# Packet Filter blocking



## ddclxvi (Jun 4, 2009)

I am currently running PF on FreeBSD 7.2 as a firewall. With a traditional C class network, NAT works perfectly within the IP range. But on the present LAN, 169.254.182.0/24, NAT does not work for IPs in that range!

Ahead thank you for the help!

Németh Attila Péter


----------



## mk (Jun 4, 2009)

Please make your post more clear. You have some problem with C class network? What problem?


----------



## SirDice (Jun 4, 2009)

What the heck is a nattolas and an IP province?!?

Please don't use a translator program to translate your native language into English. Most of them are crap, especially when it comes to "technical" terms. This makes it really, really hard to understand.


----------



## ddclxvi (Jun 4, 2009)

*Nat problem*

The NAT in FreeBSD 7.2 doesn't work with 169.254.182.0/24!
But with a C class network like 192.168.1.0/24 it is OK...

Why ?

Németh Attila Péter


----------



## DutchDaemon (Jun 4, 2009)

Post your `ifconfig -a` and your /etc/pf.conf (or the NAT rules from it).


----------



## ddclxvi (Jun 4, 2009)

```
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 00:1d:0f:ff:ae:15
	inet 169.254.182.251 netmask 0xffffff00 broadcast 169.254.182.255
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 00:1d:0f:ff:9d:cd
	inet 192.168.2.2 netmask 0xffffff00 broadcast 192.168.2.255
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
pfsync0: flags=0<> metric 0 mtu 1460
	syncpeer: 224.0.0.240 maxupd: 128
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5 
	inet6 ::1 prefixlen 128 
	inet 127.0.0.1 netmask 0xff000000 
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33204
```


```
# macros
ext_if="rl1"
int_if="rl0"
lo_if="lo0"

# SAMBA 137,138,139,445
# SSH   22
# DNS   53
# RNDC 953

tcp_services="{ 22, 53, 113, 137, 138, 139, 445, 953 }"
icmp_types="echoreq"

# comp3="192.168.0.3"

# options
set block-policy return
set loginterface $ext_if

set skip on lo

# scrub
scrub in

# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)

# nat-anchor "ftp-proxy/*"
# rdr-anchor "ftp-proxy/*"

#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
# rdr on $ext_if proto tcp from any to any port 80 -> $comp3

# filter rules
block in
pass out

anchor "ftp-proxy/*"
antispoof quick for { lo $int_if }

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services
# pass in on $ext_if inet proto tcp from any to $comp3 port 80 \

# synproxy state
pass in inet proto icmp all icmp-type $icmp_types
pass quick on $int_if no state
```

My interfaces and pf.conf

Németh Attila Péter


----------



## DutchDaemon (Jun 4, 2009)

Also post the output of `pfctl -s nat` and `pfctl -s rules`. Please post the output in `[code]` tags. Oh, and I don't need a PM ..


----------



## ddclxvi (Jun 4, 2009)

```
#----------------------- PF RULES ----------------------
scrub in all fragment reassemble
block return in all
pass out all flags S/SA keep state
anchor "ftp-proxy/*" all
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick inet6 from ::1 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick on ! rl0 inet from 169.254.182.0/24 to any
block drop in quick inet from 169.254.182.251 to any
pass in on rl1 inet proto tcp from any to (rl1) port = ssh flags S/SA keep state
pass in on rl1 inet proto tcp from any to (rl1) port = domain flags S/SA keep state
pass in on rl1 inet proto tcp from any to (rl1) port = auth flags S/SA keep state
pass in on rl1 inet proto tcp from any to (rl1) port = netbios-ns flags S/SA keep state
pass in on rl1 inet proto tcp from any to (rl1) port = netbios-dgm flags S/SA keep state
pass in on rl1 inet proto tcp from any to (rl1) port = netbios-ssn flags S/SA keep state
pass in on rl1 inet proto tcp from any to (rl1) port = microsoft-ds flags S/SA keep state
pass in on rl1 inet proto tcp from any to (rl1) port = rndc flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass quick on rl0 all no state

#----------------------- NAT ----------------------
nat on rl1 from ! (rl1) to any -> (rl1:0)
```


----------



## SirDice (Jun 4, 2009)

169.254.182.0/24 is a link-local IPv4 address (RFC-3927) and non-routable. Use RFC-1918 addresses.


----------
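As an added check (not code from the thread), the RFC 3927 point above applied to the posted `ifconfig -a` output: parse each interface's address and hex netmask, classify the network, and flag a NAT setup whose inside network is link-local, since RFC 3927 forbids routers from forwarding packets with link-local source or destination addresses. The sample input is the rl0/rl1/lo0 lines from the output posted earlier; the int_if/ext_if names are taken from the posted pf.conf.

```python
import ipaddress
import re

# RFC 3927 link-local vs RFC 1918 private. Listed explicitly because
# Python's IPv4Network.is_private also returns True for 169.254.0.0/16.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Sample input: the rl0/rl1/lo0 lines from the ifconfig output posted in this thread.
SAMPLE_IFCONFIG = """\
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 169.254.182.251 netmask 0xffffff00 broadcast 169.254.182.255
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.2.2 netmask 0xffffff00 broadcast 192.168.2.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    inet 127.0.0.1 netmask 0xff000000
"""

IFACE_RE = re.compile(r"^(\w+): flags=")
INET_RE = re.compile(r"^\s+inet (\d+\.\d+\.\d+\.\d+) netmask (0x[0-9a-fA-F]+)")


def parse_ifconfig(text):
    """Return {ifname: IPv4Interface} from FreeBSD ifconfig output (hex netmask form)."""
    result, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = INET_RE.match(line)
        if m and current:
            prefixlen = bin(int(m.group(2), 16)).count("1")  # 0xffffff00 -> /24
            result[current] = ipaddress.ip_interface(f"{m.group(1)}/{prefixlen}")
    return result


def classify(net):
    """Label a network by the address range it falls in."""
    if net.subnet_of(LINK_LOCAL):
        return "link-local (RFC 3927)"
    if any(net.subnet_of(p) for p in RFC1918):
        return "private (RFC 1918)"
    if net.subnet_of(LOOPBACK):
        return "loopback"
    return "global"


def check_nat(ifaces, int_if, ext_if):
    """Return (ok, message): ok is False when the inside network is link-local."""
    inside = ifaces[int_if].network
    kind = classify(inside)
    ok = kind != "link-local (RFC 3927)"
    hint = "" if ok else "; a router must not forward it, use an RFC 1918 range"
    return ok, f"nat on {ext_if} from {inside} ({kind}){hint}"
```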



## DutchDaemon (Jun 4, 2009)

You'd expect a complaint from either pfctl or ifconfig for that ..


----------



## SirDice (Jun 4, 2009)

DutchDaemon said:

> You'd expect a complaint from either pfctl or ifconfig for that ..



It is a valid IP address but I'm not sure how PF would handle it.


----------



## CmdLnKid (Jul 20, 2009)

Not enough information disclosed.


----------



## mecano (Jul 20, 2009)

could that mean that his rtl0 interface was not "explicitly" set and get a dumb IP by default ?


----------



## DutchDaemon (Jul 20, 2009)

As far as I know only Windows PCs do something like that (saddle you with a link-local address when you boot without a network).


----------



## mecano (Jul 21, 2009)

inet6 on lo and not on real interfaces maybe ?


----------

