
pf rules


kalin m

Jan 22, 2010, 2:50:58 AM
to freebsd-...@freebsd.org

Hi all...

Doing testing with pf...

How is it possible that, if I have these rules below in pf.conf, when I do:
telnet that.host.org 25

i get:
Trying xx.xx.xx.xx...
Connected to that.host.org.
Escape character is '^]'.
........... etc .......


pf.conf contents:

tcp_in = "{ www, https }"
ftp_in = "{ ftp }"
udp = "{ domain, ntp }"
ping = "echoreq"

set skip on lo
scrub in

antispoof for eth0 inet

block in all
pass out all keep state
pass proto udp to any port $udp
pass inet proto icmp all icmp-type $ping keep state
pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state
pass proto tcp to any port ssh

thanks....

S4mmael

Jan 22, 2010, 3:32:51 AM
to kalin m, freebsd-...@freebsd.org
If I guess your idea right, you should specify the direction like this:
pass in proto udp to any port $udp

"pass proto udp to any port $udp" passes traffic in both directions
(incoming and outgoing).

2010/1/22 kalin m <ka...@el.net>:

> _______________________________________________
> freebsd-...@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-securi...@freebsd.org"
>

Patrick Proniewski

Jan 22, 2010, 4:09:30 AM
to kalin m, freebsd-...@freebsd.org
On 22 Jan. 10, at 08:50, kalin m wrote:

> How is it possible that, if I have these rules below in pf.conf, when I
> do:
> telnet that.host.org 25
>
> i get:
> Trying xx.xx.xx.xx...
> Connected to that.host.org.
> Escape character is '^]'.
> ........... etc .......


quite strange.

What does `pfctl -s all` return?

patpro

Laurent Frigault

Jan 22, 2010, 4:39:55 AM
to kalin m, freebsd-...@freebsd.org
On Fri, Jan 22, 2010 at 02:50:58AM -0500, kalin m wrote:
> doing testing with pf...
>
> How is it possible that, if I have these rules below in pf.conf, when I do:
> telnet that.host.org 25
>
> i get:
> Trying xx.xx.xx.xx...
> Connected to that.host.org.
> Escape character is '^]'.
> ........... etc .......
>
>
> pf.conf contents:
...
> set skip on lo
....

Are you in a jail, and/or is that.host.org a local IP routed via lo0?

--
Laurent Frigault | <url:http://www.agneau.org/>

Jason V. Miller

Jan 22, 2010, 10:35:45 AM
to kalin m, freebsd-...@freebsd.org
Others have already given some good feedback (and asked some good
questions), but:

> pass out all keep state

You're allowing out the initial TCP SYN, and creating a state entry for the
connection here. You should be able to make outgoing connections anywhere
with this rule.

Once a state entry gets created, the state table will match on the traffic
for the session, and the rules list won't have to be evaluated.

J.

--
Jason V. Miller
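Jason's point above (the outbound SYN matches "pass out all keep state", a state entry is created, and the rest of the flow never touches the rules again) and S4mmael's earlier point (a rule with no "in"/"out" matches both directions) both fall out of how pf walks a ruleset: top to bottom, last matching rule wins unless a match says "quick", no match at all means pass. The toy evaluator below is an added example, not code from this thread or from pf itself; it parses only the subset of pf.conf syntax kalin used, ignores addresses, interfaces and "flags", and pushes constructed packets (documentation-range addresses, made-up ports) through kalin's rules and through a hypothetical tightened ruleset (TIGHT_RULES, mine, not anything the thread proposes) in which every rule carries a direction and outbound traffic is blocked by default.

```python
"""Toy model of how pf walks kalin's ruleset (added example, not pf's own code).
Models only what the thread turns on: rules are checked top to bottom and the
LAST match wins (a matching 'quick' rule stops the walk); a rule with no 'in'
or 'out' matches both directions; a matching stateful pass rule adds a state
entry and later packets of that flow, either direction, never reach the rules;
with no match at all pf passes. Addresses, interfaces and flags are not modeled.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

SERVICES = {"www": 80, "https": 443, "ssh": 22, "smtp": 25, "domain": 53, "ntp": 123}

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: Optional[str]     # "in", "out" or None (= both directions)
    proto: Optional[str]         # "tcp", "udp", "icmp" or None (= any)
    dports: Optional[frozenset]  # destination ports, None = any port
    quick: bool = False
    stateful: bool = False       # keep/modulate/synproxy state

def parse_rule(line: str, macros: dict) -> Rule:
    """Parse the subset of pf.conf rule syntax used in the thread."""
    for name, value in macros.items():
        line = line.replace("$" + name, value)
    words = line.split()
    dports = None
    m = re.search(r"\bport\s+(\{[^}]*\}|\S+)", line)
    if m:
        names = m.group(1).strip("{}").replace(",", " ").split()
        dports = frozenset(SERVICES[n] if n in SERVICES else int(n) for n in names)
    return Rule(
        action=words[0],
        direction=next((w for w in words if w in ("in", "out")), None),
        proto=words[words.index("proto") + 1] if "proto" in words else None,
        dports=dports,
        quick="quick" in words,
        stateful="state" in words,
    )

@dataclass
class Firewall:
    rules: list
    states: set = field(default_factory=set)

    def lookup(self, direction, proto, dport):
        """Walk the ruleset: last match wins, 'quick' stops early."""
        verdict, winner = "pass", None
        for r in self.rules:
            if (r.direction in (None, direction) and r.proto in (None, proto)
                    and (r.dports is None or dport in r.dports)):
                verdict, winner = r.action, r
                if r.quick:
                    break
        return verdict, winner

    def packet(self, direction, proto, src, sport, dst, dport):
        """Return 'pass (state)', 'pass' or 'block' for one packet."""
        key, back = (proto, src, sport, dst, dport), (proto, dst, dport, src, sport)
        if key in self.states or back in self.states:
            return "pass (state)"      # state table hit: rules never consulted
        verdict, rule = self.lookup(direction, proto, dport)
        if verdict == "pass" and rule is not None and rule.stateful:
            self.states.add(key)       # first packet of a new flow
        return verdict

MACROS = {"tcp_in": "{ www, https }", "udp": "{ domain, ntp }", "ping": "echoreq"}
# The filter rules from kalin's first post.
THREAD_RULES = """
block in all
pass out all keep state
pass proto udp to any port $udp
pass inet proto icmp all icmp-type $ping keep state
pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state
pass proto tcp to any port ssh
"""
# Hypothetical tightened ruleset (mine, not the thread's): direction on every rule.
TIGHT_RULES = """
block all
pass in proto udp to any port $udp keep state
pass out proto udp to any port $udp keep state
pass out proto tcp to any port $tcp_in keep state
pass in proto tcp to any port ssh keep state
"""

def run_scenarios(ruleset: str) -> dict:
    """Push the packets discussed in the thread through one ruleset."""
    fw = Firewall([parse_rule(l, MACROS) for l in ruleset.splitlines() if l.strip()])
    host, peer = "192.0.2.10", "198.51.100.7"   # constructed addresses
    return {
        "out_smtp_syn":  fw.packet("out", "tcp", host, 40000, peer, 25),  # telnet host 25
        "in_smtp_reply": fw.packet("in", "tcp", peer, 25, host, 40000),   # banner, same flow
        "in_smtp_syn":   fw.packet("in", "tcp", peer, 51000, host, 25),   # unsolicited SYN
        "in_dns_query":  fw.packet("in", "udp", peer, 5353, host, 53),    # direction-less rule
        "out_dns_query": fw.packet("out", "udp", host, 5354, peer, 53),
        "in_ssh_syn":    fw.packet("in", "tcp", peer, 52000, host, 22),
    }
```

With THREAD_RULES, run_scenarios() passes the outbound SYN to port 25 (only "pass out all keep state" matches it), answers the SMTP banner from the state table, blocks an unsolicited inbound SYN to 25 ("block in all" is the last match), and lets an inbound DNS query through because "pass proto udp to any port $udp" has no direction. With TIGHT_RULES the outbound SMTP SYN is blocked, which is the only way to get the behaviour kalin expected: on a real box, "pfctl -s states" after the telnet would show the state entry that the "pass out" rule created.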

kalin m

Jan 22, 2010, 11:19:37 AM
to S4mmael, freebsd-...@freebsd.org

Not sure if that would affect SMTP. Would it? How so?

kalin m

Jan 22, 2010, 11:22:51 AM
to Patrick Proniewski, freebsd-...@freebsd.org

Yeah... "all" shows a lot. Which part would you like to see? I just sent
the current rules out to the list...

kalin m

Jan 22, 2010, 11:23:19 AM
to Laurent Frigault, freebsd-...@freebsd.org

Laurent Frigault wrote:
> On Fri, Jan 22, 2010 at 02:50:58AM -0500, kalin m wrote:
>
>> doing testing with pf...
>>
>> How is it possible that, if I have these rules below in pf.conf, when I do:
>> telnet that.host.org 25
>>
>> i get:
>> Trying xx.xx.xx.xx...
>> Connected to that.host.org.
>> Escape character is '^]'.
>> ........... etc .......
>>
>>
>> pf.conf contents:
>>
> ...
>
>> set skip on lo
>>
> ....
>
> Are you in a jail, and/or is that.host.org a local IP routed via lo0?
>
>
No jail...

kalin m

Jan 22, 2010, 11:21:16 AM
to Rémi LAURENT, freebsd-...@freebsd.org


# pfctl -s rules
scrub in all fragment reassemble
block drop in on ! bge0 inet from xxx.xxx.xxx.xxx/28 to any
block drop in inet from xxx.xxx.xxx.xxx to any
block drop in all
pass out all flags S/SA keep state
pass out inet proto udp from any to any port 33433 >< 33626 keep state
pass proto udp from any to any port = domain keep state
pass proto udp from any to any port = ntp keep state
pass inet proto icmp all icmp-type echoreq keep state
pass in inet proto tcp from any to any port = http flags S/FSA synproxy state
pass in inet proto tcp from any to any port = https flags S/FSA synproxy state
pass proto tcp from any to any port = ssh flags S/SA keep state


Rémi LAURENT wrote:
> Hi,
>
> Maybe you can give us the result of a pfctl -s rules, because I don't see
> how you can have this connection.

kalin m

Jan 22, 2010, 1:23:45 PM
to Jason V. Miller, freebsd-...@freebsd.org


Thanks... I was under the impression that if you have everything
blocked, the initial SYN request will be ignored. It doesn't make sense
otherwise....
