
Re: (U) More problems with pf



Classification: UNCLASSIFIED

You'll notice that when you specify more than one port using
a set of {}'s, the '=' needn't be there. That's why your entry
related to the {a, b, c} structure isn't working: it doesn't
need an '=' sign.
-Josh
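As an added example (not from any message in this thread), here are the list and macro forms the thread turns on, in OpenBSD 3.x pf.conf syntax, using only the interface names, addresses and macros from James's pf.conf quoted below; the broken line is kept commented out, as it was in his file:

```pf
# Added example, not from the thread. Interface names and addresses are the
# ones James posted; the syntax is that of pf.conf(5) as quoted in the thread.
ext_if = "fxp0"
int_if = "fxp1"
inside = "192.168.0.0/24"

# A macro may hold a whole list; the braces are part of the macro text.
spoofs = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 }"
noise  = "{ 137, 138, 139 }"

# Broken: '=' is a comparison operator and takes exactly one port, so a list
# after it is a parse error and pfctl rejects the rule set.
# block in quick on $int_if inet proto udp from $inside to any port = $noise

# Correct: a list follows 'port' with no operator. pf expands each of these
# into three rules, one per port, as if 137, 138 and 139 were written out.
block in quick on $int_if inet proto udp from $inside to any port $noise
block in quick on $int_if inet proto tcp from $inside to any port $noise

# A single port may carry any of the operators pf.conf(5) lists (=, !=, <, >, ...).
pass in quick on $int_if inet proto tcp from $inside to any port = 22 keep state

# Address lists expand the same way, so one rule covers every spoofed range.
block in  log quick on $ext_if inet from $spoofs to any
block out log quick on $ext_if inet from any to $spoofs
```

Running `pfctl -nf /etc/pf.conf` parses the file without loading it, so a rejected `port = { ... }` line is reported before any live rule changes.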

-----Original Message-----
From: James Wilde [mailto:james.wilde@telia.com]
Sent: Thursday, March 21, 2002 12:31 AM
To: Robert Schwartz; misc @ OpenBSD.org
Subject: Re: More problems with pf


Thanks to Robert who has solved most of my problems.  The only one remaining
is that I can't do dns lookups _from_ the firewall but I can do them
_through_ the firewall!  And that behaviour is the same even if I disable
pf, so it is nothing to do with my rules.  I'm now very suspicious of this
installation of OpenBSD now, not just because of this, so I'm going to
re-install tonight and start over.  However, thanks to the many replies, I
now have a firmer base on which to work.

BTW from many messages which I have received privately there seems to be a
widespread misunderstanding that one cannot use = in port statements, such
as my port = { 137, 138, 139 }.  I quote from pf.conf(5):


     The host and port specifications are optional, as the following examples
     show:

         pass in all
         pass in from any to any
         pass in proto tcp from any port <= 1024 to any
         pass in proto tcp from any to any port = 25
         pass in proto tcp from 10.0.0.0/8 port > 1024 to ! 10.1.2.3 port != 22

So not only can - should? - you use 'port =' but you can use < and > also.
Besides, all my other lines have port = nn and they work.  The bit that
doesn't work is the macro expansion, and that seems to be related to the {
a, b, c } structure since $spoofs doesn't work either.

mvh/regards

James


> -----Original Message-----
> From: owner-misc@openbsd.org [mailto:owner-misc@openbsd.org]On Behalf Of
> Robert Schwartz
> Sent: Wednesday, March 20, 2002 10:19 PM
> To: james.wilde@telia.com; misc @ OpenBSD.org
> Subject: Re: More problems with pf
>
>
> See in-line comments on the pf file.  Hope this helps.
>
> I always log all new rules, then check the functionality against pflog
> and pfctl -s all to see if there are redundant rules or rules that
> aren't required then prune them out.
>
>
> > -----Original Message-----
> > From: James Wilde [mailto:james.wilde@telia.com]
> > Sent: Wednesday, March 20, 2002 12:48 PM
> > To: misc @ OpenBSD.org
> > Subject: More problems with pf
> >
> > I'm wondering if the spec of pf has been changed since the various guides
> > have been published.  I'm having a great deal of trouble getting it to work
> > as I wish.  I have used ip-filter on FreeBSD before but I'm new to both pf
> > and OpenBSD, so I hope you will bear with me, especially as I have noted
> > from the mailing list that pf seems to account for a significant share of
> > the messages.
> >
> > My set up is that I have ADSL on the outside, which will soon be taking over
> > from the old ISDN link.  I have an OpenBSD firewall directly behind the ADSL
> > modem, with three NICs, one for the outside, one for the hosts on the inside
> > and one for the only app server (OpenBSD) on a DMZ.  On this machine I'm
> > planning to run dns, smtp and my pop and imap servers, using redirect in the
> > nat.conf but that's another story.
> >
> > On both OpenBSD machines I am running Openssh protocol 2 with RSA and DSA
> > keys.
> >
> > At the bottom of this message I have my pf.conf and I have several problems
> > with it.
> >
> > 1) It won't expand the two macros, spoofs and noise.  You can see where I
> > want to use $spoofs and $noise as I have the original rows commented out.
> >
> > 2) The last line, passing out dns to the DMZ is intended for the case where
> > the firewall itself wants to do a dns lookup.  Since the only other rules
> > for dns pass in on any, I assume there must be a rule to pass out when the
> > dns query originates from within the firewall and no inwards traffic is
> > involved.  But still it doesn't work.
> >
> > 3) Notwithstanding the last line on the int_if, which should allow any tcp
> > traffic to anywhere on any port so long as it comes from the inside network,
> > I can't ssh to the app machine when pf is running.  As soon as I disable it,
> > I can ssh without problem.  If this was IP-Filter, I would say that I needed
> > a corresponding line out on the dmz_if, but according to the documentation,
> > I shouldn't need that.
> >
> > Suggestions welcome.  I'm actually wondering if I have a corrupt setup on
> > the firewall machine, and am planning to reinstall.
> >
> > TIA
> >
> > mvh/regards
> >
> > James
> >
> >
> >
> > # cat pf.conf
> >
> > snip
> >
> > ext_if = "fxp0"
> > int_if = "fxp1"
> > dmz_if = "vr0"
> >
> > # some other definitions:
> >
> > ext_ip = "123.456.789.012/32"
> > int_ip = "192.168.0.254/32"
> > dmz_ip = "192.168.1.254/32"
> > inside = "192.168.0.0/24"
> > office = "195.123.456.0/24"
> > dmz    = "192.168.1.0/24"
> > # spoofs = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 }"
>
> #add 127.0.0.1/8 to your list of potential spoofed addresses
>
> > # noise  = "{ 137, 138, 139 }"
> >
> > # default is to block and log everything
> >
> > block in log all
> # This is the heart of one or two of your problems.
> # For simplicity, try this instead: (makes many of the suggested rules
> # redundant).  There's a lot more blocking rules you
> # can have here also.
>
> block out log on $ext_if all
> block in log on $ext_if all
>
> >
> > # allow incoming DNS queries on any interface
> >
> > pass  in     quick            inet proto tcp from any     to any port = 53 keep state
> > pass  in     quick            inet proto udp from any     to any port = 53
> >
> #try to keep state here and allow them out too (for problem #2)
> pass in log quick inet proto udp from any to any port = domain keep state
> pass out log quick inet proto udp from any to any port = domain keep state
>
> > # normalize incoming packets on external interface
> >
> > scrub in           on $ext_if all
> >
> > # block packets from spoofs
> >
> > #block in  log quick on $ext_if inet           from $spoofs to any
>
> #try (for problem #1):
> block in log quick on $ext_if from $spoofs to any
> block out log quick on $ext_if from any to $spoofs
>
> > block in  log quick on $ext_if inet           from 10.0.0.0/8 to any
> > block in  log quick on $ext_if inet           from 172.16.0.0/12 to any
> > block in  log quick on $ext_if inet           from 192.168.0.0/16 to any
> > block in  log quick on $ext_if inet           from 255.255.255.255/32 to any
> > block out log quick on $ext_if                from ! 123.456.789.012 to any
> >
> > # allow incoming ssh and smtp on external interface
> >
> > pass  in     quick on $ext_if inet proto tcp from $office to any port = 22 keep state
> #for problem #3, you're allowing anyone from the "office" net to ssh to your
> # external nic.  Add a "log" to this rule (and keep that log'ed forever)
> # to ssh to it from the "inside" network:
> pass in log quick on $int_if inet proto tcp from $inside to $int_ip port 22
>
> > pass  in     quick on $ext_if inet proto tcp from any     to any port = 25 keep state
> > pass  in     quick on $ext_if inet proto tcp from any     to any port = 113 keep state
> > pass  out    quick on $ext_if inet proto tcp from any     to any port = 53 keep state
> >
> > # allow all incoming traffic except Windows noise on internal interface
> >
> > #block in     quick on $int_if inet proto udp from $inside to any port = $noise
> > block in     quick on $int_if inet proto udp from $inside to any port = 137
> > block in     quick on $int_if inet proto udp from $inside to any port = 138
> > block in     quick on $int_if inet proto udp from $inside to any port = 139
> > #block in     quick on $int_if inet proto tcp from $inside to any port = $noise
> > block in     quick on $int_if inet proto tcp from $inside to any port = 137
> > block in     quick on $int_if inet proto tcp from $inside to any port = 138
> > block in     quick on $int_if inet proto tcp from $inside to any port = 139
> > pass  in     quick on $int_if inet proto tcp from $inside to any keep state
> >
> > # allow outgoing dns from gw1 to app1
> >
> > pass  out    quick on $dmz_if inet proto tcp from any     to any port = 53 keep state
>
> #probably don't need this here now, but add "log" to it and use pflog to
> #determine if it's redundant.
> >
> > # EOF
