Hi,

Now it's time to play with pf. I got some weird trouble with passing ssh
connections.. here is my pf.conf

# NICs
ext_if="rl1"
int_if="rl2"
pf_if="rl0"


allow_ports_out="{80,110,143}"
allow_proto_out="{tcp,udp,icmp}"
allow_proto_in="{tcp, udp}"


table <blocked_ips> persist file "/etc/blocked.conf"

table <lan_hosts> persist file "/etc/lan.conf"


scrub out on $ext_if all random-id

rdr on $ext_if proto $allow_proto_in from any to ($ext_if) port $ssh_ext_m2 -> 192.168.0.2 port $ssh_int_m2
rdr on $ext_if proto $allow_proto_in from any to ($ext_if) port $http_ext_2 -> 192.168.0.2 port $http_int_2

rdr on $ext_if proto $allow_proto_in from any to ($ext_if) port $http_ext_m2 -> 192.168.0.3 port $http_int_m2

nat on $ext_if from <lan_hosts> to any -> ($ext_if)


pass out on $pf_if proto carp keep state
pass on $pf_if proto pfsync


block drop in quick on $ext_if from <blocked_ips>

antispoof for $ext_if
antispoof for $int_if


#block in on $ext_if all
block in all

pass in on $int_if proto tcp from <lan_hosts> to ($int_if) port 22 flags S/SA modulate state

pass out on $ext_if proto tcp from <lan_hosts> to any flags S/SA modulate state
pass out on $ext_if proto udp from <lan_hosts> to any keep state


It's a very simple pf.conf.. only for play. My trouble comes when I try to
connect via ssh through int_if (my LAN). If I use the "block in all" rule and
"pass in on $int_if proto tcp from <lan_hosts> to ($int_if) port $ssh_mer
flags S/SA modulate state" I can't connect to ssh. If I change "block in
all" to "block in on $ext_if all" then I can connect to the host. With "block
in all" and if I take off "port 22" from the previous rule (so the rule
will be: "pass in on $int_if proto tcp from <lan_hosts> to ($int_if) flags
S/SA modulate state") then again I can connect from the LAN to the host via
ssh.

More schematic:

I can't connect:
block in all
pass in on $int_if proto tcp from <lan_hosts> to ($int_if) port 22 flags S/SA modulate state

I can connect:
block in on $ext_if all
pass in on $int_if proto tcp from <lan_hosts> to ($int_if) port 22 flags S/SA modulate state

I can connect:
block in on $ext_if all
pass in on $int_if proto tcp from <lan_hosts> to ($int_if) flags S/SA modulate state

I can't find why, any help? What am I doing wrong?

Thanks once again you all,

Tang
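Two things a reviewer would check first in a pf.conf like the one above are (a) macros that are referenced but never defined in the file (the rdr rules use $ssh_ext_m2, $http_int_2 and friends, which do not appear in the posted config) and (b) pf's last-match-wins evaluation: a `pass` rule placed before a later catch-all `block in all` is overridden by it unless the pass rule says `quick`, which is exactly the kind of difference that `block in all` versus `block in on $ext_if all` introduces. The script below is an added example written for this thread, not part of pf, pfctl or the poster's setup; `logical_lines`, `check_references` and `shadowed_pass_rules` are hypothetical helper names, and the embedded config is the posted pf.conf with the mail-wrapped rules joined back onto single lines. `pfctl -nf /etc/pf.conf` reports undefined macros too, but it does not warn about rule ordering, which is why the second check is useful offline.

```python
"""Offline sanity checks for a pf.conf: undefined macro/table references and
'pass' rules that a later catch-all 'block [in|out] all' overrides under pf's
last-match-wins semantics. Hypothetical helper, not part of pf or pfctl."""
import re

# Constructed sample: the pf.conf from the message above, with the rules that
# the mail client wrapped joined back onto single lines.
SAMPLE_PF_CONF = """\
# NICs
ext_if="rl1"
int_if="rl2"
pf_if="rl0"

allow_ports_out="{80,110,143}"
allow_proto_out="{tcp,udp,icmp}"
allow_proto_in="{tcp, udp}"

table <blocked_ips> persist file "/etc/blocked.conf"
table <lan_hosts> persist file "/etc/lan.conf"

scrub out on $ext_if all random-id

rdr on $ext_if proto $allow_proto_in from any to ($ext_if) port $ssh_ext_m2 -> 192.168.0.2 port $ssh_int_m2
rdr on $ext_if proto $allow_proto_in from any to ($ext_if) port $http_ext_2 -> 192.168.0.2 port $http_int_2
rdr on $ext_if proto $allow_proto_in from any to ($ext_if) port $http_ext_m2 -> 192.168.0.3 port $http_int_m2

nat on $ext_if from <lan_hosts> to any -> ($ext_if)

pass out on $pf_if proto carp keep state
pass on $pf_if proto pfsync

block drop in quick on $ext_if from <blocked_ips>

antispoof for $ext_if
antispoof for $int_if

block in all

pass in on $int_if proto tcp from <lan_hosts> to ($int_if) port 22 flags S/SA modulate state

pass out on $ext_if proto tcp from <lan_hosts> to any flags S/SA modulate state
pass out on $ext_if proto udp from <lan_hosts> to any keep state
"""

MACRO_DEF = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.*)$')   # name="value"
MACRO_REF = re.compile(r'\$\{?([A-Za-z_]\w*)\}?')           # $name or ${name}
TABLE_DEF = re.compile(r'^\s*table\s+<([^>]+)>')
TABLE_REF = re.compile(r'<([^>]+)>')
# "block [drop|return] [in|out] all" with no "on <if>" and no "quick"
CATCHALL_BLOCK = re.compile(r'^\s*block(?:\s+(?:drop|return))?(?:\s+(in|out))?\s+all\s*$')
PASS_RULE = re.compile(r'^\s*pass(?:\s+(in|out))?\b')


def logical_lines(text):
    """Yield (first_line_number, rule) with '#' comments stripped and
    backslash continuations joined, skipping blank lines."""
    buf, start = '', 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        raw = raw.split('#', 1)[0].rstrip()
        if not buf:
            start = lineno
        buf = (buf + ' ' + raw.strip()) if buf else raw
        if buf.endswith('\\'):          # line continues on the next one
            buf = buf[:-1]
            continue
        if buf.strip():
            yield start, buf
        buf = ''
    if buf.strip():
        yield start, buf


def check_references(text):
    """Return (undefined_macros, undefined_tables), each name -> first line
    that references it. Macros must be defined before use in pf.conf, so they
    are checked in order; tables only need to be declared somewhere in the
    file (or created at runtime), so they are checked after a full pass."""
    defined_macros, defined_tables = set(), set()
    undefined_macros, table_refs = {}, {}
    for lineno, line in logical_lines(text):
        for name in MACRO_REF.findall(line):
            if name not in defined_macros:
                undefined_macros.setdefault(name, lineno)
        m = MACRO_DEF.match(line)
        if m:
            defined_macros.add(m.group(1))
            continue
        t = TABLE_DEF.match(line)
        if t:
            defined_tables.add(t.group(1).strip())
            continue
        for name in TABLE_REF.findall(line):
            table_refs.setdefault(name.strip(), lineno)
    undefined_tables = {n: ln for n, ln in table_refs.items() if n not in defined_tables}
    return undefined_macros, undefined_tables


def shadowed_pass_rules(text):
    """pf applies the LAST matching rule unless a rule says 'quick'. A non-quick
    'pass' rule that precedes a later catch-all block for the same direction is
    overridden by that block. Returns [(line_number, rule), ...]."""
    lines = list(logical_lines(text))
    blocks = [(ln, m.group(1)) for ln, line in lines
              for m in [CATCHALL_BLOCK.match(line)] if m]
    found = []
    for ln, line in lines:
        m = PASS_RULE.match(line)
        if not m or ' quick' in line:     # quick rules win on first match
            continue
        direction = m.group(1)            # None = rule applies in and out
        for bln, bdir in blocks:
            if bln > ln and (direction is None or bdir is None or direction == bdir):
                found.append((ln, line.strip()))
                break
    return found


if __name__ == "__main__":
    macros, tables = check_references(SAMPLE_PF_CONF)
    for name, ln in sorted(macros.items(), key=lambda kv: kv[1]):
        print(f"line {ln}: macro ${name} used but not defined")
    for name, ln in tables.items():
        print(f"line {ln}: table <{name}> referenced but not declared in this file")
    for ln, rule in shadowed_pass_rules(SAMPLE_PF_CONF):
        print(f"line {ln}: '{rule}' is overridden by a later catch-all block rule")
```

On the posted config the script lists the six undefined rdr macros and flags `pass on $pf_if proto pfsync`: that rule passes both directions, but the later `block in all` matches every inbound packet and wins, so inbound pfsync on rl0 is dropped, whereas `block in on $ext_if all` would leave it alone. That does not by itself explain the ssh symptom, but it is the same ordering mechanism to keep in mind when comparing the two variants.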
