pf and citrix ica

I posted this in the BSD group as well but hoping someone here can help with this. If you can, many thanks!!

Running OpenBSD 3.7 and PF.

I am having trouble creating a rule to allow connections to a Citrix server through my pf firewall. I see multiple matches to my rules but I can never establish a connection with the Citrix server. If I bypass the pf firewall I can connect. When I sniff my external if or my pflog0 interface I do not see anything being blocked or reset - the connection never gets established.

I am using the new Citrix client which tries 3 times to connect on tcp 2598 then tries the tcp 1494 port. This Citrix server is using 1494.

Anyone have any ideas what I am doing wrong? Here is my config (you'll see some rules that are commented out that I have tried but without success):

ext_if="xl0"
int_if="fxp0"
lan_net = "192.168.11.0/24"
nattwo = "192.168.11.50"
citrix = "xxx.xxx.xxx.xxx"

scrub in

nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#rdr on $ext_if proto tcp from any to any port 1494 -> $nattwo
#rdr on $ext_if proto tcp from any to any port 2598 -> $nattwo
#rdr on $ext_if from $citrix -> $nattwo

block in log all
pass out log keep state

pass quick log on { lo $int_if }
#antispoof quick for { lo $int_if }

pass in log on $ext_if proto tcp to ($ext_if) port ssh keep state
#pass in log on $ext_if proto tcp to ($ext_if) port 1494 keep state
#pass in on $ext_if proto tcp to ($ext_if) port > 49151 user proxy keep state
#pass in log on $ext_if proto tcp to ($ext_if) port smtp keep state
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp keep state
#pass out on $ext_if proto tcp all modulate state flags S/SA
#pass out on $ext_if proto { udp, icmp } all keep state
pass in on $int_if from $lan_net to any
pass out log on $int_if from any to $lan_net
pass out log on $ext_if proto tcp all modulate state flags S/SA
pass out log on $ext_if proto { udp, icmp } all keep state
#pass in on $ext_if proto tcp to ($ext_if) port 1494 keep state
#pass in log on $ext_if from $citrix to any
#pass out log on $ext_if from $citrix to any

Reply to
CG

Ever heard about crossposting?

I don't do BSD, so I'm not much help here, sorry.

Joachim

Reply to
Joachim Schipper

Greg -

Thanks for your tips. I tried them but still wasn't able to get the Citrix ICA client to pass. Routing is indeed enabled.

This one is very odd.

Reply to
CG

Have you sniffed on both the ingress and egress interfaces to confirm that routing is indeed enabled?

The above I assume is citrix; a portforward through NAT is not going to work without it.

A basic 'keep state' on its own is not secure as any packet can be used to establish state.

You should be using 'flags S/SA' at the end so that only the 1st part of the 3 way handshake can establish state.

Ditto

And ditto * 3

Recommend you look closely at using pf tags instead, it makes for much shorter and easier to debug policies.

e.g. from a running policy here, tagging removes the need to create individual egress rules & also does classification for shaping.

pass out log quick to ! user root $KS tag normpri queue (q_def, q_pri)

pass in log quick on $Int $TCP from to ! $KSF tag outbound queue (q_p2p, q_pri)
pass in log quick on $Int $UDP from to ! $KS tag outbound queue q_p2p

# pass tagged traffic on the outside interface.

pass in log quick on $Int $TCP from to ! port { $UsefulServices } $KSF tag normpri queue (q_def, q_pri)

pass out quick on $Ext $TCP $KSF tagged normpri queue (q_def, q_pri)
pass out quick on $Ext $UDP $KS tagged normpri queue q_def

greg

Reply to
Greg Hennessy

Greg - thanks again for the reply. Here is a capture of my inside interface (I have replaced the name of the actual citrix server):

# tcpdump -vv -i fxp0 host xxx.xxx.xxx.xxx
tcpdump: listening on fxp0, link-type EN10MB

10:24:02.828185 192.168.11.50.2039 > citrx.replaced.com.2598: S [tcp sum ok] 1293194921:1293194921(0) win 16384 (DF) (ttl 127, id 8016, len 48)
10:24:05.716313 192.168.11.50.2039 > citrx.replaced.com.2598: S [tcp sum ok] 1293194921:1293194921(0) win 16384 (DF) (ttl 127, id 8044, len 48)
10:24:11.752032 192.168.11.50.2039 > citrx.replaced.com.2598: S [tcp sum ok] 1293194921:1293194921(0) win 16384 (DF) (ttl 127, id 8102, len 48)
10:24:23.725325 192.168.11.50.2039 > citrx.replaced.com.1494: S [tcp sum ok] 3003329965:3003329965(0) win 16384 (DF) (ttl 127, id 8422, len 48)
10:24:26.740755 192.168.11.50.2039 > citrx.replaced.com.1494: S [tcp sum ok] 3003329965:3003329965(0) win 16384 (DF) (ttl 127, id 8456, len 48)
10:24:32.776494 192.168.11.50.2039 > citrx.replaced.com.1494: S [tcp sum ok] 3003329965:3003329965(0) win 16384 (DF) (ttl 127, id 8504, len 48)

outside interface:

# tcpdump -vv -i xl0 host xxx.xxx.xxx.xxx
tcpdump: listening on xl0, link-type EN10MB

10:26:47.738555 my.outside.ip.com.56756 > citrx.replaced.com.2598: S [tcp sum ok] 217683357:217683357(0) win 16384 (DF) (ttl 126, id 10520, len 48)
10:26:50.709934 my.outside.ip.com.56756 > citrx.replaced.com.2598: S [tcp sum ok] 217683357:217683357(0) win 16384 (DF) (ttl 126, id 10548, len 48)
10:26:56.645028 my.outside.ip.com.56756 > citrx.replaced.com.2598: S [tcp sum ok] 217683357:217683357(0) win 16384 (DF) (ttl 126, id 10608, len 48)
10:27:08.718154 my.outside.ip.com.62213 > citrx.replaced.com.1494: S [tcp sum ok] 339210338:339210338(0) win 16384 (DF) (ttl 126, id 10710, len 48)
10:27:11.734320 my.outside.ip.com.62213 > citrx.replaced.com.1494: S [tcp sum ok] 339210338:339210338(0) win 16384 (DF) (ttl 126, id 10744, len 48)
10:27:17.770042 my.outside.ip.com.62213 > citrx.replaced.com.1494: S [tcp sum ok] 339210338:339210338(0) win 16384 (DF) (ttl 126, id 11016, len 48)

Reply to
CG

Have you sniffed on both interfaces using tcpdump to see if the initial SYN packet transited and got a SYN/ACK back?

greg

Reply to
Greg Hennessy

Routing is fine because any other host at the same location as this Citrix box is reachable (http/https/smtp/pop3). If I bypass my pf firewall I can open up connections all day long.

I see the same thing you are saying - it doesn't look as if this Citrix server is replying. Although, if I go directly to the Internet it is fine. Also, I tried this with a Cisco PIX and was able to reach it fine as well (PIX 501 6.3).

I'm baffled.

Your capture requests (I replaced my IP and Citrix server IP):

# tcpdump -s 96 -n -i xl0 port 1494
tcpdump: listening on xl0, link-type EN10MB

16:22:09.184622 my.ip.address.55820 > citrix.server.ip.1494: S 1951175996:1951175996(0) win 16384 (DF)
16:22:12.198769 my.ip.address.55820 > citrix.server.ip.1494: S 1951175996:1951175996(0) win 16384 (DF)
16:22:18.133853 my.ip.address.55820 > citrix.server.ip.1494: S 1951175996:1951175996(0) win 16384 (DF)

16:22:09.184374 192.168.11.50.4380 > citrix.server.ip.1494: S 3516593264:3516593264(0) win 16384 (DF)
16:22:12.198572 192.168.11.50.4380 > citrix.server.ip.1494: S 3516593264:3516593264(0) win 16384 (DF)
16:22:18.133649 192.168.11.50.4380 > citrix.server.ip.1494: S 3516593264:3516593264(0) w>
Reply to
CG
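Greg's check (did the SYN transit and did a SYN/ACK come back?) applied to the captures posted above, as an added example that is not from the thread: it parses old-style tcpdump lines, reports every 4-tuple that only ever sent SYNs, and pairs the inside and outside SYNs to show the source-port rewrite the default nat rule performs (the rewrite the 'static-port' option mentioned later in the thread suppresses). Assumes Python 3; the sample lines are taken from the posted captures with the retransmits trimmed.

```python
import re
from collections import defaultdict

# Sample lines taken from the fxp0 (inside) and xl0 (outside) captures posted
# in the thread, with the repeated retransmits trimmed.
INSIDE_CAPTURE = """\
10:24:02.828185 192.168.11.50.2039 > citrx.replaced.com.2598: S [tcp sum ok] 1293194921:1293194921(0) win 16384 (DF)
10:24:05.716313 192.168.11.50.2039 > citrx.replaced.com.2598: S [tcp sum ok] 1293194921:1293194921(0) win 16384 (DF)
10:24:23.725325 192.168.11.50.2039 > citrx.replaced.com.1494: S [tcp sum ok] 3003329965:3003329965(0) win 16384 (DF)
"""
OUTSIDE_CAPTURE = """\
10:26:47.738555 my.outside.ip.com.56756 > citrx.replaced.com.2598: S [tcp sum ok] 217683357:217683357(0) win 16384 (DF)
10:27:08.718154 my.outside.ip.com.62213 > citrx.replaced.com.1494: S [tcp sum ok] 339210338:339210338(0) win 16384 (DF)
"""

# Old tcpdump line shape: "<ts> <src>.<sport> > <dst>.<dport>: <flags> ..."
# A SYN/ACK from the server shows up as flags "S" plus an "ack <n>" field.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse(capture):
    """Yield (src, sport, dst, dport, is_syn, is_ack) for each parsable line."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            rest = m["rest"]
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                   rest.startswith("S"), " ack " in rest)


def unanswered_connections(capture):
    """Map each 4-tuple that sent SYNs but never saw a SYN/ACK to its SYN count."""
    syns, answered = defaultdict(int), set()
    for src, sport, dst, dport, is_syn, is_ack in parse(capture):
        if is_syn and is_ack:            # server's SYN/ACK: reverse the tuple
            answered.add((dst, dport, src, sport))
        elif is_syn:
            syns[(src, sport, dst, dport)] += 1
    return {k: n for k, n in syns.items() if k not in answered}


def nat_port_rewrites(inside, outside):
    """Pair the first inside/outside SYN per destination to expose the nat source-port rewrite."""
    def first_sport(cap):
        seen = {}
        for src, sport, dst, dport, is_syn, is_ack in parse(cap):
            if is_syn and not is_ack:
                seen.setdefault((dst, dport), sport)
        return seen
    i, o = first_sport(inside), first_sport(outside)
    return {k: (i[k], o[k]) for k in i if k in o and i[k] != o[k]}
```

Run over the two captures it lists every attempt as unanswered on both sides and shows inside port 2039 leaving xl0 as 56756 and 62213, which is the point at which a reply would be expected to show up on xl0 first if the far end ever sent one.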

Try it with just

tcpdump -s 96 -n -i fxp0 port 1494

& the same on xl0

to ensure that you're capturing both parts of the conversation.

FWICS here, your citrix box is not replying to the inbound traffic. Do you have some form of win32 ipsec policy based packet filtering on it?

Or is routing configured correctly?

Greg

Reply to
Greg Hennessy

Is the netmask on the citrix box set correctly for the subnet?

It wouldn't be the 1st time a typo had me scratching my head for hours on end.

Recommend installing windump on the citrix box and sniffing to see what it's receiving, if at all.

That confirms it, the remote server is not answering. Time to sniff on it.

Greg

Reply to
Greg Hennessy

Greg - thanks again for the reply.

I'm almost giving up. I know the mask is OK on the Citrix server. I'm many hops away and if I use the same IP address as the pf firewall for my client (move my box to the outside and shutdown the fw) I can establish a session with the Citrix server. I don't understand why I am not seeing any return traffic. I don't own the Citrix server so I can't really sniff traffic on it.

Any other ideas? This is a weird one.

I can telnet to port 1494 (citrix) on the Citrix server and I get a connect. I see the two way traffic then.

Reply to
CG

Greg - someone from the openbsd mailing lists sent me this line (which works!):

nat on $ext_if from $int_if:network to any -> ($ext_if:0) static-port

Reply to
CG

Hmmm, that would appear to indicate that the replies are not being statefully matched from the internal citrix server.

A 'rdr pass' is implicitly stateful, so it shouldn't match against an egress nat.

greg

Reply to
Greg Hennessy
