Dear list,
after re-installing a machine with 5.3 (i386), I wanted to tighten up the
filtering rules. To that end, I added a 'block log' rule near the top of my
rules. This appears to be unexpectedly effective.
I'm having trouble with my IPsec VPN to a VoIP PBX. Although my SAs come up
as expected, outbound traffic appears to be blocked on enc0. What bugs me
is that the 'tag' and 'tagged' keywords do not seem to work as I'd expect
from ipsec.conf(5).
I created the SAs with the 'PBX' tag and would like to be so lazy as to
just use:
pass on enc keep state (if-bound) tagged PBX
Surprisingly, I can receive incoming pings from the PBX (172.24.8.0/24)
with this setup, but am unable to ping the address from my own net (
192.128.10.0/24). I get this with the fairly minimal ruleset added below.
Of course, I could add rules listing the address ranges in question, but I
had hoped to use the 'PBX' tag for that instead. Did I misread or
misunderstand ipsec.conf(5) or am I missing something else entirely?
Insight greatly appreciated,
Regards,
Rogier
# tcpdump -eee -ttt -ni pflog0
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
Jun 10 22:42:39.513643 rule 0/(match) block out on enc0: 192.168.10.102 >
172.24.8.1: icmp: echo request
# cat /etc/pf.conf
if_int="vlan801"
pbx_net="172.24.8.0/24"
noc_net="172.24.10.0/24"
table <internal> persist { $if_int:network, $pbx_net, $noc_net }
set block-policy return
block log
set skip on { lo sk0 }
# Outbound traffic
match out on egress inet nat-to (egress:0) tagged OUT
pass out on egress from (egress)
# IPv6 tunnel
pass out on egress proto tcp from (egress) to any port 3874 # TIC
pass out on egress proto udp from (egress) to any port 3740 # heartbeat
pass on egress proto ipv6
pass on egress inet proto icmp
pass on egress inet6 proto icmp6
# IPsec tunnel
pass on egress proto udp from any to any port { isakmp, ipsec-nat-t }
pass on egress proto esp
pass on enc0 keep state (if-bound) tagged PBX
# SSH
pass in on $if_int proto tcp from ($if_int:network) to ($if_int) \
port ssh
# Internal traffic
match in on $if_int from ($if_int:network) to !<internal> tag OUT
pass on $if_int
# cat /etc/ipsec.conf
id = "b2"
gw = "fxp0"
gw6 = "gif6"
net = "192.168.10.0/24"
# PBX access
pbx_id = "weber"
pbx_gw = [removed]
pbx_net = "172.24.8.0/24"
ike esp from $net to $pbx_net peer $pbx_gw srcid $id dstid $pbx_id tag PBX
# cat /var/run/dmesg.boot
OpenBSD 5.3 (GENERIC) #50: Tue Mar 12 18:35:23 MDT 2013
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Celeron(R) CPU 2.40GHz ("GenuineIntel" 686-class) 2.40 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,CNXT-ID,xTPR,PERF
real mem = 1071374336 (1021MB)
avail mem = 1042882560 (994MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 01/22/04, BIOS32 rev. 0 @ 0xf0010,
SMBIOS rev. 2.3 @ 0xfbe60 (76 entries)
bios0: vendor Intel Corp. version "BF86510A.86A.0053.P13.0401220953" date
01/22/2004
bios0: Intel Corporation D865GBF
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC ASF! TCPA WDDT
acpi0: wakeup devices TANA(S4) P0P3(S4) AC97(S4) USB0(S4) USB1(S4) USB2(S4)
USB3(S4) USB7(S4) UAR1(S4) SLPB(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 99MHz
ioapic0 at mainbus0: apid 1 pa 0xfec00000, version 20, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (P0P1)
acpiprt2 at acpi0: bus -1 (P0P2)
acpiprt3 at acpi0: bus 1 (P0P3)
acpicpu0 at acpi0
acpipwrres0 at acpi0: URP1
acpipwrres1 at acpi0: FDDP
acpipwrres2 at acpi0: LPTP
acpibtn0 at acpi0: SLPB
bios0: ROM list: 0xc0000/0xa200! 0xca800/0x800 0xcb000/0x1000
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82865G Host" rev 0x02
vga1 at pci0 dev 2 function 0 "Intel 82865G Video" rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
intagp0 at vga1
agp0 at intagp0: aperture at 0xf0000000, size 0x8000000
inteldrm0 at vga1: apic 1 int 16
drm0 at inteldrm0
uhci0 at pci0 dev 29 function 0 "Intel 82801EB/ER USB" rev 0x02: apic 1 int
16
uhci1 at pci0 dev 29 function 1 "Intel 82801EB/ER USB" rev 0x02: apic 1 int
19
uhci2 at pci0 dev 29 function 2 "Intel 82801EB/ER USB" rev 0x02: apic 1 int
18
uhci3 at pci0 dev 29 function 3 "Intel 82801EB/ER USB" rev 0x02: apic 1 int
16
ehci0 at pci0 dev 29 function 7 "Intel 82801EB/ER USB2" rev 0x02: apic 1
int 23
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb0 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xc2
pci1 at ppb0 bus 1
skc0 at pci1 dev 0 function 0 "3Com 3c940" rev 0x10, Yukon (0x1): apic 1
int 21
sk0 at skc0 port A: address 00:0a:5e:54:48:99
eephy0 at sk0 phy 0: 88E1011 Gigabit PHY, rev. 3
fxp0 at pci1 dev 8 function 0 "Intel PRO/100 VE" rev 0x01, i82562: apic 1
int 20, address 00:0c:f1:b9:54:00
inphy0 at fxp0 phy 1: i82562ET 10/100 PHY, rev. 0
ichpcib0 at pci0 dev 31 function 0 "Intel 82801EB/ER LPC" rev 0x02
pciide0 at pci0 dev 31 function 1 "Intel 82801EB/ER IDE" rev 0x02: DMA,
channel 0 configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 disabled (no drives)
pciide1 at pci0 dev 31 function 2 "Intel 82801EB SATA" rev 0x02: DMA,
channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide1: using apic 1 int 18 for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0: <SAMSUNG HD253GJ>
wd0: 16-sector PIO, LBA48, 238475MB, 488397168 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 6
ichiic0 at pci0 dev 31 function 3 "Intel 82801EB/ER SMBus" rev 0x02: apic 1
int 17
iic0 at ichiic0
adt0 at iic0 addr 0x2e: emc6d100 rev 0x65
spdmem0 at iic0 addr 0x50: 512MB DDR SDRAM non-parity PC3200CL3.0
spdmem1 at iic0 addr 0x52: 512MB DDR SDRAM non-parity PC3200CL3.0
auich0 at pci0 dev 31 function 5 "Intel 82801EB/ER AC97" rev 0x02: apic 1
int 17, ICH5 AC97
ac97: codec id 0x41445375 (Analog Devices AD1985)
ac97: codec features headphone, 20 bit DAC, No 3D Stereo
audio0 at auich0
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1
isa0 at ichpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
mtrr: Pentium Pro MTRR support
vscsi0 at root
scsibus0 at vscsi0: 256 targets
softraid0 at root
scsibus1 at softraid0: 256 targets
root on wd0a (a413237c58f6c650.a) swap on wd0b dump on wd0b
