pf - strange behavior

pf - strange behavior

Hagen Volpers
Hello,

I wrote this mail to [hidden email], but perhaps this is the right place.
It looks like there is a problem in stateful NAT (or I'm too dumb for
it ;-)):

Hello,

I have a problem I have no explanation for. Here's the situation: I have
a Windows XP client pinging (ping -t) an internet host (NAT through my
obsd test system). That's my pf.conf:

# cat /etc/pf.conf
ext_if="pppoe0"
int_if="sis1"
set block-policy return        # reject blocked packets with TCP RST / ICMP unreachable instead of dropping silently
set skip on lo                 # no filtering on loopback
scrub in                       # normalize and reassemble incoming packets
# translate everything not already sourced from the external address to the first address of $ext_if
nat on $ext_if from !($ext_if) -> ($ext_if:0)
block in                       # default deny inbound
pass out keep state            # allow all outbound traffic, statefully
antispoof quick for { lo $int_if }
# ssh from the internet to the external address
pass in on $ext_if inet proto tcp from any to ($ext_if) port { 22 } flags S/SA keep state
# echo requests from anywhere
pass in inet proto icmp all icmp-type echoreq keep state
# DNS from the LAN to the local resolver
pass in quick proto { tcp, udp } from { 192.168.122.0/24 } to 192.168.122.2 port { 53 }
pass quick on $int_if          # everything on the internal interface

After rebooting my obsd system (while the ping is running), the ping
cannot get through when the system comes up again. The obsd system
sends out ICMP packets without NAT. The source IP address is
192.168.122.128, but it should be the public IP address of the
obsd system (first line):


# pfctl -ss
all icmp 192.168.122.128:512 -> 193.99.144.85       0:0
all udp 84.60.163.18:3790 -> 194.88.212.200:123       MULTIPLE:MULTIPLE
all udp 84.60.163.18:33159 -> 131.174.122.206:123       MULTIPLE:MULTIPLE
all udp 84.60.163.18:40242 -> 83.229.141.2:123       MULTIPLE:MULTIPLE
all udp 84.60.163.18:31316 -> 83.67.64.230:123       MULTIPLE:MULTIPLE
all udp 84.60.163.18:9757 -> 82.165.43.21:123       MULTIPLE:MULTIPLE
all udp 84.60.163.18:17612 -> 72.1.138.113:123       MULTIPLE:MULTIPLE
all udp 84.60.163.18:24708 -> 69.182.190.97:123       MULTIPLE:MULTIPLE
all udp 84.60.163.18:42679 -> 69.59.178.92:123       MULTIPLE:MULTIPLE
all icmp 192.168.122.16:512 -> 84.60.163.18:34545 -> 193.99.144.85       0:0
all tcp 84.60.163.18:22 <- 212.46.125.234:2840       ESTABLISHED:ESTABLISHED
all tcp 192.168.122.16:52556 -> 84.60.163.18:55884 -> 212.227.15.161:110       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52557 -> 84.60.163.18:54733 -> 212.227.15.161:110       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52558 -> 84.60.163.18:53237 -> 151.189.21.113:110       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52559 -> 84.60.163.18:55113 -> 212.227.85.5:110       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52562 -> 84.60.163.18:58754 -> 212.227.85.5:110       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52563 -> 84.60.163.18:54019 -> 212.227.85.5:110       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52569 -> 84.60.163.18:62152 -> 212.227.85.5:110       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52570 -> 84.60.163.18:61073 -> 212.227.85.5:110       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52574 -> 84.60.163.18:51917 -> 212.227.15.161:110       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52575 -> 84.60.163.18:53399 -> 212.227.15.161:110       FIN_WAIT_2:FIN_WAIT_2


The really strange thing is the Windows Server 2003 (192.168.122.16).
It's also running the ping all the time. Its packets get caught by the
NAT rule correctly.
If I stop the ping on the Windows XP system, wait 10 sec (the icmp.error
value) and ping again, everything is working fine:

after 10 sec:
all icmp 192.168.122.128:512 -> 84.60.163.18:5939 -> 193.99.144.85       0:0


And here's my question: WHY? =) As you can see, the Windows server
created several connections. I think that the ICMP packets get
caught by NAT because it creates other connections, too.

Btw, I'm using kernel-based PPPoE (using spppcontrol) to get a
connection to my ISP.

Before you ask, here is some more information =):

# pfctl -sa
TRANSLATION RULES:
nat on pppoe0 from ! (pppoe0) to any -> (pppoe0:0)

FILTER RULES:
scrub in all fragment reassemble
block return in all
pass out all keep state
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on ! sis1 inet from 192.168.122.0/24 to any
block drop in quick inet from 192.168.122.2 to any
block drop in quick on sis1 inet6 from fe80::20d:b9ff:fe04:5ea5 to any
pass in on pppoe0 inet proto tcp from any to (pppoe0) port = ssh flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass in quick inet proto tcp from 192.168.122.0/24 to 192.168.122.2 port = domain
pass in quick inet proto udp from 192.168.122.0/24 to 192.168.122.2 port = domain
pass quick on sis1 all
No queue in use

STATES:
all udp 84.60.163.18:3790 -> 194.88.212.200:123       MULTIPLE:MULTIPLE
all udp 84.60.163.18:33159 -> 131.174.122.206:123       MULTIPLE:MULTIPLE
all udp 84.60.163.18:40242 -> 83.229.141.2:123       MULTIPLE:MULTIPLE
all udp 84.60.163.18:31316 -> 83.67.64.230:123       MULTIPLE:MULTIPLE
all udp 84.60.163.18:9757 -> 82.165.43.21:123       MULTIPLE:MULTIPLE
all udp 84.60.163.18:17612 -> 72.1.138.113:123       MULTIPLE:MULTIPLE
all udp 84.60.163.18:24708 -> 69.182.190.97:123       MULTIPLE:MULTIPLE
all udp 84.60.163.18:42679 -> 69.59.178.92:123       MULTIPLE:MULTIPLE
all icmp 192.168.122.16:512 -> 84.60.163.18:34545 -> 193.99.144.85       0:0
all tcp 84.60.163.18:22 <- 212.46.125.234:2840       ESTABLISHED:ESTABLISHED
all tcp 192.168.122.16:52582 -> 84.60.163.18:65442 -> 212.227.85.5:110       FIN_WAIT_2:FIN_WAIT_2
all icmp 192.168.122.128:512 -> 84.60.163.18:5939 -> 193.99.144.85       0:0
all tcp 192.168.122.16:52585 -> 84.60.163.18:52933 -> 212.227.15.161:110       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52587 -> 84.60.163.18:57017 -> 212.227.15.161:110       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52588 -> 84.60.163.18:51838 -> 151.189.21.113:110       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52589 -> 84.60.163.18:54659 -> 212.227.85.5:110       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52591 -> 84.60.163.18:53183 -> 212.227.85.5:110       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52592 -> 84.60.163.18:51607 -> 212.227.85.5:110       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52593 -> 84.60.163.18:54610 -> 212.227.85.5:110       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52595 -> 84.60.163.18:51144 -> 213.35.101.4:21       TIME_WAIT:TIME_WAIT
all tcp 192.168.122.16:52597 -> 84.60.163.18:63712 -> 212.227.85.5:110       FIN_WAIT_2:FIN_WAIT_2
all icmp 84.60.163.18:256 <- 84.184.202.84       0:0
all tcp 192.168.122.16:52601 -> 84.60.163.18:51174 -> 212.227.15.161:110       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.122.16:52602 -> 84.60.163.18:63336 -> 213.35.101.4:21       ESTABLISHED:ESTABLISHED

INFO:
Status: Enabled for 0 days 00:04:18           Debug: Urgent

State Table                          Total             Rate
  current entries                       24
  searches                            6559           25.4/s
  inserts                              234            0.9/s
  removals                             210            0.8/s
Counters
  match                               3296           12.8/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           1            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start                0 states
adaptive.end                  0 states
src.track                     0s

LIMITS:
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   100000

TABLES:

OS FINGERPRINTS:
382 fingerprints loaded


Regards
  Hagen Volpers
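
The state table in the post shows the symptom directly: the first `pfctl -ss` line is an outbound ICMP state from 192.168.122.128 with a single `->` and no translated address in the middle, while every other LAN state carries the `-> 84.60.163.18:port ->` NAT hop. Once such a state exists, later echo requests match it and the translation rules are not consulted again, so the untranslated packets keep leaving until the state expires. The script below is an added example, not part of the post or of pf itself: it scans `pfctl -ss` output for outbound LAN states that carry no translation and prints the `pfctl -k` command that would remove each one without waiting for the timeout. The LAN prefix 192.168.122.0/24 is taken from the post; the sample state lines are constructed from the post's table, and the IPv4 `addr:port` layout of `pfctl -ss` is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): find states that were
# created without a NAT translation and emit pfctl -k commands for them.
# Runs offline on the constructed sample; feed it live output with:
#   pfctl -ss | find_untranslated_states

# Assumption: the LAN behind the NAT is 192.168.122.0/24, as in the post.
INT_NET_PREFIX="192.168.122."

# Constructed sample modelled on the post's state table (IPv4 addr:port
# layout assumed). Line 2 is the problem case: a single "->" with no
# translated address between the LAN source and the remote host.
SAMPLE_STATES='all udp 84.60.163.18:3790 -> 194.88.212.200:123       MULTIPLE:MULTIPLE
all icmp 192.168.122.128:512 -> 193.99.144.85       0:0
all icmp 192.168.122.16:512 -> 84.60.163.18:34545 -> 193.99.144.85       0:0
all tcp 84.60.163.18:22 <- 212.46.125.234:2840       ESTABLISHED:ESTABLISHED
all tcp 192.168.122.16:52556 -> 84.60.163.18:55884 -> 212.227.15.161:110       FIN_WAIT_2:FIN_WAIT_2'

# Read pfctl -ss output on stdin and print "proto src -> dst" for every
# outbound ("->") state whose source is on the LAN and whose line holds
# only one "->", i.e. no NAT hop. Inbound ("<-") states are ignored.
find_untranslated_states() {
    awk -v pfx="$INT_NET_PREFIX" '
        $4 == "->" && index($3, pfx) == 1 {
            arrows = 0
            for (i = 1; i <= NF; i++) if ($i == "->") arrows++
            if (arrows == 1) print $2, $3, "->", $5
        }'
}

# Turn each flagged state into the pfctl -k invocation that kills the
# states from that source host to that destination host (ports stripped;
# a second -k restricts the kill to states towards that destination).
kill_commands_for_untranslated() {
    find_untranslated_states | awk '{
        sub(/:[0-9]+$/, "", $2)
        sub(/:[0-9]+$/, "", $4)
        print "pfctl -k " $2 " -k " $4
    }'
}

# Stand-alone run over the sample; nothing here touches the live firewall.
printf '%s\n' "$SAMPLE_STATES" | find_untranslated_states
printf '%s\n' "$SAMPLE_STATES" | kill_commands_for_untranslated
```

Run against the live table (`pfctl -ss | kill_commands_for_untranslated`) the output is a list of commands to review and paste, not executed automatically; killing a state from the LAN host forces the next packet through the ruleset again, which is what recreated the correctly translated state in the post after the 10 second wait.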