(please see my in-line comments)

On Fri, Nov 12, 2010 at 12:09 PM, Kenneth Gober <kgo...@gmail.com> wrote:
> is it this?
>># redirect external ssh traffic from ?????
>>pass in log on $ext_if inet proto tcp to ($ext_if) port ?????\
>>       rdr-to 127.0.0.1 port 22
> to me, that rule looks like it will accept any inbound traffic on the
> external interface and redirect it to 127.0.0.1:22.  but I don't know what
> the question marks do; I've never seen them used in a pf rule before.  my
> guess is, if pf accepts them at all, it treats them as a wildcard.
> -ken

The ????? marks are just replacements for the actual port number. This
rule should forward outside traffic from port ????? to the SSH server,
but I think you are probably on the right track. I really don't
understand the new rdr-to and match nat-to rules as well as the older
pre-4.6 syntax.

However, if I comment that rule out, an nmap still shows a bunch of open
ports. If I try manually connecting to one of the ports that are
listed as open by nmap I get a "Could not open connection to the host,
on port 7800: Connect failed". Is it possible that nmap is just full
of crap?

> On Fri, Nov 12, 2010 at 3:41 PM, woolsherpahat <woolsherpa...@gmail.com>
> wrote:
>>
>> Hello @misc!
>>
>> I have a lovely little Soekris 4501 running OpenBSD 4.7 (Release).
>> However, I get some strange results if I run a nmap scan on it from
>> work. I get hundreds of ports listed as open. Now it's likely that I
>> have mis-configured my firewall but I can't see exactly where.
>> Hopefully someone here on @misc can hit me with the clue stick.
>>
>> $ext_if (sis0) is my external facing interface. $int_if and $apple_if
>> (sis1 and sis2, respectively) are my internal subnets. The Soekris is
>> obviously doing NAT for all my internal subnets -- NAT works, as do
>> the restrictions on sis1 and sis2 from being able to send traffic to
>> sis0's subnet. Now unless I am terribly mistaken the 'block in log'
>> should by default block any inbound packets on any interface unless
>> there is a subsequent rule that matches that packet, as the packet will
>> do whatever the last matching rule told it to. So all inbound traffic
>> will either A) be blocked or B) match an "exception" later on in the
>> ruleset, right? So how come a scan from the "outside" reveals hundreds
>> of unfiltered ports?
>>
>> Advice would be much welcome.
>> Thank you!
>>
>>
>>
>> /etc/pf.conf:
>>
>> # macros
>> ext_if="sis0"
>> int_if="sis1"
>> apple_if="sis2"
>> wifi_if="ral0"
>>
>> table <bogons> persist file "/etc/bogon-bn-agg.txt"
>>
>> # options
>> set require-order yes
>> set block-policy drop
>> set optimization normal
>> set skip on lo0
>>
>>
>>
>> # flag packets from all internal interfaces for NAT
>> match out on $ext_if inet from !($ext_if:network) to any nat-to ($ext_if:0)
>>
>> # policy: default deny on all inbound traffic on all interfaces
>> block in log
>>
>> # immediately pass out traffic on external interface, modulate state to make
>> # ISNs (initial sequence numbers) harder to guess
>> pass out quick on $ext_if proto tcp modulate state
>>
>> # policy: default allow on all outbound traffic on all interfaces
>> pass out
>>
>> # antispoofing for internal interfaces
>> antispoof quick for { $int_if $apple_if $wifi_if }
>>
>> # ingress/egress bogon filtering
>> block in quick log on $ext_if from <bogons>
>> block out quick log on $ext_if from <bogons>
>>
>> # allow internal traffic in, except from untrusted --> trusted
>> pass in on $int_if from $int_if:network
>> pass in on $apple_if from $apple_if:network to !$int_if:network
>> pass in on $wifi_if from $wifi_if:network to !$int_if:network
>>
>> # allow ssh traffic on trusted interface
>> pass in log on $int_if inet proto tcp from $int_if:network to $int_if port 22
>>
>> # redirect external ssh traffic from ?????
>> pass in log on $ext_if inet proto tcp to ($ext_if) port ?????\
>>        rdr-to 127.0.0.1 port 22

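The question in this thread turns on two things: how pf picks a verdict (the last matching rule wins, unless a matching rule says `quick`, which stops evaluation on the spot), and what an nmap SYN scan can conclude from the reply it gets (SYN/ACK means open, RST means closed, silence means filtered; with `set block-policy drop` a blocked probe gets silence). The following is an added example, not code from this thread or from OpenBSD's pf: a small Python model that walks the thread's filter rules with exactly those semantics and then maps the verdict to the scan state a SYN scan would report. Every subnet, the bogon entries, the source addresses and the port 2222 standing in for the `?????` placeholder are constructed assumptions; the NAT `match` rule is left out because it sets no pass/block verdict.

```python
"""Toy model of pf rule evaluation for the ruleset discussed in this thread.

pf walks the ruleset top to bottom; the LAST matching rule decides, except
that a matching rule marked 'quick' ends evaluation immediately. This is an
added illustration, not pf itself: only the fields the thread's rules use
(direction, interface, proto, source network, destination port, 'to !net'
exclusion, quick, rdr-to) are modelled, and all addresses are constructed.
The ????? port from the original mail is stood in for by SSH_RDR_PORT.
"""

import ipaddress

# Constructed interface subnets (documentation/private ranges only).
IFACES = {
    "sis0": ipaddress.ip_network("203.0.113.0/24"),  # $ext_if
    "sis1": ipaddress.ip_network("192.168.1.0/24"),  # $int_if
    "sis2": ipaddress.ip_network("192.168.2.0/24"),  # $apple_if
}
# Constructed stand-in for the <bogons> table.
BOGONS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("0.0.0.0/8")]
SSH_RDR_PORT = 2222        # constructed placeholder for the ????? in the thread
BLOCK_POLICY = "drop"      # 'set block-policy drop' from the thread's pf.conf


def rule(action, direction, iface=None, proto=None, src=None,
         dst_not=None, dport=None, quick=False, rdr=None):
    """One pf rule; None means 'any' for that field."""
    return {"action": action, "dir": direction, "iface": iface, "proto": proto,
            "src": src, "dst_not": dst_not, "dport": dport, "quick": quick, "rdr": rdr}


# The thread's filter rules, in the order they appear in pf.conf.
RULES = [
    rule("block", "in"),                                          # block in log
    rule("pass", "out", iface="sis0", proto="tcp", quick=True),   # pass out quick on $ext_if proto tcp
    rule("pass", "out"),                                          # pass out
    rule("block", "in", iface="sis0", src=BOGONS, quick=True),    # block in quick on $ext_if from <bogons>
    rule("block", "out", iface="sis0", src=BOGONS, quick=True),   # block out quick on $ext_if from <bogons>
    rule("pass", "in", iface="sis1", src=[IFACES["sis1"]]),       # pass in on $int_if from $int_if:network
    rule("pass", "in", iface="sis2", src=[IFACES["sis2"]],
         dst_not=[IFACES["sis1"]]),                               # pass in on $apple_if ... to !$int_if:network
    rule("pass", "in", iface="sis1", proto="tcp", src=[IFACES["sis1"]],
         dport=22),                                               # ssh on the trusted interface
    rule("pass", "in", iface="sis0", proto="tcp", dport=SSH_RDR_PORT,
         rdr=("127.0.0.1", 22)),                                  # external ssh redirect (rdr-to)
]


def matches(r, pkt):
    """True if every field the rule constrains agrees with the packet."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    if r["dir"] != pkt["dir"]:
        return False
    if r["iface"] is not None and r["iface"] != pkt["iface"]:
        return False
    if r["proto"] is not None and r["proto"] != pkt["proto"]:
        return False
    if r["src"] is not None and not any(src in n for n in r["src"]):
        return False
    if r["dst_not"] is not None and any(dst in n for n in r["dst_not"]):
        return False
    if r["dport"] is not None and r["dport"] != pkt["dport"]:
        return False
    return True


def evaluate(pkt):
    """Return (verdict, index of deciding rule, rdr target) with
    last-match-wins semantics; a matching 'quick' rule ends the walk."""
    verdict, winner, rdr = "pass", None, None   # pf's implicit default is pass
    for i, r in enumerate(RULES):
        if matches(r, pkt):
            verdict, winner, rdr = r["action"], i, r["rdr"]
            if r["quick"]:
                break
    return verdict, winner, rdr


def syn_scan_state(pkt, listening):
    """State an nmap SYN scan would report for this probe: a blocked probe
    gets no reply under block-policy drop (filtered) or a RST under
    block-policy return (closed); a passed probe is open only if something
    actually answers with SYN/ACK, otherwise the kernel sends RST (closed)."""
    verdict, _, _ = evaluate(pkt)
    if verdict == "block":
        return "closed" if BLOCK_POLICY == "return" else "filtered"
    return "open" if listening else "closed"


def packet(direction, iface, proto, src, dst, dport=None):
    return {"dir": direction, "iface": iface, "proto": proto,
            "src": src, "dst": dst, "dport": dport}


if __name__ == "__main__":
    # Constructed probe to port 7800, one of the ports the thread's scan reported.
    probe = packet("in", "sis0", "tcp", "198.51.100.7", "203.0.113.5", 7800)
    print(evaluate(probe), syn_scan_state(probe, listening=False))
```

With the ruleset as posted, an external TCP probe to any port other than the redirected one is decided by the first `block in` and, under `block-policy drop`, is simply not answered, so a SYN scan reports it as filtered rather than open; an "open" result requires a SYN/ACK to come back from somewhere, which is the check worth making when the scanner and the firewall disagree. The model also shows why a bogon-sourced packet never reaches the `rdr-to` rule: the `quick` block ends evaluation before it.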