routing LAN traffic through/around a pf gateway
James B. Byrne
byrnejb at harte-lyne.ca
Fri Jan 25 14:17:40 UTC 2019
On Thu, January 24, 2019 19:31, Kristof Provost wrote:
>
>
> On 25 Jan 2019, at 9:37, James B. Byrne via freebsd-pf wrote:
>
>> I have limited knowledge of PF being in the process of transitioning
>> from 20+ years of RHEL/CentOS to FreeBSD. Neither do I possess a
>> great fund of knowledge respecting IP routing. That said this is my
>> problem:
>>
>> On a small test LAN I have three hosts, W44, W4 and G5:
>>
>> network layout, gateway address 216.185.71.5
>>
>> W44 G5 w4
>> 216.185.71.44 ----> 216.185.71.5 216.185.71.4 int_if IP
>> 192.168.150.44 192.168.150.5 ----> 192.168.150.4 int_if IP
>> alias
>>
>> Using ssh and with PF running on the gateway, when I connect from
>> 216.185.71.44 to 216.185.71.4 then the ssh session operates
>> normally.
>> However, if instead I connect from 216.185.71.44 to 192.168.150.4
>> then the initial connection is made but the ssh session remains
>> responsive for a brief time before it becomes non-responsive. If I
>> terminate the PF running on the gateway the ssh session again becomes
>> responsive. If I do not terminate PF then eventually the ssh session
>> client disconnects with a timeout error.
>>
>> Besides macros the entire active contents of pf.conf on G5 are:
>>
>> scrub in all no-df max-mss 1440 fragment reassemble
>>
>> block return out log all
>>
>> block drop in log all
>>
>> pass log on $int_if
>>
>> pass inet proto icmp all \
>> icmp-type $icmp_types keep state
>>
>> pass out quick on $ext_if inet proto udp \
>> from any \
>> to any port 33433 >< 33626 keep state
>>
>> Which results in these rules when PF is running:
>>
>> @0 scrub in all no-df max-mss 1440 fragment reassemble
>> @1 block return out log all
>> @2 block drop in log all
>> @3 pass log on em0 all flags S/SA keep state
>> @4 pass inet proto icmp all icmp-type echoreq keep state
>> @5 pass inet proto icmp all icmp-type unreach keep state
>> @6 pass out quick on em1 inet proto udp from any to any port 33433 >< 33626 keep state
>>
> You don't appear to have a rule permitting the SSH traffic to pass
> through your router.
> I'm a more than little surprised you manage to establish a connection
> in the first place.
> Unless the connection existed before you started pf, of course.
>
> Try adding something like:
> pass inet proto tcp port 22
>
> Regards,
> Kristof
--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
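To make Kristof's point concrete, here is a toy model of the @1-@6 ruleset quoted above (added here, not part of the thread or of pf itself). It applies pf's "last matching rule wins, unless the match is quick" evaluation to a single packet and shows that TCP/22 has no pass rule on em1, while the suggested `pass inet proto tcp port 22` fixes that. It deliberately ignores scrub, state tracking, logging and address matching, and it assumes em0 is $int_if and em1 is $ext_if as the expanded rules indicate.

```python
# Toy model of pf rule evaluation for the ruleset quoted in the thread.
# Each rule: (action, direction, interface, proto, dport_range, quick);
# None means "matches anything" for that field.
RULES = [
    ("block", "out", None, None, None, False),      # @1 block return out log all
    ("block", "in", None, None, None, False),       # @2 block drop in log all
    ("pass", None, "em0", None, None, False),       # @3 pass log on em0 all
    ("pass", None, None, "icmp", None, False),      # @4/@5 pass icmp echoreq/unreach
    # @6: "port 33433 >< 33626" is an exclusive range, i.e. 33434..33625
    ("pass", "out", "em1", "udp", (33434, 33625), True),
]
# Kristof's suggestion: any interface, any direction, TCP to port 22
SUGGESTED = ("pass", None, None, "tcp", (22, 22), False)


def evaluate(rules, direction, iface, proto, dport=None):
    """Walk the rules in order, remember the last match, stop on a quick
    match; with no match at all pf's default is to pass the packet."""
    verdict = "pass"
    for action, rdir, riface, rproto, ports, quick in rules:
        if rdir is not None and rdir != direction:
            continue
        if riface is not None and riface != iface:
            continue
        if rproto is not None and rproto != proto:
            continue
        if ports is not None and (dport is None or not ports[0] <= dport <= ports[1]):
            continue
        verdict = action
        if quick:
            break
    return verdict


def forwarded_verdict(rules, in_if, out_if, proto, dport=None):
    """A forwarded packet is checked inbound on the interface it arrives on
    and outbound on the interface it leaves by; both must pass."""
    return (evaluate(rules, "in", in_if, proto, dport),
            evaluate(rules, "out", out_if, proto, dport))


if __name__ == "__main__":
    # SSH arriving on em0 and leaving via em1: passed by @3, blocked by @1
    print(forwarded_verdict(RULES, "em0", "em1", "tcp", 22))              # ('pass', 'block')
    # With the suggested rule appended, both checks pass
    print(forwarded_verdict(RULES + [SUGGESTED], "em0", "em1", "tcp", 22))  # ('pass', 'pass')
```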