
List:       openbsd-misc
Subject:    PF and IPSEC - friends or foes?
From:       "Jason Haag" <jason () macrosys ! com>
Date:       2001-11-30 16:59:57

Hi,

Synopsis: After upgrade from 2.9-stable to 3.0-stable, Ipsec/VPN sessions
start to fail after 10 sec. to 1 min. When this happens, pings from internal
machines to firewall start to time out as well in irregular intervals (~66%
packet loss). Non-VPN traffic resumes after about 30 sec.

Same behaviour when I change pf.conf to pass all traffic.

Yes, it did work just fine under 2.9-stable (was CVS from Nov. 21).

Some (hopefully helpful) information posted below (more available upon
request). Please don't include those in replies.

My best guess is there is an issue with dynamically created routes
somewhere?

Thanks for any help/pointers.

-Jason



Upgrade from 2.9-stable to 3.0-stable (both as of Nov. 21):
- built release tarballs from Nov. 21 CVS (-rOPENBSD_3_0)
	this happened on a separate box
- copied the .tgz files and generic kernel to the box being upgraded
- followed the instructions found in /faq/upgrade-minifaq.html.
	added users and groups
- Merged /etc changes found via "cvs diff -u -rOPENBSD_2_9 -rOPENBSD_3_0".
	copied netstart, rc, rc.conf, rc.local, services, inetd.conf over 2.9 versions
- Untarred the tgz files (base30, comp30, man30, misc30) via "tar xzpf ... -C /"
- Copied generic kernel to /bsd and reboot.
- Made all devices (in /dev: "# ./MAKEDEV all")
- (re-)enabled pf and isakmpd via /etc/rc.conf.local
= no changes to /etc/isakmpd
- converted ipnat.rules to nat.conf and ipf.rules to pf.conf
- reboot


DMESG
=====

OpenBSD 3.0 (GENERIC) #3: Thu Nov 22 03:33:38 EST 2001
    macro@bsd30:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Am5x86 W/T 133/160 ("AuthenticAMD" 486-class)
cpu0: FPU
real mem  = 16658432 (16268K)
avail mem = 10182656 (9944K)
using 228 buffers containing 933888 bytes (912K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 04/14/95
pcibios at bios0 function 0x1a not configured
bios0: ROM list: 0xc0000/0x6000
isa0 at mainbus0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard
vga0 at isa0 port 0x3b0/48 iomem 0xa0000/131072
wsdisplay0 at vga0: console (80x25, vt100 emulation), using wskbd0
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
wdc0 at isa0 port 0x1f0/8 irq 14
wd0 at wdc0 channel 0 drive 0: <Maxtor 7345 AT>
wd0: 32-sector PIO, CHS, 329MB, 790 cyl, 15 head, 57 sec, 675450 sectors
wd0(wdc0:0:0): using BIOS timings
ep0 at isa0 port 0x210/16 irq 11: address 00:20:af:37:87:d7, utp/aui
(default utp)
ep1 at isa0 port 0x300/16 irq 10: address 00:20:af:05:6a:67, utp/aui
(default utp)
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask 4040 netmask 4c40 ttymask 4cc2
pctr: no performance counters in CPU
dkcsum: wd0 matched BIOS disk 80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302

/etc/nat.conf:
==============

# cat /etc/nat.conf
ext_if = "ep0"
int_if = "ep1"

# redirect incoming RealAudio
rdr on $ext_if proto tcp from any to any port 554 -> 192.168.1.2 port 554
rdr on $ext_if proto tcp from any to any port 4040 -> 192.168.1.2 port 4040
rdr on $ext_if proto tcp from any to any port 7070 -> 192.168.1.2 port 7070

# redirect WWW ports
rdr on $ext_if proto tcp from any to any port 80 -> 192.168.1.2 port 80
rdr on $ext_if proto tcp from any to any port 443 -> 192.168.1.2 port 443
rdr on $ext_if proto tcp from any to any port 8080 -> 192.168.1.4 port 80
rdr on $ext_if proto tcp from any to any port 8443 -> 192.168.1.4 port 443

# redirect ftp ports
rdr on $ext_if proto tcp from any to any port 20 -> 192.168.1.2 port 20
rdr on $ext_if proto tcp from any to any port 21 -> 192.168.1.2 port 21
rdr on $ext_if proto tcp from any to any port 2121 -> 192.168.1.103 port 21

# redirect pptp ports
rdr on $ext_if proto tcp from any to any port 1723 -> 192.168.1.2 port 1723

# Map Internal range to external ip for clients
nat on $ext_if from 192.168.1.0/24 to any -> $ext_if

/etc/pf.conf:
==============

# cat /etc/pf.conf
ext_if = "ep0"
int_if = "ep1"

block in log all
pass out all

# Let all in coming from the inside
pass in on $int_if all
pass in on lo0 all

# block those which should not come in (unrouteable)

block in log quick on $ext_if from 0.0.0.0/32 to any
block in log quick on $ext_if from 255.255.255.255/32 to any
block in log quick on $ext_if from 127.0.0.0/8 to any
block in log quick on $ext_if from any to 0.0.0.0/32
block in log quick on $ext_if from any to 255.255.255.255/32
block in log quick on $ext_if from any to 127.0.0.0/8

# more unroutables
block in log on $ext_if from 192.168.0.0/16 to any
block in log quick on $ext_if from 172.16.0.0/12 to any
block in log on $ext_if from 10.0.0.0/8 to any

# block spoof addresses
block in log quick on $ext_if from [external IP]/32 to any

#allow certain icmp replies
pass in quick on $ext_if inet proto icmp all icmp-type 0
pass in quick on $ext_if inet proto icmp all icmp-type 3
pass in quick on $ext_if inet proto icmp all icmp-type 8
pass in quick on $ext_if inet proto icmp all icmp-type 11

#Prevent machines outside from starting connections with the inside net.
block in on $ext_if proto tcp all flags S/SA
block out on $ext_if proto tcp all flags SA/SA

# allow ssh to the firewall from the outside
pass in quick on $ext_if proto tcp from any to any port = 22 flags S/SA keep state


# allow PPTP to NT server
pass in quick on $ext_if proto tcp from any to 192.168.1.2 port = 1723 flags S/SA keep state
pass in on $ext_if proto gre from any to any

# allow Napster on Router (104), Ali-Docking (103), Ali-Xircom (105)
pass in quick on $ext_if proto tcp from any to 192.168.1.104 port = 6698 flags S/SA keep state
pass in quick on $ext_if proto tcp from any to 192.168.1.103 port = 6699 flags S/SA keep state
pass in quick on $ext_if proto tcp from any to 192.168.1.105 port = 6698 flags S/SA keep state

# allow ftp to the NT server
#pass in quick on $ext_if proto tcp from any to 192.168.1.103 port = 21 flags S/SA keep state
#pass in quick on $ext_if proto tcp from any to 192.168.1.103 port = 20 flags S/SA keep state
pass in quick on $ext_if proto tcp from any to 192.168.1.2 port = 21 flags S/SA keep state
pass in quick on $ext_if proto tcp from any to 192.168.1.2 port = 20 flags S/SA keep state

# allow http for the two servers
pass in quick on $ext_if proto tcp from any to 192.168.1.2 port = 80 flags S/SA keep state
pass in quick on $ext_if proto tcp from any to 192.168.1.4 port = 80 flags S/SA keep state

# allow https for the two servers
pass in quick on $ext_if proto tcp from any to 192.168.1.2 port = 443 flags S/SA keep state
pass in quick on $ext_if proto tcp from any to 192.168.1.4 port = 443 flags S/SA keep state

# allow smtp on one server
pass in quick on $ext_if proto tcp from any to 192.168.1.4 port = 25 flags S/SA keep state

# allow ISAKMPD and ESP from any
pass in  quick on $ext_if proto udp from any to any port = 500
pass in  quick on $ext_if proto esp from any to any
pass out quick on $ext_if proto esp from any to any
pass in  quick on enc0 all
pass out quick on enc0 all

# allow return packets from connections we initated
pass out on $ext_if proto tcp all keep state
pass out on $ext_if proto udp all keep state

# allow RealAudio to server
pass in on $ext_if proto tcp from any to 192.168.1.2 port = 7070 flags S/SA keep state
pass in on $ext_if proto tcp from any to 192.168.1.2 port = 554 flags S/SA keep state

Ipsec routes:
=============

# netstat -nrf encap
Routing tables

Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
10.10.10/24        0     192.168.1/24       0     0     partner_2/50/use/in
192.168.0/24       0     192.168.1/24       0     0     partner_1/50/use/in
192.168.1/24       0     10.10.10/24        0     0     partner_2/50/require/out
192.168.1/24       0     192.168.0/24       0     0     partner_1/50/require/out

Ping test (internal LAN, after ipsec session failed):
=====================================================
# ping 192.168.1.104

PING 192.168.1.104 (192.168.1.104): 56 data bytes
64 bytes from 192.168.1.104: icmp_seq=2 ttl=128 time=1.866 ms
64 bytes from 192.168.1.104: icmp_seq=6 ttl=128 time=1.863 ms
64 bytes from 192.168.1.104: icmp_seq=8 ttl=128 time=1.951 ms
64 bytes from 192.168.1.104: icmp_seq=9 ttl=128 time=2.489 ms
64 bytes from 192.168.1.104: icmp_seq=12 ttl=128 time=1.864 ms
64 bytes from 192.168.1.104: icmp_seq=13 ttl=128 time=1.894 ms
64 bytes from 192.168.1.104: icmp_seq=15 ttl=128 time=1.855 ms
64 bytes from 192.168.1.104: icmp_seq=19 ttl=128 time=2.077 ms
64 bytes from 192.168.1.104: icmp_seq=22 ttl=128 time=1.892 ms
64 bytes from 192.168.1.104: icmp_seq=25 ttl=128 time=1.866 ms
--- 192.168.1.104 ping statistics ---
27 packets transmitted, 10 packets received, 62% packet loss
round-trip min/avg/max/std-dev = 1.855/1.961/2.489/0.194 ms
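The post's own guess is that dynamically created encap routes are at fault. One thing a practitioner would want to check first is that the flow table still contains both directions of every tunnel and that each direction is bound to the same peer. The script below is an added example and not part of the original post or of OpenBSD's tooling: it parses `netstat -nrf encap` output in the layout shown above (tolerating an SA column that a mail client or narrow terminal wrapped onto its own line), and reports any flow whose reverse-direction counterpart is missing or points at a different peer. The sample table is constructed from the post's output; the function and type names (`parse_encap`, `check_flow_symmetry`, `Flow`) are the example's own.

```python
"""Check an OpenBSD `netstat -nrf encap` flow table for missing or
mismatched reverse-direction flows.

Added example, not code from the original post.  The sample table below is
constructed from the table in the post."""

import re
from collections import namedtuple

Flow = namedtuple("Flow", "src sport dst dport proto sa_addr sa_proto sa_type sa_dir")

# Constructed sample: the encap table as it appears in the post, including a
# SA column that was wrapped onto the following line.
SAMPLE_ENCAP = """\
Routing tables

Encap:
Source             Port  Destination        Port  Proto
SA(Address/Proto/Type/Direction)
10.10.10/24        0     192.168.1/24       0     0     partner_2/50/use/in
192.168.0/24       0     192.168.1/24       0     0     partner_1/50/use/in
192.168.1/24       0     10.10.10/24        0     0
partner_2/50/require/out
192.168.1/24       0     192.168.0/24       0     0
partner_1/50/require/out
"""

# peer/ipproto/type/direction, e.g. partner_2/50/use/in (50 = ESP)
SA_RE = re.compile(r"^(\S+)/(\d+)/(\w+)/(in|out)$")


def _unwrap(lines):
    """Re-join a data row with a following line that holds only the SA field."""
    out = []
    for line in lines:
        line = line.rstrip()
        if not line:
            continue
        if SA_RE.match(line) and out:
            out[-1] = out[-1] + " " + line
        else:
            out.append(line)
    return out


def parse_encap(text):
    """Return a list of Flow records; header and title lines are skipped."""
    flows = []
    for line in _unwrap(text.splitlines()):
        fields = line.split()
        if len(fields) != 6:
            continue
        m = SA_RE.match(fields[5])
        if not m:
            continue
        src, sport, dst, dport, proto = fields[:5]
        flows.append(Flow(src, int(sport), dst, int(dport), int(proto),
                          m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return flows


def check_flow_symmetry(flows):
    """Every src->dst flow in one direction should have a dst->src flow in the
    other direction bound to the same peer.  Returns a list of problem strings
    (empty when the table is consistent)."""
    index = {(f.src, f.sport, f.dst, f.dport, f.sa_dir): f for f in flows}
    problems = []
    for f in flows:
        rev_dir = "in" if f.sa_dir == "out" else "out"
        rev = index.get((f.dst, f.dport, f.src, f.sport, rev_dir))
        if rev is None:
            problems.append(f"{f.sa_dir} flow {f.src} -> {f.dst} via {f.sa_addr} "
                            f"has no {rev_dir} counterpart")
        elif rev.sa_addr != f.sa_addr:
            problems.append(f"{f.sa_dir} flow {f.src} -> {f.dst} via {f.sa_addr} "
                            f"returns via {rev.sa_addr}")
    return problems


if __name__ == "__main__":
    import sys
    # Pipe live output in: netstat -nrf encap | python3 check_encap.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ENCAP
    found = check_flow_symmetry(parse_encap(text))
    for p in found:
        print("PROBLEM:", p)
    if not found:
        print("flow table is symmetric")
```

On the table in the post this reports nothing, which is consistent with the failure not being a missing flow at the moment the snapshot was taken; running it again right after a session drops would show whether a flow has disappeared or been re-bound to another peer.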
