login
Login / Register
Header Space

 
 

Home » Mailing list archives » openbsd-misc » 2008 » March » 3

pf tag goes missing post sshd tcp decapsulization

Score:
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
[view in full thread]
From: scott <8f27e956@...>
To: <misc@...>
Subject: pf tag goes missing post sshd tcp decapsulization
Date: Monday, March 3, 2008 - 5:00 am

openBSD(4.2) and 4.3-beta

/etc/pf.conf fragment
# ---v---
pass in log quick on em0 inet proto tcp \
 from !<ssh_pests> to (em0:0) port 22 \
 tag SSHVPN flags S/SA keep state \
 (max-src-conn-rate 3/120, overload <ssh_pests> flush global) \
 label R1
#
pass out log quick on em1 tagged SSHVPN keep state \
 label R2
#
block log all label R3
# ---^---

In the above rule set, "R2" does not "matches" anything/ever. It is
silent to pflog0.  The traffic that should be passed by R2 instead posts
in pflog0 as blocked by R3.

Something about the sshd's tcp decapsulization or pf's relationship with
it is loosing the tag SSHVPN.

Without the ability to tag the ssh tunneled traffic post
decapsulization, I don't know how to do the differentiated handling I
need.  e.g. sshd -w from inside via my wifi vs. sshd -w from outside to
inside. 

I've posted a form of this question before but I've focused it further
here.  The ssh mail-list folks allege it's a pf issue.

Now, I know that ssh -w flows via tun(n) interfaces.  The following
rules set flows the outside to inside traffic BUT THERE'S NO LINKAGE
BETWEEN R1 AND R2. Putting "tagged SSHVPN" on R2 will cause R2 to "not
match" and therefore "not pass" the tun traffic.
# ---v---
pass in log quick on em0 inet proto tcp \
 from !<ssh_pests> to (em0:0) port 443 \
 tag SSHVPN flags S/SA keep state \
 (max-src-conn-rate 3/120, overload <ssh_pests> flush global) \
 label R1
#
pass in log quick on tun inet \
 from (tun:peer) to any \
 tag VTUNPKTS keep state label R2
#
pass out log quick on inside inet \
 tagged VTUNPKTS keep state label R3
# ---^---

Is is this a bug or is there a way that R2 can "know" where the tun
traffic is ingressing from.

What I think I want to be able to effect is...
# ---v---
pass in log quick on em0 inet proto tcp \
 from !<ssh_pests> to (em0:0) port 443 \
 tag SSHVPN flags S/SA keep state \
 (max-src-conn-rate 3/120, overload <ssh_pests> flush global) \
 label R1
#
pass in log quick on tun inet \
 tagged SSHVPN \
 tag VTUNPKTS keep state label R2
#
pass out log quick on inside inet \
 tagged VTUNPKTS keep state label R3
# ---^---


Thanks,
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
Messages in current thread:
pf tag goes missing post sshd tcp decapsulization, scott, (Mon Mar 3, 5:00 am)
Re: pf tag goes missing post sshd tcp decapsulization, Giancarlo Razzolini, (Mon Mar 3, 9:30 am)
Re: pf tag goes missing post sshd tcp decapsulization, Henning Brauer, (Mon Mar 3, 11:19 am)
Re: pf tag goes missing post sshd tcp decapsulization, Giancarlo Razzolini, (Mon Mar 3, 12:02 pm)
Re: pf tag goes missing post sshd tcp decapsulization, scott, (Mon Mar 3, 12:56 pm)
Re: pf tag goes missing post sshd tcp decapsulization, Giancarlo Razzolini, (Mon Mar 3, 2:02 pm)
Re: pf tag goes missing post sshd tcp decapsulization, scott, (Mon Mar 3, 12:41 pm)
Re: pf tag goes missing post sshd tcp decapsulization, Reyk Floeter, (Tue Mar 4, 6:15 am)
Re: pf tag goes missing post sshd tcp decapsulization, Konrad, (Thu Mar 6, 2:08 am)
Re: pf tag goes missing post sshd tcp decapsulization , Theo de Raadt, (Thu Mar 6, 2:35 am)
Re: pf tag goes missing post sshd tcp decapsulization, Henning Brauer, (Mon Mar 3, 9:08 am)

Mail archive search
Enter your search terms.
Optionally limit your search to a specific mailing list.
advanced
Colocation donated by:
Who's online
There are currently 3 users and 1093 guests online.

Online users

Syndicate
Syndicate content
© 2007 KernelTrap.  |  Powered by Drupal.  |  Legal statement.
speck-geostationary