN_FOR_PRIVACY.43318 >
> TARGET_IP_HIDDEN_FOR_PRIVACY.19989: S 1052116979:1052116979(0) win
> 49640 <mss 1402,nop,nop,sackOK>
> 15:44:41.423697 IP SOURCE_IP_HIDDEN_FOR_PRIVACY.43318 >
> TARGET_IP_HIDDEN_FOR_PRIVACY.19989: S 1052116979:1052116979(0) win
> 49640 <mss 1402,nop,nop,sackOK>
> ===================

> If I change the last rule in the snippet to:
> ===========
> pass in quick inet proto tcp from any to $elayne port {
> $elayne_ftp_service } flags S/SA keep state
> ===========
> it works.

> Well I thought that having "on $ext_if" is correct as well, as the
> traffic from work to the home FTP server must pass through $ext_if.

> Any ideas for this behavior?

> Thanks

---------------------------------------------

Guessing, I would say that:
The traffic comes in on $ext_if, a state for it is created, and it then
tries to leave over $int_if. At that point it is caught by "block log
all #This is the very first rule after the nat/rdr rules", as obviously
"on $ext_if" in the pass rule is not true for a packet traversing
$int_if. IMHO a rule along the lines of "pass on $int_if from any to
$elayne port { $elayne_ftp_service } keep state" should fix the
problem. Try it; I am not dead sure.

Regards
Hexren
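
As an added example (not from the thread, and not the poster's actual pf.conf), the quoted rule set written out as one fragment together with the internal-interface rule Hexren proposes; `$int_if` is assumed to be xl2 (the cross-over link to the FTP server in the sketch), and Hexren's direction-less `pass on $int_if` is narrowed to `pass out`, the direction the redirected packet travels on that interface.

```pf
# Added example, not the poster's configuration. int_if = xl2 is an
# assumption taken from the network sketch (x-over cable to the FTP server).
ext_if = "tun0"
int_if = "xl2"
elayne = "192.168.2.2/32"
elayne_ftp_service = "19985:19989"

# Translation: inbound connections to the FTP port range on the external
# address get their destination rewritten to the internal server.
rdr on $ext_if proto tcp from any to ($ext_if) port $elayne_ftp_service -> $elayne

# Default deny. Anything not matched by a later pass rule is dropped and
# logged to pflog0, on every interface it crosses.
block log all

# Packet arriving on the external interface. Filtering happens after
# translation, so the rule matches on the internal address, not ($ext_if).
pass in quick on $ext_if inet proto tcp from any to $elayne \
    port $elayne_ftp_service flags S/SA keep state

# The same packet then leaves the firewall on the internal interface.
# Hexren's guess is that "block log all" catches it here, because the
# "on $ext_if" rule does not apply on $int_if; pass it explicitly.
pass out quick on $int_if inet proto tcp from any to $elayne \
    port $elayne_ftp_service flags S/SA keep state
```

To see where a packet is really being dropped, `tcpdump -n -e -ttt -i pflog0` shows the interface, direction and rule number behind each logged block, and `pfctl -s state` shows whether a state was created for the connection at all.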
