Hi All, Without *block return label "block stateless traffic"* and *pass # establish keep-state*, my NAT / redirect rules from external into LAN do not work. Neither do rules that permit RDP to Windows Workstations on Tun0 interface. FWIW: Wireguard uses this tun0 interface.
TCPDump shows the destination IP sending a RST packet. Although the Internal LAN interface shows no packet passing. That does not quite make sense to me - but that is what happens. I have read online and man pages etc, and all say that the "block return" and "pass" rules are not necessary. In fact the example given at https://www.openbsd.org/faq/pf/filter.html does not have these two initial rules. These default rules were carried over from the /etc/example/pf.conf Event moving the *block return* default rule to lower in the rulebase - results in the same symptoms. Syn packets pass out of Tun0 but Rst sent back almost immediately. Any assistance greatly appreciated. (Public IP addresses mangled. Only retained for readability) Regards dirk ___________________________________________________________________________________ mrac-prx01# cat /etc/pf.conf # $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $ # # See pf.conf(5) and /etc/examples/pf.conf # ---== Skip firewalling on these interfaces ===--- set skip on { lo lo0 } # ---=== Default Policy ===--- block return label "block stateless traffic" block in quick log from urpf-failed # block reverse patch verify failures block in quick log from no-route to any # block non routable traffic block in log (all, to pflog0) # block traffic not matched explicitly below pass # establish keep-state # ---=== Global Options ===--- match in all scrub (reassemble tcp no-df max-mss 1450) match out all scrub (random-id) set reassemble yes set limit { tables 10000 table-entries 1000000 states 400000 frags 100000 src-nodes 10000 } set block-policy drop set loginterface pflog0 set optimization high-latency set state-policy if-bound set syncookies adaptive (start 25%, end 12%) set timeout { adaptive.start 6000, adaptive.end 12000 } set ruleset-optimization basic set fingerprints "/etc/pf.os" antispoof log quick for { lo0 re0 vl60 vl61 tun0 } #antispoof log quick for em0 # ---=== Macros ===--- ext_if = "{ re0 }" ext_ip = "{ re0:0 }" int_if = "{ em0 }" int_ip = "{ 192.168.50.1 192.168.50.24 }" int_net = em0:network tun0_if = "{ tun0 }" tun0_ip = "{ tun0:0 }" tun0_net = tun0:network vl60_if = "{ vlan60 }" vl60_ip = "{ vlan60:0 }" vl60_net = "{ vlan60 }" vl61_if = "{ vlan61 }" vl61_ip = "{ vlan61:0 }" vl61_net = "{ vlan61 }" # ---=== Alias IP ===--- best_bme = "{ 222.172.111.114, 115.170.122.119 }" best_knx = "{ 211.118.196.174 }" monitoring = "{ 135.201.115.116 }" bcastnet = "{ 192.168.50.255, 255.255.255.255, 224.0.0.0/24, 239.255.255.250, 239.255.255.253 }" mrac_dc = "{ 192.168.50.21 }" # ---=== Alias Protocols ===--- bcastprt = "{ 287, 68:69,137:139, 168, 546:547, 1900, 1947, 3702, 5353, 5355, 5678, 7680, 10001 }" icmp_required = "{ echoreq, timex, paramprob, unreach code needfrag }" # ---=== Tables ===--- table <lockout> persist table <fqdn_kaspersky_labs> { kaspersky-labs.com } table <fqdn_wanada> { wanada.epiccloud.com.au } table <bruteforcers> persist file "/etc/pf.files/bruteforcers.txt" table <blockedcountries> persist file "/etc/pf.files/blockedcountries.txt" table <blockedbadhosts> persist file "/etc/pf.files/blockedbadhosts.txt" # table <martians> const { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 224.0.0.0/3 } # ---=== Block SSH Access from Abusers ===--- block quick log on any proto { tcp udp icmp } from <lockout> label "BlockSshAbusers" # ---=== Blocked Countries and malicious hosts ===--- block quick log from <blockedcountries> label "From Blocked_Countries" block quick log to <blockedcountries> label "To Blocked_Countries" block quick log from <blockedbadhosts> label "From Blocked_Badhosts" block quick log to <blockedbadhosts> label "To Blocked_Badhosts" # ---=== Outbound from Firewall to anywhere on any interface ===--- block return in on ! lo0 proto tcp to port 6000:6010 # By default, do not permit remote connections to X11 block return out log proto {tcp udp} user _pbuild # Port build user does not need network pass out quick on any from self to any modulate state # ---=== Outbound Port-NAT Rules ===--- match out on $ext_if from $int_net nat-to $ext_ip source-hash match out on $vl60_if from $int_net nat-to $ext_ip source-hash match out on $vl61_if from $int_net nat-to $ext_ip source-hash # ---=== Inbound from External Interface Port Redirect through Firewall ===--- # block in quick log on $ext_if inet proto tcp from any os "NMAP" label "NMAPScanHost" # block in quick log on $ext_if inet6 proto tcp from any os "NMAP" label "NMAPScanHost" pass in quick log on $ext_if inet proto tcp from $best_bme port >1023 to port 3389 rdr-to $mrac_dc port 3389 keep state # (max-src-conn 40, max-src-conn-rate 10/30, overload <bruteforcers> flush global) pass in quick log on $ext_if inet proto tcp from $best_bme port >1023 to port 9676 rdr-to $mrac_dc port 9676 keep state # (max-src-conn 40, max-src-conn-rate 10/30, overload <bruteforcers> flush global) pass in quick log on $ext_if inet proto tcp from $best_knx port >1023 to port 9676 rdr-to $mrac_dc port 9676 keep state # (max-src-conn 40, max-src-conn-rate 10/30, overload <bruteforcers> flush global) # ---=== Inbound from External Interface to Firewall ===--- pass in quick log on $ext_if inet proto udp from any port >1023 to $ext_ip port 51820 keep state (max-src-conn 40, max-src-conn-rate 10/10, overload <bruteforcers> flush global) pass in quick log on $ext_if inet proto tcp from $best_bme port >1023 to $ext_ip port 22 synproxy state (max-src-conn 40, max-src-conn-rate 10/10, overload <bruteforcers> flush global) pass in quick log on $ext_if inet proto tcp from $monitoring port >1023 to $ext_ip port 22 synproxy state (max-src-conn 40, max-src-conn-rate 10/10, overload <bruteforcers> flush global) pass in quick log on $ext_if inet proto icmp from $monitoring to $ext_ip icmp-type { echoreq, unreach } max-pkt-rate 100/10 pass in quick log on $ext_if inet proto icmp from $best_bme to $ext_ip icmp-type { echoreq, unreach } max-pkt-rate 100/10 # block in quick log on $ext_if inet from <martians> label "Block Martians" block in quick log on $ext_if from any label "Block External Access in" # ---=== Inbound from Internal LAN Interface _terminating_ on Firewall ===--- pass in quick log on $int_if inet proto tcp from $int_net port >1023 to $int_ip port 22 synproxy state pass in quick log on $int_if inet proto tcp from $int_net port >1023 to $int_ip port 25 keep state pass in quick on $int_if inet proto { tcp udp } from $int_net port >1023 to $int_ip port 53 keep state pass in quick on $int_if inet proto tcp from $int_net port >1023 to $int_ip port 80 keep state pass in quick log on $int_if inet proto udp from $int_net port >1023 to $int_ip port 123 pass in quick log on $int_if inet proto udp from $mrac_dc port >1023 to $int_ip port 161 pass in quick on $int_if inet proto udp from $int_net port >1023 to $int_ip port 514 pass in quick on $int_if inet proto tcp from $int_net port >1023 to $int_ip port { 3126 3127 3128 3129 } keep state # ---=== Squid Rules. Redirect traffic to Squid - for clients that do not have proxy explicitly set ===--- pass in quick on $int_if inet proto tcp from $int_net port >1023 to any port { 80, 81, 8080 } divert-to 127.0.0.1 port 3127 keep state (sloppy) # ---=== Inbound from Internal Interface _through_ Firewall ===--- pass in quick log on $int_if inet proto tcp from $int_net port >1023 to any port 993 keep state pass in quick log on $int_if inet proto tcp from $int_net port >1023 to any port 5938 keep state pass in quick log on $int_if inet proto tcp from $int_net port >1023 to <fqdn_kaspersky_labs> port 13111 keep state pass in quick log on $int_if inet proto udp from $int_net port >1023 to <fqdn_kaspersky_labs> port 15111 pass in quick log on $int_if inet proto tcp from $int_net port >1023 to <fqdn_wanada> port 54468 keep state pass in quick log on $int_if inet proto udp from $int_net port >1023 to any port 33433 >< 33625 keep state label "Traceroute" pass in quick log on $int_if inet proto icmp from any to any icmp-type $icmp_required block in quick log on $int_if inet proto icmp from any to any block in quick on $int_if inet proto { tcp udp } from any to $int_ip port 7680 # ---=== Tagged Rules Inbound from Internal Interface ===--- pass in quick log on $int_if inet proto tcp from $int_net port >1023 to any port 80 pass in quick log on $int_if inet proto tcp from $int_net port >1023 to any port 443 # ---=== Inbound from VPN Adapter Tun0 to internal network ===--- pass in quick on $tun0_if inet proto tcp from $tun0_net port >1023 to $int_net port 22 keep state (max-src-conn 40, max-src-conn-rate 10/10, overload <bruteforcers> flush global) label "RA VPN SSH to LAN" pass in quick on $tun0_if inet proto { tcp udp } from $tun0_net port >1023 to $int_ip port 53 keep state pass in quick log on $tun0_if inet proto { tcp udp } from $tun0_net port >1023 to $int_net port 3389 keep state (max-src-conn 40, max-src-conn-rate 10/10, overload <bruteforcers> flush global) label "RA VPN RDP to LAN" pass in quick log on $tun0_if inet proto icmp from $tun0_net to $int_net icmp-type $icmp_required label "RA VPN ICMP to LAN" block in quick log on $tun0_if inet from $tun0_net to any label "RA VPN IPv4 Block In Clean Up" block out quick log on $tun0_if inet from $tun0_net to any label "RA VPN IPv4 Block Out Clean Up" block in quick log on $tun0_if inet6 from any to any label "RA VPN IPv6 Block In Clean Up" block out quick log on $tun0_if inet6 from any to any label "RA VPN IPv6 Block Out Clean Up" # ---=== Inbound from VLAN60 to Internet (Guests Wifi) ===--- pass in quick on $vl60_if inet proto { tcp udp } from $vl60_net port >1023 to $vl60_ip port 53 keep state pass in quick on $vl60_if inet proto tcp from $vl60_net port >1023 to $vl60_ip port { 3127 3128 3129 } synproxy state pass in quick on $vl60_if inet proto tcp from $vl60_net port >1023 to any port { 80, 81, 443, 8080 } divert-to 127.0.0.1 port 3127 keep state pass in quick log on $vl60_if inet proto icmp from $vl60_net to any icmp-type $icmp_required block in quick log on $vl60_if from $vl60_net to $int_net block in quick log on $vl60_if from $vl60_net to $vl61_net # ---=== Inbound from VLAN61 to Internet (Doctors Wifi) ===--- pass in quick on $vl61_if inet proto { tcp udp } from $vl61_net port >1023 to $vl61_ip port 53 keep state pass in quick on $vl61_if inet proto tcp from $vl61_net port >1023 to $vl61_ip port { 3127 3128 3129 } synproxy state pass in quick on $vl61_if inet proto tcp from $vl61_net port >1023 to any port { 80, 81, 443, 8080 } divert-to 127.0.0.1 port 3127 keep state pass in quick log on $vl61_if inet proto icmp from $vl61_net to any icmp-type $icmp_required block in quick log on $vl61_if from $vl61_net to $int_net block in quick log on $vl61_if from $vl61_net to $vl60_net # ---=== Block NoLog ===--- block in quick from any to $bcastnet label "BlockNoLog-BroadcastNetworks" block in quick from any to $bcastnet label "BlockNoLog-BroadcastNetworks" block in quick inet proto udp to any port $bcastprt label "BlockNoLog-BroadcastIpv4Ports" block in quick inet6 proto udp to any port $bcastprt label "BlockNoLog-BroadcastIpv6Ports" # ---=== Cleanup time ===--- block in quick log from no-route to any label "Block-NonRoutable" # block packets that have no return route block in quick log from any no state label "Block-NoState" # block packets that have no state block in quick log inet from any label "CLEANUP4" block in quick log inet6 from any label "CLEANUP6" mrac-prx01#
