On Sat, Aug 26, 2006 at 09:57:31PM -0500, [EMAIL PROTECTED] wrote:
> For some reason, I'm not "getting it" when it comes to pf... Two
> things I can't figure out: (1) filtered vs blocked for some TCP
> ports and (2) rules for tun0, my vpn interface.
>
> First, my /etc/pf.conf:
>
> int_if = "vr1"
> ext_if = "vr0"
> vpn_if = "tun0"
> tcp_services = "{ 22 }"
> udp_services = "{ 1194 }"
> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
> set block-policy return
> set loginterface $ext_if
> scrub in all
> scrub out on $ext_if all max-mss 1452
> nat on $ext_if from $int_if:network to any -> ($ext_if)
> #nat on $ext_if from $vpn_if:network to any -> ($ext_if)
> block log all
> pass quick log on lo0 all
Do you *really* want to log this?
> #pass quick on { lo, $int_if, $vpn_if }
> antispoof quick log for { lo0 $int_if $vpn_if }
See below.
> block drop in quick log on $ext_if from $priv_nets to any
> block drop out quick log on $ext_if from any to $priv_nets
> pass in log on $ext_if inet proto tcp from any to ($ext_if) \
> port $tcp_services flags S/SA keep state
Again, do you want to log here?
Also, the flags directive is redundant with scrub, unless I am mistaken.
> pass in log on $ext_if inet proto udp from any to ($ext_if) \
> port $udp_services keep state
> pass in log on $ext_if inet proto tcp from port 20 to ($ext_if) \
> user proxy flags S/SA keep state
This will break on FTP servers that do not connect from port 20, but
okay.
> pass in log on $int_if from $int_if:network to any keep state
> pass out log on $int_if from any to $int_if:network keep state
Again, no need to log.
Also, what do you intend the second rule to do? Keep state on the first
rule does most of the required work; and I'd use a dedicated, and much
clearer, and more specific, rule to allow traffic from the VPN to the
internal net, if required.
> pass in log on $vpn_if from any to any keep state
> pass out log on $vpn_if from any to any keep state
As above.
> pass out log on $ext_if proto tcp all modulate state flags S/SA
> pass out log on $ext_if proto { udp, icmp } all keep state
Drop the flags, and write
pass out log on $ext_if modulate state
You might want to drop log, again.
Also, you could do more aggressive egress filtering, but there are also
good reasons for not doing that, I'll admit.
> Now, regarding issue (1), if I do a "nmap -v -A <my obsd box>" from
> another computer, I get this:
>
> ...
> Interesting ports on <my obsd box>:
> (The 1663 ports scanned but not shown below are in state: closed)
> PORT STATE SERVICE VERSION
> 22/tcp open ssh OpenSSH 4.1 (protocol 1.99)
> 25/tcp filtered smtp
> 135/tcp filtered msrpc
> 137/tcp filtered netbios-ns
> 138/tcp filtered netbios-dgm
> 139/tcp filtered netbios-ssn
> 445/tcp filtered microsoft-ds
> 593/tcp filtered http-rpc-epmap
> 1080/tcp filtered socks
> ...
>
> Why are all those ports (except 22) "filtered" instead of closed?
> Does one of my pf rules above implicitly allow those ports to be
> filtered? I don't use or run any of those services on this box, so
> I'd prefer those ports just be closed.
As noted before, this is probably your ISP filtering stuff. Try without
pf(4) - you'll likely get the same results.
> Now, regarding (2), I'm trying to set up OpenVPN. I've got a mostly
> default setup (i.e. followed the openvpn HOWTO almost verbatim). I
> can establish the VPN tunnel, but cannot ping the obsd box.
>
> So, if I do a "tcpdump -n -e -ttt -i pflog0" while trying to ping
> the obsd box from the vpn client, I see this:
>
> Aug 26 21:08:49.371324 rule 4/(match) block in on tun0: \
> 192.168.2.6 > 192.168.2.1: icmp: echo request (DF)
>
> How can I tell which rule is "rule 4"?
>
> pfctl -s rules:
>
> 0 scrub in all fragment reassemble
> 1 scrub out on vr0 all max-mss 1452 fragment reassemble
> 2 block return log all
> 3 pass log quick on lo0 all
> 4 block drop in log quick on ! lo0 inet6 from ::1 to any
> 5 block drop in log quick on ! lo0 inet from 127.0.0.0/8 to any
> 6 block drop in log quick on ! vr1 inet from 192.168.0.0/16 to any
> 7 block drop in log quick on vr1 inet6 from fe80::240:63ff:fed9:3f9f \
> 8 to any
> 9 block drop in log quick inet from 192.168.1.1 to any
> block drop in log quick on ! tun0 inet from 192.168.2.1 to any
> block drop in log quick inet from 192.168.2.1 to any
> block drop in log quick on vr0 inet from 127.0.0.0/8 to any
> block drop in log quick on vr0 inet from 192.168.0.0/16 to any
> block drop in log quick on vr0 inet from 172.16.0.0/12 to any
> block drop in log quick on vr0 inet from 10.0.0.0/8 to any
> block drop out log quick on vr0 inet from any to 127.0.0.0/8
> block drop out log quick on vr0 inet from any to 192.168.0.0/16
> block drop out log quick on vr0 inet from any to 172.16.0.0/12
> block drop out log quick on vr0 inet from any to 10.0.0.0/8
> pass in log on vr0 inet proto tcp from any to (vr0) port = ssh flags \
> S/SA keep state
> pass in log on vr0 inet proto udp from any to (vr0) port = 1194 keep \
> state
> pass in log on vr0 inet proto tcp from any port = ftp-data to (vr0)
> user = 71 flags S/SA keep state
> pass in log on vr1 inet from 192.168.0.0/16 to any keep state
> pass out log on vr1 inet from any to 192.168.0.0/16 keep state
> pass in log on tun0 all keep state
> pass out log on tun0 all keep state
> pass out log on vr0 proto tcp all flags S/SA modulate state
> pass out log on vr0 proto udp all keep state
> pass out log on vr0 proto icmp all keep state
>
> (I added the numbers and line breaks.) So it looks to me like line
> 6 is responsible for blocking the ping... but where does that rule
> come from in my pf.conf file?
Possibly antispoof, as noted before - but I would check your netmask if
this is indeed the case.
Joachim
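Two points in the thread lend themselves to a worked example: the question "how can I tell which rule is rule 4?" and Joachim's hint to check the netmask behind the antispoof rule. The Python below is an added example, not code from the thread or from OpenBSD. It assumes that the rule number reported in pflog is the index of the matching rule in the filter ruleset (scrub and nat rules are numbered on their own), that `pfctl -vvsr` prints each filter rule with an `@<n>` prefix, and that `antispoof for <if>` expands to a `block drop in quick on ! <if> from <net> to any` rule per interface network (a simplified model; the loopback and own-address rules are left out). The `pfctl` output and the pflog line are constructed to mirror the ruleset quoted above, not captured.

```python
"""Added example (not part of the thread): map a pflog rule number back to the
pf rule text, and model why an over-wide $int_if netmask makes the antispoof
rule for vr1 block VPN traffic arriving on tun0."""
import ipaddress
import re

# Constructed sample of `pfctl -vvsr` output (filter rules only, abridged to
# the rules relevant here; counters printed by -vv are omitted).
PFCTL_VVSR = """\
@0 block return log all
@1 pass log quick on lo0 all
@2 block drop in log quick on ! lo0 inet6 from ::1 to any
@3 block drop in log quick on ! lo0 inet from 127.0.0.0/8 to any
@4 block drop in log quick on ! vr1 inet from 192.168.0.0/16 to any
@5 block drop in log quick on vr1 inet6 from fe80::240:63ff:fed9:3f9f to any
@6 block drop in log quick inet from 192.168.1.1 to any
@7 block drop in log quick on ! tun0 inet from 192.168.2.1 to any
@8 block drop in log quick inet from 192.168.2.1 to any
"""

# Constructed pflog line in the `tcpdump -n -e -ttt -i pflog0` format from the thread.
PFLOG_LINE = ("Aug 26 21:08:49.371324 rule 4/(match) block in on tun0: "
              "192.168.2.6 > 192.168.2.1: icmp: echo request (DF)")

RULE_RE = re.compile(r"^@(\d+)\s+(.*)$")
PFLOG_RE = re.compile(r"rule (\d+)/\(\w+\) (\w+) (in|out) on (\S+): (\S+) > (\S+)")


def parse_pfctl_rules(text):
    """Return {rule_number: rule_text} from `pfctl -vvsr` style output.
    Lines without a leading '@n' (e.g. per-rule counters) are skipped."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules[int(m.group(1))] = m.group(2)
    return rules


def parse_pflog_line(line):
    """Extract rule number, action, direction, interface, src and dst from a pflog line."""
    m = PFLOG_RE.search(line)
    if not m:
        raise ValueError("not a pflog line: %r" % line)
    num, action, direction, iface, src, dst = m.groups()
    return {"rule": int(num), "action": action, "dir": direction,
            "iface": iface, "src": src.rstrip(":"), "dst": dst.rstrip(":")}


def explain_block(pflog_line, pfctl_text):
    """Join a pflog event to the text of the filter rule that produced it."""
    ev = parse_pflog_line(pflog_line)
    rules = parse_pfctl_rules(pfctl_text)
    ev["rule_text"] = rules.get(ev["rule"], "<rule number not in ruleset>")
    return ev


def antispoof_blocks(iface_nets, pkt_iface, src):
    """Simplified model of `antispoof for <iface>`: each interface network
    yields 'block drop in quick on ! <iface> from <net> to any'. Returns the
    interface whose antispoof rule catches a packet with source `src` arriving
    on `pkt_iface`, or None if no such rule matches."""
    addr = ipaddress.ip_address(src)
    for iface, net in iface_nets.items():
        if iface != pkt_iface and addr in ipaddress.ip_network(net):
            return iface
    return None


if __name__ == "__main__":
    ev = explain_block(PFLOG_LINE, PFCTL_VVSR)
    print("rule %d -> %s" % (ev["rule"], ev["rule_text"]))
    # vr1 on 192.168.0.0/16 also covers the VPN client 192.168.2.6 coming in on tun0
    print(antispoof_blocks({"vr1": "192.168.0.0/16", "tun0": "192.168.2.1/32"},
                           "tun0", "192.168.2.6"))
    # with vr1 narrowed to /24 the same packet is no longer treated as spoofed
    print(antispoof_blocks({"vr1": "192.168.1.0/24", "tun0": "192.168.2.1/32"},
                           "tun0", "192.168.2.6"))
```

On a live box the equivalent is `pfctl -vvsr` to read the `@n` numbers and `tcpdump -n -e -ttt -i pflog0` for the events; the model function makes the netmask point explicit: as long as `vr1` carries a /16, `$int_if:network` covers the whole 192.168.0.0/16 including the tun0 client addresses, so the antispoof rule for `vr1` drops them the moment they arrive on any other interface.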