freebsd-pf Digest, Vol 266, Issue 5

freebsd-p...@freebsd.org

Nov 1, 2009, 7:00:26 AM
to freeb...@freebsd.org
Send freebsd-pf mailing list submissions to
freeb...@freebsd.org

To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
or, via email, send a message with subject or body 'help' to
freebsd-p...@freebsd.org

You can reach the person managing the list at
freebsd-...@freebsd.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of freebsd-pf digest..."


Today's Topics:

1. Re: freebsd-pf Digest, Vol 266, Issue 4 (Nico De Dobbeleer)
2. Re: freebsd-pf Digest, Vol 266, Issue 4 (Tom Uffner)


----------------------------------------------------------------------

Message: 1
Date: Sat, 31 Oct 2009 22:00:04 +0100 (CET)
From: Nico De Dobbeleer <ni...@elico-it.be>
Subject: Re: freebsd-pf Digest, Vol 266, Issue 4
To: freeb...@freebsd.org
Message-ID: <3350817.188221257022804727.JavaMail.root@zimbra-store>
Content-Type: text/plain; charset=utf-8

Hello,

I have an issue with pf bridge.
This is my setup

Wan --> pf-bridge --> servers (mail, webserver with public IP)

When I activate my pf-bridge FW, it allows the things it should (http, rdp, ssh, ...). But when I try to send a mail, for example, it cannot find the hostname, or when I'm connected to the webserver over RDP I cannot browse.

It's like I can get in to the correct ports but from the inside I'm not allowed to do stuff.

Here's pf-bridge.conf:


#
####################
# Macros
####################

ext_if="em0"
int_if="em1"
mng_if="rl0"
loop_if="lo0"


public_services="{ ssh, http, https, smtp, pop3, imap, 7071, 53, 3389 }"

admin_services="{ ssh, http, https }"

power_services="{ telnet, http }"

# TCP Options
#TCP_Options="flags S/SAFRUP modulate state"

# UDP Options
#UDP_Options="keep state"

#######################
# Tables
#######################

table <all_public_ips> { 62.213.196.XXX/xx }
table <customer_ips> { 62.213.196.xxx, 62.213.196.xxx, 62.213.196.xxx, 62.213.196.xxx, 62.213.196.xxx, 62.213.196.xxx }
table <admin_ips> { 62.213.196.xxx, 62.213.196.xxx, 62.213.196.xxx, 62.213.196.xxx }
table <power_ips> { 62.213.196.xxx, 62.213.196.xxx }

############################################################################
# Normalization rules:
############################################################################
#set block-policy drop
#set fingerprints "/etc/pf.os"
set block-policy return

# scrub incoming packets

scrub in on { $ext_if, $int_if } all fragment reassemble min-ttl 15 max-mss 1400
scrub in on { $ext_if, $int_if } all no-df
scrub on { $ext_if, $int_if } all reassemble tcp

# Don't filter on the loopback interface
set skip on $loop_if

# this should block OS fingerprints??
block in log quick proto tcp flags FUP/WEUAPRSF
block in log quick proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick proto tcp flags SRAFU/WEUAPRSF
block in log quick proto tcp flags /WEUAPRSF
block in log quick proto tcp flags SR/SR
block in log quick proto tcp flags SF/SF

# thwart nmap scans
block in log quick on { $ext_if, $int_if, $mng_if } proto tcp all flags SEFUP/SEFUP
block out log quick on { $ext_if, $int_if, $mng_if } proto tcp all flags SEFUP/SEFUP

############################################################################
# Filter rules:
############################################################################

# Allow public services to customers IP
pass in quick on { $ext_if, $int_if } inet proto { tcp, udp } from any to <customer_ips> port $public_services
pass out quick on { $ext_if, $int_if } inet proto { tcp, udp } from any to <customer_ips> port $public_services


# Allow admin services to admin servers
pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to <admin_ips> port $admin_services
pass out quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to <admin_ips> port $admin_services

# Allow access to powerboots
pass in quick on { $ext_if, $int_if } inet proto tcp from any to <power_ips> port $power_services
pass out quick on { $ext_if, $int_if } inet proto tcp from any to <power_ips> port $power_services

block drop in on $ext_if all
block drop out on $ext_if all
block drop in on $int_if all
block drop out on $int_if all


Any ideas?


------------------------------

Message: 2
Date: Sat, 31 Oct 2009 17:52:15 -0400
From: Tom Uffner <t...@uffner.com>
Subject: Re: freebsd-pf Digest, Vol 266, Issue 4
To: freeb...@freebsd.org
Message-ID: <4AECB18...@uffner.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Nico De Dobbeleer wrote:

> # this should block OS fingerprints??
> block in log quick proto tcp flags FUP/WEUAPRSF
> block in log quick proto tcp flags WEUAPRSF/WEUAPRSF
> block in log quick proto tcp flags SRAFU/WEUAPRSF
> block in log quick proto tcp flags /WEUAPRSF
> block in log quick proto tcp flags SR/SR
> block in log quick proto tcp flags SF/SF
>
> # thwart nmap scans
> block in log quick on { $ext_if, $int_if, $mng_if } proto tcp all flags SEFUP/SEFUP
> block out log quick on { $ext_if, $int_if, $mng_if } proto tcp all flags SEFUP/SEFUP
>
> Any ideas?

Yeah. Replace all of the strange flag combinations with a simple
"block log all" rule.

Get basic firewall functionality working first, then add the fancy
stuff back one rule at a time and test to see what breaks.

And when adding the above rules, think about whether you really
want "quick". I'm amazed that any TCP gets through that ruleset
in either direction.

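As an added illustration (not code from the thread, nor from FreeBSD or pf itself), here is a small Python model of pf rule evaluation applied to the filter section of the pf-bridge.conf in message 1 and to a ruleset rebuilt along the lines of message 2: one "block log all" default first, then pass rules without "quick". The addresses in the tables, the client and resolver IPs, the port numbers used for the service names and the Rule/Packet objects are all constructed here; the model assumes every pass rule keeps state (floating states, matched on either bridge member) and leaves out scrub, logging, the admin/power rules and the TCP-flag rules (a normal SYN does not match any of those flag combinations). The check it performs is the one worth doing on the posted file: every pass rule there matches traffic *to* <customer_ips>, so a connection the servers open themselves, such as the mail server's DNS lookup, only ever reaches the block rules on $int_if.

```python
# Added example: simplified pf evaluation over the thread's bridge ruleset.
from dataclasses import dataclass
from typing import Optional, Set

# Constructed address tables: the thread masks its real ones as 62.213.196.xxx.
CUSTOMER_IPS = {"62.213.196.10", "62.213.196.11"}
PUBLIC_SERVICES = {22, 80, 443, 25, 110, 143, 7071, 53, 3389}  # $public_services
BRIDGE_IFS = {"em0", "em1"}                                     # $ext_if, $int_if


@dataclass
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Packet(Flow):
    iface: str       # bridge member the packet is seen on
    direction: str   # "in" or "out"


@dataclass
class Rule:
    action: str                          # "pass" or "block"
    direction: Optional[str] = None      # None matches both directions
    ifaces: Optional[Set[str]] = None    # None matches any interface
    protos: Optional[Set[str]] = None
    src: Optional[Set[str]] = None       # address table, None = any
    dst: Optional[Set[str]] = None
    dports: Optional[Set[int]] = None    # destination ports, None = any
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.direction in (None, p.direction)
                and (self.ifaces is None or p.iface in self.ifaces)
                and (self.protos is None or p.proto in self.protos)
                and (self.src is None or p.src in self.src)
                and (self.dst is None or p.dst in self.dst)
                and (self.dports is None or p.dport in self.dports))


class Firewall:
    """Last matching rule wins unless a matching rule is 'quick'. Every pass
    creates a floating state so later packets of the flow skip the rules
    (model assumption: all pass rules keep state)."""

    def __init__(self, rules):
        self.rules = rules
        self.states = set()

    @staticmethod
    def _key(f: Flow):
        return (f.proto, f.src, f.sport, f.dst, f.dport)

    def evaluate(self, p: Packet) -> str:
        if self._key(p) in self.states:
            return "pass"
        verdict = "pass"              # pf's implicit default when nothing matches
        for r in self.rules:
            if r.matches(p):
                verdict = r.action
                if r.quick:
                    break
        if verdict == "pass":         # remember the flow in both directions
            self.states.add(self._key(p))
            self.states.add((p.proto, p.dst, p.dport, p.src, p.sport))
        return verdict

    def bridge(self, f: Flow, in_if: str, out_if: str) -> str:
        """A bridged packet is filtered inbound on one member interface and
        outbound on the other; it has to pass both."""
        if self.evaluate(Packet(f.proto, f.src, f.sport, f.dst, f.dport, in_if, "in")) != "pass":
            return "block"
        return self.evaluate(Packet(f.proto, f.src, f.sport, f.dst, f.dport, out_if, "out"))


# Filter section of the posted pf-bridge.conf (admin/power and flag rules omitted).
POSTED_RULES = [
    Rule("pass", "in", BRIDGE_IFS, {"tcp", "udp"}, None, CUSTOMER_IPS, PUBLIC_SERVICES, quick=True),
    Rule("pass", "out", BRIDGE_IFS, {"tcp", "udp"}, None, CUSTOMER_IPS, PUBLIC_SERVICES, quick=True),
    Rule("block", "in", {"em0"}), Rule("block", "out", {"em0"}),
    Rule("block", "in", {"em1"}), Rule("block", "out", {"em1"}),
]

# Rebuilt per the reply: a "block log all" default, then pass rules without quick.
# The last rule is the case the posted file lacks: connections the servers open.
REBUILT_RULES = [
    Rule("block"),
    Rule("pass", None, BRIDGE_IFS, {"tcp", "udp"}, None, CUSTOMER_IPS, PUBLIC_SERVICES),
    Rule("pass", None, BRIDGE_IFS, {"tcp", "udp"}, CUSTOMER_IPS, None, None),
]


def verdicts(rules):
    """Constructed traffic: a web client, the server's DNS query and its reply,
    and a probe of a port that is not published."""
    fw = Firewall(rules)
    return {
        "client->webserver:80": fw.bridge(Flow("tcp", "198.51.100.7", 40001, "62.213.196.10", 80), "em0", "em1"),
        "webserver->resolver:53": fw.bridge(Flow("udp", "62.213.196.10", 50123, "198.51.100.53", 53), "em1", "em0"),
        "resolver->webserver reply": fw.bridge(Flow("udp", "198.51.100.53", 53, "62.213.196.10", 50123), "em0", "em1"),
        "client->webserver:3306": fw.bridge(Flow("tcp", "198.51.100.7", 40002, "62.213.196.10", 3306), "em0", "em1"),
    }


if __name__ == "__main__":
    print("posted: ", verdicts(POSTED_RULES))
    print("rebuilt:", verdicts(REBUILT_RULES))
```

Run it as a plain script and it prints the verdict for each flow under both rulesets: with the posted rules the inbound HTTP connection passes but the server's DNS query is blocked on em1 (and, having no state, so is the reply), which matches the symptoms described; with the rebuilt rules the server-initiated flows pass while the probe of the unpublished port is still blocked by the default rule. The model is deliberately small, so confirm any real change with `pfctl -nf` and `pfctl -s states` on the box rather than trusting it.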
------------------------------

End of freebsd-pf Digest, Vol 266, Issue 5
******************************************
