Hi all,

I have a box called nagios which does some service checks; the usual form would be:

$ nmap -p <port_service> <target>

This nagios machine is outside of the FW. The main idea is to allow nagios to do these checks. The problem is that the scan results are, randomly, open or filtered, as I show here:

[EMAIL PROTECTED] [/usr/local/home/jespasac] [19:46] # nmap -p 143 xxx.xxx.xxx.xxx
Starting Nmap 4.20 ( http://insecure.org ) at 2008-03-04 19:46 CET
Interesting ports on 212.36.75.80:
PORT    STATE    SERVICE
143/tcp filtered imap
MAC Address: 00:16:3E:33:AA:FD (Xensource)

Nmap finished: 1 IP address (1 host up) scanned in 1.019 seconds
[EMAIL PROTECTED] [/usr/local/home/jespasac] [19:46] # nmap -p 143 xxx.xxx.xxx.xxx
Starting Nmap 4.20 ( http://insecure.org ) at 2008-03-04 19:46 CET
Interesting ports on 212.36.75.80:
PORT    STATE SERVICE
143/tcp open  imap
MAC Address: 00:16:3E:33:AA:FD (Xensource)

My complete pf.conf is:
# 1. Macros
ext_if="em1"
int_if="em0"
bridge="{" $ext_if $int_if "}"
admin_if="em2"
pfsync_if="em3"
oficines="xxx.xxx.xxx.xxx"
nagios="xxx.xxx.xxx.xxx"
umok01="xxx.xxx.xxx.xxx"
umok02="xxx.xxx.xxx.xxx"
troll="xxx.xxx.xxx.xxx"
proxy="xxx.xxx.xxx.xxx"
entrada="xxx.xxx.xxx.xxx"

# 2. Tables
table <http_servers> persist file "/etc/pf_files/http_servers.pf"
table <smtp_servers> persist file "/etc/pf_files/smtp_servers.pf"
table <remote_mail_servers> persist file "/etc/pf_files/remote_mail_servers.pf"
table <mysql_servers> persist file "/etc/pf_files/mysql_servers.pf"
table <postgresql_servers> persist file "/etc/pf_files/postgresql_servers.pf"
table <ssh_servers> persist file "/etc/pf_files/ssh_servers.pf"
table <snmp_servers> persist file "/etc/pf_files/snmp_servers.pf"
table <dns_servers> persist file "/etc/pf_files/dns_servers.pf"
table <ftp_servers> persist file "/etc/pf_files/ftp_servers.pf"
table <bacula_clients> persist file "/etc/pf_files/bacula_clients.pf"
table <munin_clients> persist file "/etc/pf_files/munin_clients.pf"

# brutes tables
table <ssh_brutes> persist
table <mysql_brutes> persist
table <http_brutes> persist
table <dns_brutes> persist

# 3. Options
set skip on lo
set skip on em2
set skip on em3
set fingerprints "/etc/pf.os"
set optimization aggressive

# 4. Scrub traffic
scrub in all
no scrub in from $nagios

# 5. QUEUEING
# Not used.
# 6. TRANSLATION
# Not used.

# 7. FILTER RULES
# antispoof
antispoof quick for lo

# allow ping/tracert tools
pass in inet proto icmp from any to any

# permit all outbound traffic
pass out quick

# turning away the brutes
block quick from <ssh_brutes>
block quick from <mysql_brutes>
block quick from <http_brutes>
block quick from <dns_brutes>

# allow without restrictions
pass quick on $bridge inet proto { tcp, udp } from { $oficines $troll $entrada $proxy $nagios } to any

# permit communication between UltraMonkeys
pass quick on $bridge inet proto { tcp, udp } from $umok02 to $umok01 allow-opts

# www with brute control method
pass quick on $bridge inet proto tcp from any to <http_servers> port { 80, 8080, 443 } keep state \
        (max-src-conn 200, max-src-conn-rate 15/1, \
        overload <http_brutes> flush global)
# smtp
pass quick on $bridge inet proto tcp from any to <smtp_servers> port { 25, 578 }

# pop3, pop3s, imap4, imap4s
pass quick on $bridge inet proto tcp from any to <remote_mail_servers> port { 110, 143, 993, 995 } allow-opts

# DNS
pass quick on $bridge inet proto { tcp, udp } from any to <dns_servers> port 53

# FTP passive
anchor "ftpsesame/*" in on $bridge proto tcp from any to <ftp_servers>
anchor "ftpsesame/*" out on $bridge proto tcp from any to <ftp_servers>

# FTP active
anchor "ftpsesame/*" in on $bridge proto tcp from <ftp_servers> to any
anchor "ftpsesame/*" out on $bridge proto tcp from <ftp_servers> to any
pass in on $bridge inet proto tcp from any to <ftp_servers> port 21

# mysql with brutes control
pass quick on $bridge inet proto tcp from any to <mysql_servers> port 3306 keep state \
        (max-src-conn 25, max-src-conn-rate 10/5, \
        overload <mysql_brutes> flush global)

# PostgreSQL
pass quick on $bridge inet proto tcp from any to <postgresql_servers> port 5432

# SSH
pass quick on $bridge inet proto tcp from any to <ssh_servers> port 22 keep state \
        (max-src-conn 10, max-src-conn-rate 3/1, \
        overload <ssh_brutes> flush global)

# SNMP
pass quick on $bridge inet proto udp from $nagios to <snmp_servers> port 161><163
pass quick on $bridge inet proto { tcp, udp } from $nagios to <snmp_servers> port 199

# Bacula-clients
pass quick on $bridge inet proto tcp from any to <bacula_clients> port { 9101, 9102, 9103 }

# munin-clients
pass quick on $bridge inet proto { tcp, udp } to <munin_clients> port 4949

As you can see, I've tried:

* no scrub in from $nagios
* pass quick on $bridge inet proto { tcp, udp } from { $oficines $troll $entrada $proxy $nagios } to any
* pass quick on $bridge inet proto tcp from any to <remote_mail_servers> port { 110, 143, 993, 995 } allow-opts

But none of these seems to work as I expect. On the other hand, if I disable pf, the nmap scan output is always:

Nmap finished: 1 IP address (1 host up) scanned in 1.019 seconds
[EMAIL PROTECTED] [/usr/local/home/jespasac] [19:46] # nmap -p 143 xxx.xxx.xxx.xxx
Starting Nmap 4.20 ( http://insecure.org ) at 2008-03-04 19:46 CET
Interesting ports on 212.36.75.80:
PORT    STATE SERVICE
143/tcp open  imap
MAC Address: 00:16:3E:33:AA:FD (Xensource)

Why is the nmap output randomly open or filtered when pf is enabled?

I understand (according to this message from Henning: http://www.monkey.org/openbsd/archive/misc/0204/msg00510.html) that I'm using the correct settings.

More info:

$ uname -a
OpenBSD ares.cdmon.com 4.2 GENERIC#0 amd64

--
Thanks,
Jordi Espasa Clofent
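To quantify the intermittent result described above rather than eyeballing single runs, here is an added helper (not part of the original post): it repeats the same single-port probe the nagios box runs and tallies the STATE column across runs, so the open/filtered ratio with pf enabled can be compared against the ratio with pf disabled. The host, port and run count are assumed arguments; the embedded sample output is constructed, not a real capture.

```shell
#!/bin/sh
# Added example, not from the original post. Tallies nmap's STATE column
# over several runs of "nmap -p PORT HOST" so an intermittent "filtered"
# result can be measured as a ratio instead of observed by chance.

# Constructed sample: three nmap runs concatenated, in the normal output
# format shown in the post (header line plus one port line per run).
SAMPLE='PORT    STATE    SERVICE
143/tcp filtered imap
PORT    STATE SERVICE
143/tcp open  imap
PORT    STATE SERVICE
143/tcp open  imap'

# tally_states PORT: read nmap output on stdin and print a one-line summary
# of how many runs reported the port open, filtered or closed.
tally_states() {
    port="$1"
    awk -v p="$port/tcp" '
        $1 == p { n[$2]++ }
        END { printf "open=%d filtered=%d closed=%d\n",
                     n["open"], n["filtered"], n["closed"] }'
}

# run_checks HOST PORT RUNS: repeat the nagios-style probe RUNS times, one
# second apart, and feed every run into tally_states. Requires nmap.
run_checks() {
    host="$1"; port="$2"; runs="$3"; i=0
    while [ "$i" -lt "$runs" ]; do
        nmap -p "$port" "$host" 2>/dev/null
        i=$((i + 1))
        sleep 1
    done | tally_states "$port"
}

# With three arguments, probe the real host; otherwise summarise the sample.
if [ "$#" -eq 3 ]; then
    run_checks "$1" "$2" "$3"
else
    printf '%s\n' "$SAMPLE" | tally_states 143
fi
```

Run it once with pf enabled and once with pf disabled from the nagios box; if the two summaries differ, the bridge rules are the place to keep looking.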
