On Thu, Aug 09, 2007 at 10:29:19AM -0700, David Newman wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 8/9/07 10:24 AM, David Newman wrote:
> > On 8/9/07 3:22 AM, Joachim Schipper wrote:
> >
> >>> # Allow quick valid traffic to ssh but log all attempts as well
> >>> pass in log quick on $unpro inet proto tcp from ! <scanners> \
> >>> to $unpro port ssh $SSH_LIMIT
> >> Skip '! <scanners>' unless it's intended as documentation; you have
> >> already filtered this traffic in the rule above.
> >
> >> It's not surprising that this rule fails to limit ssh connections to
> >> another host; that's what 'to $unpro' tells pf to do, after all.
> >
> > Couple of clarification questions:
> >
> > 1. When you say "skip" something, you mean just delete the string '!
> > <scanners>' and not the whole rule, correct?

Yes.

> > If you
> >> do remove 'to $unpro', you might want to add something like 'from !
> >> $unpro:network'. (Do note that 'from ! { $unpro:network <scanners> }' is
> >> legal syntax, but not sensible.)
> >
> > 2. Shouldn't it be 'to $unpro:network' here since we're substituting one
> > 'to' condition with another?
> >
> > Thanks -- your comments make great sense.
>
> Sorry, scratch question 2. Obviously 'from' is correct.
>
> Is this what you meant:
>
> pass in log quick on $unpro inet proto tcp \
>     from ! $unpro:network port ssh flags S/SA \
>     keep state $SSH_LIMIT

No, more along the lines of

pass in log quick on $unpro inet proto tcp \
    to port ssh keep state $SSH_LIMIT

(Note that 'flags S/SA' and 'keep state' are the default in 4.1 and later,
but 'keep state' must be explicitly given for $SSH_LIMIT -
'(max-src-conn-rate 3/30, overload <scanners>)' - to be legal.)

Or, if you want to add ! $unpro:network,

pass in log quick on $unpro inet proto tcp \
    from ! $unpro:network to port ssh keep state $SSH_LIMIT

where my $SSH_LIMIT is different from yours, missing 'flush global'.

All of this looks a lot like IPTables-in-pf, though [1]. And it only works
because you have a 'default allow' policy (the above rule does not match
on traffic from the local network, but with a 'default deny' policy this
would mean you would be unable to ssh from the local network at all.
Which is not what you want.)

The way I'd write this rule would be

pass in on $unpro inet proto tcp to port ssh \
    keep state (max-src-conn-rate 3/30, overload <scanners>)
pass in on $unpro inet proto tcp from $unpro:network to port ssh

which a) works with a 'default deny' policy, should you ever implement
one, and b) also avoids defining a macro that's only used once and does
not necessarily clarify matters.

Joachim

[1] I should know, I spent half the day writing pf-in-IPTables. Debian is
fine, for some values of fine, for webservers, but firewalls... well,
just note there's no MoTD below.
--
It can be difficult to translate into iptables the artistic intent of a
pf rule that says "pass out quick on $cheap_gin"
    -- Anthony de Boer, in ASR
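The two-rule approach Joachim describes only makes sense in the context of a full ruleset: the <scanners> table has to exist, the addresses it collects have to be blocked somewhere, and the ordering has to exploit pf's last-matching-rule-wins evaluation so that the local-network rule overrides the rate-limited one. The pf.conf fragment below is an added example, not code from the thread, showing a default-deny ruleset built around those two rules. It assumes $unpro expands to the name of the unprotected interface (the interface name em0 is a placeholder) and that the interface has an address assigned, so $unpro:network resolves to the directly attached subnet. It also restores the 'flush global' from David's original $SSH_LIMIT, which Joachim's version omits.

```pf
# Added example (not from the thread): default-deny pf.conf around the
# two-rule ssh limiter. $unpro is assumed to be the unprotected interface.
unpro = "em0"          # placeholder interface name

# 'persist' keeps the table around even when it is empty, so the overload
# clause below always has a table to add addresses to.
table <scanners> persist

set skip on lo

# Default deny for inbound traffic on the unprotected interface. Anything
# not explicitly passed further down is dropped and logged.
block in log on $unpro

# Addresses that already tripped the limiter get nothing. 'quick' ends
# evaluation here, so no later pass rule can let them through.
block in quick on $unpro from <scanners>

# Rate-limited ssh from anywhere: more than 3 new connections in 30 s
# from one source adds that source to <scanners> and kills its existing
# states ('flush global'). Deliberately no 'quick': pf keeps evaluating,
# and the last rule that matches decides.
pass in log on $unpro inet proto tcp to port ssh \
    keep state (max-src-conn-rate 3/30, overload <scanners> flush global)

# Local network: matches the same packets as the rule above, but since it
# comes last it wins, so LAN hosts are never subject to the limiter and
# never end up in <scanners>. Works unchanged under default deny.
pass in on $unpro inet proto tcp from $unpro:network to port ssh
```

Check the syntax with 'pfctl -nf /etc/pf.conf' before loading. Once loaded, 'pfctl -t scanners -T show' lists the sources the limiter has caught; they stay there until removed, either by hand ('pfctl -t scanners -T delete <addr>') or by age ('pfctl -t scanners -T expire 3600' drops entries older than an hour), so a cron job running the expire command is the usual way to keep the table from growing forever. Note that the 'block in quick ... from <scanners>' rule is what actually enforces the overload; the pass rule only populates the table.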