Hi, I've found something that perhaps someone could explain to me...
Previously I had problems allowing traffic to pass via my gif interface. As far as the gif tunnel itself is set up, it works 100%: when I flushed my ruleset or disabled PF, there wasn't a problem. Before I started out blocking outbound services, I had a "pass out on $ext_if from any to any keep state" rule, and the gif seemed to work fine. Once I had blocked all traffic in/out on $ext_if and $int_if, I had to open ports one by one on both so that traffic could pass. The initial rules for the tunnel were:

###tunnel filters
pass in on $gif_if all
pass out on $gif_if all
pass in on $ext_if inet proto ipencap from any to any
pass out on $ext_if inet proto ipencap from any to any

Once I was logging stuff properly, and using tcpdump, I noticed I had to open $int_if/rl0 to allow traffic on ports 135,137-139 so my Windows boxes behind the firewall could talk to the Windows boxes on the other side of the tunnel. This makes sense, as traffic would have to enter the box per se, via my NIC, before being routed to the other LAN through the gif tunnel.
000000 rule 6/0(match): block in on rl0: IP (tos 0x0, ttl 128, id 61411, offset 0, flags [DF], length: 48) 10.0.88.23.3736 > 10.0.89.1.445: S [tcp sum ok] 3464632695:3464632695(0) win 65535 <mss 1460,nop,nop,sackOK>
000483 rule 6/0(match): block in on rl0: IP (tos 0x0, ttl 128, id 61412, offset 0, flags [DF], length: 48) 10.0.88.23.3737 > 10.0.89.1.139: S [tcp sum ok] 2514062872:2514062872(0) win 65535 <mss 1460,nop,nop,sackOK>
530734 rule 6/0(match): block in on rl0: IP (tos 0x0, ttl 128, id 61413, offset 0, flags [DF], length: 48) 10.0.88.23.3736 > 10.0.89.1.445: S [tcp sum ok] 3464632695:3464632695(0) win 65535 <mss 1460,nop,nop,sackOK>
000230 rule 6/0(match): block in on rl0: IP (tos 0x0, ttl 128, id 61414, offset 0, flags [DF], length: 48) 10.0.88.23.3737 > 10.0.89.1.139: S [tcp sum ok] 2514062872:2514062872(0) win 65535 <mss 1460,nop,nop,sackOK>
437281 rule 6/0(match): block in on rl0: IP (tos 0x0, ttl 128, id 61419, offset 0, flags [DF], length: 48) 10.0.88.23.3736 > 10.0.89.1.445: S [tcp sum ok] 3464632695:3464632695(0) win 65535 <mss 1460,nop,nop,sackOK>
000247 rule 6/0(match): block in on rl0: IP (tos 0x0, ttl 128, id 61420, offset 0, flags [DF], length: 48) 10.0.88.23.3737 > 10.0.89.1.139: S [tcp sum ok] 2514062872:2514062872(0) win 65535 <mss 1460,nop,nop,sackOK>
000477 rule 6/0(match): block in on rl0: IP (tos 0x0, ttl 128, id 61421, offset 0, flags [none], length: 78) 10.0.88.23.137 > 10.0.89.1.137:
>>> NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
TrnID=0x864C OpCode=0 NmFlags=0x0 Rcode=0 QueryCount=1 AnswerCount=0 AuthorityCount=0 AddressRecCount=0
QuestionRecords:
Name= WARNING: Short packet. Try increasing the snap length
^C
7 packets captured
7 packets received by filter
0 packets dropped by kernel

So I added rules for the $int_if/$int_if:

###tunnel filters
pass in on $gif_if all
pass out on $gif_if all
pass in on $ext_if inet proto ipencap from any to any
pass out on $ext_if inet proto ipencap from any to any
pass in on $int_if proto { udp,tcp } from any to any port { 135,137:139,445 } keep state
pass out on $int_if proto { udp,tcp } from any to any port { 135,137:139,445 } keep state

and ran tcpdump again:

Tue Apr 19 09:17:10 [EMAIL PROTECTED]:/home/stephen# tcpdump -n -e -ttt -vv -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
000000 rule 31/0(match): block in on tun0: IP (tos 0x0, ttl 126, id 34146, offset 0, flags [DF], length: 48) 165.165.153.89.3479 > 165.165.167.17.445: S [tcp sum ok] 2834692615:2834692615(0) win 64800 <mss 1440,nop,nop,sackOK>
395435 rule 31/0(match): block in on tun0: IP (tos 0x0, ttl 126, id 34156, offset 0, flags [DF], length: 48) 165.165.153.89.3479 > 165.165.167.17.445: S [tcp sum ok] 2834692615:2834692615(0) win 64800 <mss 1440,nop,nop,sackOK>
-snipped out some other packets that were not relevant-
546633 rule 31/0(match): block in on tun0: IP (tos 0x0, ttl 126, id 34194, offset 0, flags [DF], length: 48) 165.165.153.89.3479 > 165.165.167.17.445: S [tcp sum ok] 2834692615:2834692615(0) win 64800 <mss 1440,nop,nop,sackOK>
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel

The way I see it, traffic destined for 10.0.89.0 should be allowed to enter via the NIC (10.0.88.254), as PF is allowing any source IP to reach any destination IP if the ports are 135,137-139,445. But now here's what I don't get: I then had to allow traffic to pass via the same ports on $ext_if/tun0, when the routing table is routing the traffic via the gif tunnel (routing is set up fine; when the ruleset is flushed, it works 100%).
So I thought let me just try it out (as that's what tcpdump is telling me is blocked), even though it sounds a little sketchy:

###tunnel filters
pass in on $gif_if all
pass out on $gif_if all
pass in on $ext_if inet proto ipencap from any to any
pass out on $ext_if inet proto ipencap from any to any
pass in on $int_if proto { udp,tcp } from any to any port { 135,137:139,445 } keep state
pass out on $int_if proto { udp,tcp } from any to any port { 135,137:139,445 } keep state
pass in on $ext_if proto { udp,tcp } from any to any port { 135,137:139,445 } keep state
pass out on $ext_if proto { udp,tcp } from any to any port { 135,137:139,445 } keep state

and that works perfectly. The only thing I can think of is that PF sees the gif interface as a virtual device and doesn't apply the rule to the virtual device but rather to the physical device the virtual device uses (tun0/$ext_if). That seems very unlikely, but I can't think what else it could be, as I see references to the tun0 device in tcpdump. (The rl0/$int_if references in tcpdump in the first instance seem obvious: I have to allow the traffic in via the NIC to the local LAN before being able to transport it to the other LAN via the gif tunnel.) Any comments/views on this? Perhaps there is something not 100% with my conf?
(Although it is working now, it's not really ideal passing NetBIOS traffic from any to any.)

Tue Apr 19 09:26:53 [EMAIL PROTECTED]:/home/stephen# uname -a
FreeBSD bollox.soh.local 5.3-STABLE FreeBSD 5.3-STABLE #2: Mon Mar 7 18:09:46 SAST 2005 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/BOLLOX i386

Tue Apr 19 10:21:13 [EMAIL PROTECTED]:/home/stephen# cat /etc/pf.conf
########## /etc/pf.conf

##### macros
int_if = "rl0"
ext_if = "tun0"
gif_if = "gif3"
icmp_types = "echoreq"
dns = "{ 196.25.1.1 }"
mail1 = "{ dbn.stormnet.co.za }"
mail2 = "{ smtp.saix.net }"
p2p_ports = " { 6346 }"
p2p_clients = "{ 10.0.88.5 , 10.0.88.11 , 10.0.88.12 , 10.0.88.23 }"
studio = "{ 10.0.88.5 , 10.0.88.11 , 10.0.88.12 }"
sh = "10.0.88.23/24"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
soh ="{ 10.0.88.1 , 10.0.88.2 , 10.0.88.3 , 10.0.88.4 , 10.0.88.5 , 10.0.88.6 , 10.0.88.7 , 10.0.88.8 , 10.0.88.9 , 10.0.88.10 , 10.0.88.11 , 10.0.88.12 , 10.0.88.13 , 10.0.88.14 , 10.0.88.15 , 10.0.88.16 , 10.0.88.17 , 10.0.88.18 , 10.0.88.19 , 10.0.88.20 , 10.0.88.21 , 10.0.88.22 , 10.0.88.23 , 10.0.88.24 , 10.0.88.25 , 10.0.88.26 , 10.0.88.27 , 10.0.88.28 , 10.0.88.29 , 10.0.88.30 }"
vpn_conf = "{ x.y.z.237 }"

##### aliases
int_net = "{" $int_if:network "}"

##### behavior options
set optimization aggressive
set block-policy return
set loginterface $ext_if
set fingerprints "/etc/pf.os"

##### scrub
scrub in all

##### nat/rdr
nat on $ext_if from $int_net to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 3128
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

##### anti spoofing protection
#antispoof quick for $int_if inet
#antispoof quick for $ext_if inet
#antispoof quick for lo0
#block drop in on $ext_if from $priv_nets to any
#block drop out on $ext_if from any to $priv_nets

#####filter rules
###default block and log all
block log all
block in log quick inet6 all
block out log quick inet6 all
pass in quick inet proto icmp all icmp-type $icmp_types keep state
pass out quick inet proto icmp all icmp-type $icmp_types keep state
pass quick on lo0 all

###filter rules for $int_if inbound
block in log on $int_if all
#pass in on $int_if from $soh to $int_if keep state
pass in on $int_if proto tcp from any to $int_if port 2222 keep state
#pass in on $int_if proto tcp from any to $dns keep state
pass in on $int_if proto { udp,tcp } from $int_net to any port = 53 keep state
pass in on $int_if proto tcp from $soh to any port = 3128 flags S/SA keep state
pass in on $int_if proto tcp from $soh to any port = 443 flags S/SA keep state
#pass in on $int_if proto tcp from $int_net to $int_if port { 21,20 } keep state
#pass in on $int_if proto tcp from $int_net to any port 8021 keep state
pass in on $int_if proto tcp from $soh to $int_if port 25 keep state
pass in on $int_if proto tcp from $soh to $int_if port 110 keep state
pass in on $int_if proto { udp,tcp } from $int_net to any port 6346 keep state
pass in on $int_if proto tcp from $int_net to ($ext_if) port { 25,110 } keep state
pass in on $int_if proto tcp from $int_net to $mail1 port { 25,110 } keep state
pass in on $int_if proto tcp from $int_net to $mail2 port { 25,110 } keep state
pass in on $int_if proto tcp from $int_net to any port { 2222 } keep state

###filter rules for $int_if outbound
block out log on $int_if all
#pass out on $int_if all keep state
#pass out on $int_if inet proto tcp from $int_if to $int_net port 20 keep state

###filter rules for $ext_if inbound
block in log on $ext_if all
#pass in on $ext_if inet proto tcp from any to ($ext_if) port 20 keep state
#pass in on $ext_if inet proto tcp from any to ($ext_if) port 21 keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port 25 keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port 110 keep state
#pass in on $ext_if inet proto tcp from any to ($ext_if) port 2222 keep state
#pass in on $ext_if inet proto tcp from any to any port 55000:57000 keep state
##block nmap's fingerprinting attempt(FIN, URG, PSH)
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP

###filter rules for $ext_if outbound
block out log on $ext_if all
pass out on $ext_if inet proto udp from any to $dns port 53 keep state
#pass out on $ext_if inet proto tcp from any to $dns port 53 flags S/SA keep state
pass out on $ext_if inet proto tcp from ($ext_if) to $vpn_conf flags S/SA keep state
#pass out on $ext_if inet proto tcp from ($ext_if) to any port 21 keep state
#pass out on $ext_if inet proto tcp from ($ext_if) to any port 20 keep state
#pass out on $ext_if inet proto tcp from ($ext_if) to any port 8021 keep state
pass out on $ext_if inet proto tcp from ($ext_if) to $mail1 port 25 keep state
pass out on $ext_if inet proto tcp from ($ext_if) to $mail1 port 110 keep state
pass out on $ext_if inet proto tcp from ($ext_if) to $mail2 port 25 keep state
pass out on $ext_if inet proto tcp from ($ext_if) to any port 80 keep state
pass out on $ext_if inet proto tcp from ($ext_if) to any port 443 keep state
pass out on $ext_if inet proto tcp from ($ext_if) to any port 6346 keep state
pass out on $ext_if inet proto tcp from ($ext_if) to any port { 22,2222 } keep state

###tunnel filters
pass in on $gif_if all
pass out on $gif_if all
pass in on $ext_if inet proto ipencap from any to any
pass out on $ext_if inet proto ipencap from any to any
pass in on $int_if proto { udp,tcp } from any to any port { 135,137:139,445 } keep state
pass out on $int_if proto { udp,tcp } from any to any port { 135,137:139,445 } keep state
pass in on $ext_if proto { udp,tcp } from any to any port { 135,137:139,445 } keep state
pass out on $ext_if proto { udp,tcp } from any to any port { 135,137:139,445 } keep state

ps: the reason ports and hosts are separated is because of labelling
pps: everything related to ftp has been commented out because I can't get it working, but that's another battle for another day =]

Thanks,
Stephen
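Added example, not part of Stephen's post or of PF itself: a small sh/awk script that summarises pflog output in the "tcpdump -n -e -ttt -vv -i pflog0" format quoted above (per interface, matching rule, hosts and port) and shows what a pass rule scoped to a reviewed flow looks like, as the narrower alternative to the "from any to any port { 135,137:139,445 }" rules. The sample lines are constructed from the captures in the post.

```sh
#!/bin/sh
# Added example, not from the original post: summarise what PF is blocking
# from "tcpdump -n -e -ttt -vv -i pflog0" output and turn a reviewed flow into
# a pass rule scoped to the hosts actually seen, instead of "from any to any".
# Rule numbers (6/0, 31/0) refer to the loaded ruleset; "pfctl -vvsr" lists them.

# Constructed sample in the pflog tcpdump format quoted in the post.
SAMPLE_PFLOG='000000 rule 6/0(match): block in on rl0: IP (tos 0x0, ttl 128, id 61411, offset 0, flags [DF], length: 48) 10.0.88.23.3736 > 10.0.89.1.445: S [tcp sum ok] 3464632695:3464632695(0) win 65535 <mss 1460,nop,nop,sackOK>
000483 rule 6/0(match): block in on rl0: IP (tos 0x0, ttl 128, id 61412, offset 0, flags [DF], length: 48) 10.0.88.23.3737 > 10.0.89.1.139: S [tcp sum ok] 2514062872:2514062872(0) win 65535 <mss 1460,nop,nop,sackOK>
530734 rule 6/0(match): block in on rl0: IP (tos 0x0, ttl 128, id 61413, offset 0, flags [DF], length: 48) 10.0.88.23.3736 > 10.0.89.1.445: S [tcp sum ok] 3464632695:3464632695(0) win 65535 <mss 1460,nop,nop,sackOK>
000477 rule 6/0(match): block in on rl0: IP (tos 0x0, ttl 128, id 61421, offset 0, flags [none], length: 78) 10.0.88.23.137 > 10.0.89.1.137: >>> NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
000000 rule 31/0(match): block in on tun0: IP (tos 0x0, ttl 126, id 34146, offset 0, flags [DF], length: 48) 165.165.153.89.3479 > 165.165.167.17.445: S [tcp sum ok] 2834692615:2834692615(0) win 64800 <mss 1440,nop,nop,sackOK>
395435 rule 31/0(match): block in on tun0: IP (tos 0x0, ttl 126, id 34156, offset 0, flags [DF], length: 48) 165.165.153.89.3479 > 165.165.167.17.445: S [tcp sum ok] 2834692615:2834692615(0) win 64800 <mss 1440,nop,nop,sackOK>'

# Read pflog lines on stdin; print one line per blocked flow, most frequent first:
#   <count> <iface> <dir> <rule> <src host> > <dst host> <dst port>/<proto>
summarize_pflog() {
    awk '
    /rule [0-9]+\/[0-9]+\(match\): block / {
        rule = $3; sub(/\(match\):$/, "", rule)            # "6/0"
        dir  = $5                                          # in | out
        ifc  = $7; sub(/:$/, "", ifc)                      # rl0 | tun0
        # the "src.port > dst.port:" triple follows the IP header
        for (i = 8; i <= NF; i++) if ($i == ">") { src = $(i-1); dst = $(i+1); break }
        sub(/:$/, "", dst)
        split(src, s, "."); shost = s[1] "." s[2] "." s[3] "." s[4]
        nd = split(dst, d, "."); dhost = d[1] "." d[2] "." d[3] "." d[4]
        dport = d[nd]
        proto = ($0 ~ /\[tcp /) ? "tcp" : ($0 ~ /UDP/) ? "udp" : "other"
        count[ifc " " dir " " rule " " shost " > " dhost " " dport "/" proto]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Turn one summary line into a pass rule limited to the observed hosts and port.
# Review each flow first: the tun0 hits above come from an unknown Internet host
# to the external address, which is exactly what the default block is for.
suggest_pass_rule() {
    set -- $1                     # count ifc dir rule shost ">" dhost port/proto
    port=${8%/*}; proto=${8#*/}
    echo "pass $3 on $2 inet proto $proto from $5 to $7 port $port keep state"
}

printf '%s\n' "$SAMPLE_PFLOG" | summarize_pflog
printf '%s\n' "$SAMPLE_PFLOG" | summarize_pflog | while read -r line; do
    suggest_pass_rule "$line"
done
```

On the box itself the summary would be fed from "tcpdump -n -e -ttt -vv -i pflog0 | summarize_pflog" rather than from the constructed sample.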
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"