pf beginner: my firewall passes tcp but not icmp

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

pf beginner: my firewall passes tcp but not icmp

Cameron Simpson
I'm setting up an OpenBSD 3.7 firewall for the first time.
I've been flailing at this all afternoon and have exhausted my ideas.

My ruleset looks like this (from "pfctl -s rules"):

        [var/log]#root@jothee*> pfctl -s rules
        block return all
        pass quick proto tcp from any to any port = ssh flags S/SA keep state
        pass in quick proto icmp all keep state

It was more complex, but this is as simple as I can get it and demo the problem.
(I have also tried "pass quick proto icmp all" with no useful effect.)

With these rules in place and enabled, existing ssh sessions continue thanks
to their kept state, and new ssh connections work also.

However my pings, which work fine with pf disabled, get nothing back when I
enable pf ("pfctl -e") and of course spring back into life with "pfctl -d".

Does anyone have any idea what I'm doing wrong here?
Also, I have seen elsewhere in list archives debug output showing what rules
got applied. I have not found out how to produce such debugging myself.

I'm loading up the rules like this:

        pfctl -F rules -v && pfctl -xm -f /etc/pf.conf -v && echo YES

What else can I do to further debug this?
--
Cameron Simpson <[hidden email]> DoD#743
http://www.cskk.ezoshosting.com/cs/

What the hell, it's only 4 month's grant - I can live in a cardboard box, and
catch pigeons for food. After all, I've got raytracing to do!
        - [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: pf beginner: my firewall passes tcp but not icmp

Ryan McBride-3
On Fri, Nov 04, 2005 at 05:16:22PM +1100, Cameron Simpson wrote:
> [var/log]#root@jothee*> pfctl -s rules
> block return all
> pass quick proto tcp from any to any port = ssh flags S/SA keep state
> pass in quick proto icmp all keep state
             ^^
How are the packets supposed to get OUT of the firewall? You have to
think of the traffic crossing both interfaces.


> (I have also tried "pass quick proto icmp all" with no useful effect.)

With the simple ruleset above, or something more complicated?
This should work (as should the above without the direction)

> Also, I have seen elsewhere in list archives debug output showing what rules
> got applied. I have not found out how to produce such debugging myself.

Add the 'log' keyword to at least your block rule, and maybe your pass
rules as well. Then do:

# tcpdump -vvvpleni pflog0 -s 1518

> I'm loading up the rules like this:
>
> pfctl -F rules -v && pfctl -xm -f /etc/pf.conf -v && echo YES

Don't explicitly flush the ruleset like this, pf does that for you and
with such a command you're running without any ruleset at all for at
least a moment, more if your new ruleset is buggy and fails to load.

> What else can I do to further debug this?

tcpdump on the pflog interface is probably the most powerful tool; you
can also look at pfctl -si to see if packets are being dropped for some
other reason than ruleset evaluation, and perhaps do tcpdump on the
physical interfaces you think the traffic should be crossing, to see if
it's maybe actually coming out on the other side but being dropped
elsewhere on your network.

Reply | Threaded
Open this post in threaded view
|

Re: pf beginner: my firewall passes tcp but not icmp

Cameron Simpson
On 04Nov2005 07:52, Ryan McBride <[hidden email]> wrote:
| On Fri, Nov 04, 2005 at 05:16:22PM +1100, Cameron Simpson wrote:
| > [var/log]#root@jothee*> pfctl -s rules
| > block return all
| > pass quick proto tcp from any to any port = ssh flags S/SA keep state
| > pass in quick proto icmp all keep state
|              ^^
| How are the packets supposed to get OUT of the firewall? You have to
| think of the traffic crossing both interfaces.

I was imagining the keep state stuff handled that. So - for my mental
model - a packet being forwarded traverses the rules twice: once on the
way in and once on the way out?

My original attempt was stateless - I just wanted echoreq and echoreply to
have free passage, and so it had no directions or state.

| > (I have also tried "pass quick proto icmp all" with no useful effect.)
|
| With the simple ruleset above, or something more complicated?

The latter. I'll try some more systematic experiments now.

| This should work (as should the above without the direction)

Ok.

| > Also, I have seen elsewhere in list archives debug output showing what rules
| > got applied. I have not found out how to produce such debugging myself.
|
| Add the 'log' keyword to at least your block rule, and maybe your pass
| rules as well. Then do:
|
| # tcpdump -vvvpleni pflog0 -s 1518

Ah. I'd been trying without the -s and getting data format complaints.

| > I'm loading up the rules like this:
| > pfctl -F rules -v && pfctl -xm -f /etc/pf.conf -v && echo YES
|
| Don't explicitly flush the ruleset like this, pf does that for you and
| with such a command you're running without any ruleset at all for at
| least a moment, more if your new ruleset is buggy and fails to load.

Indeed. The "pf -F" was again my growing paranoia. The pfctl man page
seemed to suggest the flush was automatic, since there were options to not
flush things, but wasn't explicit in the positive. So I was just trying
to ensure I really was discarding the old set of rules entirely. Glad
to know it's wasteful and dangerous.

| > What else can I do to further debug this?
|
| tcpdump on the pflog interface is probably the most powerful tool; you
| can also look at pfctl -si to see if packets are being dropped for some
| other reason than ruleset evaluation, and perhaps do tcpdump on the
| physical interfaces you think the traffic should be crossing, to see if
| it's maybe actually coming out on the other side but being dropped
| elsewhere on your network.

Well I'd reduced my test to pinging the firewall itself. An earlier
tcpdump was showing pings coming in and no replies. Would that imply pings
arriving and being dropped, and thus no replies attempted by the OS?

Anyway, I'll proceed not with better debugging and return with a diagnosis or
at least more data:-(

Thanks!
--
Cameron Simpson <[hidden email]> DoD#743
http://www.cskk.ezoshosting.com/cs/

Hello, my name is Yog-Sothoth, and I'll be your eldritch horror today.
        - Heather Keith <[hidden email]>

Reply | Threaded
Open this post in threaded view
|

Re: pf beginner: my firewall passes tcp but not icmp

Ryan McBride-3
On Fri, Nov 04, 2005 at 07:22:33PM +1100, Cameron Simpson wrote:
> I was imagining the keep state stuff handled that. So - for my mental
> model - a packet being forwarded traverses the rules twice: once on the
> way in and once on the way out?

Yes.

> Well I'd reduced my test to pinging the firewall itself. An earlier
> tcpdump was showing pings coming in and no replies. Would that imply pings
> arriving and being dropped, and thus no replies attempted by the OS?

Maybe. The replies could also be happening, but be dropped by pf.  You
can look at 'netstat -sp icmp' to see if they're getting beyond pf and
what the kernel is doing with them.


bpf (and thus tcpdump) happens before pf incoming, and after pf
outgoing:

wire -> interface -> bpf -> pf -> routing -> pf -> bpf -> interface -> wire

Reply | Threaded
Open this post in threaded view
|

Re: pf beginner: my firewall passes tcp but not icmp

Cameron Simpson
In reply to this post by Ryan McBride-3
I'm an idiot. I was pinging with some ip-options set (route tracking)
and pf was dropping packets with such options. Not the rules at all.

Thanks for the help!
--
Cameron Simpson <[hidden email]> DoD#743
http://www.cskk.ezoshosting.com/cs/

alt.skunks      A newsgroup for enthusiasts of skunks and other mustelidae.