Trouble with PF

David Verzolla dverzolla at fcl.com.br
Wed Sep 26 14:20:41 PDT 2007


Hi,

 

I'm working with two firewall boxes:

      - Dell PowerEdge 2950
            - First network device BCE0
            - Second network device BCE1

      - HP ML350 G3
            - First network device BGE0
            - Second network device XL0

My FreeBSD box is a 6.2-STABLE.

 

I'm working with PF Firewall + PFSYNC + VLANS (3 vlans) + CARP.

All interfaces are cloned with CARP.

The problem is:

My network is slow. When I try to connect to a web server, or try pings from my firewall to some machine located in the DMZ (tests from DMZ -> firewall box have the same result), I get this trouble:

 

The command:

while true ; do ping -c 1 DMZ_IP ; done

Ping works in most of the tests, but some tests give me this error:

(For security reasons I suppressed my original IP, sorry for the inconvenience.)

 

--- 201.x.x.x ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.194/0.194/0.194/0.000 ms

PING 201.x.x.x (201.x.x.x): 56 data bytes
64 bytes from 201.x.x.x: icmp_seq=0 ttl=64 time=0.197 ms

--- 201.x.x.x ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.197/0.197/0.197/0.000 ms

PING 201.x.x.x (201.x.x.x): 56 data bytes
64 bytes from 201.x.x.x: icmp_seq=0 ttl=64 time=0.192 ms

--- 201.x.x.x ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.211/0.211/0.211/0.000 ms

PING 201.x.x.x (201.x.x.x): 56 data bytes
---> ping: sendto: Operation not permitted

 

The ping returns "Operation not permitted".

 

Other command:

[root at f1000 /etc/pf]# ping 201.x.x.x

PING 201.x.x.x (201.x.x.x): 56 data bytes

ping: sendto: Operation not permitted

ping: sendto: Operation not permitted

ping: sendto: Operation not permitted

ping: sendto: Operation not permitted

64 bytes from 201.x.x.x: icmp_seq=4 ttl=64 time=2.636 ms

64 bytes from 201.x.x.x: icmp_seq=5 ttl=64 time=0.210 ms

64 bytes from 201.x.x.x: icmp_seq=6 ttl=64 time=0.136 ms

 

The ping returns "Operation not permitted" too.

 

I have other applications working with Ajax that are broken: the time to load all the resources is bigger. With this trouble (Ajax) it is possible to verify that the problem occurs with the TCP protocol as well.

When I disable PF, everything works great.

Below are my rules:

-- begin
#     $FreeBSD: src/etc/pf.conf,v 1.2.2.1 2006/04/04 20:31:20 mlaier Exp $
#     $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

# Macros: define common values, so they can be referenced and changed easily.

### NET DEVICES
ext_if            =     "bce0"
dmz_if            =     "vlan20"
corp_if           =     "vlan30"
ras_if            =     "vlan40"
sync_if           =     $ras_if

### ICMP OPTIONS
icmp_types="{ echoreq, unreach }"

table <impsat>     { 200.x.x.0/26   }
table <totalrange> { 201.x.x.0/20   }
table <dmz>        { 201.x.x.0/24   }

# Options: tune the behavior of pf, default values are given.
set optimization normal
#set timeout { tcp.closing 900, tcp.finwait 15, tcp.closed 90 }
set block-policy return
set state-policy floating
set skip on lo
set loginterface $ext_if
set fingerprints "/etc/pf/_pf.os"

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

#### start
block in

# PFSYNC
pass on $sync_if proto pfsync

# Permit all out
pass out keep state

# PERMIT MULTI-CAST (CARP)
pass quick on { $dmz_if $corp_if $ras_if $ext_if } inet from any to 224.0.0.0/4 allow-opts keep state

# PERMIT DNS OUT
pass in quick on { $dmz_if $corp_if $ras_if } inet proto { udp tcp } from any to any port 53 keep state

# PERMIT DMZ OUT
pass in quick on { $dmz_if } inet proto tcp from <dmz> to any \
      port 80 flags S/SA keep state

# PERMIT SSH
pass in quick on { $ext_if } inet proto tcp from <impsat> to any \
      port { 22 } flags S/SA keep state

# TEMP PERMIT, OLD NET -> NEW NET
pass quick inet proto tcp from <totalrange> to <impsat> \
      flags S/SA keep state

# ME
pass in quick on $ext_if inet proto tcp from <impsat> to $ext_if:network \
   port 22 flags S/SA keep state

pass in quick on $ext_if inet proto udp from <impsat> to $ext_if:network \
   port snmp keep state

pass in quick on $ext_if inet proto tcp from <totalrange> to $ext_if:network \
   port 22 flags S/SA keep state

pass in quick on $ext_if inet proto udp from <totalrange> to $ext_if:network \
   port snmp keep state

### GENERAL RULES
## NTP
pass in quick on { $dmz_if } inet proto udp from 200.x.x.1 port { 123 } to any \
      port { 123 } keep state

### <NS1>
pass in quick on { $ext_if $corp_if } inet proto tcp from any port { 53 } to 200.x.x.2 \
      port { 53 } flags S/SA keep state

pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.2 \
      port { 53 } flags S/SA keep state

pass in quick on { $ext_if $corp_if } inet proto tcp from <impsat> to 200.x.x.2 \
      port { 22 } flags S/SA keep state

pass in quick on { $ext_if $corp_if } inet proto udp from any to 200.x.x.2 \
      port { 53 } keep state
### </NS1>

### <HERZOG_NEW>
pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.3 \
      port { 20 21 80 443 } flags S/SA keep state

# RSYNC
pass in quick on { $ext_if } inet proto tcp from <impsat> to 200.x.x.3 \
      port { 873 } flags S/SA keep state

# FTP
pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.3 \
      port 30000 >< 65000 flags S/SA keep state # PASSIVE MODE

# FTP
pass in quick on { $dmz_if } inet proto tcp from 200.x.x.3 port 20 to any \
      flags S/SA keep state tag FTP-BACK # ACTIVE MODE
### </HERZOG_NEW>

### <Webtrends test>
# WEB
pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.4 \
      port { 80 } flags S/SA keep state
### </Webtrends test>

# <WINDOWS MEDIA>
pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.5 \
      port { 554 1755 } flags S/SA keep state

# VNC
pass in quick on { $ext_if } inet proto tcp from <impsat> to 200.x.x.5 \
      port { 5900 } flags S/SA keep state

pass in quick on { $ext_if $corp_if } inet proto udp from any to 200.x.x.5 \
      port { 554 1755 } keep state
# </WINDOWS MEDIA>

# TEST NOTEBOOK - HOLIDAY
pass in quick on { $ext_if $dmz_if } inet proto tcp from any to 200.x.x.6 \
      port { 22 80 } flags S/SA keep state
# </TEST WITH NOTEBOOK - HOLIDAY>

# TEST WITH CISNET
pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.7 \
      port { 21 22 } flags S/SA keep state

pass in quick on { $ext_if $corp_if } inet proto tcp from any to 200.x.x.7 \
      port 30000 >< 65000 flags S/SA keep state # PASSIVE MODE

pass in quick on { $dmz_if } inet proto tcp from 200.x.x.7 port 20 to any \
      flags S/SA keep state tag FTP-BACK # ACTIVE MODE
# </TEST WITH CISNET>

# PING
pass log inet proto icmp all icmp-type $icmp_types keep state

# TRACEROUTE
pass inet proto udp from any to any \
      port 33433 >< 33626 keep state
-- end

 

Thanks in advance.

 

 

David Verzolla

Network Administrator

Fundação Cásper Líbero - FCLNet

Tel: +55 11 3170.5937
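To reason about which of the posted rules decides a given packet, here is a toy evaluator of pf's filter semantics (last match wins unless the match is quick), added here as an example and not part of the original post or of pf itself. It models only direction, interface, protocol, ICMP type and destination port for a reduced subset of the posted rules; addresses, keep state and pfsync are left out, so it gives the decision for a packet with no existing state entry, and the rule labels are shortened assumptions.

```python
from dataclasses import dataclass
from typing import Optional
# Toy model of pf filter evaluation (added example, not pf's code): the LAST
# matching rule decides unless a match is "quick". No addresses or state here.

@dataclass(frozen=True)
class Rule:
    action: str                             # "pass" or "block"
    direction: Optional[str] = None         # "in", "out", None = either
    ifaces: frozenset = frozenset()         # empty = any interface
    protos: frozenset = frozenset()         # empty = any protocol
    icmp_types: Optional[frozenset] = None  # None = any ICMP type
    dport: Optional[int] = None             # None = any destination port
    quick: bool = False
    label: str = ""

@dataclass(frozen=True)
class Packet:
    direction: str
    iface: str
    proto: str
    icmp_type: Optional[str] = None
    dport: Optional[int] = None

def matches(r: Rule, p: Packet) -> bool:
    return (r.direction in (None, p.direction)
            and (not r.ifaces or p.iface in r.ifaces)
            and (not r.protos or p.proto in r.protos)
            and (r.icmp_types is None or p.icmp_type in r.icmp_types)
            and r.dport in (None, p.dport))

def evaluate(rules, p: Packet):
    # Returns (action, label of the deciding rule); pf passes if nothing matches.
    decision = ("pass", "<no rule matched>")
    for r in rules:
        if matches(r, p):
            decision = (r.action, r.label)
            if r.quick:
                break
    return decision

# Rules from the post that ICMP and DNS traffic can hit, with macros expanded
# ($icmp_types = { echoreq, unreach }) and addresses left out.
RULES = [
    Rule("block", "in", label="block in"),
    Rule("pass", "out", label="pass out keep state"),
    Rule("pass", "in", frozenset({"vlan20", "vlan30", "vlan40"}), frozenset({"udp", "tcp"}),
         dport=53, quick=True, label="pass in quick ... port 53 keep state"),
    Rule("pass", protos=frozenset({"icmp"}), icmp_types=frozenset({"echoreq", "unreach"}),
         label="pass log inet proto icmp all icmp-type $icmp_types keep state"),
]
```

Evaluating an inbound echo reply on vlan20 returns the block in decision, because echorep is not in $icmp_types; with this ruleset replies can only pass through a state entry created by the outbound request.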

 


