Hi,

I have upgraded the system to 5.4 Release with PF/CARP enabled. There is some traffic blocked by PF which is supposed to be passed through. E.g., the PF configuration is as follows:

block log all
pass in on bge0 proto tcp from any to any port 13:600 keep state
pass in on bge0 proto udp from any to any port 13:600 keep state
pass in on bge1 proto tcp from any to any port 1024:10000 keep state
pass in on bge1 proto udp from any to any port 1024:10000 keep state
....

But the following traffic is blocked by PF:

000000 rule 0/0(match): block in on bge0: IP 10.8.99.255.3995 > 10.3.0.4.3389: S 2292736159:2292736159(0) win 64676 <mss 1326,nop,wscale 0,[|tcp]>

Did I configure PF incorrectly?

Thanks
Sam
sam wrote:
> Hi,
>
> I have upgraded the system to 5.4 Release with PF/CARP enabled.
> There is some traffic blocked by PF which is supposed to be passed through.
> E.g., the PF configuration is as follows:
>
> block log all
> pass in on bge0 proto tcp from any to any port 13:600 keep state
> pass in on bge0 proto udp from any to any port 13:600 keep state
> pass in on bge1 proto tcp from any to any port 1024:10000 keep state
> pass in on bge1 proto udp from any to any port 1024:10000 keep state
> ....
>
> But the following traffic is blocked by PF:
>
> 000000 rule 0/0(match): block in on bge0: IP 10.8.99.255.3995 >
> 10.3.0.4.3389: S 2292736159:2292736159(0) win 64676 <mss 1326,nop,wscale
> 0,[|tcp]>
>
> Did I configure PF incorrectly?
>

I just found out 2000:2004 is not the same as 1999<>2005. But after reading through the manpage of pf.conf, it seems that 2000:2004 is not working and remains a bug in PF.

Now, I need to use the following rules to get around the problem:

pass in on bge0 proto tcp from any to any port 12<>601 keep state
pass in on bge0 proto udp from any to any port 12<>601 keep state
pass in on bge1 proto tcp from any to any port 1023<>10001 keep state
pass in on bge1 proto udp from any to any port 1023<>10001 keep state

Sam.

> Thanks
> Sam
sam <sam++@--.com> writes:

>> pass in on bge0 proto tcp from any to any port 13:600 keep state
>> But the following traffic is blocked by PF:
>> 000000 rule 0/0(match): block in on bge0: IP 10.8.99.255.3995 >
>> 10.3.0.4.3389: S 2292736159:2292736159(0) win 64676 <mss
>> 1326,nop,wscale 0,[|tcp]>
>> Did I configure PF incorrectly?

Yes.

> I just found out 2000:2004 is not the same as 1999<>2005.
> But after reading through the manpage of pf.conf, it seems that 2000:2004 is not
> working and remains a bug in PF.

There's no bug here: 13:600 means all ports between 13 and 600 included, so a packet with dest port 3389 won't match the rule and therefore in your setup will be blocked (initial block).

Éric Masson

Fu2 : comp.unix.bsd.freebsd.misc

--
- Not all cancelled messages necessarily need to be reposted...
- If you are going to repost anyway, could you also correct the spelling mistakes while you're at it?
-+- JL in <http://www.le-gnu.net> : Like a letter in the [Repost]
Eric Masson wrote:
> sam <sam++@--.com> writes:
>
>>> pass in on bge0 proto tcp from any to any port 13:600 keep state
>>> But the following traffic is blocked by PF:
>>> 000000 rule 0/0(match): block in on bge0: IP 10.8.99.255.3995 >
>>> 10.3.0.4.3389: S 2292736159:2292736159(0) win 64676 <mss
>>> 1326,nop,wscale 0,[|tcp]>
>>> Did I configure PF incorrectly?
>
> Yes.
>
>> I just found out 2000:2004 is not the same as 1999<>2005.
>> But after reading through the manpage of pf.conf, it seems that 2000:2004 is not
>> working and remains a bug in PF.
>
> There's no bug here: 13:600 means all ports between 13 and 600 included,
> so a packet with dest port 3389 won't match the rule and therefore in
> your setup will be blocked (initial block).
>

In my previous post, I also have the following rules set up:

pass in on bge1 proto tcp from any to any port 1024:10000 keep state
pass in on bge1 proto udp from any to any port 1024:10000 keep state

Sam

> Éric Masson
>
> Fu2 : comp.unix.bsd.freebsd.misc
>
On Tue, 17 May 2005 21:50:20 +0800, sam wrote:
> Eric Masson wrote:
>
>> sam <sam++@--.com> writes:
>>
>>>> pass in on bge0 proto tcp from any to any port 13:600 keep state
>>>> But the following traffic is blocked by PF:
>>>> 000000 rule 0/0(match): block in on bge0: IP 10.8.99.255.3995 >
>>>> 10.3.0.4.3389: S 2292736159:2292736159(0) win 64676 <mss
>>>> 1326,nop,wscale 0,[|tcp]>
>>>> Did I configure PF incorrectly?
>>
>> Yes.
>>
>>> I just found out 2000:2004 is not the same as 1999<>2005.
>>> But after reading through the manpage of pf.conf, it seems that 2000:2004 is not
>>> working and remains a bug in PF.
>>
>> There's no bug here: 13:600 means all ports between 13 and 600 included,
>> so a packet with dest port 3389 won't match the rule and therefore in
>> your setup will be blocked (initial block).
>>
> In my previous post, I also have the following rules set up:
> pass in on bge1 proto tcp from any to any port 1024:10000 keep state
> pass in on bge1 proto udp from any to any port 1024:10000 keep state

But your traffic was blocked on bge0, remember?
Shane Almeida wrote:
> On Tue, 17 May 2005 21:50:20 +0800, sam wrote:
>
>> Eric Masson wrote:
>>
>>> sam <sam++@--.com> writes:
>>>
>>>>> pass in on bge0 proto tcp from any to any port 13:600 keep state
>>>>> But the following traffic is blocked by PF:
>>>>> 000000 rule 0/0(match): block in on bge0: IP 10.8.99.255.3995 >
>>>>> 10.3.0.4.3389: S 2292736159:2292736159(0) win 64676 <mss
>>>>> 1326,nop,wscale 0,[|tcp]>
>>>>> Did I configure PF incorrectly?
>>>
>>> Yes.
>>>
>>>> I just found out 2000:2004 is not the same as 1999<>2005.
>>>> But after reading through the manpage of pf.conf, it seems that 2000:2004 is not
>>>> working and remains a bug in PF.
>>>
>>> There's no bug here: 13:600 means all ports between 13 and 600 included,
>>> so a packet with dest port 3389 won't match the rule and therefore in
>>> your setup will be blocked (initial block).
>>>
>>
>> In my previous post, I also have the following rules set up:
>> pass in on bge1 proto tcp from any to any port 1024:10000 keep state
>> pass in on bge1 proto udp from any to any port 1024:10000 keep state
>
> But your traffic was blocked on bge0, remember?

Sorry, I had overlooked the name of the interfaces. I need a new pair of glasses.

Sam
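To make Eric's point about the ':' operator and Shane's point about the interface concrete, here is an added example, not code from the thread or from the pf project. It evaluates pf.conf(5)-style port operators and replays the ruleset quoted in the thread against the logged packet, on the logged interface (bge0) and then on bge1. Operator semantics follow pf.conf(5): a:b is the inclusive range, a >< b excludes the endpoints, and a <> b is the "except range" matching every port outside a..b, which is why 1999<>2005 is not the same as 2000:2004 and why the 12<>601 "workaround" passes far more than 13:600 ever did (everything below 12 and everything above 601). The rule grammar, the pflog line parser and the last-match-wins evaluation without "quick" are simplified assumptions of this example, covering only the rule and log shapes that appear in the thread.

```python
# Added example, not code from the thread or from the pf project.
# Semantics follow pf.conf(5); the rule grammar and log parser below are
# deliberately minimal assumptions covering only the shapes in the thread.
import re
from collections import namedtuple

# pf port operators:  a:b  inclusive range    a >< b  range without endpoints
#                     a <> b  "except range", i.e. every port outside a..b
PORT_EXPR_RE = re.compile(r"^\s*(\d+)\s*(:|<>|><)\s*(\d+)\s*$")


def port_matches(spec: str, port: int) -> bool:
    """True if `port` satisfies the pf port expression `spec`."""
    spec = spec.strip()
    if spec.isdigit():                       # bare "port 3389"
        return port == int(spec)
    m = PORT_EXPR_RE.match(spec)
    if not m:
        raise ValueError(f"unsupported port expression: {spec!r}")
    lo, op, hi = int(m.group(1)), m.group(2), int(m.group(3))
    if op == ":":
        return lo <= port <= hi
    if op == "><":
        return lo < port < hi
    return port < lo or port > hi            # "<>" is the complement of lo..hi


# None in iface/proto/port means "any" (as in "block log all").
Rule = namedtuple("Rule", "action iface proto port")

RULE_RE = re.compile(
    r"^(pass|block)(?:\s+log)?(?:\s+(?:in|out))?(?:\s+on\s+(\S+))?"
    r"(?:\s+proto\s+(\S+))?(?:\s+all|\s+from\s+\S+\s+to\s+\S+)?"
    r"(?:\s+port\s+(\d+(?:\s*(?::|<>|><)\s*\d+)?))?(?:\s+keep\s+state)?\s*$"
)


def parse_rules(text: str) -> list:
    """Parse the subset of pf.conf syntax used in the thread."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            m = RULE_RE.match(line)
            if not m:
                raise ValueError(f"cannot parse rule: {line!r}")
            rules.append(Rule(*m.groups()))
    return rules


def decide(rules, iface: str, proto: str, dport: int):
    """Last matching rule wins (no 'quick'); pf passes when nothing matches.
    Returns (verdict, index of the deciding rule or None)."""
    verdict, winner = "pass", None
    for i, r in enumerate(rules):
        if r.iface not in (None, iface) or r.proto not in (None, proto):
            continue
        if r.port is not None and not port_matches(r.port, dport):
            continue
        verdict, winner = r.action, i
    return verdict, winner


# Shape of a tcpdump-on-pflog line, as quoted in the thread.
PFLOG_RE = re.compile(
    r"rule\s+(\d+)/\d+\(match\):\s+(pass|block)\s+(in|out)\s+on\s+(\S+):\s+IP\s+"
    r"(\d+(?:\.\d+){3})\.(\d+)\s+>\s+(\d+(?:\.\d+){3})\.(\d+):"
)


def parse_pflog(line: str) -> dict:
    """Extract rule number, verdict, interface and endpoints from a pflog line."""
    m = PFLOG_RE.search(line)
    if not m:
        raise ValueError("not a pflog line")
    rule_no, action, direction, iface, src, sport, dst, dport = m.groups()
    # Assumption: tcpdump prints "UDP" for UDP datagrams; anything else here
    # is treated as TCP (the thread's line carries TCP flags, "S ...").
    proto = "udp" if "UDP" in line else "tcp"
    return {"rule": int(rule_no), "action": action, "direction": direction,
            "iface": iface, "proto": proto, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport)}


# Ruleset and log line reconstructed from the thread's quoted text.
THREAD_RULES = """
block log all
pass in on bge0 proto tcp from any to any port 13:600 keep state
pass in on bge0 proto udp from any to any port 13:600 keep state
pass in on bge1 proto tcp from any to any port 1024:10000 keep state
pass in on bge1 proto udp from any to any port 1024:10000 keep state
"""
THREAD_LOG = ("000000 rule 0/0(match): block in on bge0: IP 10.8.99.255.3995 > "
              "10.3.0.4.3389: S 2292736159:2292736159(0) win 64676 "
              "<mss 1326,nop,wscale 0,[|tcp]>")


def replay_thread():
    """Replay the logged packet on the logged interface and then on bge1."""
    rules = parse_rules(THREAD_RULES)
    pkt = parse_pflog(THREAD_LOG)
    return (pkt, decide(rules, pkt["iface"], pkt["proto"], pkt["dport"]),
            decide(rules, "bge1", pkt["proto"], pkt["dport"]))
```

Calling replay_thread() returns the parsed packet (tcp to port 3389, blocked in on bge0 by rule 0), ("block", 0) for the replay on bge0, and ("pass", 3) for the same packet on bge1, where the 1024:10000 rule lives; the rule index matches the "rule 0/0" in the log line. Evaluating port_matches("12<>601", p) for a few ports shows the workaround's real effect: 3389 and 8 pass, 80 does not.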