Subject: pf, icmp, and max-mss
To: None <current-users@netbsd.org>
From: M Graff <explorer@flame.org>
List: current-users
Date: 07/25/2006 17:51:02

I switched from ipf to pf, since that seems to be the wave of the
present, and am having problems.

"fxp0" is my external interface, and "vlan13" is more or less my
internal.  "vlan14" is my wpa2 "protected" wireless, and "vlan15" is the
public, unencrypted wireless, which I want to treat as external.

Before I added the "max-mss 1200" part, I could not reach some web sites
or, when I could reach them, post forms to them reliably.  I tried it
both with and without the no-df part.

The problem seems to be that the icmp "must fragment" response is acting
oddly...  For one, it seems my firewall is GENERATING them at times.
This is odd since no fragmentation should be necessary coming from an
interface with 1500 MTU onto one with 1500 MTU.  For two, the ICMP must
fragment is not being passed across the firewall to the machines on the
private wire vlans.

Does anyone have any suggestions on what to try, or see any filtering
I'm doing badly or omitting entirely?  pf is a very strange beast...
Can't wait for it to work with altq...  :)

Here are the (basic, probably lacking) rules I have installed:

tcp_services = "{ 22, 53, 113, 8000 }"
udp_services = "{ 53, 123 }"
# Loopback plus the three RFC 1918 ranges (192.168.0.0/16 was mistyped as 192.196.0.0/16)
table <priv_nets> { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }

# options
set block-policy return
set loginterface fxp0
set fingerprints "/etc/pf.os"

#scrub in all no-df fragment reassemble
scrub in all fragment reassemble max-mss 1200

nat on fxp0 from !(fxp0) to 192.168.100.1 -> 192.168.100.5
nat on fxp0 from !(fxp0) to any -> (fxp0:0)
rdr pass on fxp0 proto tcp from any to any port 7882:7884 -> 10.42.120.3 port 7882:7884
rdr pass on fxp0 proto udp from any to any port 7882:7884 -> 10.42.120.3 port 7882:7884

block log all
pass quick on lo0 all
pass out quick keep state

#
# Allow certain specific ports from the world or our public
# wireless.  Let all ICMP types through.
#
pass in quick on fxp0 inet proto tcp from any to (fxp0) \
   port $tcp_services flags S/SA keep state
pass in quick on vlan15 inet proto tcp from any to (vlan15) \
   port $tcp_services flags S/SA keep state
pass in quick on fxp0 inet proto udp from any to (fxp0) \
   port $udp_services keep state
pass in quick on vlan15 inet proto udp from any to (vlan15) \
   port $udp_services keep state
pass in quick inet proto icmp all keep state

pass in on fxp0 inet proto tcp from any to 10.42.120.3 port 7882:7884 flags S/SA synproxy state
pass in on fxp0 inet proto udp from any to 10.42.120.3 port 7882:7884

#
# Let us talk to the modem...
#
pass in quick on fxp0 from 192.168.100.1/32 to any
pass out quick on fxp0 from any to 192.168.100.1/32

#
# Don't leak any other private wire addresses.
#
block drop in log quick on fxp0 from { <priv_nets> } to any
block drop out log quick on fxp0 from any to { <priv_nets> }

pass in quick on vlan12
pass in quick on vlan13
pass in quick on vlan14

pass out on fxp0 proto tcp all keep state flags S/SA
pass out on fxp0 proto { udp, icmp } all keep state
pass out on vlan15 proto tcp all modulate state flags S/SA
pass out on vlan15 proto { udp, icmp } all keep state
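What a stateful filter has to do with the ICMP "fragmentation needed" message the post is chasing, as an added example that is not part of the original message or of pf itself: the script below is written for this page, builds one ICMPv4 type 3 code 4 datagram the way a router on the path would (RFC 792 header, next-hop MTU in the second 16-bit word of the second header word per RFC 1191, the dropped datagram's IP header plus its first 8 bytes quoted after it), then parses it the way a "keep state" firewall does, reading the quoted inner header to recover the TCP 4-tuple and accepting the error only if that flow is already in the state table. The addresses, ports and the state table are constructed for the demonstration; the MSS arithmetic at the end shows why "max-mss 1200" hides the problem instead of fixing it.

```python
"""ICMPv4 'fragmentation needed' (type 3, code 4): build, parse, match to state.

Constructed demonstration, not pf code.  Addresses and ports are made up:
  inside host 10.42.120.3:50000  ->  203.0.113.10:80   (TCP, DF set)
  router 198.51.100.1 drops it and reports a next-hop MTU of 1400.
"""
import socket
import struct

IP_PROTO_ICMP = 1
IP_PROTO_TCP = 6
ICMP_UNREACH = 3
ICMP_UNREACH_NEEDFRAG = 4


def inet_checksum(data: bytes) -> int:
    """Standard 16-bit one's-complement checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                      df: bool = False, ident: int = 0x1234, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    flags_frag = 0x4000 if df else 0          # DF bit is 0x4000 in the flags/offset word
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_need_frag(router: str, orig_src: str, orig_dst: str,
                    sport: int, dport: int, next_hop_mtu: int) -> bytes:
    """The datagram a router sends back when a DF packet exceeds its next-hop MTU."""
    # Quoted part: the dropped segment's IP header and the first 8 bytes of TCP
    # (source port, destination port, sequence number).  A constructed 1460-byte
    # payload length is claimed in the quoted header, as a full-MSS segment would have.
    quoted_tcp = struct.pack("!HHI", sport, dport, 0x11223344)
    quoted_ip = build_ipv4_header(orig_src, orig_dst, IP_PROTO_TCP, 1460, df=True)
    body = quoted_ip + quoted_tcp
    # ICMP header: type, code, checksum, unused, next-hop MTU (RFC 1191 layout).
    hdr = struct.pack("!BBHHH", ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, 0, 0, next_hop_mtu)
    csum = inet_checksum(hdr + body)
    icmp = struct.pack("!BBHHH", ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, csum, 0, next_hop_mtu) + body
    return build_ipv4_header(router, orig_src, IP_PROTO_ICMP, len(icmp)) + icmp


def parse_need_frag(pkt: bytes):
    """Return ((proto, src, sport, dst, dport), next_hop_mtu) or None if not a
    well-formed fragmentation-needed error.  This is the information a stateful
    filter needs: the error is about the *quoted* flow, not about the ICMP packet's
    own addresses."""
    if len(pkt) < 20 or pkt[9] != IP_PROTO_ICMP:
        return None
    icmp = pkt[(pkt[0] & 0x0F) * 4:]
    if len(icmp) < 8 + 28:                       # 8 ICMP + 20 IP + 8 transport
        return None
    itype, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (itype, code) != (ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG):
        return None
    if inet_checksum(icmp) != 0:                 # checksum over a correct message sums to 0
        return None
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < inner_ihl + 8:
        return None
    proto = inner[9]
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return (proto, src, sport, dst, dport), mtu


def icmp_error_allowed(states, pkt: bytes) -> bool:
    """What 'keep state' buys you: pass the error only if the quoted flow
    matches a state the inside host created.  Errors about unknown flows
    are dropped, so a rule matching the ICMP packet's own addresses is not
    what decides whether the inside host ever sees it."""
    parsed = parse_need_frag(pkt)
    return parsed is not None and parsed[0] in states


def max_mss_for_mtu(mtu: int) -> int:
    """Largest IPv4 TCP payload that fits one packet: 20 IP + 20 TCP of header."""
    return mtu - 40


def segment_needs_pmtud(mss: int, path_mtu: int) -> bool:
    """True if a full-MSS segment would exceed the path MTU, i.e. the host
    depends on receiving the ICMP error.  Clamping MSS below the path MTU
    makes the error unnecessary rather than making it arrive."""
    return mss + 40 > path_mtu


if __name__ == "__main__":
    states = {(IP_PROTO_TCP, "10.42.120.3", 50000, "203.0.113.10", 80)}   # constructed state table
    pkt = build_need_frag("198.51.100.1", "10.42.120.3", "203.0.113.10", 50000, 80, 1400)
    print(parse_need_frag(pkt), icmp_error_allowed(states, pkt))
    print(segment_needs_pmtud(1460, 1400), segment_needs_pmtud(1200, 1400))
```

Two things this makes concrete for the rules in the post: first, the ICMP error is addressed from the router to the inside host, so on a NAT box it arrives at the external address and has to be matched to the outbound TCP state through the quoted header, which is why `keep state` on the outbound pass rules matters more than the blanket `pass in ... proto icmp` rule; second, `max-mss 1200` works by making `segment_needs_pmtud` false for any path MTU of 1240 or more, which explains why it papers over a dropped ICMP error without telling you where the error was lost.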