Reflective routing issues w/ 2.0

dlstrout

@ermal:

can you retry next snapshot.

I am testing SNAP:

http://snapshots.pfsense.org/FreeBSD7/RELENG_1/pfSense-Full-Update-2.0-ALPHA-ALPHA-20081116-1850.tgz

Will be back with an update shortly.

dlstrout

@ermal:

can you retry next snapshot.

No luck.  It passes on test 1&2 (ping and traceroute), but I cannot VNC or SSH into the VE segment to either of the hosts VE1 or 2.

I see the traffic passing the intermediate router (Vyatta) and is see the host getting the packets (via windump on ve2 and tcpdump on VE1) and I see the traffic getting to the default gateway (via pfTop) in the VE segment (pfSense 2.0).

Then it seem to trigger blocking on the pfSense box and I see the denial of traffic as follows :

dst(target-VE1)/dst-port(VNC-tcp5900/SSH-tcp22) > src(originator-PE1)/random-port(>1023) == block
or if you prefer …
Nov 16 19:46:15  LAN  192.168.22.22:5900  192.168.1.20:33722  TCP

And when I show the "triggering" rule (click on the "X") .. here's what I get :

The rule that triggered this action is:

@3 block drop in log all label "Default deny rule"
@30 pass in on le0 inet proto udp from any port = bootpc to 192.168.22.2 port = bootps keep state label "allow access to DHCP server"
@31 pass out on le0 inet proto udp from 192.168.22.2 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
@32 anchor "spoofing" all
@33 anchor "loopback" all
@34 pass in on lo0 all flags S/SA keep state label "pass loopback"
@35 pass out on lo0 all flags S/SA keep state label "pass loopback"
@36 anchor "firewallout" all
@37 pass out all flags S/SA keep state label "let out anything from firewall host itself"
@38 anchor "anti-lockout" all
@39 pass in quick on le0 from any to (le0:2) flags S/SA keep state label "anti-lockout rule"

eri--

can you send me your ruleset and config.xml to ermal @ pfsense nospam .org

dlstrout

@ermal:

can you send me your ruleset and config.xml to ermal @ pfsense nospam .org

I have no issue with posting here either, but can't post a pdf ???, as this environment is torn down and completely segmented from the enterprise facets.

For all intents and purposes .. the test platform (pfSense 2.0) is basically a "default setup".  The only real configuration data I keep between SNAP updates and configuration restores is the WAN IP (obviously :o)) and the cert and ssh port setup.  The rest of the config is pretty plain jane and default.

There are two pdf files on their way to you …. and thanks for your assistance on this!!!!!!
;D ;D

eri--

Try next snapshot and tell me how it went.

dlstrout

@ermal:

Try next snapshot and tell me how it went.

I tried the below version when I saw your post and it has the same results …

Latest Version  : Wed Nov 19 12:52:13 EST 2008

Sorry .. I forgot to post the results ...

Nov 20 06:23:56  LAN  192.168.22.22:5900  192.168.1.20:18340  TCP

The rule that triggered this action is:

@3 block drop in log all label "Default deny rule"
@30 anchor "spoofing" all
@31 anchor "loopback" all
@32 pass in on lo0 all flags S/SA keep state label "pass loopback"
@33 pass out on lo0 all flags S/SA keep state label "pass loopback"
@34 anchor "firewallout" all
@35 pass out all flags S/SA keep state label "let out anything from firewall host itself"
@36 anchor "anti-lockout" all
@37 pass in quick on le0 from any to (le0:2) flags S/SA keep state label "anti-lockout rule"
@38 anchor "packagelate" all
@39 block drop in log quick proto tcp from sshlockout:0to any port = rsh-spx label "sshlockout"</sshlockout:0>

eri--

Not sure which if that update has the change in.
Can you check you have rules with 'no state' in them and verify that they have quick in them?

dlstrout

@ermal:

Can you check you have rules with 'no state' in them and verify that they have quick in them?

Are you talking about all of the rules or just the ones that are getting hit on when I try the test??

I will upgrade to SNAP - New version: Thu Nov 20 19:48:23 EST 2008 … and try this one.

dlstrout

@ermal:

Can you check you have rules with 'no state' in them and verify that they have quick in them?

It is still not working with the latest SNAP - Thu Nov 20 19:19:44 EST 2008

Here are the rules:

cat /tmp/rules.debug

#System aliases

loopback = "{ lo0 }"
WAN = "{ le1 }"
LAN = "{ le0 }"

User Aliases

netbios = "{ 135 137 138 139 445 }"

set loginterface le1
set loginterface le0
set optimization aggressive
set limit states 51000

scrub on $WAN all    fragment reassemble
scrub on $LAN all    fragment reassemble

nat-anchor "ftp-proxy/"
nat-anchor "natearly/"
nat-anchor "natrules/*"

Outbound NAT rules

Subnets to NAT

tonatsubnets  = "{ 192.168.168.0/24 192.168.10.0/26 192.168.22.0/24  }"
no nat on $WAN to port tftp
nat on $WAN from $tonatsubnets port 500 to any port 500 -> x.x.x.134/32 port 500
nat on $WAN from $tonatsubnets port 4500 to any port 4500 -> x.x.x.134/32 port 4500
nat on $WAN from $tonatsubnets port 5060 to any port 5060 -> x.x.x.134/32 port 5060
nat on $WAN from $tonatsubnets to any -> x.x.x.134/32

#SSH Lockout Table
table <sshlockout>persist

Load balancing anchor

rdr-anchor "relayd/*"

FTP proxy

rdr-anchor "ftp-proxy/"
rdr-anchor "tftp-proxy/"

IMSpector rdr anchor

rdr-anchor "imspector"

UPnPd rdr anchor

rdr-anchor "miniupnpd"

anchor "ftpsesame/"
anchor "relayd/"
anchor "firewallrules"
#–-------------------------------------------------------------------------

default deny rules

#---------------------------------------------------------------------------
block in log all label "Default deny rule"
block out log all label "Default deny rule"

We use the mighty pf, we cannot be fooled.

block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

snort2c

table <snort2c>persist
block quick from <snort2c>to any label "Block snort2c hosts"
block quick from any to <snort2c>label "Block snort2c hosts"

package manager early specific hook

anchor "packageearly"

carp

anchor "carp"
table <virusprot>block in quick from <virusprot>to any label "virusprot overload table"
table <bogons>persist file "/etc/bogons"

block bogon networks

http://www.cymru.com/Documents/bogon-bn-nonagg.txt

anchor "wanbogons"
block in log quick on $WAN from <bogons>to any label "block bogon networks from WAN"
antispoof for le1

block anything from private networks on interfaces with the option set

antispoof for $WAN
block in log quick on $WAN from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block in log quick on $WAN from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block in log quick on $WAN from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block in log quick on $WAN from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
antispoof for le0

allow access to DHCP server on LAN

anchor "dhcpserverLAN"
pass in on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in on $LAN proto udp from any port = 68 to 192.168.2.2 port = 67 label "allow access to DHCP server"
pass out on $LAN proto udp from 192.168.2.2 port = 67 to any port = 68 label "allow access to DHCP server"
anchor "spoofing"

loopback

anchor "loopback"
pass in on $loopback all label "pass loopback"
pass out on $loopback all label "pass loopback"

anchor "firewallout"

let out anything from the firewall host itself and decrypted IPsec traffic

pass out all keep state label "let out anything from firewall host itself"

make sure the user cannot lock himself out of the webConfigurator or SSH

anchor "anti-lockout"
pass in quick on le0 from any to (le0) keep state label "anti-lockout rule"

NAT Reflection rules

package manager late specific hook

anchor "packagelate"

SSH lockout

block in log quick proto tcp from <sshlockout>to any port 222 label "sshlockout"
anchor "ftp-proxy/*"

enable ftp-proxy

User-defined aliases follow

User-defined rules follow

block  in  quick  on $LAN  proto { tcp udp }  from 192.168.2.0/24 to any  port $netbios  label "USER_RULE: block netbios"
pass  in  quick  on $LAN  from 192.168.2.0/24 to any keep state  label "USER_RULE: Default allow LAN to any rule"
pass  in  quick  on $LAN  from {  192.168.1.0/24 } to 192.168.2.2 keep state  label "USER_RULE"

VPN Rules

anchor "limitingesr"

IMSpector

anchor "imspector"

uPnPd

anchor "miniupnpd"</sshlockout></bogons></bogons></virusprot></virusprot></snort2c></snort2c></snort2c></sshlockout>

sullrich

Not sure what ermal is after but no state only appears on rules that are added when "Bypass firewall rules for traffic on the same interface" is checked in System -> Advanced.

cmb

the bypass rules aren't even being added anymore in 2.0.

dlstrout

@sullrich:

Not sure what ermal is after but no state only appears on rules that are added when "Bypass firewall rules for traffic on the same interface" is checked in System -> Advanced.

That is what I understood to be the case, and for these tests I don't have that option checked.

databeestje

They should be added again after checking it.

dlstrout

I just updated to the latest SNAP:

2.0-ALPHA-ALPHA
built on Tue Nov 25 14:59:09 EST 2008
FreeBSD 7.1-PRERELEASE

and the issue still exists.  As before tests one and two pass fine but then I get stopped dead at test three (SSH) and four (VNC test).

Here's the logging output …..

Nov 27 10:11:56     LAN     192.168.22.22:5900     192.168.1.20:18340     TCP

The rule that triggered this action is:

@3 block drop in log all label "Default deny rule"
@30 anchor "spoofing" all
@31 anchor "loopback" all
@32 pass in on lo0 all flags S/SA keep state label "pass loopback"
@33 pass out on lo0 all flags S/SA keep state label "pass loopback"
@34 anchor "firewallout" all
@35 pass out all flags S/SA keep state label "let out anything from firewall host itself"
@36 anchor "anti-lockout" all
@37 pass in quick on le0 from any to (le0:2) flags S/SA keep state label "anti-lockout rule"
@38 anchor "packagelate" all
@39 block drop in log quick proto tcp from sshlockout:0to any port = rsh-spx label "sshlockout"</sshlockout:0>