PF not sending NAT traffic to external interface

Post by Ricky Glaze » Sat, 14 Jun 2003 03:28:47

Hi,

I am having a small problem with pf. This is my network setup:

DSL Router (192.168.1.254) ---> OpenBSD box EXTERNAL interface
(192.168.0.3) -----> INTERNAL interface (192.168.0.2) -----> NETWORK

Here is my pf.conf:

--------------------------------------------------------------------------------
#macros
INTERNAL = "xl0"
EXTERNAL = "xl1"

SERVICES="{ www, https, ssh, smtp, mysmtp, imap, imaps }" # Allowable services

tcp_services = "{ 22, 80, 113 }"
icmp_types = "{ 8, 11 }"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# options
set block-policy return
set loginterface $EXTERNAL
set limit { states 10000, frags 10000 }

# scrub
scrub in all

# nat/rdr
nat on $EXTERNAL from $INTERNAL:network to any -> $EXTERNAL

# Default, block everything on every interface
block log all

pass quick on lo0 all

#Block obvious spoofs
block drop in  quick on $EXTERNAL from $priv_nets to any
block drop out quick on $EXTERNAL from any to $priv_nets

# stop IPv6 traffic
block in quick inet6 all
block out quick inet6 all

# Allow internal traffic to flow freely.
pass in quick on $INTERNAL from $INTERNAL:network to any
pass out quick on $INTERNAL from $INTERNAL:network to $INTERNAL:network

# Ping to outside world
pass out quick on $EXTERNAL inet proto icmp all icmp-type 8 code 0 keep state

# Pass in from the DSL router
pass in on $EXTERNAL from 192.168.1.254 to $EXTERNAL
# Pass out to the DSL router
pass out on $EXTERNAL from $EXTERNAL to 192.168.1.254

pass in on $EXTERNAL inet proto tcp from any to any \
   port $tcp_services flags S/SAFR keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in  on $INTERNAL from $INTERNAL:network to any keep state
pass out on $INTERNAL from any to $INTERNAL:network keep state

pass out on $EXTERNAL proto tcp all modulate state flags S/SAFR
pass out on $EXTERNAL proto { udp, icmp } all keep state
--------------------------------------------------------------------------------

All traffic coming in on $INTERNAL that is bound for the Internet should go out on
$EXTERNAL, but it seems to be going back out on $INTERNAL, as I get these
log entries:

Jun 12 09:04:31.984109 rule 0/0(match): block out on xl0: 192.168.0.27.1311 > 194.159.245.16.80: S 9627054:9627054(0) win 7300 <mss 1460,nop,nop,sackOK> (DF)
Jun 12 09:04:32.482889 rule 0/0(match): block out on xl0: 192.168.0.27.1311 > 194.159.245.16.80: S 9627054:9627054(0) win 7300 <mss 1460,nop,nop,sackOK> (DF)
Jun 12 09:04:32.982924 rule 0/0(match): block out on xl0: 192.168.0.27.1311 > 194.159.245.16.80: S 9627054:9627054(0) win 7300 <mss 1460,nop,nop,sackOK> (DF)
Jun 12 09:04:33.482845 rule 0/0(match): block out on xl0: 192.168.0.27.1311 > 194.159.245.16.80: S 9627054:9627054(0) win 7300 <mss 1460,nop,nop,sackOK> (DF)
Jun 12 09:04:48.679969 rule 0/0(match): block out on xl0: 192.168.0.27.1312 > 137.118.1.33.53: 1+ A? www.openbsd.org. (33)

All of these should have gone out on $EXTERNAL (xl1), but instead went out
on $INTERNAL (xl0), and so they were blocked. As far as I can tell, no
traffic is going out on xl1.

If I haven't provided enough info, please let me know.

Thanks a lot,
Ricky Glaze

 
 
 

Post by Richard » Sat, 14 Jun 2003 03:57:10

> Hi,
>
> I am having a small problem with pf. This is my network setup:
>
> DSL Router (192.168.1.254) ---> OpenBSD box EXTERNAL interface
> (192.168.0.3) -----> INTERNAL interface (192.168.0.2) -----> NETWORK
>
> Here is my pf.conf:
>
> --------------------------------------------------------------------------------
> #macros
> INTERNAL = "xl0"
> EXTERNAL = "xl1"
>
> SERVICES="{ www, https, ssh, smtp, mysmtp, imap, imaps }" # Allowable services
>
> tcp_services = "{ 22, 80, 113 }"
> icmp_types = "{ 8, 11 }"
>
> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
>
> # options
> set block-policy return
> set loginterface $EXTERNAL
> set limit { states 10000, frags 10000 }
>
> # scrub
> scrub in all
>
> # nat/rdr
> nat on $EXTERNAL from $INTERNAL:network to any -> $EXTERNAL
>
> # Default, block everything on every interface
> block log all
>
> pass quick on lo0 all
>
> #Block obvious spoofs
> block drop in  quick on $EXTERNAL from $priv_nets to any
> block drop out quick on $EXTERNAL from any to $priv_nets
>
> # stop IPv6 traffic
> block in quick inet6 all
> block out quick inet6 all
>
> # Allow internal traffic to flow freely.
> pass in quick on $INTERNAL from $INTERNAL:network to any
> pass out quick on $INTERNAL from $INTERNAL:network to $INTERNAL:network
>
> # Ping to outside world
> pass out quick on $EXTERNAL inet proto icmp all icmp-type 8 code 0 keep state
>
> # Pass in from the DSL router
> pass in on $EXTERNAL from 192.168.1.254 to $EXTERNAL
> # Pass out to the DSL router
> pass out on $EXTERNAL from $EXTERNAL to 192.168.1.254
>
> pass in on $EXTERNAL inet proto tcp from any to any \
>    port $tcp_services flags S/SAFR keep state
>
> pass in inet proto icmp all icmp-type $icmp_types keep state
>
> pass in  on $INTERNAL from $INTERNAL:network to any keep state
> pass out on $INTERNAL from any to $INTERNAL:network keep state
>
> pass out on $EXTERNAL proto tcp all modulate state flags S/SAFR
> pass out on $EXTERNAL proto { udp, icmp } all keep state
> --------------------------------------------------------------------------------
>
> All traffic coming in on $INTERNAL that is bound for the Internet should go out on
> $EXTERNAL, but it seems to be going back out on $INTERNAL, as I get these
> log entries:
>
> Jun 12 09:04:31.984109 rule 0/0(match): block out on xl0: 192.168.0.27.1311 > 194.159.245.16.80: S 9627054:9627054(0) win 7300 <mss 1460,nop,nop,sackOK> (DF)
> Jun 12 09:04:32.482889 rule 0/0(match): block out on xl0: 192.168.0.27.1311 > 194.159.245.16.80: S 9627054:9627054(0) win 7300 <mss 1460,nop,nop,sackOK> (DF)
> Jun 12 09:04:32.982924 rule 0/0(match): block out on xl0: 192.168.0.27.1311 > 194.159.245.16.80: S 9627054:9627054(0) win 7300 <mss 1460,nop,nop,sackOK> (DF)
> Jun 12 09:04:33.482845 rule 0/0(match): block out on xl0: 192.168.0.27.1311 > 194.159.245.16.80: S 9627054:9627054(0) win 7300 <mss 1460,nop,nop,sackOK> (DF)
> Jun 12 09:04:48.679969 rule 0/0(match): block out on xl0: 192.168.0.27.1312 > 137.118.1.33.53: 1+ A? www.openbsd.org. (33)
>
> All of these should have gone out on $EXTERNAL (xl1), but instead went out
> on $INTERNAL (xl0), and so they were blocked. As far as I can tell, no
> traffic is going out on xl1.

I would think it's because you're doing a block out quick (the second pf rule
below) on your $EXTERNAL, while the $EXTERNAL network is part of
192.168.0.0/16 and is itself being NAT'd.

One way to test is to remove the quick keyword, reload the rules and try again.
If that's it, then I'd recommend going about it another way, ever so
slightly.

#Block obvious spoofs
block drop in  quick on $EXTERNAL from $priv_nets to any
---> block drop out quick on $EXTERNAL from any to $priv_nets <---

Hope this helps, assuming I'm correct in thinking this. Just overly tired
and can't think straight today.

Regards.

 
 
 

Post by Ricky Glaze » Sat, 14 Jun 2003 04:21:40

Thanks a lot for the quick response, Richard. I had thought about that right
after I posted, but that doesn't seem to be it. Here are my new rules:

#macros
INTERNAL = "xl0"
EXTERNAL = "xl1"

SERVICES="{ www, https, ssh, smtp, mysmtp, imap, imaps }" # Allowable services

tcp_services = "{ 22, 80, 113 }"
icmp_types = "{ 8, 11 }"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# options
set block-policy return
set loginterface $EXTERNAL
set limit { states 10000, frags 10000 }

# scrub
scrub in all

# nat/rdr
nat on $EXTERNAL from $INTERNAL:network to any -> $EXTERNAL

# Default, block everything on every interface
block log all

pass quick on lo0 all

#Block obvious spoofs
block drop in on $EXTERNAL from $priv_nets to any
block drop out on $EXTERNAL from any to $priv_nets

# Pass in from the DSL router
pass in quick on $EXTERNAL from 192.168.1.254 to $EXTERNAL
# Pass out to the DSL router
pass out quick on $EXTERNAL from $EXTERNAL to 192.168.1.254

# stop IPv6 traffic
block in quick inet6 all
block out quick inet6 all

# Allow internal traffic to flow freely.
#pass in quick on $INTERNAL from $INTERNAL:network to any
#pass out quick on $INTERNAL from $INTERNAL:network to $INTERNAL:network
pass in quick on $INTERNAL
pass out quick on $INTERNAL

# Ping to outside world
pass out quick on $EXTERNAL inet proto icmp all icmp-type 8 code 0 keep state

pass in on $EXTERNAL inet proto tcp from any to any \
   port $tcp_services flags S/SAFR keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in  on $INTERNAL from $INTERNAL:network to any keep state
pass out on $INTERNAL from any to $INTERNAL:network keep state

pass out on $EXTERNAL proto tcp all modulate state flags S/SAFR
pass out on $EXTERNAL proto { udp, icmp } all keep state

It is still doing the same thing.

Regards,
Ricky

 
 
 

Post by Daniel Hartmeier » Sat, 14 Jun 2003 05:43:35

> DSL Router (192.168.1.254) ---> OpenBSD box EXTERNAL interface
> (192.168.0.3) -----> INTERNAL interface (192.168.0.2) -----> NETWORK

What netmasks are you using on xl0 and xl1, /24?
$ ifconfig -a

What default gateway is the OpenBSD box using?
$ route -n show | grep default

Daniel

 
 
 

Post by zibi » Sat, 14 Jun 2003 05:58:57


> # Default, block everything on every interface
> block log all

This will never log because it is not the final rule.

> pass out quick on $EXTERNAL from $EXTERNAL to 192.168.1.254

Should be
pass out quick on $EXTERNAL from $EXTERNAL to any
(the router is only your gateway, not the destination)

If you like I can send you my solution for comparison.

 
 
 

Post by bean » Sat, 14 Jun 2003 14:49:49



>># Default, block everything on every interface
>>block log all

> This will never log because it is not final rule

That's not actually correct.  My logs are plenty full, and my 'log'
lines are never last or final.  I always start with a 'block ... log...'
line for an interface/direction, then set about defining pass rules that
are exceptions to the block.  Maybe I misunderstood what you meant, zibi?

Indeed, the snippet of his pflog that was included in his original post
shows traffic being blocked by rule 0/0, which is his very first rule.

>>pass out quick on $EXTERNAL from $EXTERNAL to 192.168.1.254

> Should be
> pass out quick on $EXTERNAL from $EXTERNAL to any
> (router is only your gateway not destination)

> If you like I would send you my solution for comparition

The questions Daniel Hartmeier asked you probably hold the key to your
problems... show us your default route and ifconfig output.

Mark

 
 
 

Post by zibi » Sat, 14 Jun 2003 17:21:29


> >> # Default, block everything on every interface
> >> block log all
> > This will never log because it is not final rule

OK, to be clearer: if you have a sequence

> # Default, block everything on every interface
> block log all

> #Block obvious spoofs
> block drop in  quick on $EXTERNAL from $priv_nets to any
> block drop out quick on $EXTERNAL from any to $priv_nets

> # stop IPv6 traffic
> block in quick inet6 all
> block out quick inet6 all

logging occurs only for blocks other than those last four, so I have
noticed that logging doesn't cover all blockings; just remember what you
actually log.

> That's not actually correct.  My logs are plenty full, and my 'log'
> lines are never last or final.  I always start with a 'block ... log...'

It must be the last rule in the sequence of checking to be used for
logging, even if it is at the very beginning of the pf rules.
---------
> >> pass out quick on $EXTERNAL from $EXTERNAL to 192.168.1.254
> > Should be
> > pass out quick on $EXTERNAL from $EXTERNAL to any
> > (router is only your gateway not destination)

In my understanding of pf, that is the reason for the failure (the dest addr
in the rule).
 
 
 

Post by bean » Sat, 14 Jun 2003 21:57:17



>>>># Default, block everything on every interface
>>>>block log all

>>>This will never log because it is not final rule

> ok, more clear, if you have a sequence

>># Default, block everything on every interface
>>block log all

>>#Block obvious spoofs
>>block drop in  quick on $EXTERNAL from $priv_nets to any
>>block drop out quick on $EXTERNAL from any to $priv_nets

>>># stop IPv6 traffic

>>block in quick inet6 all
>>block out quick inet6 all

> logging occurs only and only for all blocks except the last four
> so I have noticed that logging doesn't cover all blockings,
> just to remember what you log

>>That's not actually correct.  My logs are plenty full, and my 'log'
>>lines are never last or final.  I always start with a 'block ... log...'

> It must be the last rule in the sequence of checking to be used for log
> even it is at a very beginning of pf rules.
> ---------

>>>>pass out quick on $EXTERNAL from $EXTERNAL to 192.168.1.254

>>>Should be
>>>pass out quick on $EXTERNAL from $EXTERNAL to any
>>>(router is only your gateway not destination)

> In my understanding of pf it is the reason for fail (dest addr in the rule)

I agree with you that the rule you mention there was wrong... he was
only allowing traffic out if it was destined for his DSL modem, not for
'any'.  His logs also look like he has a routing problem, because when
he tries to browse the web, and it gets blocked, the log shows that the
packet he sent to connect to server foo.com was blocked *outbound* on
his inside interface, as though his firewall tried to turn it right back
around and send it out of his $INTERNAL instead of his $EXTERNAL.

Jun 12 09:04:31.984109 rule 0/0(match): block out on xl0: 192.168.0.27.1311 > 194.159.245.16.80: S 9627054:9627054(0) win

(xl0 is his $INTERNAL interface, so looks like his default route may be
pointing back in towards his internal network?)

Regards,
Mark
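
The diagnostic Mark draws from the log above (blocked *out* on the internal interface, with nothing ever seen on xl1) can be pulled out of a pflog excerpt mechanically. The following is an added example written for this page; it is not code from the thread or from OpenBSD. The three sample lines are copied from the original post with the wrapping repaired, and the regex is this example's own assumption about the tcpdump-on-pflog0 text format, not a pf API.

```python
"""Pull the routing signal out of a pflog excerpt.

Added example for this thread; not part of the original posts and not an
OpenBSD or pf tool. LINE_RE is an assumption about the text format that
tcpdump prints for pflog0 entries.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed from the excerpt in the original post (wrapped lines re-joined).
SAMPLE_LOG = """\
Jun 12 09:04:31.984109 rule 0/0(match): block out on xl0: 192.168.0.27.1311 > 194.159.245.16.80: S 9627054:9627054(0) win 7300 <mss 1460,nop,nop,sackOK> (DF)
Jun 12 09:04:32.482889 rule 0/0(match): block out on xl0: 192.168.0.27.1311 > 194.159.245.16.80: S 9627054:9627054(0) win 7300 <mss 1460,nop,nop,sackOK> (DF)
Jun 12 09:04:48.679969 rule 0/0(match): block out on xl0: 192.168.0.27.1312 > 137.118.1.33.53: 1+ A? www.openbsd.org. (33)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) "
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)


def parse_pflog(text):
    """Return one dict per line matching LINE_RE; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["rule"] = int(e["rule"])
        e["src"], e["dst"] = ip_address(e["src"]), ip_address(e["dst"])
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        entries.append(e)
    return entries


def per_interface(entries):
    """Count entries by (action, direction, interface)."""
    return Counter((e["action"], e["dir"], e["ifname"]) for e in entries)


def leaving_on_wrong_side(entries, internal_if, internal_net):
    """Entries where a packet from the internal network, bound for an address
    outside it, was seen going *out* on the internal interface.

    A missing pass rule would show the same packet blocked out on the
    external interface instead. Seeing it out on the internal one means the
    kernel chose that interface to reach the destination, i.e. a routing or
    interface-numbering problem rather than a rule-order problem.
    """
    net = ip_network(internal_net)
    return [e for e in entries
            if e["dir"] == "out" and e["ifname"] == internal_if
            and e["src"] in net and e["dst"] not in net]


if __name__ == "__main__":
    parsed = parse_pflog(SAMPLE_LOG)
    for key, n in sorted(per_interface(parsed).items()):
        print(f"{n:3d}  {' '.join(key)}")
    for e in leaving_on_wrong_side(parsed, "xl0", "192.168.0.0/16"):
        print(f"misrouted: {e['src']}:{e['sport']} -> {e['dst']}:{e['dport']} "
              f"out on {e['ifname']}")
```

Run against the posted excerpt, every entry is counted under ("block", "out", "xl0") and none under xl1, and all three are flagged by leaving_on_wrong_side for xl0 with the /16 the box is actually using; that is the pattern that points at routing rather than at the pass rules.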

 
 
 

Post by Ricky Glaze » Tue, 17 Jun 2003 23:31:48

Thanks a lot for the good feedback guys.

Changing the rule to pass out quick on $EXTERNAL from $EXTERNAL to any does
indeed fix the blocking problem, but it does seem that I still have a
routing problem, as my traffic is going out on xl0 ($INTERNAL) instead of xl1
($EXTERNAL).

> What netmasks are you using on xl0 and xl1, /24?
> $ ifconfig -a

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
lo1: flags=8008<LOOPBACK,MULTICAST> mtu 33224
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:04:75:c4:84:d4
        media: Ethernet autoselect (100baseTX)
        status: active
        inet 192.168.0.2 netmask 0xffff0000 broadcast 192.168.255.255
        inet6 fe80::204:75ff:fec4:84d4%xl0 prefixlen 64 scopeid 0x1
xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:60:08:31:02:9b
        media: Ethernet autoselect (100baseTX)
        status: active
        inet 192.168.0.3 netmask 0xffff0000 broadcast 192.168.255.255
        inet6 fe80::260:8ff:fe31:29b%xl1 prefixlen 64 scopeid 0x2
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=0<> mtu 2020
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
sl1: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
ppp1: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
tun0: flags=10<POINTOPOINT> mtu 3000
tun1: flags=10<POINTOPOINT> mtu 3000
enc0: flags=0<> mtu 1536
bridge0: flags=0<> mtu 1500
bridge1: flags=0<> mtu 1500
vlan0: flags=0<> mtu 1500
        address: 00:00:00:00:00:00
vlan1: flags=0<> mtu 1500
        address: 00:00:00:00:00:00
gre0: flags=9010<POINTOPOINT,LINK0,MULTICAST> mtu 1450
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif1: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif2: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif3: flags=8010<POINTOPOINT,MULTICAST> mtu 1280

> What default gateway is the OpenBSD box using?
> $ route -n show | grep default

default          192.168.1.254      UG
default          ::1                UG
default          ::1                UG

Thanks again,
Ricky

 
 
 

Post by Daniel Hartmeier » Wed, 18 Jun 2003 02:43:46

> xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 192.168.0.2 netmask 0xffff0000 broadcast 192.168.255.255
> xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 192.168.0.3 netmask 0xffff0000 broadcast 192.168.255.255

These are overlapping networks. If you send a packet out to 192.168.0.1,
which interface should it go out through? Both networks contain it, and
they are both equally broad/narrow.

Either subnet your /16 (into two /24, for instance, 192.168.1.0/24 and
192.168.2.0/24) or bridge. But what you have is just not a valid
configuration.

Daniel
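
Daniel's point, as an added worked example that is not part of the thread and not a reimplementation of the OpenBSD routing table: it models only the kernel's longest-prefix choice among directly connected networks, which is enough to show why the posted ifconfig output (netmask 0xffff0000, i.e. /16, on both xl0 and xl1) leaves the egress interface for 192.168.1.254 undecidable, and why two /24s fix it. The RENUMBERED layout is one possible split along the lines suggested above; the exact subnets and host addresses in it are this example's assumption, only the DSL router address is taken from the post.

```python
"""Why two interfaces on one /16 cannot be routed between.

Added example for this thread; not code from the original posts. It models
only longest-prefix matching over directly connected networks.
"""
from ipaddress import ip_address, ip_interface

# As posted: netmask 0xffff0000 is /16 on both interfaces.
AS_POSTED = {"xl0": "192.168.0.2/16", "xl1": "192.168.0.3/16"}

# One renumbering along the lines suggested in the last reply (two /24s).
# The specific subnets and host addresses are an assumption for the example;
# the DSL router stays at 192.168.1.254 as posted, so it lands on xl1's side.
RENUMBERED = {"xl0": "192.168.2.2/24", "xl1": "192.168.1.3/24"}


def connected_networks(ifaces):
    """Map interface name -> directly attached network (what pf expands
    $if:network to)."""
    return {name: ip_interface(addr).network for name, addr in ifaces.items()}


def overlapping_interfaces(ifaces):
    """Pairs of interfaces whose connected networks overlap. Any result is a
    misconfiguration: the host then has two connected routes of equal
    specificity for the shared addresses."""
    nets = sorted(connected_networks(ifaces).items())
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]


def candidate_egress(ifaces, dst):
    """Interfaces the kernel could legitimately choose to reach dst, longest
    prefix wins. More than one name means the choice is arbitrary."""
    dst = ip_address(dst)
    hits = [(net.prefixlen, name)
            for name, net in connected_networks(ifaces).items() if dst in net]
    if not hits:
        return []
    best = max(p for p, _ in hits)
    return sorted(name for p, name in hits if p == best)


def egress(ifaces, dst):
    """The single egress interface for dst, or None if ambiguous or unreachable."""
    cands = candidate_egress(ifaces, dst)
    return cands[0] if len(cands) == 1 else None


if __name__ == "__main__":
    for label, layout in (("as posted", AS_POSTED), ("renumbered", RENUMBERED)):
        print(label, "overlaps:", overlapping_interfaces(layout))
        # default gateway as posted, then an internal LAN host in each layout
        for dst in ("192.168.1.254", "192.168.0.27", "192.168.2.27"):
            print(f"  {dst:15} -> {candidate_egress(layout, dst) or 'no connected route'}")
```

With AS_POSTED, candidate_egress for the default gateway returns both xl0 and xl1 with the same /16 prefix, which is exactly the situation in which the box sent its Internet-bound packets out xl0; with RENUMBERED the router is reachable only through xl1, and the internal hosts only through xl0. overlapping_interfaces is the check to run before loading a ruleset that relies on $if:network macros, since those expand to whatever the interface netmask says.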