# Some hosts are blocking me



## johnnie_w (Apr 26, 2012)

Hi,

I have a NAT firewall that does NAT for several VLANs. From the firewall itself I can reach any IP address, but from behind the firewall, some addresses are not reachable.

One of the IPs that are not reachable is mediatemple.net (64.207.129.182). From the firewall itself no problem, but from behind the firewall I can see that there is no reply packet coming back. The outgoing icmp packet looks fine with the firewall's external IP as the source. 

Any ideas?

My firewall config:


```
int_if          = "em1"
ext_if          = "em0"
bridge          = "bridge0"
vpn             = "bridge1"
sync_if         = "re0"

#old
management_vlan ="vlan2"
installation_vlan="vlan7"

#new
internal_vlan   = "vlan10"
customer_vlan   = "vlan20"
public_vlan     = "vlan30"
icmp_types      = "{ echoreq, unreach }"
tcp_services    = "{ ssh, smtp, domain, www, https, 22, ntp, 43, ftp, ftp-data, ldap, ldaps}"
udp_services    = "{ domain, ntp }"
dell_services   = "{ 11371, 5869 }"
martians        = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

www             = "{ 80, 443 }"
mail            = "{ 25, 143, 465, 993 }"
ssh             = "{ 22 }"


table <www> persist file "/etc/pf/www"
table <mail> persist file "/etc/pf/mail"
table <ssh> persist file "/etc/pf/ssh"

table <blockedip> persist file "/etc/pf/blocked"
table <abusive_ips> persist
table <sshguard> persist

set block-policy return
set loginterface em1
set skip on lo

#Scrub
scrub in all fragment reassemble

#NAT
nat on $ext_if from ! ($ext_if) to any -> ($ext_if)

#FTP
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021

block log all
pass out keep state
pass in on $ext_if

anchor "ftp-proxy/*"
antispoof quick for { lo $int_if }

block in quick on $ext_if proto tcp from <sshguard> to any port 22 label "Blocked SSH bruteforce"

pass in on egress inet proto tcp from any to (egress) port $ssh label "SSH outgoing"
pass in inet proto icmp all icmp-type $icmp_types label "Ping"

pass in quick on $ext_if proto tcp from any to <ssh> port $ssh flags S/SA keep state (max-src-conn-rate 2/15, overload <sshguard> flush global)
pass in quick on $ext_if proto tcp from any to <ssh> port $ssh label "Passed quick $proto port $dstport in on $if"
pass in quick on $ext_if proto tcp from any to <mail> port $mail label "Passed quick $proto port $dstport in on $if"
pass in quick on $ext_if proto tcp from any to <dns> port domain label "Passed quick $proto port $dstport in on $if"

pass in on $ext_if proto tcp to port 21
pass in on $ext_if proto tcp to port > 49151

pass in quick on $ext_if proto tcp from any to <www> port $www  \
        flags S/SA keep state (max-src-conn 150, max-src-conn-rate 200/2, overload <abusive_ips> flush) \
        label "Passed quick $proto port $dstport in on $if"

#Block RFC 1918 addresses
block drop in log (all) quick on $ext_if from $martians to any label "Blocked martians in"
block drop out log (all) quick on $ext_if from any to $martians label "Blocked martians out"

# Block all ips
# pfctl -t blockedip -T show
block drop in log (all)  quick on $ext_if from <blockedip> to any label "Blocked IPs in"
block drop out log (all) quick on $ext_if from any to <blockedip> label "Blocked IPs out"


# allow outgoing
pass out on $ext_if proto tcp to any port $tcp_services label "Passed $proto port $dstport out on $if"
pass out on $ext_if proto udp to any port $udp_services label "Passed $proto port $dstport out on $if"

#allow incoming
pass in on $ext_if proto udp from any to any port domain label "Passed $proto port $dstport in"
pass in on $ext_if proto udp from any to $ext_if port 1194 label "Passed VPN in on $if"
pass in on $ext_if proto udp from any to any port 1985 label "Passed HSRPv1 in on $if"
pass in on $ext_if proto udp from any to $ext_if port 655 label "Passed VPN in on $if"
pass in on $ext_if proto tcp from any to $ext_if port 655 label "Passed VPN in on $if"

### Internal VLAN ###
pass in on $int_if proto udp from any to any port domain label "Passed $proto port $dstport in"
pass in on $int_if proto tcp from any to any port $www label "Passed $proto port $dstport in"

pass in on $int_if proto tcp from any to any port ssh label "Passed $proto port $dstport in"
pass in on $int_if proto udp from any to any port ntp label "Passed $proto port $dstport in"
pass in on $int_if proto tcp from any to any port 11371 label "Passed $proto port $dstport in"

### Public VLAN ###
pass in on $public_vlan proto tcp to any port $tcp_services label "Passed $proto port $dstport in on $if"
pass in on $public_vlan proto udp to any port $udp_services label "Passed $proto port $dstport in on $if"

### Installation VLAN ###
pass in on $installation_vlan proto tcp to any port $tcp_services label "Passed $proto port $dstport from NAT on $if"
pass in on $installation_vlan proto udp to any port $udp_services label "Passed $proto port $dstport from NAT on $if"

### Customer VLAN ###
pass in on $customer_vlan proto tcp to any port $tcp_services label "Passed $proto port $dstport from NAT on $if"
pass in on $customer_vlan proto udp to any port $udp_services label "Passed $proto port $dstport from NAT on $if"

### Internal VLAN ###
pass in on $internal_vlan proto tcp to any port $tcp_services label "Passed $proto port $dstport from NAT on $if"
pass in on $internal_vlan proto udp to any port $udp_services label "Passed $proto port $dstport from NAT on $if"


### Management VLAN ###
pass in on $management_vlan proto udp from port { bootps, bootpc }
pass out on $management_vlan proto udp from port { bootps, bootpc }

pass in on $management_vlan proto tcp to any port $tcp_services label "Passed $proto port $dstport from NAT on $if"
pass in on $management_vlan proto udp to any port $udp_services label "Passed $proto port $dstport from NAT on $if"

### VPN ###
pass in on $vpn proto tcp to any port $tcp_services label "Passed $proto port $dstport from NAT on $if"
pass in on $vpn proto udp to any port $udp_services label "Passed $proto port $dstport from NAT on $if"
pass inet proto icmp from $vpn to any icmp-type $icmp_types label "Ping"

pass in on $vpn label "Passed VPN to Management network"
pass in on tap1 label "Passed VPN to Management network"
pass in on tap0 label "Passed VPN to Management network"

# Allow trace route
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state

pass quick on $sync_if proto pfsync keep state (no-sync)
pass quick on $sync_if proto tcp from any to any port $ssh
pass on { $int_if, $management_vlan, $installation_vlan, bridge1 } proto carp keep state

pass in proto carp keep state
```


----------



## SirDice (Apr 26, 2012)

Run tcpdump(1) on your external interface. Make the connection from the host that's causing problems and see what gets sent out.


----------



## johnnie_w (Apr 26, 2012)

I am using tcpdump, and see that it's sent out OK to other hosts. But it looks like packets sent to the mentioned hosts don't send a reply. I can see the echo request coming in on the internal interface, but no reply coming back on the external interface. So I was thinking that I might do something weird with the packets, so the receiving firewall blocks them for some reason. Because from the firewall itself there is no problem at all.


----------



## SirDice (Apr 26, 2012)

Look closely at the outgoing packets, make sure the source address is correct. It may not have been NAT'ed which would mean the destination has no way of replying.


----------
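The check suggested above (look at what actually leaves the external interface and whether its source was translated) can be run over a saved text capture. This is an added example, not part of the original thread: the sample lines are constructed, `203.0.113.10` stands in for the firewall's external address, and the function names are hypothetical.

```python
import ipaddress
import re

# RFC 1918 ranges: a source in one of these on the external side was not NAT'ed.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches the ICMP echo lines printed by `tcpdump -n -i em0 icmp`.
ECHO = re.compile(r"IP (\S+) > (\S+): ICMP echo (request|reply), id (\d+), seq (\d+)")

# Constructed sample capture (assumption: 203.0.113.10 is the external address).
SAMPLE = """\
10:00:01.000001 IP 203.0.113.10 > 198.51.100.7: ICMP echo request, id 4242, seq 1, length 64
10:00:01.020001 IP 198.51.100.7 > 203.0.113.10: ICMP echo reply, id 4242, seq 1, length 64
10:00:02.000001 IP 203.0.113.10 > 64.207.129.182: ICMP echo request, id 4243, seq 1, length 64
10:00:03.000001 IP 192.168.30.15 > 64.207.129.182: ICMP echo request, id 4244, seq 1, length 64
"""

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def audit(capture_text):
    """Return (untranslated, unanswered) for a capture taken on the external interface.

    untranslated: (src, dst) pairs that left with a private source address.
    unanswered:   destinations whose correctly translated requests got no reply.
    """
    untranslated = []
    pending = set()  # (src, dst, id, seq) of translated requests awaiting a reply
    for line in capture_text.splitlines():
        m = ECHO.search(line)
        if not m:
            continue  # not an echo request/reply line
        src, dst, kind, ident, seq = m.groups()
        if kind == "request":
            if is_rfc1918(src):
                untranslated.append((src, dst))
            else:
                pending.add((src, dst, ident, seq))
        else:
            # A reply arrives with source and destination swapped.
            pending.discard((dst, src, ident, seq))
    unanswered = sorted({dst for (_, dst, _, _) in pending})
    return untranslated, unanswered

if __name__ == "__main__":
    leaked, silent = audit(SAMPLE)
    print("left untranslated:", leaked)
    print("translated but unanswered:", silent)
```

If a destination shows up in neither list and no request for it appears in the capture at all, the packets are leaving through a different interface, which is worth confirming with a second capture there.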



## bbzz (Apr 26, 2012)

You say there is incoming ICMP on internal interface, but is there outgoing on external? I just glanced at the rules but, for example, why do you have statement

```
pass in on $ext_if
```

and then after that you selectively pick what traffic will be passed? That's redundant and most likely not what you want.


----------



## johnnie_w (Apr 26, 2012)

That rule I just added to avoid that it has something to do with a rule. 

With tcpdump I see that pinging sends outgoing packets over em0 (the external interface). But when sending to the mentioned IP the packets go out over bridge0, not over em0. Bridge0 is bridging vlan30 together with em0:


```
bridge0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether e2:1b:5e:f0:30:1c
	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
	maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
	root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
	member: vlan30 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 11 priority 128 path cost 2000000
	member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 2 priority 128 path cost 2000000
```

But why on earth does it behave differently with that specific IP? Can it be a cache somewhere? Like an ARP cache? Or a bridging issue?


----------



## johnnie_w (Apr 26, 2012)

Hmm, I just rebooted the firewall and the problems are gone. Thanks for the answers! This thread can be closed.


----------



## SirDice (Apr 27, 2012)

johnnie_w said:

> But why on earth does it behave differently with that specific IP? Can it be a cache somewhere? Like an ARP cache? Or a bridging issue?


It's more likely it's a static route that's causing the problems. Somebody may have added it and a reboot cleared it.


----------

