Unfortunately, pfctl -sl -v says nothing. So, now I have a ruleset like the one below. I have added a specific pass statement for the gre protocol. This works; however, I fear that it is insecure.
set skip on {lo, gre0, enc0}

anchor "ftp-proxy/*"

block in all
pass out all

antispoof for tun0
table <bruteforce> persist
table <trustednets> {10.40.60.0/24, 10.40.65.0/24}

match out on tun0 from 10.40.60.0/24 to any nat-to (tun0)

pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick proto tcp from localhost to any port {http,https} rdr-to 127.0.0.1 port 3128
pass quick proto gre from any
block log quick from <bruteforce>
pass inet proto icmp all icmp-type {echoreq, unreach}
pass in on tun0 inet proto tcp from any to any port ssh keep state (max-src-conn 6, max-src-conn-rate 3/1, overload <bruteforce> flush global) rdr-to 10.40.60.1
pass on em0 from <trustednets> to any

Penned by Matt S on 20110411 16:59.09, we have:

| Okay, I did that but apparently I spoke too soon as a tcpdump reveals packets
| are still being blocked. Here is an example from a tcpdump on the pflog0
| interface:
|
| Apr 11 14:57:43.943764 rule 1/(match) block in on tun0: 172.16.254.2 > 10.40.60.1: icmp: echo request (gre encap)
|
| I guess I need to specifically allow GRE traffic?

Since you're not skipping on tun(4) that seems to be accurate.

| Thanks,
| Matt
|
| On 04/11/11 23:34, Matt S wrote:
| > Hello Everyone:
| >
| > I am using 4.8 RELEASE. Given the following pf.conf, would anyone be able to
| > tell me why gre0 is not being skipped?
| >
| > set skip on lo
| > set skip on gre0
| > set skip on enc0
|
| You need to combine them, or they override each other.
|
| set skip on { lo0, gre0, enc0 }
|
| /Alexander
|
| >
| > anchor "ftp-proxy/*"
| >
| > block in all
| > pass out all
| >
| > antispoof for tun0
| > table <bruteforce> persist
| > table <trustednets> {10.40.60.0/24, 10.40.65.0/24}
| >
| > match out on tun0 from 10.40.60.0/24 to any nat-to (tun0)
| >
| > block log quick from <bruteforce>
| > pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
| > pass in quick proto tcp from localhost to any port {http,https} rdr-to 127.0.0.1 port 3128
| > pass inet proto icmp all icmp-type {echoreq, unreach}
| > pass in on tun0 inet proto tcp from any to any port ssh keep state (max-src-conn 6, max-src-conn-rate 3/1, overload <bruteforce> flush global) rdr-to 10.40.60.1
| > pass on em0 from {trustednets} to any
| >
| > In order for in-bound packets from 10.40.65.1 not to be dropped, I have to ping
| > it 10.40.64.1 from 10.40.60.1 to set a state. Any help that you can provide
| > would be appreciated.
| >
| > Thanks,
| > Matt

-- 
Todd Fries .. t...@fries.net
Free Daemon Consulting, LLC
1.636.410.0632 (voice) | 1.405.227.9094 (voice) | 1.866.792.3418 (FAX)
2525 NW Expy #525, Oklahoma City, OK 73112
http://FreeDaemonConsulting.com
sip:freedae...@ekiga.net | sip:4052279...@ekiga.net
"..in support of free software solutions."
37E7 D3EB 74D0 8D66 A68D B866 0326 204E 3F42 004A http://todd.fries.net/pgp.txt
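As an added example (not a ruleset from Matt, Alexander or Todd), this pf.conf fragment combines the skip list into one statement, as Alexander advises, and narrows the blanket "pass quick proto gre from any" rule to the single tunnel peer that appears in the pflog excerpt; the macro names and the assumption that 172.16.254.2 is the only legitimate GRE peer are mine.

```pf
# Macros (names are assumptions; endpoints taken from the blocked packet
# "172.16.254.2 > 10.40.60.1" in the pflog excerpt, adjust for your tunnel).
ext_if    = "tun0"
gre_peer  = "172.16.254.2"
gre_local = "10.40.60.1"

# A later "set skip" replaces an earlier one, so every interface to skip
# goes into a single statement. tun0 is deliberately not skipped, so the
# GRE rules below still apply to it.
set skip on { lo0, gre0, enc0 }

block in all
pass out all

# Accept GRE only from the known peer to the local tunnel endpoint.
# pf keeps state for non-TCP/UDP protocols keyed on the address pair,
# so replies are matched by this state rather than by a separate rule.
pass in quick on $ext_if inet proto gre from $gre_peer to $gre_local

# Any other GRE arriving on the external interface is logged, so stray
# tunnel attempts show up on pflog0 instead of vanishing into "block in all".
block in log quick on $ext_if inet proto gre
```

Check the syntax with "pfctl -nf /etc/pf.conf" before loading, and watch pflog0 with tcpdump as in the thread to confirm only non-peer GRE is being logged as blocked.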