Here is a copy of my current pf.conf ruleset. I would like to log two
different things. I would like to log external connections to tcp port
22 (SSH), and I would like to log the tcp/udp packets that are blocked
coming from the internal network going outbound (the connections going
outbound that aren't specified in tcp_ports or udp_ports, things on
unusual ports like if there is a virus or something trying to go
outbound).
---------------------------------------------------------------------------------
######################
# Macros
######################
ext_if = "fxp0"
int_if = "sis0"
unfiltered = "{ lo0, sis0 }"
network = "10.10.0.0/16"
nat_protocols = "{ icmp, tcp, udp }"
proto_options = "modulate state"
tcpsrv_options = "flags S/SA"
icmp_types = "{ 8, 10, 13, 15, 17 }"
tcp_services = "{ 22 }"
tcp_ports = "{ 21, 22, 25, 53, 80, 110, 443, 5190, 5999 }"
udp_ports = "{ 53, 67, 123 }"
######################
# Tables
######################
table <unroutable> { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, \
169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, \
255.255.255.255 }
######################
# Options
######################
set loginterface $ext_if
set limit { frags 500, states 10000 }
set optimization aggressive
set block-policy drop
######################
# Packet Normalization
######################
scrub in on $ext_if all
scrub out on $ext_if all random-id
######################
# Packet Queueing
######################
######################
# Packet Redirection
######################
# Rules for internal interfaces
######################
no nat on $unfiltered inet proto $nat_protocols from any to any
no rdr on $unfiltered inet proto $nat_protocols from any to any
# Rules for external interface
# nat private network to single routable address
nat on $ext_if inet proto $nat_protocols from $network to any -> ($ext_if)
# ftp-proxy redirection
rdr on $int_if inet proto tcp from $network to any port 21 ->
127.0.0.1 port 8021
######################
# Packet Filtering
######################
# Rules for internal interfaces
######################
# pass on unfiltered interfaces
pass quick on $unfiltered
# silently drop TCP non-SYN packets, the remaining ruleset only deals with
# TCP SYNs, which always create state when passed. the ruleset basically
# deals with 'connections', not packets, beyond this point.
block return-rst quick inet proto tcp all flags /S
block return-rst quick inet proto tcp all flags A/A
# block everything by default
block in all
block out log all
# Rules for external interface
######################
# silently drop broadcasts
block in quick on $ext_if inet from any to { 255.255.255.255 }
# block incoming packets from reserved address space and invalid
# addresses, they are either spoofed or misconfigured, we can't reply to
# them anyway (hence, no return-rst).
block in quick on $ext_if inet from <unroutable> to any
# block outgoing packets that don't have my address as source, they are
# either spoofed or something is misconfigured (NAT disabled, for instance),
# we want to be nice and not send out garbage.
block out quick on $ext_if inet from !$ext_if to any
# ICMP
# internal hosts can send icmp queries and accept echo replies to
# external hosts
pass out on $ext_if inet proto icmp from $ext_if to any \
icmp-type $icmp_types $proto_options
# UDP
pass out on $ext_if inet proto udp from $ext_if to any \
port $udp_ports $proto_options
# TCP
# log external connections to ssh
pass in log on $ext_if inet proto tcp from any to $ext_if \
port $tcp_services $tcpsrv_options $proto_options
# external FTP servers (on port 20) to respond to the proxy's
# active ftp requests
pass in on $ext_if inet proto tcp from any to $ext_if \
port 55000 >< 57000 user proxy $tcpsrv_options $proto_options
# allow firewall to contact ftp server on behalf of passive ftp
# clients on standard unprivileged port ( > 1024 )
pass out on $ext_if inet proto tcp from $ext_if to any \
port > 1023 $tcpsrv_options $proto_options
# allow these services outbound
pass out on $ext_if inet proto tcp from $ext_if to any \
port $tcp_ports $tcpsrv_options $proto_options
---------------------------------------------------------------------------------
Let me know how I can do what I want. Thanks for any help.
Phusion
On Fri, 12 Nov 2004 14:31:36 -0600, Kevin <[EMAIL PROTECTED]> wrote:
> On Fri, 12 Nov 2004 10:31:13 -0600, Phusion <[EMAIL PROTECTED]> wrote:
>
>
> > I have a question about logging certain packets. On my internal
> > network I allow the following traffic outbound: tcp
> > 21,22,25,53,80,110,443,5999 and udp 53,67,123. I was wondering how I
> > can log all the blocked outbound traffic like to tcp and udp port
> > 1214, 4662, and the rest. I'm having a problem because when I tried
> > AOL Instant Messenger, it should have been blocked, logged and not
> > been able to connect because it makes an outbound connection to tcp
> > port 5190 which isn't allowed, but it still works. This is what I have
> > right now in my config files.
>
> Can you send your complete unexpurgated "pf.conf" file?
>
>
>
> >
> > /etc/inetd.conf
> > 127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy
> > ftp-proxy -n -u proxy -m 55000 -M 57000 -t 180
> >
> > /etc/pf.conf
> > tcp_ports = "{ 21, 22, 25, 53, 80, 110, 443, 5999 }"
> >
> > block in all
> > block out log all
> >
> > # for FTP
> > pass in on $ext_if inet proto tcp from any to $ext_if \
> > port 55000 >< 57000 user proxy $tcpsrv_options $proto_options
> >
> > for FTP
> > pass out on $ext_if inet proto tcp from $ext_if to any \
> > port > 1023 $tcpsrv_options $proto_options
> >
> > pass out on $ext_if inet proto tcp from $ext_if to any \
> > port $tcp_ports $tcpsrv_options $proto_options
> >
> > Let me know how I can log the outbound traffic that is blocked. Thanks.
> >
>
