NetBSD-Users archive


trouble converting from ipfilter to pf



Hi,

I recently upgraded my service and decided to take the opportunity to switch over to pf instead of ipfilter. In retrospect it was a bad idea to do both at the same time! But anyway... I switched back to ipfilter and I have the system working on the new service.

With pf, all the redirection rules work fine. What doesn't work has to do with NAT and is strange: there is intermittent, or really slow service to random web sites. And I can only find this problem using browsers on the internal net. For example, I get a hang, trying to get at http://www.wikipedia.org or http://www.noaa.gov, But http://netbsd.org and http://www.usdoj.gov comes up right away. Also if I telnet on port 80 to any of these "bad" sites and do a "GET" it works without any problem. Really, really weird.

This problem goes away when using ipfilter.

The question is, what's going wrong w/ my pf configuration? I've tried to replicate what I had in the ipfilter rules in pf, but I must have gone wrong somewhere.

Any help will be great.

Louis


This is the working ipfilter/ipnat configuration, followed by the pf configuration...

############################################
# ipf.conf
############################################
pass  in all
pass  out all

block in     on sip2
block in     quick on sip2 from 192.168.0.0/16 to any
block in     quick on sip2 from 172.16.0.0/12 to any
block in     quick on sip2 from 10.0.0.0/8 to any
block in     quick on sip2 from 127.0.0.0/8 to any
block in     quick on sip2 from 0.0.0.0/8 to any
block in     quick on sip2 from 169.254.0.0/16 to any
block in     quick on sip2 from 192.0.2.0/16 to any
block in     quick on sip2 from 204.152.64.0/23 to any
block in     quick on sip2 from 224.0.0.0/3 to any

pass out     quick on sip2 proto tcp/udp from any to any keep state
pass out     quick on sip2 proto icmp from any to any keep state

pass in     quick on sip2 proto tcp from any to any port = 22 flags S keep state
pass in     quick on sip2 proto tcp from any to any port = 25 flags S keep state
pass in     quick on sip2 proto tcp from any to any port = 53 flags S keep state
pass in     quick on sip2 proto tcp from any to any port = 80 flags S keep state
pass in     quick on sip2 proto tcp from any to any port = 110 flags S keep state
pass in     quick on sip2 proto tcp from any to any port = 143 flags S keep state
pass in     quick on sip2 proto tcp from any to any port = 993 flags S keep state
pass in     quick on sip2 proto tcp from any to any port = 443 flags S keep state

pass in     quick on sip2 proto udp from any to any port = 53 keep state
pass in     quick on sip2 proto icmp from any to any

pass out proto tcp all keep state

############################################
# ipnat.conf
############################################
rdr sip2 0/0 port 80    -> 192.168.1.100 port 80
rdr sip2 0/0 port 8080  -> 192.168.1.110 port 80
rdr sip2 0/0 port 22    -> 192.168.1.110 port 22
rdr sip2 0/0 port 25    -> 192.168.1.100 port 25
rdr sip2 0/0 port 109   -> 192.168.1.100 port 109
rdr sip2 0/0 port 110   -> 192.168.1.100 port 110
rdr sip2 0/0 port 143   -> 192.168.1.100 port 143
rdr sip2 0/0 port 443   -> 192.168.1.100 port 443
rdr sip2 0/0 port 993   -> 192.168.1.100 port 993

map sip2 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map sip2 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
map sip2 192.168.1.0/24 -> 0/32




############################################
# pf.conf
############################################

# Interfaces/Networks

int_if = "sip0"
int_net = "192.168.1.0/24"

dmz_if = "sip1"
dmz_net = "192.168.0.0/24"

ext_if = "sip2"
ext_addr = "xx.xx.xx.xx"

# RFC 3330 http://tools.ietf.org/html/rfc3330
special_nets = "{ 0.0.0.0/8, 10.0.0.0/8, 14.0.0.0/8, 24.0.0.0/8, 39.0.0.0/8, 127.0.0.0/8, 128.0.0.0/16, 169.254.0.0/16, 172.16.0.0/12, 191.255.0.0/16, 192.0.0.0/24, 192.0.2.0/24, 192.88.99.0/24, 192.168.0.0/16, 198.18.0.0/15, 223.255.255.0/24, 224.0.0.0/4, 240.0.0.0/4 }"

# Internal Hosts
web_server = "192.168.1.100"
mail_server = "192.168.1.100"
staging_server = "192.168.1.110"

#set block-policy return

set loginterface $ext_if
set skip on lo0
scrub in

# NAT/Redirection...

nat on $ext_if from $int_net -> $ext_if

rdr on $ext_if proto tcp from any to any port 80 -> $web_server port 80
rdr on $ext_if proto tcp from any to any port 443 -> $web_server port 443
rdr on $ext_if proto tcp from any to any port 8080 -> $staging_server port 80
rdr on $ext_if proto tcp from any to any port 22 -> $staging_server port 22
rdr on $ext_if proto tcp from any to any port 25 -> $mail_server port 25
rdr on $ext_if proto tcp from any to any port 110 -> $mail_server port 110
rdr on $ext_if proto tcp from any to any port 143 -> $mail_server port 143
rdr on $ext_if proto tcp from any to any port 993 -> $mail_server port 993

# Filtering...

block in
pass out keep state
pass in quick on $int_if

block in quick on $ext_if from $special_nets to any
block out quick on $ext_if from any to $special_nets

pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA keep state
pass in quick on $ext_if proto tcp from any to any port 25 flags S/SA keep state
pass in quick on $ext_if proto tcp from any to any port 53 flags S/SA keep state
pass in quick on $ext_if proto tcp from any to any port 80 flags S/SA keep state
pass in quick on $ext_if proto tcp from any to any port 110 flags S/SA keep state
pass in quick on $ext_if proto tcp from any to any port 143 flags S/SA keep state
pass in quick on $ext_if proto tcp from any to any port 993 flags S/SA keep state
pass in quick on $ext_if proto tcp from any to any port 443 flags S/SA keep state

pass in quick on $ext_if proto udp from any to any port 53 keep state
pass in quick on $ext_if proto icmp from any to any
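One difference between the two rule sets that is worth checking before digging into state handling: the pf.conf adds `block out quick on $ext_if from any to $special_nets`, for which the ipfilter configuration has no counterpart, so any site whose resolved address happens to fall inside one of those prefixes is unreachable from the inside under pf only. The script below is an added example, not part of the original post; it evaluates that rule against a list of destination addresses. The host names and addresses in it are constructed placeholders, and the `$special_nets` list is copied from the pf.conf above (several of these prefixes, such as 14.0.0.0/8 and 39.0.0.0/8, have since been allocated as ordinary public address space, so the list should be refreshed rather than reused as is).

```python
import ipaddress

# The $special_nets macro exactly as it appears in the posted pf.conf.
SPECIAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "14.0.0.0/8", "24.0.0.0/8", "39.0.0.0/8",
    "127.0.0.0/8", "128.0.0.0/16", "169.254.0.0/16", "172.16.0.0/12",
    "191.255.0.0/16", "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "223.255.255.0/24", "224.0.0.0/4",
    "240.0.0.0/4",
)]


def matching_net(addr):
    """Return the first $special_nets prefix that contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for net in SPECIAL_NETS:
        if ip in net:
            return net
    return None


def egress_verdict(dst):
    """Simulate 'block out quick on $ext_if from any to $special_nets'.

    Returns ("block", "<prefix>") when the rule would match the destination,
    otherwise ("pass", None); 'quick' means a match is final.
    """
    net = matching_net(dst)
    return ("block", str(net)) if net is not None else ("pass", None)


def audit_resolved(hosts):
    """hosts maps a site name to the addresses its DNS lookup returned.

    Returns {name: [(addr, verdict, prefix), ...]} so that a site which is
    slow or hanging only from the internal net can be checked at a glance.
    """
    return {name: [(a, *egress_verdict(a)) for a in addrs]
            for name, addrs in hosts.items()}


if __name__ == "__main__":
    # Constructed sample input standing in for resolver output.
    sample = {"site-a.example": ["24.10.0.1", "198.51.100.7"],
              "site-b.example": ["192.0.2.10"]}
    for name, results in audit_resolved(sample).items():
        for addr, verdict, prefix in results:
            print(f"{name:16} {addr:16} {verdict}  {prefix or ''}")
```

A destination reported as `block` here is dropped by the pf egress rule without any ICMP error (the `block-policy return` line is commented out), which shows up to a browser as a hang rather than a refusal.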


