struggling with pf

matthew . garman Sat, 26 Aug 2006 20:05:51 -0700

For some reason, I'm not "getting it" when it comes to pf...  Two
things I can't figure out: (1) filtered vs blocked for some TCP
ports and (2) rules for tun0, my vpn interface.


First, my /etc/pf.conf:

    int_if = "vr1"
    ext_if = "vr0"
    vpn_if = "tun0"
    tcp_services = "{ 22 }"
    udp_services = "{ 1194 }"
    priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
    set block-policy return
    set loginterface $ext_if
    scrub in all
    scrub out on $ext_if all max-mss 1452
    nat on $ext_if from $int_if:network to any -> ($ext_if)
    #nat on $ext_if from $vpn_if:network to any -> ($ext_if)
    block log all
    pass quick log on lo0 all
    #pass quick on { lo, $int_if, $vpn_if }
    antispoof quick log for { lo0 $int_if $vpn_if }
    block drop in  quick log on $ext_if from $priv_nets to any
    block drop out quick log on $ext_if from any to $priv_nets
    pass in log on $ext_if inet proto tcp from any to ($ext_if) \
        port $tcp_services flags S/SA keep state
    pass in log on $ext_if inet proto udp from any to ($ext_if) \
        port $udp_services keep state
    pass in log on $ext_if inet proto tcp from port 20 to ($ext_if) \
        user proxy flags S/SA keep state
    pass in  log on $int_if from $int_if:network to any keep state
    pass out log on $int_if from any to $int_if:network keep state
    pass in  log on $vpn_if from any to any keep state
    pass out log on $vpn_if from any to any keep state
    pass out log on $ext_if proto tcp all modulate state flags S/SA
    pass out log on $ext_if proto { udp, icmp } all keep state


Now, regarding issue (1), if I do a "nmap -v -A <my obsd box>" from
another computer, I get this:

    ...
    Interesting ports on <my obsd box>:
    (The 1663 ports scanned but not shown below are in state: closed)
    PORT     STATE    SERVICE        VERSION
    22/tcp   open     ssh            OpenSSH 4.1 (protocol 1.99)
    25/tcp   filtered smtp
    135/tcp  filtered msrpc
    137/tcp  filtered netbios-ns
    138/tcp  filtered netbios-dgm
    139/tcp  filtered netbios-ssn
    445/tcp  filtered microsoft-ds
    593/tcp  filtered http-rpc-epmap
    1080/tcp filtered socks
    ...

Why are all those ports (except 22) "filtered" instead of closed?
Does one of my pf rules above implicitly allow those ports to be
filtered?  I don't use or run any of those services on this box, so
I'd prefer those ports just be closed.

Now, regarding (2), I'm trying to set up OpenVPN.  I've got a mostly
default setup (i.e. followed the openvpn HOWTO almost verbatim).  I
can establish the VPN tunnel, but cannot ping the obsd box.

So, if I do a "tcpdump -n -e -ttt -i pflog0" while trying to ping
the obsd box from the vpn client, I see this:

    Aug 26 21:08:49.371324 rule 4/(match) block in on tun0: \
    192.168.2.6 > 192.168.2.1: icmp: echo request (DF)

How can I tell which rule is "rule 4"?

pfctl -s rules:

  0 scrub in all fragment reassemble
  1 scrub out on vr0 all max-mss 1452 fragment reassemble
  2 block return log all
  3 pass log quick on lo0 all
  4 block drop in log quick on ! lo0 inet6 from ::1 to any
  5 block drop in log quick on ! lo0 inet from 127.0.0.0/8 to any
  6 block drop in log quick on ! vr1 inet from 192.168.0.0/16 to any
  7 block drop in log quick on vr1 inet6 from fe80::240:63ff:fed9:3f9f \
  8 to any
  9 block drop in log quick inet from 192.168.1.1 to any
    block drop in log quick on ! tun0 inet from 192.168.2.1 to any
    block drop in log quick inet from 192.168.2.1 to any
    block drop in log quick on vr0 inet from 127.0.0.0/8 to any
    block drop in log quick on vr0 inet from 192.168.0.0/16 to any
    block drop in log quick on vr0 inet from 172.16.0.0/12 to any
    block drop in log quick on vr0 inet from 10.0.0.0/8 to any
    block drop out log quick on vr0 inet from any to 127.0.0.0/8
    block drop out log quick on vr0 inet from any to 192.168.0.0/16
    block drop out log quick on vr0 inet from any to 172.16.0.0/12
    block drop out log quick on vr0 inet from any to 10.0.0.0/8
    pass in log on vr0 inet proto tcp from any to (vr0) port = ssh flags \
    S/SA keep state
    pass in log on vr0 inet proto udp from any to (vr0) port = 1194 keep \
    state
    pass in log on vr0 inet proto tcp from any port = ftp-data to (vr0)
    user = 71 flags S/SA keep state
    pass in log on vr1 inet from 192.168.0.0/16 to any keep state
    pass out log on vr1 inet from any to 192.168.0.0/16 keep state
    pass in log on tun0 all keep state
    pass out log on tun0 all keep state
    pass out log on vr0 proto tcp all flags S/SA modulate state
    pass out log on vr0 proto udp all keep state
    pass out log on vr0 proto icmp all keep state

(I added the numbers and line breaks.)  So it looks to me like line
6 is responsible for blocking the ping... but where does that rule
come from in my pf.conf file?

Thanks in advance for any assistance!

Matt

struggling with pf

Reply via email to