# PF rules not allowing certain traffic to pass



## enslaved (Dec 19, 2011)

Hi 

I am sure there is a very simple explanation as to what I am getting wrong; dealing with various versions of FreeBSD means that the rules for pf vary from version to version. I am currently dealing with a pair of FreeBSD 8.2 routers configured to connect two LANs together. To save bandwidth I am only allowing certain traffic through. I'm not using NAT in this case because all hosts on both LANs need to be aware of each other.


```
#interfaces
wan_if="fxp0"
lan_if="em0"
#networks 
rocko="10.0.252.0/28"
penrith="192.168.13.0/24"
viiresss="192.168.13.1"
block out log label "Block Out"
block in log label "Block In"

#viress
pass in on $lan_if inet proto tcp from $viiresss to $rocko port 700
pass out on $wan_if inet proto tcp from $viiresss to $rocko port 700
```

When running tcpdump to troubleshoot the connection I am still getting it blocked even though I have allowed it to pass. Is it possible this is because I'm not using NAT?

```
per-roc-wa-gw# tcpdump -nettti pflog0 port 700
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
00:00:00.000000 rule 18/0(match): block in on fxp0: 10.0.252.3.4596 > 192.168.13.1.700:  tcp 28 [bad hdr length 0 - too short, < 20]
00:00:06.015672 rule 18/0(match): block in on fxp0: 10.0.252.3.4596 > 192.168.13.1.700:  tcp 28 [bad hdr length 0 - too short, < 20]
```

I have read several examples and I know this will work with the block all removed. Any help or suggestions would be appreciated.


----------



## SirDice (Dec 19, 2011)

Traffic is coming in on fxp0 ($wan_if) not on em0 ($lan_if).

In other words, your pass rules are the wrong way around.


----------



## enslaved (Dec 20, 2011)

Thanks for the prompt response SirDice. I have reversed the rules as per the suggestion. However, I still get the

```
block in on fxp0: 10.0.252.3.4596 > 192.168.13.1.700:
```

when checking the logs via `tcpdump -nettti pflog0 port 700`.


----------



## SirDice (Dec 20, 2011)

What traffic do you want to allow and where does it come in?


----------



## enslaved (Dec 20, 2011)

SirDice, thank you for your time and assistance.
The problem was in the way the question was asked; I actually had the rule mixed up in the original post. Just to correct the original posting: I have two LANs, Perth and Rocko, which are connected via a fibre link. The Perth LAN is where the services are located, and connections from the Rocko LAN need to be made to the various servers in the Perth network. I have the service working fine without putting a block in the /etc/pf.conf rule set. When I add the block rule I see traffic getting to the Perth WAN interface and getting dropped. Here are the macros defining the networks and the interfaces:

```
#interfaces
lan_if="em0"
wan_if="fxp0"
#networks
rocko="10.222.252.0/28"
perth="192.168.1.0/24"
voipnet="10.222.253.0/28"
```
Followed by the block statement:

```
block in log label "block in"
block out log label "block out"
```
And finally the rule to exclude traffic from the *10.222.252.0/28 network* on *port 700*:

```
pass in log on $wan_if inet proto tcp from any  to $iress port 700 queue trade
pass in log on $lan_if inet proto tcp from $iress to any  port 700
```
Now when I check the Perth end using `tcpdump -s 256 -nettti pflog0 port 700`:

```
00:00:00.000000 rule 0/0(match): block in on fxp0: 10.222.252.3.1352 > 192.168.1.1.700: Flags [S], seq 3010816873, win 65535, options [mss 1460,nop,nop,sackOK], length 0
```
It was suggested that I needed to include scrub below the macro definitions, as the packets needed to be reassembled before they would pass through the filter. I have made that change and have connectivity to the router from the Perth network when the block rule is activated.


----------



## SirDice (Dec 20, 2011)

Which network is connected to em0 and which network is connected to fxp0?


----------



## gkontos (Dec 20, 2011)

```
pass in log on $wan_if inet proto tcp from any  to $iress port 700 queue trade
```

should be changed to:


```
pass in log on $wan_if inet proto tcp from any  to $perth port 700 queue trade
```

if you want to allow this traffic.

It is in your logs:


```
00:00:00.000000 rule 0/0(match): block in on fxp0: 10.222.252.3.1352 > 192.168.1.1.700:
```


----------



## kpa (Dec 20, 2011)

You can simplify the rules further by using interface:network syntax:


```
pass in log on $wan_if inet proto tcp from any  to $lan_if:network port 700 queue trade
```


----------
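Pulling the thread's corrections together (rule direction from SirDice, the destination macro from gkontos, `scrub` from the OP's fix, and `interface:network` from kpa), here is an added example of a complete /etc/pf.conf for the Perth router. It is not code posted by anyone in the thread; macro names and addresses are the OP's, and the `queue trade` clause is omitted because no ALTQ queue definition appears in the thread.

```pf
# Added example: /etc/pf.conf for the Perth router (FreeBSD 8.2 pf syntax).
# Interface and network macros as posted by the OP.
lan_if="em0"            # Perth LAN side (192.168.1.0/24)
wan_if="fxp0"           # fibre link toward the Rocko LAN
rocko="10.222.252.0/28"
perth="192.168.1.0/24"
voipnet="10.222.253.0/28"

# Reassemble fragmented packets before the rules are evaluated; without
# this the OP saw fragments of the port 700 traffic being blocked.
scrub in all

# Default deny in both directions, logged so pflog0 shows every drop.
block in log label "block in"
block out log label "block out"

# Port 700 connections from Rocko arrive on the WAN side of this router,
# so the pass rule must be "in on $wan_if". $lan_if:network expands to
# the network directly attached to em0, so the $perth macro is not needed.
# "queue trade" from the original rule is left out: it needs an altq
# definition, which the thread never shows.
pass in log on $wan_if inet proto tcp from $rocko to $lan_if:network port 700 keep state

# The same connections leave on the LAN side toward the server. With pf's
# default floating state the entry created above already matches this leg;
# the explicit rule documents intent and still works if state-policy is
# changed to if-bound.
pass out on $lan_if inet proto tcp from $rocko to $lan_if:network port 700 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, then watch for drops with the thread's `tcpdump -s 256 -nettti pflog0 port 700`.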

