On Sat, Aug 26, 2006 at 09:57:31PM -0500, [EMAIL PROTECTED] wrote: > For some reason, I'm not "getting it" when it comes to pf... Two > things I can't figure out: (1) filtered vs blocked for some TCP > ports and (2) rules for tun0, my vpn interface. > > First, my /etc/pf.conf: > > int_if = "vr1" > ext_if = "vr0" > vpn_if = "tun0" > tcp_services = "{ 22 }" > udp_services = "{ 1194 }" > priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }" > set block-policy return > set loginterface $ext_if > scrub in all > scrub out on $ext_if all max-mss 1452 > nat on $ext_if from $int_if:network to any -> ($ext_if) > #nat on $ext_if from $vpn_if:network to any -> ($ext_if) > block log all > pass quick log on lo0 all
Do you *really* want to log this? > #pass quick on { lo, $int_if, $vpn_if } > antispoof quick log for { lo0 $int_if $vpn_if } See below. > block drop in quick log on $ext_if from $priv_nets to any > block drop out quick log on $ext_if from any to $priv_nets > pass in log on $ext_if inet proto tcp from any to ($ext_if) \ > port $tcp_services flags S/SA keep state Again, do you want to log here? Also, the flags directive is redundant with scrub, unless I am mistaken. > pass in log on $ext_if inet proto udp from any to ($ext_if) \ > port $udp_services keep state > pass in log on $ext_if inet proto tcp from port 20 to ($ext_if) \ > user proxy flags S/SA keep state This will break on FTP servers that do not connect from port 20, but okay. > pass in log on $int_if from $int_if:network to any keep state > pass out log on $int_if from any to $int_if:network keep state Again, no need to log. Also, what do you intend the second rule to do? Keep state on the first rule does most of the required work; and I'd use a dedicated, and much clearer, and more specific, rule to allow traffic from the VPN to the internal net, if required. > pass in log on $vpn_if from any to any keep state > pass out log on $vpn_if from any to any keep state As above. > pass out log on $ext_if proto tcp all modulate state flags S/SA > pass out log on $ext_if proto { udp, icmp } all keep state Drop the flags, and write pass out log on $ext_if modulate state you might want to drop log, again. Also, you could do more aggressive egress filtering, but there are also good reasons for not doing that, I'll admit. > Now, regarding issue (1), if I do a "nmap -v -A <my obsd box>" from > another computer, I get this: > > ... > Interesting ports on <my obsd box>: > (The 1663 ports scanned but not shown below are in state: closed) > PORT STATE SERVICE VERSION > 22/tcp open ssh OpenSSH 4.1 (protocol 1.99) > 25/tcp filtered smtp > 135/tcp filtered msrpc > 137/tcp filtered netbios-ns > 138/tcp filtered netbios-dgm > 139/tcp filtered netbios-ssn > 445/tcp filtered microsoft-ds > 593/tcp filtered http-rpc-epmap > 1080/tcp filtered socks > ... > > Why are all those ports (except 22) "filtered" instead of closed? > Does one of my pf rules above implicitly allow those ports to be > filtered? I don't use or run any of those services on this box, so > I'd prefer those ports just be closed. As noted before, this is probably your ISP filtering stuff. Try without pf(4) - you'll likely get the same results. > Now, regarding (2), I'm trying to set up OpenVPN. I've got a mostly > default setup (i.e. followed the openvpn HOWTO almost verbatim). I > can establish the VPN tunnel, but cannot ping the obsd box. > > So, if I do a "tcpdump -n -e -ttt -i pflog0" while trying to ping > the obsd box from the vpn client, I see this: > > Aug 26 21:08:49.371324 rule 4/(match) block in on tun0: \ > 192.168.2.6 > 192.168.2.1: icmp: echo request (DF) > > How can I tell which rule is "rule 4"? > > pfctl -s rules: > > 0 scrub in all fragment reassemble > 1 scrub out on vr0 all max-mss 1452 fragment reassemble > 2 block return log all > 3 pass log quick on lo0 all > 4 block drop in log quick on ! lo0 inet6 from ::1 to any > 5 block drop in log quick on ! lo0 inet from 127.0.0.0/8 to any > 6 block drop in log quick on ! vr1 inet from 192.168.0.0/16 to any > 7 block drop in log quick on vr1 inet6 from fe80::240:63ff:fed9:3f9f \ > 8 to any > 9 block drop in log quick inet from 192.168.1.1 to any > block drop in log quick on ! tun0 inet from 192.168.2.1 to any > block drop in log quick inet from 192.168.2.1 to any > block drop in log quick on vr0 inet from 127.0.0.0/8 to any > block drop in log quick on vr0 inet from 192.168.0.0/16 to any > block drop in log quick on vr0 inet from 172.16.0.0/12 to any > block drop in log quick on vr0 inet from 10.0.0.0/8 to any > block drop out log quick on vr0 inet from any to 127.0.0.0/8 > block drop out log quick on vr0 inet from any to 192.168.0.0/16 > block drop out log quick on vr0 inet from any to 172.16.0.0/12 > block drop out log quick on vr0 inet from any to 10.0.0.0/8 > pass in log on vr0 inet proto tcp from any to (vr0) port = ssh flags \ > S/SA keep state > pass in log on vr0 inet proto udp from any to (vr0) port = 1194 keep \ > state > pass in log on vr0 inet proto tcp from any port = ftp-data to (vr0) > user = 71 flags S/SA keep state > pass in log on vr1 inet from 192.168.0.0/16 to any keep state > pass out log on vr1 inet from any to 192.168.0.0/16 keep state > pass in log on tun0 all keep state > pass out log on tun0 all keep state > pass out log on vr0 proto tcp all flags S/SA modulate state > pass out log on vr0 proto udp all keep state > pass out log on vr0 proto icmp all keep state > > (I added the numbers and line breaks.) So it looks to me like line > 6 is responsible for blocking the ping... but where does that rule > come from in my pf.conf file? Possibly antispoof, as noted before - but I would check your netmask if this is indeed the case. Joachim