
freebsd-pf Digest, Vol 270, Issue 2


freebsd-p...@freebsd.org

Nov 24, 2009, 7:00:13 AM11/24/09
to freeb...@freebsd.org
Send freebsd-pf mailing list submissions to
freeb...@freebsd.org

To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
or, via email, send a message with subject or body 'help' to
freebsd-p...@freebsd.org

You can reach the person managing the list at
freebsd-...@freebsd.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of freebsd-pf digest..."


Today's Topics:

1. block ip's and ports (Sife Mailling)
2. Re: block ip's and ports (olli hauer)
3. Re: sending mail with attachments always fails (FreeBSD/pf)
(David DeSimone)


----------------------------------------------------------------------

Message: 1
Date: Mon, 23 Nov 2009 07:35:08 -0800 (PST)
From: Sife Mailling <sife.m...@yahoo.com>
Subject: block ip's and ports
To: freeb...@freebsd.org
Message-ID: <745127....@web113110.mail.gq1.yahoo.com>
Content-Type: text/plain; charset=us-ascii

Salamo Alikom
I set up a firewall for a personal home computer; now I want every packet blocked if it is not going to the specified ports.
This is my pf.conf:
net_card="sis0"
tcp_ports="{80 ,https ,domain ,auth ,21}"
udp_ports="{domain}"
table <banned> file "/etc/pf/banned"
table <banned2> {www.google.com}
block in log (all) on $net_card proto {tcp ,udp} all
pass in on $net_card proto tcp from any to any port $tcp_ports
pass in on $net_card proto udp from any to any port $udp_ports
pass in on $net_card proto tcp from 192.168.0.0/16 to 192.168.0.0/16
block in on $net_card proto tcp from { <banned>, <banned2> } to any port $tcp_ports
pass out on $net_card proto tcp from any to any port $tcp_ports
pass out on $net_card proto udp from any to any port $udp_ports
pass out on $net_card inet proto tcp from any to any port ftp
pass out on $net_card inet proto tcp from any to any port > 1023

Now Skype works, and with both tables, banned and banned2, I can browse sites, including those listed in them.


------------------------------

Message: 2
Date: Mon, 23 Nov 2009 17:22:41 +0100
From: olli hauer <oha...@gmx.de>
Subject: Re: block ip's and ports
To: Sife Mailling <sife.m...@yahoo.com>
Cc: freeb...@freebsd.org
Message-ID: <4B0AB6D1...@gmx.de>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Sife Mailling wrote:
> Salamo Alikom
> I set up a firewall for a personal home computer; now I want every packet blocked if it is not going to the specified ports.
> This is my pf.conf:
> net_card="sis0"
> tcp_ports="{80 ,https ,domain ,auth ,21}"
> udp_ports="{domain}"
> table <banned> file "/etc/pf/banned"
> table <banned2> {www.google.com}
> block in log (all) on $net_card proto {tcp ,udp} all
> pass in on $net_card proto tcp from any to any port $tcp_ports
> pass in on $net_card proto udp from any to any port $udp_ports
> pass in on $net_card proto tcp from 192.168.0.0/16 to 192.168.0.0/16
> block in on $net_card proto tcp from { <banned>, <banned2> } to any port $tcp_ports
> pass out on $net_card proto tcp from any to any port $tcp_ports
> pass out on $net_card proto udp from any to any port $udp_ports
> pass out on $net_card inet proto tcp from any to any port ftp
> pass out on $net_card inet proto tcp from any to any port > 1023
>
> Now Skype works, and with both tables, banned and banned2, I can browse sites, including those listed in them.
>

Try the quick keyword, so that traffic is not allowed by later rules.

Additionally, disable outgoing traffic, since if you create a connection from
inside to <banned>, a state which permits incoming traffic is created.

example ordering:

table <banned> file "/etc/pf/banned"
table <banned2> {www.google.com}
block in log (all) on $net_card proto {tcp ,udp} all
block in quick on $net_card proto tcp from { <banned>, <banned2> } \
to any port $tcp_ports label blockin
block out quick on $net_card proto tcp from { <banned>, <banned2> } \
to any port $tcp_ports label blockout
pass in on $net_card proto tcp from any to any port $tcp_ports
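
To make the two points in this reply concrete, here is a small Python model of
pf's decision procedure. It is an added example, not pf code and not something
posted in the thread: it keeps only the behaviours the thread turns on (a packet
that matches an existing state entry is passed before the ruleset is looked at,
the last matching rule wins unless a matching rule says quick, and a pass for a
new connection creates state in both directions) and ignores interfaces, TCP
flags and everything else. It then runs Sife's ruleset and the quick-first
ordering over constructed packets. The home address 192.168.1.10, the banned
addresses 198.51.100.0/24 and 203.0.113.10 (standing in for <banned> and the
resolved <banned2>), and the port numbers are all made up; note that the
outbound block in the model matches on the destination address, because a
connection from the home machine to a banned host carries that host as its
destination.

```python
"""Toy model of pf's decision procedure (added example, not pf code): a packet
matching an existing state is passed before the ruleset is consulted; otherwise
the LAST matching rule wins unless a matching rule says 'quick', which ends the
walk; a pass for a new connection creates state covering both directions.
All addresses, ports and packets below are constructed for the example."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out"
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # first packet of a TCP connection

@dataclass(frozen=True)
class Rule:
    action: str                 # "block" or "pass"
    direction: str              # "in" or "out"
    quick: bool = False
    proto: str = None           # None = any protocol
    src: tuple = None           # tuple of ip_network, None = any
    dst: tuple = None
    dport: frozenset = None     # set of ports, None = any

    def matches(self, p):
        return (self.direction == p.direction
                and (self.proto is None or self.proto == p.proto)
                and in_nets(p.src, self.src) and in_nets(p.dst, self.dst)
                and (self.dport is None or p.dport in self.dport))

def in_nets(addr, networks):
    return networks is None or any(ipaddress.ip_address(addr) in n for n in networks)

def nets(*cidrs):
    return tuple(ipaddress.ip_network(c) for c in cidrs)

class ToyPf:
    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()     # (proto, src, sport, dst, dport) of passed flows

    def filter(self, p):
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reply = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.states or reply in self.states:   # (1) state lookup first
            return "pass (state)"
        decision = "pass"       # pf passes a packet that matches no rule at all
        for rule in self.rules:                          # (2) last match wins ...
            if rule.matches(p):
                decision = rule.action
                if rule.quick:                           # ... unless quick
                    break
        if decision == "pass" and (p.syn or p.proto == "udp"):
            self.states.add(key)                         # (3) new flow gets state
        return decision

# The two rulesets from the thread, reduced to the TCP rules that matter here.
TCP_PORTS = frozenset({80, 443, 53, 113, 21})        # {80, https, domain, auth, 21}
HIGH_PORTS = frozenset(range(1024, 65536))           # port > 1023
BANNED = nets("198.51.100.0/24", "203.0.113.10/32")  # <banned> plus <banned2>, constructed
LAN = nets("192.168.0.0/16")

ORIGINAL = [  # Sife's ordering: the block rule is followed by pass rules
    Rule("block", "in"),
    Rule("pass", "in", proto="tcp", dport=TCP_PORTS),
    Rule("pass", "in", proto="tcp", src=LAN, dst=LAN),
    Rule("block", "in", proto="tcp", src=BANNED, dport=TCP_PORTS),
    Rule("pass", "out", proto="tcp", dport=TCP_PORTS),
    Rule("pass", "out", proto="tcp", dport=HIGH_PORTS),
]
FIXED = [  # quick-first ordering: block both directions before any pass rule
    Rule("block", "in"),
    Rule("block", "in", quick=True, proto="tcp", src=BANNED, dport=TCP_PORTS),
    Rule("block", "out", quick=True, proto="tcp", dst=BANNED, dport=TCP_PORTS),
    Rule("pass", "in", proto="tcp", dport=TCP_PORTS),
    Rule("pass", "out", proto="tcp", dport=TCP_PORTS),
    Rule("pass", "out", proto="tcp", dport=HIGH_PORTS),
]
HOME, BANNED_WEB, OTHER_WEB = "192.168.1.10", "203.0.113.10", "192.0.2.40"

def browse_banned(rules):
    """Home box connects to a banned web server, the server answers, then
    another banned host tries an unsolicited inbound connection."""
    fw = ToyPf(rules)
    return [fw.filter(Packet("out", "tcp", HOME, 2035, BANNED_WEB, 80, syn=True)),
            fw.filter(Packet("in", "tcp", BANNED_WEB, 80, HOME, 2035)),
            fw.filter(Packet("in", "tcp", "198.51.100.7", 40000, HOME, 80, syn=True))]

def browse_allowed(rules):
    """Same exchange with a server in neither table: must keep working."""
    fw = ToyPf(rules)
    return [fw.filter(Packet("out", "tcp", HOME, 2036, OTHER_WEB, 80, syn=True)),
            fw.filter(Packet("in", "tcp", OTHER_WEB, 80, HOME, 2036))]
```

Calling browse_banned(ORIGINAL) gives pass for the outbound SYN, pass (state)
for the server's answer and block only for the unsolicited inbound attempt:
the outbound pass rule created a state entry, and the reply rides on it without
ever reaching the block rule, which is exactly the "I can browse sites
including those listed" observation. browse_banned(FIXED) blocks all three
packets, because the quick block out rule ends evaluation before any pass rule
is reached and so no state is ever created; browse_allowed() returns pass and
pass (state) under both orderings, so ordinary browsing is unaffected.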


------------------------------

Message: 3
Date: Mon, 23 Nov 2009 16:17:18 -0600
From: "David DeSimone" <f...@verio.net>
Subject: Re: sending mail with attachments always fails (FreeBSD/pf)
To: <freeb...@freebsd.org>
Message-ID: <2009112322...@verio.net>
Content-Type: text/plain; charset="US-ASCII"

Victor Lyapunov <fullbla...@gmail.com> wrote:
>
> After that i tried to send mail to a server that does not require ssl
> and i got this:
>
> rule 1/0(match): pass in on em0: 192.168.0.5.2035 > 94.100.177.1.25: S
> 237079791:237079791(0) win 65535 <mss 1460,nop,nop,sackOK>
> rule 1/0(match): pass out on em0: 192.168.0.5.2035 > 94.100.177.1.25:
> S 237079791:237079791(0) win 65535 <mss 1460,nop,nop,sackOK>
> 2 packets captured
> 2 packets received by filter
> 0 packets dropped by kernel

This doesn't appear to be the same problem you originally submitted,
about SMTP connections with no attachments working fine, but with
attachments they fail. Seems like you are now describing that SMTP
doesn't work at all.

> 192.168.0.1 -- Router
> 192.168.0.3 -- The FreeBSD box
> 192.168.0.5 -- Windows machine with default gateway set to 192.168.0.3

This is probably the source of your problems. Your router and your
firewall and your firewalled client are all on the same subnet together.
There is nothing preventing the router from sending packets directly
back to the Windows box, bypassing your firewall.

As such, the firewall cannot see any of the reply traffic, and so it
cannot follow the TCP state correctly, so eventually it begins to block
the traffic. If you turn on logging with "pfctl -x loud" you will
probably see a lot of messages about TCP state mismatches.

The proper way to fix this is to rearchitect your network so that your
firewall has two interfaces, one public, one private. The public
interface connects only to your router, while the private interface
connects to all your firewall clients. This forces the firewall to be
the only path to and from the network, giving enhanced security.

--
David DeSimone == Network Admin == f...@verio.net
"I don't like spinach, and I'm glad I don't, because if I
liked it I'd eat it, and I just hate it." -- Clarence Darrow




------------------------------

End of freebsd-pf Digest, Vol 270, Issue 2
******************************************
