pf not checking traffic from tunnels
Kajetan Staszkiewicz
vegeta at tuxpowered.net
Tue May 30 16:17:47 UTC 2017
Hello,
I have a setup where FreeBSD-based routers serving datacenters are connected
via gif tunnels which are additionally encrypted using transport mode IPsec.
Each router runs pf and provides firewalling between multiple VLANs. Tunnel
interfaces were always trusted, though.
Every rule carries the following options:
"flags any keep state (sloppy)"
This of course makes the firewall a bit less secure but allows routers to be
rebooted without (usually) resetting connections. Or at least that was the
idea.
Because of this rule I never noticed that in fact there are never states
created for connections incoming on tunnels.
In a very simple experiment, even without routing to vlans but just by
communication between routers I get the following behaviour:
1. I have this rule:
pass quick log on $if_tunnels flags any keep state (sloppy)
2. I ping this router from another one.
3. I observe pflog0.
4. The 1st entry appearing on pflog0 is ANSWER to the ping:
17:55:08.276321 rule 0..16777216/0(match): \
pass out on gif_aw2_YYY1: 10.XX.YYY.201 > 10.XX.YYY.130: \
ICMP echo reply, id 63443, seq 0, length 64
If I make a rule clearly matching incoming traffic, it won't ever match on
packets, its counters won't increase.
This is also seen here:
[root at aw-router02 ~]% pfctl -qvvsI | grep -A10 gif_
No ALTQ support in kernel
ALTQ related functions disabled
gif_aw2_awpay1
    Cleared:     Tue May 30 16:35:25 2017
    References:  3
    In4/Pass:    [ Packets: 9      Bytes: 660    ]
    In4/Block:   [ Packets: 0      Bytes: 0      ]
    Out4/Pass:   [ Packets: 10380  Bytes: 800248 ]
    Out4/Block:  [ Packets: 0      Bytes: 0      ]
    In6/Pass:    [ Packets: 0      Bytes: 0      ]
    In6/Block:   [ Packets: 0      Bytes: 0      ]
    Out6/Pass:   [ Packets: 0      Bytes: 0      ]
    Out6/Block:  [ Packets: 0      Bytes: 0      ]
Here I have a fast ping command running and Out4/Pass counters are increasing
quite fast while In4/Pass does not grow at all.
This particular machine runs FreeBSD 11.0, same thing happens on my other
routers running FreeBSD 10.
Is there any option to check from userspace if the gif interface has pf
attached in netpfil hook for incoming traffic? Running tcpdump on gif
interface correctly shows incoming icmp echo request.
--
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
| Kajetan Staszkiewicz | jabber,email: vegeta()tuxpowered net |
| Vegeta | www: http://vegeta.tuxpowered.net |
`------------------------^---------------------------------------'
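The counter asymmetry described in the message (Out4 growing on a gif interface while In4 stays flat) can be checked mechanically by diffing two `pfctl -vvsI` snapshots. The following is an added example, not code from the poster or from FreeBSD: it parses the per-interface counter format quoted above and flags interfaces where pf counts outbound packets but no inbound ones. The snapshot text and the interface name vlan100 are constructed for the example.

```python
import re
# One counter line of `pfctl -vvsI`, e.g. "In4/Pass: [ Packets: 9  Bytes: 660 ]"
COUNTER_RE = re.compile(
    r"^\s*(In|Out)([46])/(Pass|Block):\s*\[\s*Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s*\]")
# An interface header is an unindented name, optionally flagged "(skip)".
IFACE_RE = re.compile(r"^(\S+)(?:\s+\(skip\))?\s*$")


def parse_pfctl_interfaces(text):
    """Map each interface to {"In4/Pass": packets, "Out4/Block": packets, ...}."""
    result, iface = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:  # banner lines such as "No ALTQ support in kernel" contain spaces and are skipped
            iface = m.group(1)
            result.setdefault(iface, {})
            continue
        m = COUNTER_RE.match(line)
        if m and iface is not None:
            result[iface][f"{m.group(1)}{m.group(2)}/{m.group(3)}"] = int(m.group(4))
    return result


def _delta(before, after, iface, direction):
    # Packets seen in one direction (Pass + Block) between the two snapshots.
    return sum(after.get(iface, {}).get(f"{direction}/{v}", 0)
               - before.get(iface, {}).get(f"{direction}/{v}", 0)
               for v in ("Pass", "Block"))


def find_asymmetric(before, after, prefix="gif_"):
    """Interfaces whose Out4 grew while In4 stayed flat: pf never saw the inbound packets."""
    flagged = {}
    for iface in after:
        if iface.startswith(prefix):
            d_in, d_out = _delta(before, after, iface, "In4"), _delta(before, after, iface, "Out4")
            if d_out > 0 and d_in == 0:
                flagged[iface] = (d_in, d_out)
    return flagged


SNAP_BEFORE = """\
No ALTQ support in kernel
gif_aw2_awpay1
    In4/Pass:    [ Packets: 9        Bytes: 660      ]
    Out4/Pass:   [ Packets: 10380    Bytes: 800248   ]
vlan100
    In4/Pass:    [ Packets: 500      Bytes: 40000    ]
    Out4/Pass:   [ Packets: 480      Bytes: 38000    ]
"""
SNAP_AFTER = SNAP_BEFORE.replace("10380", "10430").replace("500 ", "520 ").replace("480 ", "498 ")  # constructed second snapshot
# -> {'gif_aw2_awpay1': (0, 50)}; vlan100 grew in both directions and is not flagged.
ASYMMETRIC = find_asymmetric(parse_pfctl_interfaces(SNAP_BEFORE), parse_pfctl_interfaces(SNAP_AFTER))
```

On a live router the two snapshots would come from running `pfctl -vvsI` before and after a burst of pings over the tunnel, as in the experiment above.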