Hi there, I am trying to set up a simple PF firewall with dummynet and
despite all my efforts I am failing. I would appreciate a helping
hand, thank you. Below is the setup description and all the details
that might be useful. I've been trying to apply a pass rule for the pipe
on different interfaces, in and out, for global addresses, subnets and
local addresses, and nothing seems to work. My client machine gets the
internet and everything is OK except for the fact that I can't use
dummynet with it. Please let me know if any other info is needed. Thank
you.
My setup is a Raspberry Pi 3B with two interfaces, ue0 (EXT) and ue1 (INT).
No bridge.
ue1 runs dhcpd and dnsmasq to control clients' IP ranges and add some custom DNS resolution.
ue0 runs NAT (PAT) for the ue1:network.
Code:
rc.conf
Skipped generic stuff
# IF
ifconfig_ue1="inet 192.168.31.1 netmask 255.255.255.0"
dhcpd_enable="YES"
dnsmasq_enable="YES"
# Firewall
gateway_enable="YES"
pf_enable="YES"
pflog_enable="YES"
dnctl_enable="YES"
dnctl_program="/sbin/dnctl"
Code:
pf.conf
# Macros and tables
ext_if = "ue0"
int_if = "ue1"
localnet = $int_if:network
# Options
set block-policy drop
set skip on lo0
# Normalization
scrub in all
# NAT (comment out if adding ext_if to bridge)
nat on $ext_if inet from ($localnet) to any -> ($ext_if)
#nat on $ext_if inet6 from ($localnet) to any -> ($ext_if:0)
# RDR anchors, mostly for port forwarding
#rdr-anchor "reggae/*" on $ext_if
#rdr-anchor "services/*" on $ext_if
# rdr-anchor "service/*" on $ext_if
antispoof quick log for ($ext_if) # comment out if adding ext_if to bridge
#anchor "blacklistd/*" in on $ext_if
# Quick rules
#block out quick inet6 all user torrent
pass in quick inet from 192.168.31.12 to any dnpipe 1
# Rules
block in log from any to (self)
pass in inet proto udp to any port bootpc
#pass in inet6 proto udp from fe80::/10 port dhcpv6-server to fe80::/10 port dhcpv6-client
pass in proto tcp to any port ssh
pass in proto { icmp, igmp, icmp6 }
pass in on $int_if proto { tcp, udp } from any to (self)
pass out
Code:
dnctl.conf
pipe 1 config bw 100Kbit
Code:
dnctl pipe show
00001: 100.000 Kbit/s 0 ms burst 0
q131073 50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
sched 65537 type FIFO flags 0x0 0 buckets 0 active
Code:
ifconfig
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
groups: lo
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
ue0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
options=80009<RXCSUM,VLAN_MTU,LINKSTATE>
ether b8:27:eb:ec:b9:ed
inet 192.168.2.70 netmask 0xffffff00 broadcast 192.168.2.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
nd6 options=2b<PERFORMNUD,ACCEPT_RTADV,IFDISABLED,AUTO_LINKLOCAL>
ue1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=68009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
ether a0:ce:c8:5e:c7:1d
inet 192.168.31.1 netmask 0xffffff00 broadcast 192.168.31.255
media: Ethernet autoselect (none)
status: no carrier
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
Code:
pfctl -s all
FILTER RULES:
scrub in all fragment reassemble
block drop in log quick on ! ue0 from (ue0:network) to any
block drop in log quick from (ue0) to any
pass in quick inet from 192.168.31.12 to any flags S/SA keep state dnpipe 1
block drop in log from any to (self)
pass in on ue1 proto tcp from any to (self) flags S/SA keep state
pass in on ue1 proto udp from any to (self) keep state
pass in inet proto udp from any to any port = bootpc keep state
pass in proto tcp from any to any port = ssh flags S/SA keep state
pass in proto icmp all keep state
pass in proto igmp all keep state
pass in proto ipv6-icmp all keep state
pass out all flags S/SA keep state
Code:
scp from target
scp root@192.168.31.12:/root/foo /root/foo
foo 0% 46MB 7.6MB/s 23:00 ETA
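An added example from the editor, not part of the poster's configuration, showing how the pipe assignment interacts with pf's state table: the scp above is initiated from the firewall, so its state is created by the plain `pass out` rule, and every later packet of that connection matches the state and never reaches the `dnpipe` rule. The fragment keeps the original macros and pipe 1; the two-pipe `dnpipe (in, out)` syntax is FreeBSD 13+ pf.conf(5), and pipe 2 plus the `dnctl` lines are assumptions.

```pf
# Added example pf.conf fragment (editor's, not the poster's file). Assumes
# FreeBSD 13+ pf with dummynet support and the macros from the original.
ext_if = "ue0"
int_if = "ue1"
shaped = "192.168.31.12"

# Pipes are configured outside pf.conf, e.g. in dnctl.conf (assumed):
#   pipe 1 config bw 100Kbit     # client -> firewall/Internet
#   pipe 2 config bw 100Kbit     # firewall/Internet -> client

# pf is stateful: a rule's dnpipe is attached to the state that rule
# creates. Packets belonging to an existing state skip the ruleset, so a
# state created by a plain "pass out" (e.g. the firewall's own scp toward
# the client) is never shaped, whichever rule would match its replies.
# Both quick rules below must precede the catch-all block/pass rules.

# Client-initiated connections: the first pipe shapes the direction of the
# rule (in on $int_if, client -> firewall), the second the reverse path.
pass in quick on $int_if inet from $shaped to any dnpipe (1, 2)

# Firewall- or Internet-initiated connections toward the client: this out
# rule creates the state, so it must carry the pipes too, reversed.
pass out quick on $int_if inet from any to $shaped dnpipe (2, 1)
```

After reloading, `pfctl -s states` shows which rule each state belongs to, and `dnctl pipe show` should report non-zero traffic on the pipes while the scp runs.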