Hi,
Yes, I have (what appears to be) 100% functionality of the
forwarding/nat/etc.
That wouldn't work if forwarding wasn't enabled.
# cat /etc/sysctl.conf
net.inet.ip.forwarding=1
And I have rebooted multiple times.
Thanks,
Steve W.
On 26/06/2017 12:30 PM, Timo Myyrä wrote:
Hmm, have you enabled net.inet.ip.forwarding?
Timo
Steve Williams <st...@williamsitconsulting.com> writes:
Hi,
Packets from vether are going out NAT'd no problem. I have 100%
Internet access on 192.168.123.0/24.
From my understanding, the "pass out quick inet all flags S/SA" allows
packets out and should create state for the connection for any ipv4
packets on any interface.
Subsequent packets (these seem to have the "P"ush flag set) should
match the state and not get blocked.
Hum... perhaps the states are expiring too fast?
How do I find out if the state existed at the time that the packet was
blocked?
Thanks,
Steve W.
On 26/06/2017 12:09 PM, Ville Valkonen wrote:
Hello,
a quick glance and it seems you aren't allowing vether traffic to pass.
--
Regards,
Ville
On Jun 26, 2017 8:19 PM, "Steve Williams"
<st...@williamsitconsulting.com> wrote:
Hi,
New install of OpenBSD 6.1 on apu2. Love the little box.
I have em0 as the connection to the Internet and I bridged em1 and
em2 together on 192.168.123.0.
I've been using OpenBSD since the 2.7 days, but have never run NAT
so this is my first foray into that world. I have followed the
FAQ on "building a router" almost verbatim. It's working fine, but
I am seeing some packets blocked with no effect on browsing behind
the OpenBSD box.
My ruleset:
# pfctl -sr
match in all scrub (no-df random-id)
match out on egress inet from ! (egress:network) to any nat-to
(egress:0) round-robin
block drop log quick from <blocklist> to any
block drop log quick from <bad_hosts> to any
block drop log all
pass out quick inet all flags S/SA
pass in on vether0 inet all flags S/SA
pass in on em1 inet all flags S/SA
pass in on em2 inet all flags S/SA
pass in on egress inet proto tcp from any to (egress) port = 22
flags S/SA
pass in on egress inet proto tcp from any to (egress) port = 993
flags S/SA
pass in on egress inet proto tcp from any to (egress) port = 80
flags S/SA
pass in on egress inet proto tcp from any to (egress) port = 443
flags S/SA
# tcpdump -n -e -ttt -i pflog0 # from the pflog man page
Jun 26 09:45:54.241145 rule 4/(match) block in on vether0:
192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win
1805 (DF)
Jun 26 09:45:54.701283 rule 4/(match) block in on vether0:
192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win
1805 (DF)
Jun 26 09:45:55.623757 rule 4/(match) block in on vether0:
192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win
1805 (DF)
Jun 26 09:45:57.460985 rule 4/(match) block in on vether0:
192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win
1805 (DF)
Jun 26 09:46:01.150933 rule 4/(match) block in on vether0:
192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win
1805 (DF)
Jun 26 09:46:08.522599 rule 4/(match) block in on vether0:
192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win
1805 (DF)
Jun 26 09:46:47.479083 rule 4/(match) block in on vether0:
192.168.123.2.46549 > 172.217.3.206.443: P
4042174712:4042174735(23) ack 2564095917 win 1593 (DF)
Jun 26 09:46:47.896295 rule 4/(match) block in on vether0:
192.168.123.2.53452 > 23.23.126.54.443: P
4003838125:4003838156(31) ack 2044539346 win 65535 (DF)
Jun 26 09:46:47.896662 rule 4/(match) block in on vether0:
192.168.123.2.53452 > 23.23.126.54.443: R 31:31(0) ack 1 win 65535
(DF)
Jun 26 09:46:47.896674 rule 4/(match) block in on vether0:
192.168.123.2.59762 > 216.58.216.163.443: P
113176577:113176608(31) ack 2619790719 win 1403 (DF)
Jun 26 09:46:47.896685 rule 4/(match) block in on vether0:
192.168.123.2.59762 > 216.58.216.163.443: F 31:31(0) ack 1 win
1403 (DF)
Jun 26 09:46:47.896711 rule 4/(match) block in on vether0:
192.168.123.2.39279 > 31.13.77.6.443: P 4254697166:4254697197(31)
ack 2615144509 win 1545 (DF)
Jun 26 09:46:47.896735 rule 4/(match) block in on vether0:
192.168.123.2.39279 > 31.13.77.6.443: R 31:31(0) ack 1 win 1545 (DF)
# pfctl -R 4 -sr
block drop log all
It is not all https traffic that is being blocked as I can hit my
banking site, etc. Does anyone have an idea why these packets are
being blocked?
Thanks,
Steve Williams
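The question raised in the thread, whether a state existed at the moment rule 4 fired, can be partly answered from the pflog lines themselves under the posted ruleset. The script below is an added example, not code from the thread or from OpenBSD: it parses the `tcpdump -n -e -ttt -i pflog0` output, splits the blocked packets into bare SYNs (the only packets a `pass ... flags S/SA` rule can match and create state for) and everything else (which can only pass by matching a state that already exists, so a logged block of such a packet means no state matched at that instant), and measures the gaps between repeated copies of the same TCP segment. The sample input is the post's own log lines rejoined onto single lines; the regular expression is written for that tcpdump layout and is an assumption for other tcpdump versions.

```python
"""Parse pflog output (``tcpdump -n -e -ttt -i pflog0``) and sort the blocked
TCP packets into ones that could create state and ones that needed state."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Sample input constructed from the lines in the post, with the wrapped
# entries rejoined onto one line each; the addresses, ports and flags are the
# post's own. Any other pflog capture in this layout can be fed to parse_pflog().
SAMPLE_PFLOG = """\
Jun 26 09:45:54.241145 rule 4/(match) block in on vether0: 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
Jun 26 09:45:54.701283 rule 4/(match) block in on vether0: 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
Jun 26 09:45:55.623757 rule 4/(match) block in on vether0: 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
Jun 26 09:45:57.460985 rule 4/(match) block in on vether0: 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
Jun 26 09:46:01.150933 rule 4/(match) block in on vether0: 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
Jun 26 09:46:08.522599 rule 4/(match) block in on vether0: 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
Jun 26 09:46:47.479083 rule 4/(match) block in on vether0: 192.168.123.2.46549 > 172.217.3.206.443: P 4042174712:4042174735(23) ack 2564095917 win 1593 (DF)
Jun 26 09:46:47.896295 rule 4/(match) block in on vether0: 192.168.123.2.53452 > 23.23.126.54.443: P 4003838125:4003838156(31) ack 2044539346 win 65535 (DF)
Jun 26 09:46:47.896662 rule 4/(match) block in on vether0: 192.168.123.2.53452 > 23.23.126.54.443: R 31:31(0) ack 1 win 65535 (DF)
Jun 26 09:46:47.896674 rule 4/(match) block in on vether0: 192.168.123.2.59762 > 216.58.216.163.443: P 113176577:113176608(31) ack 2619790719 win 1403 (DF)
Jun 26 09:46:47.896685 rule 4/(match) block in on vether0: 192.168.123.2.59762 > 216.58.216.163.443: F 31:31(0) ack 1 win 1403 (DF)
Jun 26 09:46:47.896711 rule 4/(match) block in on vether0: 192.168.123.2.39279 > 31.13.77.6.443: P 4254697166:4254697197(31) ack 2615144509 win 1545 (DF)
Jun 26 09:46:47.896735 rule 4/(match) block in on vether0: 192.168.123.2.39279 > 31.13.77.6.443: R 31:31(0) ack 1 win 1545 (DF)
"""

# One tcpdump pflog line; the layout is assumed from the lines in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d\.\d+)\s+rule\s+(?P<rule>\d+)/\((?P<reason>\w+)\)\s+"
    r"(?P<action>block|pass)\s+(?P<dir>in|out)\s+on\s+(?P<ifname>\w+):\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SPFRUWE.]+)\s+(?P<rest>.*)$"
)


def parse_pflog(text):
    """One dict per parseable line; lines in another format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for k in ("rule", "sport", "dport"):
            rec[k] = int(rec[k])
        # The log carries no year; strptime's default year is fine for deltas.
        rec["time"] = datetime.strptime(" ".join(rec["ts"].split()), "%b %d %H:%M:%S.%f")
        records.append(rec)
    return records


def can_create_state(rec):
    """True for a bare SYN (SYN set, ACK clear): the only packet a
    'flags S/SA' pass rule matches. Every other packet (P, F, R, SYN/ACK)
    passes only if a state already exists, so one logged under the
    catch-all block means no state matched at that moment."""
    return "S" in rec["flags"] and not re.search(r"\back \d+", rec["rest"])


def summarize(records):
    """Counts by classification, by TCP flags and by 4-tuple flow."""
    flows = defaultdict(int)
    for r in records:
        flows[(r["src"], r["sport"], r["dst"], r["dport"])] += 1
    return {
        "total": len(records),
        "new_connections_denied": sum(can_create_state(r) for r in records),
        "missing_state": sum(not can_create_state(r) for r in records),
        "flags": dict(Counter(r["flags"] for r in records)),
        "flows": dict(flows),
    }


def retransmission_gaps(records):
    """Seconds between repeated copies of the same TCP segment on a flow.
    Gaps that roughly double are the client's RTO backoff: it never saw an
    ACK because every copy was dropped before leaving the firewall."""
    seen = defaultdict(list)
    for r in records:
        segment = r["rest"].split(" ack ")[0]          # e.g. '0:1375(1375)'
        seen[(r["src"], r["sport"], r["dst"], r["dport"], segment)].append(r["time"])
    return {
        key: [round((b - a).total_seconds(), 2) for a, b in zip(times, times[1:])]
        for key, times in seen.items() if len(times) > 1
    }


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_PFLOG)
    print(summarize(recs))
    for key, gaps in retransmission_gaps(recs).items():
        print(key, gaps)
```

Run against the posted lines, every one of the 13 blocks is a PSH, FIN or RST packet with no SYN, and the six copies of segment 0:1375(1375) on port 38022 arrive at roughly doubling intervals (0.46, 0.92, 1.84, 3.69 and 7.37 seconds), which is the client's retransmission backoff. That points at the state table rather than at rule order: the natural next step is to compare `pfctl -ss` output for the affected flow against the time of the block, and `pfctl -st` for the tcp timeouts in force.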