Re: About pf Rule ( pf.conf

2024-08-07 Thread WATANABE Takeo
Hi, kolipe-SAN.

on Sun, 04 Aug 2024 18:28:09 -0300
Crystal Kolipe  wrote: 

> On Mon, Aug 05, 2024 at 12:36:18AM +0900, WATANABE Takeo wrote:
>> Dear Sirs,
>> 
>> Would you be willing to discuss how to write pf.conf?
>> 
>> I'm using OpenBSD 7.5 AMD.
>> I want to limit the packets going in and out as follows
>> 
>> 1. reject in principle : block all
>> 2. when rejecting packets, do not log them.
>> 3. there is only one interface (vio0) that goes in and out of the host.
>> Take necessary logs on this interface.
>> 4. do nothing on the local loopback (lo0) interface.
>> 5. reject anti-spoofing packets on vio0.
>> 6. Allow the following protocols to pass.
>>TCP ( http, https, domain, smtp, smtps, msa, imaps, 1522 )
>>* Port 1522 is SSH.
>> 
>>UDP ( domain, ntp )
>> 
>> I've written these rules (pf.conf) in my own way
>> I am having trouble because all packets are blocked.
> 
> Are you using IPv6?
> 
> If so, you will need to pass icmp6 so that NDP works correctly.

IPv6 is being used.
As you say, we configured icmp6 to pass both input and output in pf.conf, and 
most of the packets (TCP, UDP) that were blocked are now allowed to pass. I am 
still verifying this, but I am now closer to what I wanted to do.

Thank you very much for your help.

Sincerely yours,

---
WATANABE, Takeo
t...@kasaneiro.jp



Re: About pf Rule ( pf.conf

2024-08-06 Thread WATANABE Takeo
Hi.

on Mon, 5 Aug 2024 12:34:18 +0200
Marko Cupać  wrote: 

> Having only one network interface, I assume this firewall protects
> machine it resides on (a server), not network behind it (a router /
> firewall), which rules out the need for net.inet.ip.forwarding sysctl.

I see.

A lot of the material out there includes talk of nat/napt and
I don't think there was any mention of how to protect one host.
I will take into account what you taught me in the email you sent me and try to 
re-configure it.


> My general rule of thumb is to log all blocked packets, at least
> until I get functionality I want. I have busy firewalls which block and
> log ~300 packets per second, pf handles it really well.
> 
> Try something like:
> 
> (temporarily remove `antispoof quick` until rest works, keep it above)
> block log all
> pass in  on vio0 (what you want to pass to the server)
> pass out on vio0 (what you want the server to be able to reach)
> 
> Check with `pfctl -(vv)sr` if loaded ruleset corresponds to what you
> intend.
> 
> Check `tcpdump -neqtttr /var/log/pflog` for history of blocked packets
> and `tcpdump -neqttti pflog0` for real-time log.

We will reply to you with the results,
together with replies to other users.
Thank you very much.

Best regards,

---
WATANABE, Takeo
t...@kasaneiro.jp



Re: About pf Rule ( pf.conf

2024-08-05 Thread Souji Thenria

On Mon Aug 5, 2024 at 8:24 PM BST, Mike Fischer wrote:

>> On 05.08.2024 at 20:22, WATANABE Takeo wrote:
>> 
>> Hi, Souji-SAN.
>> 
>> Thank you so much for your advice.
>> We will reply to you in due course.
>> 
>> 
>> on Sun, 04 Aug 2024 19:56:38 +0100
>> "Souji Thenria"  wrote: 
>> 
>>> On Sun Aug 4, 2024 at 4:36 PM BST, WATANABE Takeo wrote:
>>>> I am having trouble because all packets are blocked.
>>>> Please see below for a description of the problem.
>>>> I would appreciate it if you could point out any problems.
>>> 
>>> The config looks ok so far; I don't see any problems.
>>> 
>>> Can you run 'pfctl -s rules' and send the command output?
>>> You can also run 'tcpdump' on the interface. Can you see incoming or
>>> outgoing packets for your specified ports?
>> 
>> We are sending you the results of the "pfctl -s rules" run,
>> the results of the "pfctl -vnf /etc/pf.conf" run
>> and the original "pf.conf" as attachments, just in case.
>> 
>> The results of "pfctl -s rules" were difficult for me to understand,
>> I am ashamed to say. As an example of what I understood,
>> I also send you the result of "pfctl -vnf /etc/pf.conf".
>> 
>> I found the result of "tcpdump -n -e -ttt -r /var/log/pflogd" to be
>> mostly DNS packets (IN/OUT).
>> # This host is an authoritative DNS server, so I think it is natural.
>> 
>> Is it possible to understand the situation with these results?
>> We look forward to your reply.
>> 
>> Best regards,
>> 
>> ---
>> WATANABE, Takeo
>> t...@kasaneiro.jp
> 
> Your config, the result of `pfctl -vnf /etc/pf.conf` and the result of `pfctl 
> -sr` do not match. Did you actually load your config (`pfctl -f /etc/pf.conf`, 
> i.e. without -n)? -n only checks the config without loading it.


+1 that you probably forgot to reload your config, and I agree with
everything else Mike mentioned below.

I mostly wanted to add that I tried to load the pf.conf file you sent;
it looks like it works. (I did a quick test to see if the HTTP- and
SMTP-server are reachable.)


> The loaded rules as returned by `pfctl -sr` would not allow much of your 
> desired traffic. However they do allow NDP traffic.
> 
> Your vio0 interface seems to have IPv6 and IPv4 addresses. So you probably need 
> to allow NDP traffic and you probably want to allow ICMPv6 echo as well.
> 
> One more debugging tip: Temporarily turn off pf to see if your issues are 
> caused by your pf rules. `pfctl -d`. Then test and turn it back when done 
> testing (`pfctl -e`).
> Note (mainly for other readers): This tip works in your case, but not if NAT or 
> forwarding rules are used.
> 
> PS. Do you have console access to the host? If not there is a good chance that 
> you might shoot yourself in the foot with incorrect rules and lose access to 
> the machine.
> 
> PPS. Your loaded rules allow SSH on port 22. Your desired rules would allow SSH 
> on port 1522. Is your sshd actually listening on these ports? Oh and if you 
> want to access other hosts from your machine that use port 22 using SSH then 
> your new rules are missing an outgoing rule for that. One reason for mostly 
> allowing all outgoing traffic and only dealing with incoming packets in the rules.
> 
> 
> HTH
> Mike


Regards,
Souji

--
Souji Thenria
Website: www.souji-thenria.net




Re: About pf Rule ( pf.conf

2024-08-05 Thread Mike Fischer


> On 05.08.2024 at 20:22, WATANABE Takeo wrote:
> 
> Hi,Souji-SAN.
> 
> Thank you so much for your advice.
> We will reply to you in due course.
> 
> 
> on Sun, 04 Aug 2024 19:56:38 +0100
> "Souji Thenria"  wrote: 
> 
>> On Sun Aug 4, 2024 at 4:36 PM BST, WATANABE Takeo wrote:
>>> I am having trouble because all packets are blocked.
>>> Please see below for a description of the problem.
>>> I would appreciate it if you could point out any problems.
>> 
>> The config looks ok so far; I don't see any problems.
>> 
>> Can you run 'pfctl -s rules' and send the command output?
>> You can also run 'tcpdump' on the interface. Can you see incoming or
>> outgoing packets for your specified ports?
> 
> We are sending you the results of the "pfctl -s rules" run,
> the results of the "pfctl -vnf /etc/pf.conf" run
> and the original "pf.conf" as attachments, just in case.
> 
> The results of "pfctl -s rules" were difficult for me to understand,
> I am ashamed to say. As an example of what I understood,
> I also send you the result of "pfctl -vnf /etc/pf.conf".
> 
> I found the result of "tcpdump -n -e -ttt -r /var/log/pflogd" to be
> mostly DNS packets (IN/OUT).
> # This host is an authoritative DNS server, so I think it is natural.
> 
> Is it possible to understand the situation with these results?
> We look forward to your reply.
> 
> Best regards,
> 
> ---
> WATANABE, Takeo
> t...@kasaneiro.jp
> tcp_services="{ http, https, domain, smtp, smtps, msa, imaps, 1522 }"
> udp_services="{ domain, ntp }"
> 
> set block-policy drop
> set loginterface vio0
> 
> # don't filter on loopback interface
> set skip on lo0
> 
> # set up a default deny policy
> block all
> 
> # Blocking Spoofed Packets
> antispoof quick for vio0
> 
> # Allow packets
> pass log quick on vio0 proto tcp to any port $tcp_services keep state
> pass log quick on vio0 proto udp to any port $udp_services keep state
> 
> # Allow ICMP Packets
> pass quick on vio0 proto icmp to any keep state
> 
> moegi# pfctl -vnf /etc/pf.conf
> tcp_services = "{ http, https, domain, smtp, smtps, msa, imaps, 1522 }"
> udp_services = "{ domain, ntp }"
> set block-policy drop
> set loginterface vio0
> set skip on { lo0 }
> block drop all
> block drop in quick on ! vio0 inet6 from 2001:e42:102:1808::/64 to any
> block drop in quick on vio0 inet6 from fe80::9ea3:baff:fe02:a73 to any
> block drop in quick inet6 from 2001:e42:102:1808:160:16:212:251 to any
> block drop in quick on ! vio0 inet from 160.16.212.0/23 to any
> block drop in quick inet from 160.16.212.251 to any
> pass log quick on vio0 proto tcp from any to any port = 80 flags S/SA
> pass log quick on vio0 proto tcp from any to any port = 443 flags S/SA
> pass log quick on vio0 proto tcp from any to any port = 53 flags S/SA
> pass log quick on vio0 proto tcp from any to any port = 25 flags S/SA
> pass log quick on vio0 proto tcp from any to any port = 465 flags S/SA
> pass log quick on vio0 proto tcp from any to any port = 587 flags S/SA
> pass log quick on vio0 proto tcp from any to any port = 993 flags S/SA
> pass log quick on vio0 proto tcp from any to any port = 1522 flags S/SA
> pass log quick on vio0 proto udp from any to any port = 53
> pass log quick on vio0 proto udp from any to any port = 123
> pass quick on vio0 proto icmp all
> moegi# pfctl -s rules
> block drop all
> pass out inet proto icmp all icmp-type echoreq
> pass out inet proto udp from any port = 68 to any port = 67
> pass out proto tcp from any to any port = 53 flags S/SA
> pass out proto udp from any to any port = 53
> pass out inet6 proto ipv6-icmp all icmp6-type neighbrsol
> pass in proto tcp from any to any port = 22 flags S/SA
> pass in inet proto udp from any port = 67 to any port = 68
> pass on lo0 all flags S/SA
> pass inet6 proto ipv6-icmp all icmp6-type neighbradv no state
> pass out inet6 proto ipv6-icmp all icmp6-type routersol
> pass out inet6 proto udp from any port = 546 to any port = 547
> pass in inet6 proto ipv6-icmp all icmp6-type routeradv
> pass in inet6 proto udp from any port = 547 to any port = 546
> pass in proto carp all keep state (no-sync)
> pass out proto carp all !received-on any keep state (no-sync)
> moegi#

Your config, the result of `pfctl -vnf /etc/pf.conf` and the result of `pfctl 
-sr` do not match. Did you actually load your config (`pfctl -f /etc/pf.conf`, 
i.e. without -n)? -n only checks the config without loading it.

The loaded rules as returned by `pfctl -sr` would not allow much of your 
desired traffic. However they do allow NDP traffic.

Your vio0 interface seems to have IPv6 and IPv4 addresses. So you probably need 
to allow NDP traffic and you probably want to allow ICMPv6 echo as well.

One more debugging tip: Temporarily turn off pf to see if your issues are 
caused by your pf rules. `pfctl -d`. Then test and turn it back when done 
testing (`pfctl -e`).
Note (mainly for other readers): This tip works in your case, but not if NAT or 
forwarding rules are used.

PS. Do you 

Re: About pf Rule ( pf.conf

2024-08-05 Thread WATANABE Takeo
Hi,Souji-SAN.

Thank you so much for your advice.
We will reply to you in due course.


on Sun, 04 Aug 2024 19:56:38 +0100
"Souji Thenria"  wrote: 

> On Sun Aug 4, 2024 at 4:36 PM BST, WATANABE Takeo wrote:
>> I am having trouble because all packets are blocked.
>> Please see below for a description of the problem.
>> I would appreciate it if you could point out any problems.
> 
> The config looks ok so far; I don't see any problems.
> 
> Can you run 'pfctl -s rules' and send the command output?
> You can also run 'tcpdump' on the interface. Can you see incoming or
> outgoing packets for your specified ports?

We are sending you the results of the "pfctl -s rules" run,
the results of the "pfctl -vnf /etc/pf.conf" run
and the original "pf.conf" as attachments, just in case.

The results of "pfctl -s rules" were difficult for me to understand,
I am ashamed to say. As an example of what I understood,
I also send you the result of "pfctl -vnf /etc/pf.conf".

I found the result of "tcpdump -n -e -ttt -r /var/log/pflogd" to be
mostly DNS packets (IN/OUT).
# This host is an authoritative DNS server, so I think it is natural.

Is it possible to understand the situation with these results?
We look forward to your reply.

Best regards,

---
WATANABE, Takeo
t...@kasaneiro.jp
tcp_services="{ http, https, domain, smtp, smtps, msa, imaps, 1522 }"
udp_services="{ domain, ntp }"

set block-policy drop
set loginterface vio0

# don't filter on loopback interface
set skip on lo0

# set up a default deny policy
block all

# Blocking Spoofed Packets
antispoof quick for vio0

# Allow packets
pass log quick on vio0 proto tcp to any port $tcp_services keep state
pass log quick on vio0 proto udp to any port $udp_services keep state

# Allow ICMP Packets
pass quick on vio0 proto icmp to any keep state

moegi# pfctl -vnf /etc/pf.conf
tcp_services = "{ http, https, domain, smtp, smtps, msa, imaps, 1522 }"
udp_services = "{ domain, ntp }"
set block-policy drop
set loginterface vio0
set skip on { lo0 }
block drop all
block drop in quick on ! vio0 inet6 from 2001:e42:102:1808::/64 to any
block drop in quick on vio0 inet6 from fe80::9ea3:baff:fe02:a73 to any
block drop in quick inet6 from 2001:e42:102:1808:160:16:212:251 to any
block drop in quick on ! vio0 inet from 160.16.212.0/23 to any
block drop in quick inet from 160.16.212.251 to any
pass log quick on vio0 proto tcp from any to any port = 80 flags S/SA
pass log quick on vio0 proto tcp from any to any port = 443 flags S/SA
pass log quick on vio0 proto tcp from any to any port = 53 flags S/SA
pass log quick on vio0 proto tcp from any to any port = 25 flags S/SA
pass log quick on vio0 proto tcp from any to any port = 465 flags S/SA
pass log quick on vio0 proto tcp from any to any port = 587 flags S/SA
pass log quick on vio0 proto tcp from any to any port = 993 flags S/SA
pass log quick on vio0 proto tcp from any to any port = 1522 flags S/SA
pass log quick on vio0 proto udp from any to any port = 53
pass log quick on vio0 proto udp from any to any port = 123
pass quick on vio0 proto icmp all
moegi# pfctl -s rules
block drop all
pass out inet proto icmp all icmp-type echoreq
pass out inet proto udp from any port = 68 to any port = 67
pass out proto tcp from any to any port = 53 flags S/SA
pass out proto udp from any to any port = 53
pass out inet6 proto ipv6-icmp all icmp6-type neighbrsol
pass in proto tcp from any to any port = 22 flags S/SA
pass in inet proto udp from any port = 67 to any port = 68
pass on lo0 all flags S/SA
pass inet6 proto ipv6-icmp all icmp6-type neighbradv no state
pass out inet6 proto ipv6-icmp all icmp6-type routersol
pass out inet6 proto udp from any port = 546 to any port = 547
pass in inet6 proto ipv6-icmp all icmp6-type routeradv
pass in inet6 proto udp from any port = 547 to any port = 546
pass in proto carp all keep state (no-sync)
pass out proto carp all !received-on any keep state (no-sync)
moegi#

Re: About pf Rule ( pf.conf

2024-08-05 Thread Marko Cupać
On Mon, 05 Aug 2024 00:36:18 +0900 (JST)
WATANABE Takeo  wrote:

> Dear Sirs,
> 
> Would you be willing to discuss how to write pf.conf?

Having only one network interface, I assume this firewall protects
machine it resides on (a server), not network behind it (a router /
firewall), which rules out the need for net.inet.ip.forwarding sysctl.

My general rule of thumb is to log all blocked packets, at least
until I get functionality I want. I have busy firewalls which block and
log ~300 packets per second, pf handles it really well.

Try something like:

(temporarily remove `antispoof quick` until rest works, keep it above)
block log all
pass in  on vio0 (what you want to pass to the server)
pass out on vio0 (what you want the server to be able to reach)

Check with `pfctl -(vv)sr` if loaded ruleset corresponds to what you
intend.

Check `tcpdump -neqtttr /var/log/pflog` for history of blocked packets
and `tcpdump -neqttti pflog0` for real-time log.

Make sure to read complete PF FAQ:
https://www.openbsd.org/faq/pf/

There's even more in Peter N. M. Hansteen's "Book of PF".

HTH,


-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: About pf Rule ( pf.conf

2024-08-04 Thread Crystal Kolipe
On Mon, Aug 05, 2024 at 12:36:18AM +0900, WATANABE Takeo wrote:
> Dear Sirs,
> 
> Would you be willing to discuss how to write pf.conf?
> 
> I'm using OpenBSD 7.5 AMD.
> I want to limit the packets going in and out as follows
> 
> 1. reject in principle : block all
> 2. when rejecting packets, do not log them.
> 3. there is only one interface (vio0) that goes in and out of the host.
> Take necessary logs on this interface.
> 4. do nothing on the local loopback (lo0) interface.
> 5. reject anti-spoofing packets on vio0.
> 6. Allow the following protocols to pass.
>TCP ( http, https, domain, smtp, smtps, msa, imaps, 1522 )
>* Port 1522 is SSH.
> 
>UDP ( domain, ntp )
> 
> I've written these rules (pf.conf) in my own way
> I am having trouble because all packets are blocked.

Are you using IPv6?

If so, you will need to pass icmp6 so that NDP works correctly.



Re: About pf Rule ( pf.conf

2024-08-04 Thread Souji Thenria

On Sun Aug 4, 2024 at 4:36 PM BST, WATANABE Takeo wrote:

> I am having trouble because all packets are blocked.
> Please see below for a description of the problem.
> I would appreciate it if you could point out any problems.


The config looks ok so far; I don't see any problems.

Can you run 'pfctl -s rules' and send the command output?
You can also run 'tcpdump' on the interface. Can you see incoming or
outgoing packets for your specified ports?


> pf.conf
> 
> tcp_services="{ http, https, domain, smtp, smtps, msa, imaps, 1522 }"
> udp_services="{ domain, ntp }"
> 
> set block-policy drop
> set loginterface vio0
> 
> # don't filter on loopback interface
> set skip on lo0
> 
> # set up a default deny policy
> block all
> 
> # Blocking Spoofed Packets
> antispoof quick for vio0
> 
> # Allow packets
> pass log quick on vio0 proto tcp to any port $tcp_services keep state
> pass log quick on vio0 proto udp to any port $udp_services keep state
> 
> # Allow ICMP Packets
> pass quick on vio0 proto icmp to any keep state
> 
> ---


Regards,
Souji

--
Souji Thenria
Website: www.souji-thenria.net




About pf Rule ( pf.conf

2024-08-04 Thread WATANABE Takeo
Dear Sirs,

Would you be willing to discuss how to write pf.conf?

I'm using OpenBSD 7.5 AMD.
I want to limit the packets going in and out as follows

1. reject in principle : block all
2. when rejecting packets, do not log them.
3. there is only one interface (vio0) that goes in and out of the host.
Take necessary logs on this interface.
4. do nothing on the local loopback (lo0) interface.
5. reject anti-spoofing packets on vio0.
6. Allow the following protocols to pass.
   TCP ( http, https, domain, smtp, smtps, msa, imaps, 1522 )
   * Port 1522 is SSH.

   UDP ( domain, ntp )

I've written these rules (pf.conf) in my own way
I am having trouble because all packets are blocked.
Please see below for a description of the problem.
I would appreciate it if you could point out any problems.

Best regards,

---
WATANABE, Takeo
t...@kasaneiro.jp


pf.conf

tcp_services="{ http, https, domain, smtp, smtps, msa, imaps, 1522 }"
udp_services="{ domain, ntp }"

set block-policy drop
set loginterface vio0

# don't filter on loopback interface
set skip on lo0

# set up a default deny policy
block all

# Blocking Spoofed Packets
antispoof quick for vio0

# Allow packets
pass log quick on vio0 proto tcp to any port $tcp_services keep state
pass log quick on vio0 proto udp to any port $udp_services keep state

# Allow ICMP Packets
pass quick on vio0 proto icmp to any keep state

---
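Pulling the thread's answers together (Crystal: pass icmp6 so NDP works; Mike: the loaded ruleset did not match the file because `pfctl -nf` only parses while `pfctl -f` loads, and outbound ssh to port 22 needs an out rule; Marko: `pass in` for what the server offers, `pass out` for what it may reach, then compare `pfctl -sr` with what you intend), here is an added example that is not from any post in the thread. It is a pf.conf for a single-interface dual-stack server that meets requirements 1 to 6 of the original post, plus a small shell check that reports rules present in the parsed file but absent from the kernel, which is exactly the mismatch Mike spotted. The interface name vio0 and the ICMPv6 type list are assumptions, and the two pfctl dumps it is run against are constructed in pfctl's print format; pfctl itself is only invoked in the commented procedure.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes OpenBSD 7.x pf.conf syntax,
# interface name vio0 and the service list from the original post.

# Single-interface dual-stack server: drop silently (req. 1, 2), log what is
# passed on vio0 (3), leave lo0 alone (4), antispoof (5), admit only the
# listed services (6), and let the host itself reach anything so DNS, NTP
# and outbound ssh to port 22 keep working.
print_pf_conf() {
cat <<'EOF'
ext_if = "vio0"
tcp_services = "{ http, https, domain, smtp, smtps, msa, imaps, 1522 }"
udp_services = "{ domain, ntp }"
# ICMPv6 a dual-stack host must accept: neighbour discovery, router
# advertisements, echo, and the error messages RFC 4890 says not to drop
icmp6_in = "{ neighbrsol, neighbradv, routeradv, echoreq, echorep, unreach, toobig, timex, paramprob }"

set block-policy drop
set loginterface $ext_if
set skip on lo0

block all                       # default deny, not logged
antispoof quick for $ext_if

# Published services, logged; OpenBSD pf keeps state by default
pass in log quick on $ext_if proto tcp to ($ext_if) port $tcp_services
pass in log quick on $ext_if proto udp to ($ext_if) port $udp_services
# Without these, IPv6 neighbours cannot be resolved and every v6
# connection looks "blocked" although no block rule logs anything
pass in quick on $ext_if inet6 proto icmp6 icmp6-type $icmp6_in
pass in quick on $ext_if inet proto icmp icmp-type echoreq
# Everything the host initiates; replies come back through state
pass out quick on $ext_if
EOF
}

# Compare the rules pfctl parsed from the file with the rules in the kernel:
#   pfctl -vnf /etc/pf.conf > parsed     (-n parses only, nothing is loaded)
#   pfctl -sr               > loaded     (what the kernel is actually using)
# Both print rules in the same canonical form, so a line-level set difference
# is meaningful. Returns 1 and lists rules present in the file but not in the
# kernel; in the thread that was the entire service set, because the file had
# been checked with -n but never loaded with pfctl -f.
check_loaded() {
    parsed=$(mktemp)
    loaded=$(mktemp)
    # filter rules only; macro, "set" and table lines are not rules
    grep -E '^(block|pass|match) ' "$1" | sort -u > "$parsed"
    grep -E '^(block|pass|match) ' "$2" | sort -u > "$loaded"
    missing=$(comm -23 "$parsed" "$loaded")
    rm -f "$parsed" "$loaded"
    if [ -n "$missing" ]; then
        printf 'in pf.conf but not loaded (run: pfctl -f /etc/pf.conf):\n%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# Constructed dumps in pfctl's print format (not captured output): the parsed
# file carries the service rules, the kernel still has the installer's default.
sample_parsed() {
cat <<'EOF'
set skip on { lo0 }
block drop all
block drop in quick on ! vio0 inet from 192.0.2.0/24 to any
pass in log quick on vio0 proto tcp from any to (vio0) port = 443 flags S/SA
pass in log quick on vio0 proto udp from any to (vio0) port = 53
pass out quick on vio0 all flags S/SA
EOF
}
sample_loaded() {
cat <<'EOF'
block drop all
pass out proto udp from any to any port = 53
pass in proto tcp from any to any port = 22 flags S/SA
pass on lo0 all flags S/SA
EOF
}

# On the server (root; not executed here):
#   print_pf_conf > /etc/pf.conf
#   pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
#   pfctl -vnf /etc/pf.conf > /tmp/parsed; pfctl -sr > /tmp/loaded
#   check_loaded /tmp/parsed /tmp/loaded && echo "kernel ruleset matches the file"
#   tcpdump -neqttti pflog0              # watch what the pass rules log, live
demo() {
    p=$(mktemp); l=$(mktemp)
    sample_parsed > "$p"; sample_loaded > "$l"
    check_loaded "$p" "$l"; rc=$?        # lists four missing rules, rc=1
    rm -f "$p" "$l"
    return $rc
}
case "${1:-}" in demo) demo ;; esac
```

Run it as `sh pfcheck.sh demo` to see the four service rules reported as missing. Marko's advice still applies while you are converging: swap `block all` for `block log all` until the ruleset behaves, then drop the `log` again to satisfy requirement 2.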



Loading of pf rule hangs

2022-03-19 Thread Axel Rau
I just installed the recent fixes for 6.0 with syspatch.
After reboot my pf rules have not been installed.
pfctl -nvvf pf.conf shows rule loading hangs between these rules:
- - -
table  persist file "/etc/pf/black_hole.txt"
block drop in quick on $red_if from  flags any
- - -
After a minute rule loading completes.

The file exists and contains valid ips.
At the end there was an empty line.
May this be the reason?

Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius



Re: Help with basic pf rule to open port 25

2022-01-06 Thread Crystal Kolipe
On Thu, Jan 06, 2022 at 03:39:00PM -0500, Sean McBride wrote:
> I don't actually want to use OpenSMTPD, I was just using it as a way to test
> my experimental pf rules.  I'll try to find some other way to test them.

netcat

# man nc



Re: Help with basic pf rule to open port 25

2022-01-06 Thread Sean McBride
On 5 Jan 2022, at 11:40, Crystal Kolipe wrote:

> Have you actually changed the default /etc/mail/smtpd.conf to listen for 
> external connections?

No.

> By default it only listens on the loopback interface, (and local socket).

Ah. That probably explains that then.  I don't actually want to use OpenSMTPD, 
I was just using it as a way to test my experimental pf rules.  I'll try to find 
some other way to test them.

Thanks both for your replies and links to reading materials.

Cheers,

Sean



Re: Help with basic pf rule to open port 25

2022-01-05 Thread Crystal Kolipe
On Wed, Jan 05, 2022 at 11:03:02AM -0500, Sean McBride wrote:
> pass in log quick on egress proto tcp to any port smtp

> If on the OpenBSD system itself I do `telnet
> localhost 25` I see the built-in OpenSMTPD.  But if I telnet from another
> machine on my LAN, I fail to connect.  Shouldn't that rule have opened port
> 25?

Assuming that you only have a single network card and that it is configured 
with the default routes, then yes, that rule will open port 25 to the other 
machines on your LAN.

Have you actually changed the default /etc/mail/smtpd.conf to listen for 
external connections?  By default it only listens on the loopback interface, 
(and local socket).



Re: Help with basic pf rule to open port 25

2022-01-05 Thread Tom Smyth
Hi Sean,

Happy new year to you,

do a netstat and make sure that your software is listening on an address
other than loopback  or all addresses (0.0.0.0)
run the following command

netstat -an

If you want to check active rules in pf  run the following command

pfctl -sr

if you ever want to check your rules (in a recently edited pf.conf file)
run
pfctl -nvvvf /etc/pf.conf

if the rules returned match what you wish ..then you can commit / load them
by running

pfctl -vvvf /etc/pf.conf

(each v increases verbosity )

Peter Hansteen and Max Stucchi have an amazing tutorial on PF
https://home.nuug.no/~peter/pftutorial/#1
but they explain the concepts really well
recommend the class that they do in person ..

for the latest features about PF in the version of Openbsd you are running
...

man pfctl or man pf.conf will help you ...

I hope this helps and enjoy the Journey in OpenBSD ... It is awesome ...
Tom Smyth




On Wed, 5 Jan 2022 at 16:09, Sean McBride  wrote:

> Hi all,
>
> (Newbie and first time poster, please be gentle :))
>
> I'm trying to set up spamd, and I think I'm having trouble with pf.  So
> I tried to add a very basic test rule.  I added to the beginning of
> /etc/pf.conf the following:
>
> pass in log quick on egress proto tcp to any port smtp
>
> then rebooted (for luck).  If on the OpenBSD system itself I do `telnet
> localhost 25` I see the built-in OpenSMTPD.  But if I telnet from
> another machine on my LAN, I fail to connect.  Shouldn't that rule have
> opened port 25?
>
> Thanks,
>
> Sean
>


-- 
Kindest regards,
Tom Smyth.
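An added example, not from any post in the thread, that covers both answers above: a shell helper that reads `netstat -an` output and reports which addresses a TCP port is bound to, so a loopback-only daemon (the default smtpd.conf) is not mistaken for a pf problem, followed in the comments by the nc(1) stand-in listener Crystal suggested. The netstat lines it is run against are constructed in OpenBSD's column layout, not captured output, and the addresses in them are made up.

```shell
#!/bin/sh
# Added example (not from the thread). Parses netstat -an output in OpenBSD's
# layout: Proto Recv-Q Send-Q Local-Address Foreign-Address (state), where the
# local address is written address.port (e.g. 127.0.0.1.25, ::1.25, *.22).

# Print the bound address of every LISTEN socket on the given TCP port.
listen_addrs() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, p, ".")                     # last dotted field is the port
            if (p[n] != port) next
            print substr($4, 1, length($4) - length(p[n]) - 1)
        }'
}

# Exit 0 when the port is reachable from other hosts, i.e. at least one
# listener is bound to something other than 127.0.0.1 or ::1 ("*" is any).
# Exit 1 when it is loopback-only or not listening at all: pf never sees
# those packets, so no pass rule can "open" the port.
listens_externally() {
    listen_addrs "$1" | grep -q -v -e '^127\.0\.0\.1$' -e '^::1$'
}

# Constructed sample, the state of the box in the thread: smtpd on loopback
# only (the default /etc/mail/smtpd.conf), sshd on all addresses.
sample_netstat() {
cat <<'EOF'
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  192.168.1.5.22         192.168.1.20.51344     ESTABLISHED
tcp          0      0  127.0.0.1.25           *.*                    LISTEN
tcp6         0      0  ::1.25                 *.*                    LISTEN
tcp          0      0  *.22                   *.*                    LISTEN
udp          0      0  *.514                  *.*
EOF
}

# Usage on the OpenBSD host (not executed here):
#   netstat -an | listens_externally 25 \
#       || echo "port 25 is loopback-only: fix smtpd.conf or test with nc"
# Stand-in listener to exercise the pf rule without reconfiguring smtpd
# (stop it first with rcctl stop smtpd so the bind does not collide):
#   nc -l 25               # on the firewall, as root
#   nc -v <firewall> 25    # from another LAN host; pflog then shows the pass
report() {
    for port in 25 22; do
        addrs=$(sample_netstat | listen_addrs "$port" | tr '\n' ' ')
        if sample_netstat | listens_externally "$port"; then
            printf 'port %s: reachable externally (%s)\n' "$port" "$addrs"
        else
            printf 'port %s: loopback only or closed (%s)\n' "$port" "$addrs"
        fi
    done
}
case "${1:-}" in demo) report ;; esac
```

`netstat -an -f inet` or `-f inet6` restricts the listing to one address family if the output is long; the parser does not care which you feed it.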


Help with basic pf rule to open port 25

2022-01-05 Thread Sean McBride

Hi all,

(Newbie and first time poster, please be gentle :))

I'm trying to set up spamd, and I think I'm having trouble with pf.  So 
I tried to add a very basic test rule.  I added to the beginning of 
/etc/pf.conf the following:


pass in log quick on egress proto tcp to any port smtp

then rebooted (for luck).  If on the OpenBSD system itself I do `telnet 
localhost 25` I see the built-in OpenSMTPD.  But if I telnet from 
another machine on my LAN, I fail to connect.  Shouldn't that rule have 
opened port 25?


Thanks,

Sean


Re: incorrect pf rule?

2020-11-29 Thread Родин Максим

It turns out that my caring ISP really has a free firewall service
which is enabled by default.
I asked my ISP to disable it completely and now everything is OK.
Thank you!

On 29.11.2020 13:08, Stuart Henderson wrote:

> On 2020-11-29, Родин Максим  wrote:
>> The problem is that only port 80 seems to be open from the outside.
>> I used several online port scanners to check this.
>> All of them tell:
>> port 80 OPEN
>> port 443 CLOSED
>
> Could it be blocked by your ISP? Do you receive packets on your external
> interface at all when you test port 443?

--
Best regards,
Родин Максим



Re: incorrect pf rule?

2020-11-29 Thread Родин Максим

It turns out that my caring ISP really has a free firewall service
which is enabled by default.
I asked my ISP to disable it completely and now everything is OK.
Thank you!

On 29.11.2020 14:30, Stuart Henderson wrote:

> On 2020-11-29, Stuart Henderson  wrote:
>> On 2020-11-29, Родин Максим  wrote:
>>> The problem is that only port 80 seems to be open from the outside.
>>> I used several online port scanners to check this.
>>> All of them tell:
>>> port 80 OPEN
>>> port 443 CLOSED
>>
>> Could it be blocked by your ISP? Do you receive packets on your external
>> interface at all when you test port 443?
>
> Or...if this is behind nat, do you need to add a port-forwarding on your ISP 
> router?

--
Best regards,
Родин Максим



Re: incorrect pf rule?

2020-11-29 Thread Stuart Henderson
On 2020-11-29, Stuart Henderson  wrote:
> On 2020-11-29, Родин Максим  wrote:
>> The problem is that only port 80 seems to be open from the outside.
>> I used several online port scanners to check this.
>> All of them tell:
>> port 80 OPEN
>> port 443 CLOSED
>
> Could it be blocked by your ISP? Do you receive packets on your external
> interface at all when you test port 443?
>
>
>

Or...if this is behind nat, do you need to add a port-forwarding on your ISP 
router?



Re: incorrect pf rule?

2020-11-29 Thread Stuart Henderson
On 2020-11-29, Родин Максим  wrote:
> The problem is that only port 80 seems to be open from the outside.
> I used several online port scanners to check this.
> All of them tell:
> port 80 OPEN
> port 443 CLOSED

Could it be blocked by your ISP? Do you receive packets on your external
interface at all when you test port 443?




incorrect pf rule?

2020-11-28 Thread Родин Максим

Hello
I have a small 5 year old home router (upgraded to OpenBSD 6.8 stable) 
with a static white IP from my internet provider (gotten by dhcp) and a 
simple http/https server (OpenBSD httpd) in my network using VirtualBox 
VM (OpenBSD 6.8) which has a static IP 192.168.1.102.
The http server is available from the internal network on http and https 
ports when 192.168.1.102 is used.
To make the http server work from outside I'm trying to use the 
following PF rule on my router:

...
web_server = "192.168.1.102"
web_ports = "{ http https }"...
...
# Web-server
pass in log on egress inet proto tcp \
from ! to (egress) port $web_ports \
rdr-to $web_server

The problem is that only port 80 seems to be open from the outside.
I used several online port scanners to check this.
All of them tell:
port 80 OPEN
port 443 CLOSED

The whole ruleset is below:
__
"""
router root ~ # grep -v '^#' /etc/pf.conf 




int_if = "{ vether1 em1 em3 athn0 }"
beeline_tv = "{ em0 em2 }"
table  { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
   172.16.0.0/12 192.0.2.0/24 \
   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24\
   }
table  persist file "/etc/pf/bad_ip"
asterisk_server = "192.168.1.101"
web_server = "192.168.1.102"
web_ports = "{ http https }"

block log all

set block-policy drop
set skip on lo

match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from (vether1:network) to any nat-to (egress:0)

pass out quick inet
pass in on $int_if inet

pass on $beeline_tv allow-opts

pass in on egress inet proto tcp from ! \
to (egress) port 22 keep state \
(max-src-conn 2, max-src-conn-rate 2/300, \
overload  flush global)

pass in on egress inet proto udp from ! \
to (egress) port 5060 keep state \
(max-src-states 1) rdr-to $asterisk_server
pass in on $int_if inet proto udp from (vether1:network) \
to (egress) port 5060 \
rdr-to $asterisk_server


pass in on egress inet proto udp from ! \
to (egress) port 1:2 keep state \
(max-src-states 1) rdr-to $asterisk_server

pass in on $int_if inet proto udp from (vether1:network) \
to (egress) port 1:2 \
rdr-to $asterisk_server


pass in on egress inet proto { tcp udp } from ! \
to (egress) port { 5 }  rdr-to 192.168.1.65

pass in log on egress inet proto tcp from ! \
to (egress) port $web_ports \
rdr-to $web_server
"""



I added some log options to try to understand which rule can be blocking 
access to https port from the outside but the log shows the following:



"""
router root ~ # tcpdump -n -e -ttt -i pflog0 port 80 or port 443

tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
Nov 29 08:28:44.602109 rule 23/(match) pass in on vether0: 
5.101.123.139.40470 > 89.179.243.222.80: S 2282440086:2282440086(0) win 
29200  (DF) [tos 0x28]

"""


Access to port http is logged successfully but access to port https is 
nowhere
There are other rdr-to rules in my ruleset and all of them work as 
expected e.g.:
port 5060 udp and port range 1:2 udp are redirected to 
VirtualBox VM (Asterisk) as expected.




--
Best regards
Maksim Rodin
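Stuart's question in this thread is the right triage step: does a SYN for port 443 ever reach the external interface, and if it does, does pf log a pass or a block for it? Here is an added example, not from any post in the thread, that reads tcpdump's pflog output (the format of the log excerpt above) and tallies records per destination port, action, direction and rule number. The three records it is fed are constructed in that format with documentation addresses, not captured traffic. With it, "port 80 passes, port 443 never appears" points upstream (ISP filter, missing port forward) rather than at the ruleset, which is what the thread found.

```shell
#!/bin/sh
# Added example (not from the thread). Input: lines as printed by
#   tcpdump -n -e -ttt -i pflog0           (live)    or
#   tcpdump -n -e -ttt -r /var/log/pflog   (history)
# e.g. "... rule 23/(match) pass in on vether0: 203.0.113.9.40470 > 198.51.100.2.80: S ..."
# Only TCP/UDP records, whose destination carries a port, are tallied; ICMP is skipped.

# Print one line per (dst port, action, direction, rule): "80 pass in rule 23 count 2"
pflog_summary() {
    awk '
        /icmp/ { next }                               # no port to key on
        {
            for (i = 1; i <= NF; i++) if ($i == "rule") break
            if (i > NF) next                          # not a pflog record
            split($(i+1), r, "/")                     # "23/(match)" -> 23
            action = $(i+2); dir = $(i+3)
            dst = $(i+8); sub(/:$/, "", dst)          # "198.51.100.2.80:" -> addr.port
            n = split(dst, p, "."); port = p[n]
            count[port " " action " " dir " rule " r[1]]++
        }
        END { for (k in count) print k, "count", count[k] }' | sort -n
}

# Exit 0 if any record for the given destination port exists at all.
# No record for a port that outside scanners report closed means pf never
# saw the packet: look at the ISP or the upstream NAT, not at pf.conf.
port_seen() {
    pflog_summary | awk -v p="$1" '$1 == p { seen = 1 } END { exit seen ? 0 : 1 }'
}

# Constructed sample in the same format (documentation addresses, not real traffic).
sample_pflog() {
cat <<'EOF'
Nov 29 08:28:44.602109 rule 23/(match) pass in on vether0: 203.0.113.9.40470 > 198.51.100.2.80: S 2282440086:2282440086(0) win 29200 (DF) [tos 0x28]
Nov 29 08:28:51.118220 rule 23/(match) pass in on vether0: 203.0.113.9.40488 > 198.51.100.2.80: S 1888340011:1888340011(0) win 29200 (DF)
Nov 29 08:29:02.004511 rule 3/(match) block in on em0: 203.0.113.77.55012 > 198.51.100.2.22: S 77112233:77112233(0) win 65535
EOF
}

# Usage on the router while a scanner or `nc -v <public-ip> 443` runs outside:
#   tcpdump -n -e -ttt -i pflog0 | pflog_summary    # what pf decided, per port
#   tcpdump -n -i egress 'tcp port 443'             # does the SYN arrive at all?
# Rule numbers in the summary match the @N labels of `pfctl -vvsr`.
triage() {
    sample_pflog | pflog_summary
    for port in 80 443; do
        if sample_pflog | port_seen "$port"; then
            echo "port $port: pf saw it; read the rule numbers against pfctl -vvsr"
        else
            echo "port $port: never reached pf; check the ISP filter or upstream port forward"
        fi
    done
}
case "${1:-}" in demo) triage ;; esac
```

If the egress capture shows the 443 SYN but pflog shows nothing for it, the packet was consumed before filtering (for example by a `set skip` on that interface); if neither capture shows it, the problem is outside the box.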



Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-17 Thread Fabio Martins


Nick,

Indeed Working.
Thanks.

>>
>> May be a dumb question, but do you have net.inet.ip.forwarding=1 set?
>>
>
> I can't believe I had forgotten it either, but I think you nailed it.
> Will test monday and let know.
>
> Thanks in advance.
>
> -fm
>
>>
>> tcpdump of a successful test connection:
>> c.c.c.c = remote test client on internet




Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-15 Thread Fabio Martins
>
> May be a dumb question, but do you have net.inet.ip.forwarding=1 set?
>

I can't believe I had forgotten it either, but I think you nailed it.
Will test monday and let know.

Thanks in advance.

-fm

>
> tcpdump of a successful test connection:
> c.c.c.c = remote test client on internet
> r.r.r.r = firewall external IP
>
> pf# tcpdump -ni vmx1 port 8099 or host 129.128.5.194
> tcpdump: listening on vmx1, link-type EN10MB
> 14:34:09.270237 c.c.c.c.63091 > r.r.r.r.8099: S 3178148684:3178148684(0)
> win 64240  [tos 0x20]
> 14:34:09.270303 r.r.r.r.62530 > 129.128.5.194.80: S
> 3178148684:3178148684(0) win 64240  8,nop,nop,sackOK> [tos 0x20]
> 14:34:09.342800 129.128.5.194.80 > r.r.r.r.62530: S
> 3355699325:3355699325(0) ack 3178148685 win 16384  1460,nop,nop,sackOK,nop,wscale 6> (DF) [tos 0x20]
> 14:34:09.342830 r.r.r.r.8099 > c.c.c.c.63091: S 3355699325:3355699325(0)
> ack 3178148685 win 16384  [tos 0x20]
> 14:34:09.372450 c.c.c.c.63091 > r.r.r.r.8099: . ack 1 win 1026 [tos 0x20]
> 14:34:09.372461 c.c.c.c.63091 > r.r.r.r.8099: P 1:436(435) ack 1 win
> 1026 [tos 0x20]
> 14:34:09.372477 r.r.r.r.62530 > 129.128.5.194.80: . ack 1 win 1026 [tos
> 0x20]
> 14:34:09.372500 r.r.r.r.62530 > 129.128.5.194.80: P 1:436(435) ack 1 win
> 1026 [tos 0x20]
> 14:34:09.450714 129.128.5.194.80 > r.r.r.r.62530: P 1:197(196) ack 436
> win 273 (DF) [tos 0x20]
> 14:34:09.450716 129.128.5.194.80 > r.r.r.r.62530: . 197:1657(1460) ack
> 436 win 273 (DF) [tos 0x20]
> 14:34:09.450759 r.r.r.r.8099 > c.c.c.c.63091: P 1:197(196) ack 436 win
> 273 [tos 0x20]
> 14:34:09.450774 r.r.r.r.8099 > c.c.c.c.63091: . 197:1657(1460) ack 436
> win 273 [tos 0x20]
>
>
>





Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-14 Thread Nick Gustas




On 2/14/2020 11:21 AM, Fabio Martins wrote:

> I am trying now only with the redirect to www.openbsd.org, if it works, I
> am sure it can be adapted to my case.
>
> Unfortunately still no success.
>
> # pf.conf:
>
> ext_if="xnf0"
>
> match in log on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR \
> rdr-to 129.128.5.194 port 80
>
> match out log on $ext_if proto tcp to 129.128.5.194 port 80 received-on \
> $ext_if nat-to $ext_if
>
> match out log quick on $ext_if inet all tagged RDR \
> nat-to $ext_if
>
> server_open="{ 80,110,443,25,587,465 }"
>
> pass in log on $ext_if inet proto tcp from any port 1024:65535 to $ext_if
> port $server_open tag n_traffic
>
> #block all to start
> block all
> pass quick tagged RDR
> pass quick tagged n_traffic
> pass out on $ext_if
>
>> On 2/14/2020 6:30 AM, Fabio Martins wrote:
>>
>>> Hi Nick,
>>>
>>> Thanks. I applied both rules below, unfortunately I am still only hitting
>>> rule number #1 (rdr-to). nat-to is never reached (added "log" on each to
>>> test). I tried inverting the order, too, but no luck.
>>>
>>> #1
>>> match in on $ext_if proto tcp from  to ($ext_if) port 25 \
>>> rdr-to 200.200.200.200 port 
>>>
>>> #2
>>> match out on $ext_if proto tcp to 200.200.200.200 port  received-on \
>>> $ext_if nat-to ($ext_if)
>>>
>>> --
>>> Fabio Martins
>>
>> Odd, are you allowing the traffic with an appropriate pass rule later?
>>
>> I use tagging for rules related to rdr and nat to keep things simple,
>> here is the full working setup I used to bounce port 8099 on the
>> external interface to www.openbsd.org port 80.
>>
>> #Fun reverse redirection of www.openbsd.org
>> match in on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR
>> rdr-to 129.128.5.194 port 80
>> match out on $ext_if proto tcp to 129.128.5.194 port 80 received-on
>> $ext_if nat-to $ext_if
>>
>> #block all to start
>> block log all
>> pass quick tagged RDR
>> pass out on $ext_if
>>
>> Make sure you are testing from an external host of course.


May be a dumb question, but do you have net.inet.ip.forwarding=1 set?


tcpdump of a successful test connection:
c.c.c.c = remote test client on internet
r.r.r.r = firewall external IP

pf# tcpdump -ni vmx1 port 8099 or host 129.128.5.194
tcpdump: listening on vmx1, link-type EN10MB
14:34:09.270237 c.c.c.c.63091 > r.r.r.r.8099: S 3178148684:3178148684(0) 
win 64240  [tos 0x20]
14:34:09.270303 r.r.r.r.62530 > 129.128.5.194.80: S 
3178148684:3178148684(0) win 64240 8,nop,nop,sackOK> [tos 0x20]
14:34:09.342800 129.128.5.194.80 > r.r.r.r.62530: S 
3355699325:3355699325(0) ack 3178148685 win 16384 1460,nop,nop,sackOK,nop,wscale 6> (DF) [tos 0x20]
14:34:09.342830 r.r.r.r.8099 > c.c.c.c.63091: S 3355699325:3355699325(0) 
ack 3178148685 win 16384  [tos 0x20]

14:34:09.372450 c.c.c.c.63091 > r.r.r.r.8099: . ack 1 win 1026 [tos 0x20]
14:34:09.372461 c.c.c.c.63091 > r.r.r.r.8099: P 1:436(435) ack 1 win 
1026 [tos 0x20]
14:34:09.372477 r.r.r.r.62530 > 129.128.5.194.80: . ack 1 win 1026 [tos 
0x20]
14:34:09.372500 r.r.r.r.62530 > 129.128.5.194.80: P 1:436(435) ack 1 win 
1026 [tos 0x20]
14:34:09.450714 129.128.5.194.80 > r.r.r.r.62530: P 1:197(196) ack 436 
win 273 (DF) [tos 0x20]
14:34:09.450716 129.128.5.194.80 > r.r.r.r.62530: . 197:1657(1460) ack 
436 win 273 (DF) [tos 0x20]
14:34:09.450759 r.r.r.r.8099 > c.c.c.c.63091: P 1:197(196) ack 436 win 
273 [tos 0x20]
14:34:09.450774 r.r.r.r.8099 > c.c.c.c.63091: . 197:1657(1460) ack 436 
win 273 [tos 0x20]





Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-14 Thread Fabio Martins


I am trying now only with the redirect to www.openbsd.org, if it works, I
am sure it can be adapted to my case.

Unfortunately still no success.

# pf.conf:

ext_if="xnf0"

match in log on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR \
rdr-to 129.128.5.194 port 80

match out log on $ext_if proto tcp to 129.128.5.194 port 80 received-on \
$ext_if nat-to $ext_if

match out log quick on $ext_if inet all tagged RDR \
nat-to $ext_if

server_open="{ 80,110,443,25,587,465 }"

pass in log on $ext_if inet proto tcp from any port 1024:65535 to $ext_if
port $server_open tag n_traffic

#block all to start
block all
pass quick tagged RDR
pass quick tagged n_traffic
pass out on $ext_if


>
>
> On 2/14/2020 6:30 AM, Fabio Martins wrote:
>> Hi Nick,
>>
>> Thanks. I applied both rules below, unfortunately I am still only
>> hitting
>> rule number #1 (rdr-to). nat-to is never reached (added "log" on each to
>> test). I tried inverting the order, too, but no luck.
>>
>> #1
>> match in on $ext_if proto tcp from  to ($ext_if) port 25 \
>> rdr-to 200.200.200.200 port 
>>
>> #2
>> match out on $ext_if proto tcp to 200.200.200.200 port  received-on
>> \
>> $ext_if nat-to ($ext_if)
>>
>> --
>> Fabio Martins
>>
>
> Odd, are you allowing the traffic with an appropriate pass rule later?
>
> I use tagging for rules related to rdr and nat to keep things simple,
> here is the full working setup I used to bounce port 8099 on the
> external interface to www.openbsd.org port 80.
>
> #Fun reverse redirection of www.openbsd.org
> match in on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR
> rdr-to 129.128.5.194 port 80
> match out on $ext_if proto tcp to 129.128.5.194 port 80 received-on
> $ext_if nat-to $ext_if
>
> #block all to start
> block log all
> pass quick tagged RDR
> pass out on $ext_if
>
>
> Make sure you are testing from an external host of course.
>
>
>
>
>




Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-14 Thread Fabio Almeida
Hi Fabio (namesake),
Apparently I achieved this with these rules:
--
pass out log on hvn0 inet proto tcp from any port 1024:65535 to 8.8.8.8
port =  flags S/SA label "TESTE LISTA"
pass in on hvn0 inet proto tcp from any port 1024:65535 to 10.101.0.17 port
= 25 flags S/SA label "TESTE LISTA" tag TESTE rdr-to 8.8.8.8 port 
match out log quick on hvn0 inet all label "TESTE LISTA" tagged TESTE
nat-to 10.101.0.17
--
Of course there's room for improvement, be it simplifying the rules or making
them more specific.
Maybe I needed three rules because I use "block log" as a default rule so:
"block in" and "block out" by default.
Here is the tcpdump output:
--
rule 0/(match) match in on hvn0: 10.101.0.24.47964 > 10.101.0.17.25: S
3824310731:3824310731(0) win 42340  (DF)
rule 53/(match) match out on hvn0: 10.101.0.17.60331 > 8.8.8.8.: S
3824310731:3824310731(0) win 42340 
rule 16/(match) pass out on hvn0: 10.101.0.17.60331 > 8.8.8.8.: S
3824310731:3824310731(0) win 42340 
--
Regards,
Fabio Almeida

On Fri, Feb 14, 2020 at 8:33 AM Fabio Martins <fm+obsd+misc+l...@phosphorusnetworks.com> wrote:

>
> Hi Nick,
>
> Thanks. I applied both rules below, unfortunately I am still only hitting
> rule number #1 (rdr-to). nat-to is never reached (added "log" on each to
> test). I tried inverting the order, too, but no luck.
>
> #1
> match in on $ext_if proto tcp from  to ($ext_if) port 25 \
> rdr-to 200.200.200.200 port 
>
> #2
> match out on $ext_if proto tcp to 200.200.200.200 port  received-on \
> $ext_if nat-to ($ext_if)
>
> --
> Fabio Martins
>
> > Hi Fabio,
> >
> > I believe this will do what you want, seemed to work in quick testing
> > here, adjust to suit your environment.
> >
> >
> > match in on $ext_if proto tcp from  to ($ext_if) port 25
> > rdr-to 200.200.200.200 port 
> > match out on $ext_if proto tcp to 200.200.200.200 port  received-on
> > $ext_if nat-to ($ext_if)
> >
>
>
>


Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-14 Thread Nick Gustas




On 2/14/2020 6:30 AM, Fabio Martins wrote:

> Hi Nick,
>
> Thanks. I applied both rules below, unfortunately I am still only hitting
> rule number #1 (rdr-to). nat-to is never reached (added "log" on each to
> test). I tried inverting the order, too, but no luck.
>
> #1
> match in on $ext_if proto tcp from  to ($ext_if) port 25 \
> rdr-to 200.200.200.200 port 
>
> #2
> match out on $ext_if proto tcp to 200.200.200.200 port  received-on \
> $ext_if nat-to ($ext_if)
>
> --
> Fabio Martins

Odd, are you allowing the traffic with an appropriate pass rule later?

I use tagging for rules related to rdr and nat to keep things simple,
here is the full working setup I used to bounce port 8099 on the
external interface to www.openbsd.org port 80.


#Fun reverse redirection of www.openbsd.org
match in on $ext_if proto tcp from any to ($ext_if) port 8099 tag RDR
rdr-to 129.128.5.194 port 80
match out on $ext_if proto tcp to 129.128.5.194 port 80 received-on
$ext_if nat-to $ext_if


#block all to start
block log all
pass quick tagged RDR
pass out on $ext_if


Make sure you are testing from an external host of course.


Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-14 Thread Fabio Martins


Hi Nick,

Thanks. I applied both rules below, unfortunately I am still only hitting
rule number #1 (rdr-to). nat-to is never reached (added "log" on each to
test). I tried inverting the order, too, but no luck.

#1
match in on $ext_if proto tcp from  to ($ext_if) port 25 \
rdr-to 200.200.200.200 port 

#2
match out on $ext_if proto tcp to 200.200.200.200 port  received-on \
$ext_if nat-to ($ext_if)

--
Fabio Martins

> Hi Fabio,
>
> I believe this will do what you want, seemed to work in quick testing
> here, adjust to suit your environment.
>
>
> match in on $ext_if proto tcp from  to ($ext_if) port 25
> rdr-to 200.200.200.200 port 
> match out on $ext_if proto tcp to 200.200.200.200 port  received-on
> $ext_if nat-to ($ext_if)
>




Re: Replace PF rule + inetd Proxy with 2 PF rules

2020-02-13 Thread Nick Gustas

Hi Fabio,

I believe this will do what you want, seemed to work in quick testing 
here, adjust to suit your environment.



match in on $ext_if proto tcp from  to ($ext_if) port 25 
rdr-to 200.200.200.200 port 
match out on $ext_if proto tcp to 200.200.200.200 port  received-on 
$ext_if nat-to ($ext_if)




On 2/13/2020 11:56 AM, Fabio Martins wrote:

> Hi,
>
> I am trying to redirect + NAT incoming packets without the need of a TCP
> Proxy.
>
> Currently I have the following setup to redirect hosts abusing SMTP to an
> email trap:
>
> inetd listening in 127.0.0.1:8000 and redirecting to an external host
>
> # inetd.conf
> 127.0.0.1:8000  stream tcp nowait _inetd_proxy /usr/bin/nc nc -w 20
> 200.200.200.200 
>
> and  + pf rule redirecting the hosts:
>
> # pf.conf
>
> table  persist file "/etc/pf/tables/spammers.txt"
>
> pass in log on egress proto tcp from  to any port 25 \
>   rdr-to 127.0.0.1 port 8000
>
> I am trying to remove the inetd from the setup.
> With Linux iptables I would do a DNAT + MASQUERADE, but with PF I already
> tried:
>
> # pf.conf
>
> #1
> pass in log on xnf0 proto tcp from  to any port  nat-to xnf0
>
> #2
> pass in log on egress proto tcp from  to any port 25 \
>   rdr-to 200.200.200.200 port 
>
>
> Rule #2 is correctly applied and changes the destination address to
> 200.200.200.200, but rule #1 (NAT) isn't applied.
>
> I believe it is possible to NAT an external connection without using a TCP
> Proxy.
>
> Tried also the example from here: https://www.openbsd.org/faq/pf/rdr.html
>
> pass in on $int_if proto tcp from $int_net to egress port 80 rdr-to $server
> pass out on $int_if proto tcp to $server port 80 received-on $int_if
> nat-to $int_if
>
> Without success.
>
> Thanks!





Replace PF rule + inetd Proxy with 2 PF rules

2020-02-13 Thread Fabio Martins


Hi,

I am trying to redirect + NAT incoming packets without the need of a TCP
Proxy.

Currently I have the following setup to redirect hosts abusing SMTP to an
email trap:

inetd listening in 127.0.0.1:8000 and redirecting to an external host

# inetd.conf
127.0.0.1:8000  stream tcp nowait _inetd_proxy /usr/bin/nc nc -w 20
200.200.200.200 

and  + pf rule redirecting the hosts:

# pf.conf

table  persist file "/etc/pf/tables/spammers.txt"

pass in log on egress proto tcp from  to any port 25 \
 rdr-to 127.0.0.1 port 8000

I am trying to remove the inetd from the setup.
With Linux iptables I would do a DNAT + MASQUERADE, but with PF I already
tried:

# pf.conf

#1
pass in log on xnf0 proto tcp from  to any port  nat-to xnf0

#2
pass in log on egress proto tcp from  to any port 25 \
 rdr-to 200.200.200.200 port 


Rule #2 is correctly applied and changes the destination address to
200.200.200.200, but rule #1 (NAT) isn't applied.

I believe it is possible to NAT an external connection without using a TCP
Proxy.

Tried also the example from here: https://www.openbsd.org/faq/pf/rdr.html

pass in on $int_if proto tcp from $int_net to egress port 80 rdr-to $server
pass out on $int_if proto tcp to $server port 80 received-on $int_if
nat-to $int_if

Without success.

Thanks!

-- 
Fabio Martins




Re: PF rule - am I being stupid ?

2018-09-05 Thread Bob Smith


> I think it is caused by the packets blocked having the RST flag set -- a
> consequence of specifying "flags S/SA" in rule @39. Check out man
> pf.conf. Look for section about "flags a/b | any" (line 317 here).

The S/SA wasn't set explicitly by me, it's the default.

Out of interest, would this possibly be a PF behaviour change somewhere between 
6.1 and 6.3 ? I'm trying to troubleshoot a VoIP phone that has stopped 
functioning, and the only change has been an upgrade to 6.3.



Re: PF rule - am I being stupid ?

2018-09-05 Thread Erling Westenvik
On Wed, Sep 05, 2018 at 05:14:14PM +, Bob Smith wrote:
> I'm banging my head against a brick wall here trying to figure out why PF (on 
> OpenBSD 6.3) is allowing some packets but blocking others ?
> Here's the tcpdump:
> Sep 05 18:07:45.084191 rule 39/(match) pass in on vlan108: 192.0.2.150.49156 
> > 198.51.100.158.20001: udp 47
> Sep 05 18:07:45.084220 rule 39/(match) pass out on em2: 192.0.2.150.49156 > 
> 198.51.100.158.20001: udp 47
> Sep 05 18:08:01.136633 rule 39/(match) pass in on vlan108: 192.0.2.150.49157 
> > 198.51.100.158.69: 47 RRQ "MainIp5340e.bin"
> Sep 05 18:08:01.136661 rule 39/(match) pass out on em2: 192.0.2.150.49157 > 
> 198.51.100.158.69: 47 RRQ "MainIp5340e.bin"
> Sep 05 18:08:25.607885 rule 11/(match) block in on vlan108: 192.0.2.150.6998 
> > 198.51.100.158.6801: R 16764161:16764161(0) ack 209207857 win 4224 [tos 
> 0x60]
> Sep 05 18:08:27.919688 rule 11/(match) block in on vlan108: 192.0.2.150.6978 
> > 198.51.100.158.6802: R 17473283:17473283(0) ack 3296254713 win 4224 [tos 
> 0x60]
> Sep 05 18:08:32.594889 rule 11/(match) block in on vlan108: 192.0.2.150.6930 
> > 198.51.100.158.6800: R 18671363:18671363(0) ack 3527351279 win 4224 [tos 
> 0x60]
> 
> Here are the rules concerned:
> @11 block drop log all
> @39 pass log quick inet from 192.0.2.150 to 198.51.100.158 flags S/SA

I think it is caused by the packets blocked having the RST flag set -- a
consequence of specifying "flags S/SA" in rule @39. Check out man
pf.conf. Look for section about "flags a/b | any" (line 317 here). 
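As an added example (not code from anyone in the thread), here is a small Python helper that parses pflog-style tcpdump lines like the ones quoted above and applies pf.conf's "flags a/b" semantics to each packet, so the point about the RST+ACK packets is visible line by line. The sample lines are constructed in the format quoted in the thread (one bare-SYN line is made up for contrast) and the function names are my own.

```python
import re
from typing import Dict, List, Optional

# OpenBSD tcpdump prints the TCP flags as a run of letters (S=SYN, F=FIN,
# R=RST, P=PSH, U=URG, E=ECE, W=CWR), or "." when none of them is set.
# ACK is not part of that run: it appears as a separate "ack <n>" token.
FLAG_LETTERS = frozenset("SFRPUEW")

# Matches the pflog lines quoted in the thread, e.g.
# "Sep 05 18:08:25.607885 rule 11/(match) block in on vlan108: SRC > DST: R ... ack ..."
LOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\(match\) (?P<action>pass|block) (?P<dir>in|out) "
    r"on (?P<ifname>\w+): (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)


def tcp_flags(rest: str) -> Optional[frozenset]:
    """Extract the TCP flag set from the text after 'DST:'.
    Returns None for non-TCP payloads such as 'udp 47' or a TFTP 'RRQ'."""
    tokens = rest.split()
    if not tokens:
        return None
    head = tokens[0]
    if head != "." and not set(head) <= FLAG_LETTERS:
        return None
    flags = set(head) - {"."}
    if "ack" in tokens:
        flags.add("A")
    return frozenset(flags)


def flags_match(pkt_flags: frozenset, spec: str) -> bool:
    """pf.conf 'flags a/b' (or 'any'): of the flags listed in b, exactly those
    listed in a must be set; flags outside b are ignored. So 'S/SA' matches a
    bare SYN only, not SYN+ACK and not the RST+ACK packets in the thread."""
    if spec == "any":
        return True
    want_s, sep, mask_s = spec.partition("/")
    if not sep:
        raise ValueError("expected the a/b form, e.g. S/SA")
    want, mask = set(want_s), set(mask_s)
    if not want <= mask:
        raise ValueError(f"flags {want_s!r} are not all covered by mask {mask_s!r}")
    return (pkt_flags & mask) == want


def explain(lines: List[str], spec: str = "S/SA") -> List[Dict]:
    """For each parsed pflog line, report whether a rule carrying
    'flags <spec>' could match that packet. A flags clause only applies to
    TCP, so UDP/TFTP lines are reported as unaffected."""
    rows: List[Dict] = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        flags = tcp_flags(m["rest"])
        if flags is None:
            verdict = "not TCP: flags clause does not apply"
        elif flags_match(flags, spec):
            verdict = f"flags {spec} match"
        else:
            verdict = f"flags {spec} do not match"
        rows.append({
            "rule": int(m["rule"]),
            "action": m["action"],
            "src": m["src"],
            "dst": m["dst"],
            "tcp_flags": "".join(sorted(flags)) if flags is not None else None,
            "verdict": verdict,
        })
    return rows


# Constructed sample in the format of the log quoted in the thread; the
# bare-SYN line is made up so that both outcomes of 'flags S/SA' are visible.
SAMPLE_PFLOG = [
    "Sep 05 18:07:45.084191 rule 39/(match) pass in on vlan108: "
    "192.0.2.150.49156 > 198.51.100.158.20001: udp 47",
    "Sep 05 18:08:01.136633 rule 39/(match) pass in on vlan108: "
    '192.0.2.150.49157 > 198.51.100.158.69: 47 RRQ "MainIp5340e.bin"',
    "Sep 05 18:08:20.000000 rule 39/(match) pass in on vlan108: "
    "192.0.2.150.6998 > 198.51.100.158.6801: S 16764160:16764160(0) win 4224 [tos 0x60]",
    "Sep 05 18:08:25.607885 rule 11/(match) block in on vlan108: "
    "192.0.2.150.6998 > 198.51.100.158.6801: R 16764161:16764161(0) ack 209207857 win 4224 [tos 0x60]",
    "Sep 05 18:08:27.919688 rule 11/(match) block in on vlan108: "
    "192.0.2.150.6978 > 198.51.100.158.6802: R 17473283:17473283(0) ack 3296254713 win 4224 [tos 0x60]",
]

if __name__ == "__main__":
    for row in explain(SAMPLE_PFLOG):
        print(f"rule {row['rule']:>2} {row['action']:<5} {row['src']} > {row['dst']}"
              f"  flags={row['tcp_flags']}  {row['verdict']}")
```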



PF rule - am I being stupid ?

2018-09-05 Thread Bob Smith
Hi,

I'm banging my head against a brick wall here trying to figure out why PF (on 
OpenBSD 6.3) is allowing some packets but blocking others ?

Here's the tcpdump:
Sep 05 18:07:45.084191 rule 39/(match) pass in on vlan108: 192.0.2.150.49156 > 
198.51.100.158.20001: udp 47
Sep 05 18:07:45.084220 rule 39/(match) pass out on em2: 192.0.2.150.49156 > 
198.51.100.158.20001: udp 47
Sep 05 18:08:01.136633 rule 39/(match) pass in on vlan108: 192.0.2.150.49157 > 
198.51.100.158.69: 47 RRQ "MainIp5340e.bin"
Sep 05 18:08:01.136661 rule 39/(match) pass out on em2: 192.0.2.150.49157 > 
198.51.100.158.69: 47 RRQ "MainIp5340e.bin"
Sep 05 18:08:25.607885 rule 11/(match) block in on vlan108: 192.0.2.150.6998 > 
198.51.100.158.6801: R 16764161:16764161(0) ack 209207857 win 4224 [tos 0x60]
Sep 05 18:08:27.919688 rule 11/(match) block in on vlan108: 192.0.2.150.6978 > 
198.51.100.158.6802: R 17473283:17473283(0) ack 3296254713 win 4224 [tos 0x60]
Sep 05 18:08:32.594889 rule 11/(match) block in on vlan108: 192.0.2.150.6930 > 
198.51.100.158.6800: R 18671363:18671363(0) ack 3527351279 win 4224 [tos 0x60]

Here are the rules concerned:
@11 block drop log all
@39 pass log quick inet from 192.0.2.150 to 198.51.100.158 flags S/SA



why is this pf rule logging?

2018-06-23 Thread Mike
OpenBSD 6.3, amd64

I am seeing this record being logged by pf.  The rule specified in the
record does not have logging enabled.  I must be missing something
simple as to why it is logging, but I can't see it.



20180623T112712.952EDT sentry pf: rule 12/(match) pass in on em0:
fe80::1a8b:9dff:fed4:7822 > ff02::1: HBH icmp6: multicast listener query
v2 [|icmp6] [class 0xe0] [hlim 1]



# pfctl -s rules -R 12
pass in quick inet6 proto ipv6-icmp all keep state (max 16,
adaptive.start 6, adaptive.end 12)


Actual pf.conf text for the rule:

pass in quick inet6 proto icmp6 from any to any keep state (max 16)


Why is it logging?

thx.



spamd pf rule question

2017-10-12 Thread Markus Rosjat

Hi there,

it's a quite simple question :)
I have a rule like this

pass in log(to $log_spamd_if) on $ext_if proto tcp to port smtp rdr-to 
127.0.0.1 port spamd


and was wondering if it's better to use

pass in log(to $log_spamd_if) on $ext_if proto tcp to port smtp 
divert-to 127.0.0.1 port spamd


the mailserver isn't the same machine.

regards

--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Please check whether this mail really needs to be printed! Before
you print it, think about your responsibility and commitment to the
ENVIRONMENT




Re: pf rule for openvpn

2016-10-25 Thread Thuban
* Thuban on [25-10-2016 10:41:27 +0200]:
> > # tcpdump -e -ttt -ni pflog0 action block
> >
> > You will be able to see what exactly is being blocked :)
> >

Okay, I'm just too stupid. I can access the wwweb through my VPN. I just
can't ping, which is not a problem and seems logical according to my
pf.conf.

Sorry for the noise.

Regards.
--
/Thuban/




Re: pf rule for openvpn

2016-10-25 Thread Thuban
> # tcpdump -e -ttt -ni pflog0 action block
>
> You will be able to see what exactly is being blocked :)
>
That's my problem, nothing seems blocked, tcpdump returns nothing about
my requests to reach the outside web.
I'm stuck.

Please find below my full pf.conf in case I missed something :

ext_if = "re0"  # interface
tun_if = "tun0"  # vpn
ssh_port = ""   # ssh port
http_ports = "{ www https }"# http(s) ports
mail_ports = "{ submission imaps }" # mail ports
tcp_pass = "{ gopher ipp 8000 }"  # open tcp ports
udp_pass = "{ 1194 }" # open udp ports
set block-policy drop   # block silently
set skip on lo  # no filtering locally
set limit table-entries 40

## tables for the nasty brute-forcers
table  persist
table  persist
table  persist

# antispam with greylisting
table  persist
table  persist file "/etc/mail/nospamd"
table  persist

## Packet processing ##
match in all scrub (no-df)  # partial packets
block in quick from urpf-failed

## Firewall rules ##
# block everything by default
block log all

# block blacklisted IPs
block in log quick proto tcp from  to any port $http_ports
block in log quick proto tcp from  to any port $ssh_port

# antispam
pass in on $ext_if proto tcp from any to any port smtp \
divert-to 127.0.0.1 port spamd
pass in on $ext_if proto tcp from  to any port smtp
pass in on $ext_if proto tcp from  to any port smtp
pass in quick on $ext_if proto tcp from  to any port smtp

# If more than 3 connections every 60 seconds on the ssh port,
# add the IP so that it gets blocked.
pass in on $ext_if proto tcp to any port $ssh_port flags S/SA keep state \
(max-src-conn-rate 5/60, overload  flush global)

# If more than 50 connections every 5 seconds on the http(s) ports,
# or if it tries to connect more than 100 times,
# add the IP so that it gets blocked.
pass in on $ext_if proto tcp to any port $http_ports flags S/SA keep state \
(max-src-conn-rate 50/5, overload  flush)

# Brute-force protection for mail
pass in on $ext_if proto tcp to any port $mail_ports flags S/SA keep state \
(max-src-conn-rate 10/60, overload  flush global)

# allow ping
pass quick inet6 proto ipv6-icmp all icmp6-type { echoreq, unreach }
pass quick inet proto icmp  all icmp-type { echoreq, unreach }

# open the other ports
pass in quick on $ext_if proto tcp to any port $tcp_pass keep state
pass in quick on $ext_if proto udp to any port $udp_pass keep state

# vpn
pass in quick on $tun_if keep state
pass out on $ext_if from 10.8.0.0/24 to any nat-to ($ext_if)

# everything open outbound
pass out on $ext_if proto { tcp udp icmp } all modulate state


Regards


--
/Thuban/




Re: pf rule for openvpn

2016-10-24 Thread R0me0 ***
Assuming you block the traffic by default

pf.conf

block log all


# tcpdump -e -ttt -ni pflog0 action block

You will be able to see what exactly is being blocked :)


-Regards

2016-10-24 12:19 GMT-02:00 Kenneth Gober :

> On Sun, Oct 23, 2016 at 4:46 PM, Thuban  wrote:
> > Here are the relevant parts of my pf.conf :
> >
> > ext_if = "re0"
> > tcp_pass = "{ gopher ipp 8000 }"
> > udp_pass = "{ 1194 }"
> >
> > pass in quick on $ext_if proto tcp to any port $tcp_pass keep state
> > pass in quick on $ext_if proto udp to any port $udp_pass keep state
> >
> > pass out on $ext_if from 10.8.0.0/24 to any nat-to $ext_if
> >
> > pass out on $ext_if proto { tcp udp icmp } all modulate state
>
> Do you have rules that allow traffic in from tun0?  Something like:
>
> pass in quick on tun0 keep state
>
> Otherwise traffic will reach OpenVPN but get no further, being blocked
> coming out of the tunnel.
>
> -ken



Re: pf rule for openvpn

2016-10-24 Thread Kenneth Gober
On Sun, Oct 23, 2016 at 4:46 PM, Thuban  wrote:
> Here are the relevant parts of my pf.conf :
>
> ext_if = "re0"
> tcp_pass = "{ gopher ipp 8000 }"
> udp_pass = "{ 1194 }"
>
> pass in quick on $ext_if proto tcp to any port $tcp_pass keep state
> pass in quick on $ext_if proto udp to any port $udp_pass keep state
>
> pass out on $ext_if from 10.8.0.0/24 to any nat-to $ext_if
>
> pass out on $ext_if proto { tcp udp icmp } all modulate state

Do you have rules that allow traffic in from tun0?  Something like:

pass in quick on tun0 keep state

Otherwise traffic will reach OpenVPN but get no further, being blocked
coming out of the tunnel.

-ken



Re: pf rule for openvpn

2016-10-24 Thread Thuban
* Predrag Punosevac on [23-10-2016 20:18:27 -0400]:
> On 23-10-2016 at 17:01, Thuban wrote:
> > Hi,
> > I have an openvpn server running and working, but can't
> > go "outside" the server to access the web.
> >
> > To configure the server, I followed this :
> > http://2f30.org/guides/openvpn.html
> >
> > So ip forwarding is active, vpn port is open, clients can connect to the
> > vpn. But they can't access wwweb.
> >
> > I guess the problem comes from this pf rule :
> >
> > pass out on $ext_if from 10.8.0.0/24 to any nat-to ($ext_if)
> >
> > I've been on this issue for too many hours to have a clear mind on this.
> > Any advice to find why I'm stuck on the server?
> >
> > Regards.
> >
> >
>
> Hi,
>
> I saw your e-mail this morning but I had no idea what to make out of it
> as I am confused about your network topology. I was also not impressed
> that you were following some howto from the internet. Both PF and
> OpenVPN are well documented. Grab the books and read them.
>

The link to the howto was to avoid long explanations. Anyway, here is
some more information. I'm pretty sure I'm wrong to redirect packets.

What I want is this :

 VPN
Clients -> Server -> Web

simply.

openvpn configuration :

dev tun0
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 80.67.169.12"
push "redirect-gateway def1"

ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/private/server.key
dh /etc/openvpn/dh.pem
crl-verify /etc/openvpn/crl.pem

daemon openvpn
group _openvpn
user _openvpn
keepalive 10 120
management 127.0.0.1 1195 /etc/openvpn/private/mgmt.pwd
max-clients 100
persist-key
persist-tun
port 1194
proto udp
comp-lzo

client-cert-not-required
username-as-common-name
script-security 3 system
auth-user-pass-verify /usr/local/libexec/openvpn_bsdauth via-env
auth-nocache

log-append  /var/log/openvpn/openvpn.log
status /var/log/openvpn/openvpn-status.log
verb 3


/etc/pf.conf :

ext_if = "re0"  # interface
ssh_port = ""   # ssh port
http_ports = "{ www https }"# http(s) ports
mail_ports = "{ submission imaps }" # mail ports
tcp_pass = "{ gopher ipp 8000 }"  # open tcp ports
udp_pass = "{ 1194 }" # open udp ports
set block-policy drop   # block silently
set skip on lo  # no filtering locally
set limit table-entries 40

## tables for the nasty brute-forcers
table  persist
table  persist
table  persist

# antispam with greylisting
table  persist
table  persist file "/etc/mail/nospamd"
table  persist

## Packet processing ##
match in all scrub (no-df)  # partial packets
block in quick from urpf-failed

## Firewall rules ##
# block everything by default
block log all

# block blacklisted IPs
block in log quick proto tcp from  to any port $http_ports
block in log quick proto tcp from  to any port $ssh_port

# antispam
pass in on $ext_if proto tcp from any to any port smtp \
divert-to 127.0.0.1 port spamd
pass in on $ext_if proto tcp from  to any port smtp
pass in on $ext_if proto tcp from  to any port smtp
pass in quick on $ext_if proto tcp from  to any port smtp

# If more than 3 connections every 60 seconds on the ssh port,
# add the IP so that it gets blocked.
pass in on $ext_if proto tcp to any port $ssh_port flags S/SA keep state \
(max-src-conn-rate 5/60, overload  flush global)

# If more than 50 connections every 5 seconds on the http(s) ports,
# or if it tries to connect more than 100 times,
# add the IP so that it gets blocked.
pass in on $ext_if proto tcp to any port $http_ports flags S/SA keep state \
(max-src-conn-rate 50/5, overload  flush)

# Brute-force protection for mail
pass in on $ext_if proto tcp to any port $mail_ports flags S/SA keep state \
(max-src-conn-rate 10/60, overload  flush global)

# allow ping
pass quick inet6 proto ipv6-icmp all icmp6-type { echoreq, unreach }
pass quick inet proto icmp  all icmp-type { echoreq, unreach }

# open the other ports
pass in quick on $ext_if proto tcp to any port $tcp_pass keep state
pass in quick on $ext_if proto udp to any 

Re: pf rule for openvpn

2016-10-23 Thread Predrag Punosevac
On 23-10-2016 at 17:01, Thuban wrote:
> Hi,
> I have an openvpn server running and working, but can't
> go "outside" the server to access the web.
>
> To configure the server, I followed this :
> http://2f30.org/guides/openvpn.html
>
> So ip forwarding is active, vpn port is open, clients can connect to the
> vpn. But they can't access wwweb.
>
> I guess the problem comes from this pf rule :
>
> pass out on $ext_if from 10.8.0.0/24 to any nat-to ($ext_if)
>
> I've been on this issue for too many hours to have a clear mind on this.
> Any advice to find why I'm stuck on the server?
>
> Regards.
>
>

Hi,

I saw your e-mail this morning but I had no idea what to make out of it
as I am confused about your network topology. I was also not impressed
that you were following some howto from the internet. Both PF and
OpenVPN are well documented. Grab the books and read them.

I run OpenVPN servers in production so I am attaching the pf.conf
and server configuration. To make it easier to read the configuration files I
will describe my topology.

VPN
road-warriors-net (10.9.0.0/24) > my-lan-zone (192.168.6.0/24)

In my case road warriors want to be able to use ssh to access any of my
LAN zone machines (192.168.6.0/24). Their tun0 interface address is
from the pool 10.9.0.0/24 but they also have some other physical
interface which has another address. Typically that other physical
interface is used to browse the Internet. Internal machines
(192.168.6.0/24) have to be able to browse the internet.

I have an OpenBSD machine acting as a VPN gateway (OpenVPN server) for
road warriors and also acting as a firewall for the LAN zone. The name
of the machine is apollo. Please see pf.conf and server-apollo.conf
(OpenVPN server configuration). Make sure you understand what I did.

This is Apollo's /etc/pf.conf file 

# macros
ext_if="em1"
int_if="em0"
vpn_if="tun0"
auton_lan = "{192.168.6.0/24}"
auton_vpn = "{10.9.0.0/24}"



broken = "{127.0.0.0/8, 240.0.0.0/4, 0.0.0.0/8, 169.254.0.0/16, \
   198.51.100.0/24, 203.0.113.0/24, 255.255.255.255/32}"
table  persist
table  persist

tcp_services = "{ssh, http, https, submission, 8080, 30041}"
tcp_services_int = "{ssh, http, https, submission, ldap, \
111, 2049, 4000, 4001, 4002, 3690, 8080, 30041}"
udp_services = "{domain, ntp, snmp, syslog, 25826}"
udp_services_int = "{domain, ntp, snmp, syslog, 25826, 111, 2049, 4000, 4001, 4002}"
openvpn = "{1194}"


# options
set block-policy return
set limit states 10
set loginterface egress
set optimization normal
set ruleset-optimization basic 
set skip on lo


# match rules
match in all scrub (no-df max-mss 1440)
match out all scrub (no-df max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)


# filter rules
block quick from 
block in quick on egress proto tcp from  \
to any port {ssh, 30041} label "ssh bruteforce"
antispoof quick for { $int_if $ext_if}

block drop in quick on egress from {$broken, no-route} to any
block drop in quick from urpf-failed to any
block return in on ! lo0 proto tcp to port 6000:6010

block all


pass inet proto icmp all icmp-type 8 code 0
pass out on $ext_if inet proto tcp from any to any port $tcp_services
pass out on $ext_if inet proto udp from any to any port $udp_services
pass in log on egress inet proto udp to (egress) port $openvpn

pass on $ext_if inet proto tcp from any to any port {30041} \
flags S/SA keep state \
(max-src-conn 100, max-src-conn-rate 15/5, \
 overload  flush global)

pass inet proto tcp from {$auton_lan, $auton_vpn} to any port $tcp_services_int
pass inet proto udp from {$auton_lan, $auton_vpn} to any port $udp_services_int


This is the server-apollo.conf file


# Which local IP address should OpenVPN
# listen on? (optional)
local my_ip_address

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one.  You will need to
# open up this port on your firewall.
port 1194

# TCP or UDP server?
proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows n

Re: pf rule for openvpn

2016-10-23 Thread Thuban
* obsd on [23-10-2016 21:13:19 +0200]:
> On 23-10-2016 at 17:01, Thuban wrote:
> > Hi,
> > I have an openvpn server running and working, but can't
> > go "outside" the server to access the web.
> >
> > To configure the server, I followed this :
> > http://2f30.org/guides/openvpn.html
> >
> > So ip forwarding is active, vpn port is open, clients can connect to the
> > vpn. But they can't access wwweb.
> >
> > I guess the problem comes from this pf rule :
> >
> > pass out on $ext_if from 10.8.0.0/24 to any nat-to ($ext_if)
> >
> > I've been on this issue for too many hours to have a clear mind on this.
> > Any advice to find why I'm stuck on the server?
> >
> > Regards.
> >
> >
> How about a rule that permits tunnel traffic to go out? How about a rule
> that permits the traffic to come in on the tunnel?
>

Here are the relevant parts of my pf.conf :

ext_if = "re0"
tcp_pass = "{ gopher ipp 8000 }"
udp_pass = "{ 1194 }"

pass in quick on $ext_if proto tcp to any port $tcp_pass keep state
pass in quick on $ext_if proto udp to any port $udp_pass keep state

pass out on $ext_if from 10.8.0.0/24 to any nat-to $ext_if

pass out on $ext_if proto { tcp udp icmp } all modulate state


Traffic comes in on $ext_if on port 1194. There, it goes into the tunnel.
The nat-to directive forwards the traffic to $ext_if, which is supposed
to go out.

I feel I miss something here... :/

--
/Thuban/



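An added example, not Thuban's ruleset and not from the 2f30 guide, of what the two rules obsd asks about look like next to the rules already posted. It assumes the OpenVPN instance uses dev tun0, the 10.8.0.0/24 client subnet from the thread, net.inet.ip.forwarding=1, and a default-deny policy at the top; re0 and the gopher, ipp, 8000 and 1194 ports come from the posted pf.conf.

```pf
# Added example: a ruleset with explicit tunnel rules for an OpenVPN server.
# re0 and the service ports are from the posted pf.conf; tun0 is assumed.
ext_if   = "re0"
vpn_if   = "tun0"
vpn_net  = "10.8.0.0/24"
tcp_pass = "{ gopher ipp 8000 }"
udp_pass = "{ 1194 }"

set skip on lo

# Explicit default: nothing passes unless a later rule says so; drops are logged.
block log

# Services on the external interface, including the OpenVPN listener.
pass in quick on $ext_if proto tcp to ($ext_if) port $tcp_pass
pass in quick on $ext_if proto udp to ($ext_if) port $udp_pass

# "A rule that permits the traffic to come in on the tunnel": packets the VPN
# clients send, which the kernel then forwards out $ext_if.
pass in on $vpn_if inet from $vpn_net to any

# "A rule that permits tunnel traffic to go out": anything the server itself
# sends to a client. Replies to client flows already match the state created
# by the rule above and need no rule of their own.
pass out on $vpn_if inet from any to $vpn_net

# Source NAT for forwarded client traffic. A match rule applies the
# translation no matter which pass rule ends up matching last; a nat-to on a
# pass rule is only applied when that pass rule is the final match.
match out on $ext_if inet from $vpn_net to any nat-to ($ext_if)

# The server's own outbound traffic and the forwarded client traffic.
pass out on $ext_if proto { tcp udp icmp } modulate state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading. The NAT is on a match rule on purpose: a translation on a pass rule is only applied when that pass rule is the last one to match, so a later `pass out on $ext_if ...` rule that also matches client traffic would win and the packets would leave re0 with their 10.8.0.x source unchanged. If clients still cannot get past the server, `pfctl -vsr` shows whether the tun0 rules are being hit and `tcpdump -n -i pflog0` shows what the block rule drops.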

Re: pf rule for openvpn

2016-10-23 Thread obsd
Op 23-10-2016 om 17:01 schreef Thuban:
> Hi,
> I have an openvpn server running and working, but can't
> go "outside" the server to access the web.
>
> To configure the server, I followed this :
> http://2f30.org/guides/openvpn.html
>
> So ip forwarding is active, the vpn port is open, clients can connect to the
> vpn. But they can't access the web.
>
> I guess the problem comes from this pf rule :
>
> pass out on $ext_if from 10.8.0.0/24 to any nat-to ($ext_if)
>
> I've been on this issue for too many hours to have a clear mind on this.
> Any advice to find why I'm stuck on the server?
>
> Regards.
>
>
How about a rule that permits tunnel traffic to go out? How about a rule
that permits the traffic to come in on the tunnel?



pf rule for openvpn

2016-10-23 Thread Thuban
Hi,
I have an openvpn server running and working, but can't
go "outside" the server to access the web.

To configure the server, I followed this :
http://2f30.org/guides/openvpn.html

So ip forwarding is active, the vpn port is open, clients can connect to the
vpn. But they can't access the web.

I guess the problem comes from this pf rule :

pass out on $ext_if from 10.8.0.0/24 to any nat-to ($ext_if)

I've been on this issue for too many hours to have a clear mind on this.
Any advice to find why I'm stuck on the server?

Regards.




Why this pf rule is not enough?

2016-02-28 Thread Lampshade
I have rdomain 1 and default rdomain
pair1 is in rdomain 1
pair2 is in default rdomain
Inside rdomain1 there is no loopback interface
network is 172.10.0.2/24

In /etc/resolv.conf I have nameserver 127.0.0.1
so all DNS (UDP 53) packets should go to 127.0.0.1
Default route in rdomain1 is pair2 interface (172.10.0.2)

I want (and achieved) intercepting DNS requests from rdomain1
to 172.10.0.2 port 9053. I have rule:

pass out quick log (all, to pflog0) on pair1 inet proto udp to 127.0.0.1 port 53 rdr-to 172.10.0.2 port 9053 keep state (floating)

but it is not enough. I needed to add this rule:

pass in quick on pair2 inet proto udp from pair1 to any port 53 rdr-to pair2 port 9053 keep state (floating)



Re: NAT replies not triggering pf rule

2015-10-27 Thread Stuart Henderson
On 2015-10-27, Michael S. Keller  wrote:
> On 10/27/15 3:42 AM, Stuart Henderson wrote:
>> On 2015-10-26, Giancarlo Razzolini  wrote:
>>> I suggest you move your match rules to the beginning of the ruleset and
>>> use log on them. So you can watch your pflog interface and see the
>>> packets being triggered. Also, you can (should) always use tags. Not
>>> only do they make your ruleset "debuggable", but any stray packet should hit
>>> a block rule (possibly logging it). I suspect your first three rules
>>> aren't matching because you're using the external interface. Try using
>>> the internal on them.
>>
>> Also: have the first "action" rule block everything ("block log" probably).
>> Then you can be sure that all packets match one of your rules (and don't get
>> accepted by the implicit default 'pass flags any no state' rule).
>>
>
> These are the rules that appear potentially to affect outgoing packets 
> on the internal interface:
>
> match inet from any to 192.168.1.62
> block drop out on gem0 all
> pass out on gem0 inet from any to 192.168.1.0/24 flags S/SA
>
> Only traffic that initiates directly from the OpenBSD firewall triggers 
> these rules. Neither web page loads (which traverse the NAT) nor SSH 
> session replies increase the trigger counts on any of these three rules.
>
> -Michael
>
>

I mean literally

block log

then put your other rules after it. It is too much hassle to work out
if there are rules to cover every packet that might pass through the
system, putting 'block log' up-front makes it clear so that every
packet will have to match one of the rules in your ruleset, rather
than matching the invisible implicit default rule.

"match inet from any to 192.168.1.62" doesn't do anything. "match" is
a modifier for other rules ("log", "tag", "queue" are common things to
use in a match rule), but your match line doesn't make any changes.
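
An added example, not part of the thread and not Michael's ruleset, of the skeleton Stuart describes: an explicit block log as the first action rule, and match rules that carry a modifier (here tag) so they have an observable effect. gem0, egress and the three host addresses are from the thread; everything else is assumed.

```pf
# Added example, not Michael's ruleset. Interfaces and the three host
# addresses are from the thread; the rest is assumed.
ext_if = "egress"
int_if = "gem0"
lan    = "192.168.1.0/24"
media  = "{ 192.168.1.64 192.168.1.57 192.168.1.62 }"

set skip on lo

# First action rule. Whatever matches no later rule is dropped and logged, so
# the implicit "pass flags any no state" default is never reached and every
# packet accounted for in pfctl -vsr / pflog0 belongs to a rule we wrote.
block log

# A match rule with no modifier changes nothing. This one tags the packet that
# creates each flow from a media box. The tag stays on the packet while it is
# forwarded to $ext_if, where "tagged" can select it. Later packets of the same
# flow, in both directions, hit the state entry and are never evaluated against
# the ruleset again, so a match rule written for the reply direction on $int_if
# counts nothing even though the replies do leave through $int_if.
match in on $int_if inet from $media to any tag MEDIA

# LAN to Internet. For a flow from a media box the tagged rule is the last one
# to match, so its counter (and pflog0, because of "log") shows that the tag
# made it across the box.
pass in on $int_if inet from $lan to any
pass out on $ext_if inet from $lan to any nat-to ($ext_if:0)
pass out log on $ext_if inet tagged MEDIA nat-to ($ext_if:0)

# The firewall's own outbound traffic.
pass out on $ext_if inet from (self) to any nat-to ($ext_if:0)
```

Counters of state-creating rules grow once per flow, not per packet: the rest of the flow, NAT replies leaving gem0 included, is handled by the state entry without running the ruleset. `pfctl -vsr` shows the counters and `tcpdump -n -e -ttt -i pflog0` shows the logged rules firing.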



Re: NAT replies not triggering pf rule

2015-10-27 Thread Giancarlo Razzolini
Em 27-10-2015 09:37, Michael S. Keller escreveu:
> These are the rules that appear potentially to affect outgoing packets
> on the internal interface:
>
> match inet from any to 192.168.1.62
> block drop out on gem0 all
> pass out on gem0 inet from any to 192.168.1.0/24 flags S/SA
>
> Only traffic that initiates directly from the OpenBSD firewall
> triggers these rules. Neither web page loads (which traverse the NAT)
> nor SSH session replies increase the trigger counts on any of these
> three rules.

Since you seem to be unwilling to use tags, let's try to debug this
another way. Install and configure nfsen, create a pflow(4) interface
and set the default for every state to use pflow:

option state-defaults pflow

You will see every flow passing, incoming and leaving your firewall.
Since you mentioned that you're seeing the traffic on tcpdump, this can
make it easier to visualize where your packets are going.

Cheers,
Giancarlo Razzolini



Re: NAT replies not triggering pf rule

2015-10-27 Thread Michael S. Keller

On 10/27/15 3:42 AM, Stuart Henderson wrote:
> On 2015-10-26, Giancarlo Razzolini  wrote:
>> I suggest you move your match rules to the beginning of the ruleset and
>> use log on them. So you can watch your pflog interface and see the
>> packets being triggered. Also, you can (should) always use tags. Not
>> only do they make your ruleset "debuggable", but any stray packet should hit
>> a block rule (possibly logging it). I suspect your first three rules
>> aren't matching because you're using the external interface. Try using
>> the internal on them.
>
> Also: have the first "action" rule block everything ("block log" probably).
> Then you can be sure that all packets match one of your rules (and don't get
> accepted by the implicit default 'pass flags any no state' rule).



These are the rules that appear potentially to affect outgoing packets 
on the internal interface:


match inet from any to 192.168.1.62
block drop out on gem0 all
pass out on gem0 inet from any to 192.168.1.0/24 flags S/SA

Only traffic that initiates directly from the OpenBSD firewall triggers 
these rules. Neither web page loads (which traverse the NAT) nor SSH 
session replies increase the trigger counts on any of these three rules.


-Michael



Re: NAT replies not triggering pf rule

2015-10-27 Thread Stuart Henderson
On 2015-10-26, Giancarlo Razzolini  wrote:
> I suggest you move your match rules to the beginning of the ruleset and
> use log on them. So you can watch your pflog interface and see the
> packets being triggered. Also, you can (should) always use tags. Not
> only do they make your ruleset "debuggable", but any stray packet should hit
> a block rule (possibly logging it). I suspect your first three rules
> aren't matching because you're using the external interface. Try using
> the internal on them.

Also: have the first "action" rule block everything ("block log" probably).
Then you can be sure that all packets match one of your rules (and don't get
accepted by the implicit default 'pass flags any no state' rule).



Re: NAT replies not triggering pf rule

2015-10-26 Thread Michael S. Keller

> Because there will never be a packet on gem0 with destination
> 192.168.1.64. The packets are being natted, aren't they? Try using tags,
> your life will be much simpler.


I tried tags in an earlier iteration of this. Didn't help.

As a simpler test, I revised the rule for packets leaving gem0 to this:

match out on gem0 all

I put it at the top of the ruleset.

It matches nothing.

-Michael



Re: NAT replies not triggering pf rule

2015-10-26 Thread Michael S. Keller

On 10/26/15 8:12 AM, Giancarlo Razzolini wrote:
> Are you aware that you'll need to have a queue on the internal interface
> and another on the egress one right? Queuing incoming packets is very
> tricky and does not always have the desired effect. I suggest you start with
> prio and see where it leads you:
> http://quigon.bsws.de/papers/2012/eurobsdcon/mgp00010.html

I shouldn't need a queue on the egress to control bandwidth _to_
internal network hosts.

I've tried the prio route, but it didn't help, probably because of the
same trouble with rules matching content.

> I suggest you move your match rules to the beginning of the ruleset and
> use log on them. So you can watch your pflog interface and see the
> packets being triggered. Also, you can (should) always use tags. Not
> only do they make your ruleset "debuggable", but any stray packet should hit
> a block rule (possibly logging it). I suspect your first three rules
> aren't matching because you're using the external interface. Try using
> the internal on them.


   0  MatchAny   gem0  000 
  inet from any to 192.168.1.64/32
   1  MatchAny   gem0  000 
  inet from any to 192.168.1.57/32
   2  MatchAny   gem0  000 
  inet from any to 192.168.1.62/32
   3  MatchAny   gem0106324020 
  inet from 192.168.1.64/32 to any
   4  MatchAny   gem0  000 
  inet from 192.168.1.57/32 to any
   5  MatchAny   gem0426   1030060 
  inet from 192.168.1.62/32 to any


This is "systat rules" output after putting the host "match" rules first 
in pf.conf. The test is a page load from 192.168.1.62.
The outgoing packets from 192.168.1.62 show non-zero counts. Counts to 
192.168.1.62 are zero and that has to be false because the page load 
succeeded. Further, "iftop" can tally the traffic and "tcpdump" will 
show it. So why doesn't PF note it?


-Michael



Re: NAT replies not triggering pf rule

2015-10-26 Thread Giancarlo Razzolini
Em 25-10-2015 15:31, Michael S. Keller escreveu:
> I want to set queues to limit bandwidth for the streaming media
> devices on my home network. Unfortunately, the "pass out" rules on my
> internal network (external is PPPoE) don't ever trip for replies
> received from the world.

Are you aware that you'll need to have a queue on the internal interface
and another on the egress one right? Queuing incoming packets is very
tricky and does not always have the desired effect. I suggest you start with
prio and see where it leads you:
http://quigon.bsws.de/papers/2012/eurobsdcon/mgp00010.html

> What am I missing?
>
> OpenBSD version is 5.8 macppc.
>
> block drop in log on egress all
> block return in on ! lo0 proto tcp from any to any port 6000:6010
> match on egress all scrub (no-df random-id reassemble tcp max-mss 1440)
> pass out on egress from (self) to any flags S/SA nat-to (egress:0)
> round-robin
> pass out on egress inet from 192.168.1.0/24 to any received-on gem0
> flags S/SA nat-to (egress:0) round-robin
> block drop in quick on ! lo inet6 from ::1 to any
> block drop in quick on ! lo inet from 127.0.0.0/8 to any
> block drop in quick inet from 127.0.0.1 to any
> block drop in quick on ! gem0 inet from 192.168.1.0/24 to any
> block drop in quick inet from 192.168.1.1 to any
> block drop in quick on lo0 inet6 from fe80::1 to any
> block drop in quick inet6 from ::1 to any
> pass in on egress inet proto icmp from ! (egress) to (egress)
> icmp-type echoreq code 0
> pass in on egress inet proto icmp from ! (egress) to (egress)
> icmp-type unreach code needfrag
> pass in log on egress inet proto tcp from ! (egress) to (egress) port
> = 8022 flags S/SA modulate state rdr-to 127.0.0.1 port 8022
> pass in on egress inet proto udp from ! (egress) to (egress) port =
> 1194 rdr-to 127.0.0.1
> pass in on gem0 all flags S/SA
> pass in on gem0 inet proto tcp from 192.168.1.0/24 to 192.168.1.1 port
> = 22 flags S/SA modulate state rdr-to 127.0.0.1 port 8022
> block drop out on gem0 all
> match on gem0 inet from any to 192.168.1.64 # THESE THREE
> match on gem0 inet from any to 192.168.1.57 # DO NOT
> match on gem0 inet from any to 192.168.1.62 # TRIGGER
> match on gem0 inet from 192.168.1.64 to any # these
> match on gem0 inet from 192.168.1.57 to any # three
> match on gem0 inet from 192.168.1.62 to any # trigger
> pass out on gem0 inet from any to 192.168.1.0/24 flags S/SA

I suggest you move your match rules to the beginning of the ruleset and
use log on them. So you can watch your pflog interface and see the
packets being triggered. Also, you can (should) always use tags. Not
only do they make your ruleset "debuggable", but any stray packet should hit
a block rule (possibly logging it). I suspect your first three rules
aren't matching because you're using the external interface. Try using
the internal on them.

Cheers,
Giancarlo Razzolini



NAT replies not triggering pf rule

2015-10-25 Thread Michael S. Keller
I've worked with this off and on for some time, but still don't know 
what I'm not doing correctly.


I want to set queues to limit bandwidth for the streaming media devices 
on my home network. Unfortunately, the "pass out" rules on my internal 
network (external is PPPoE) don't ever trip for replies received from 
the world.


The rule set below includes "match" lines so I can watch the 
bidirectional traffic. Traffic that comes into my OpenBSD box from the 
internal network on interface gem0 triggers the match rules. Replies 
received from across the NAT never trigger rules for the other 
direction. I've confirmed this with both "systat rules" and "pfctl -ss -v".


What am I missing?

OpenBSD version is 5.8 macppc.

block drop in log on egress all
block return in on ! lo0 proto tcp from any to any port 6000:6010
match on egress all scrub (no-df random-id reassemble tcp max-mss 1440)
pass out on egress from (self) to any flags S/SA nat-to (egress:0) round-robin
pass out on egress inet from 192.168.1.0/24 to any received-on gem0 flags S/SA nat-to (egress:0) round-robin

block drop in quick on ! lo inet6 from ::1 to any
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick on ! gem0 inet from 192.168.1.0/24 to any
block drop in quick inet from 192.168.1.1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick inet6 from ::1 to any
pass in on egress inet proto icmp from ! (egress) to (egress) icmp-type echoreq code 0
pass in on egress inet proto icmp from ! (egress) to (egress) icmp-type unreach code needfrag
pass in log on egress inet proto tcp from ! (egress) to (egress) port = 8022 flags S/SA modulate state rdr-to 127.0.0.1 port 8022
pass in on egress inet proto udp from ! (egress) to (egress) port = 1194 rdr-to 127.0.0.1

pass in on gem0 all flags S/SA
pass in on gem0 inet proto tcp from 192.168.1.0/24 to 192.168.1.1 port = 22 flags S/SA modulate state rdr-to 127.0.0.1 port 8022

block drop out on gem0 all
match on gem0 inet from any to 192.168.1.64 # THESE THREE
match on gem0 inet from any to 192.168.1.57 # DO NOT
match on gem0 inet from any to 192.168.1.62 # TRIGGER
match on gem0 inet from 192.168.1.64 to any # these
match on gem0 inet from 192.168.1.57 to any # three
match on gem0 inet from 192.168.1.62 to any # trigger
pass out on gem0 inet from any to 192.168.1.0/24 flags S/SA



Re: PF rule for transparent siproxd ?

2014-04-08 Thread Christophe
Hi Stuart,

Le 08/04/2014 18:31, Stuart Henderson a écrit :
> On 2014-04-07, Christophe  wrote:
> [..]
> 
> Let's ignore the siproxd side of things and just look at the ruleset.
> 
> You have no "pass" or "block" rules for any outbound traffic so the implicit
> default is used for outbound traffic - this is "pass all no state" - I would
> start the ruleset with an explicit "block" and then perhaps "pass out" if
> that's what you want.
> 

Oops, true ! I made a `grep -v` mistake ... Sorry :( .

Here is the real ruleset, that effectively contains block and pass
"default" rules.

> set skip on lo
> set loginterface pflog0
> 
> block in log 
> pass out   
> 
> block in on ! lo0 proto tcp to port 6000:6010
>
> match out log on em0 inet from 172.18.160.0/24 to any nat-to em0
> 
> pass in on em1 inet proto tcp from 172.18.160/24 to any port { 80, 443 } keep state
> pass in on em1 inet proto icmp from 172.18.160.0/24 to any keep state
> 
> pass in on em0 inet proto tcp from any to em0 port 22 keep state 
> pass in on em0 inet proto icmp from any to em0 keep state 
> 
> pass in log on em1 inet proto udp from 172.18.160.0/24 to any port 5060 divert-to 172.18.160.253 port 5060
> 
> pass in on em0 inet proto udp from any to em0 port 5060 keep state
> pass in on em0 inet proto udp from any to em0 port 17030:17080 keep state



Regards,
Christophe.



Re: PF rule for transparent siproxd ?

2014-04-08 Thread Stuart Henderson
On 2014-04-07, Christophe  wrote:
[..]

Let's ignore the siproxd side of things and just look at the ruleset.

>> set skip on lo
>> set loginterface pflog0
>> 
>> block in on ! lo0 proto tcp to port 6000:6010
>> 
>> match out log on em0 inet from 172.18.160.0/24 to any nat-to em0
>> 
>> pass in on em1 inet proto tcp from 172.18.160/24 to any port { 80, 443 } keep state
>> pass in on em1 inet proto icmp from 172.18.160.0/24 to any keep state
>> 
>> pass in on em0 inet proto tcp from any to em0 port 22 keep state 
>> pass in on em0 inet proto icmp from any to em0 keep state 
>> 
>> # Here is the rule I try to use .
>> pass in log on em1 inet proto udp from 172.18.160.0/24 to any port 5060 divert-to 172.18.160.252 port 5060
>> 
>> pass in on em0 inet proto udp from any to em0 port 5060 keep state
>> pass in on em0 inet proto udp from any to em0 port 17030:17080 keep state

You have no "pass" or "block" rules for any outbound traffic so the implicit
default is used for outbound traffic - this is "pass all no state" - I would
start the ruleset with an explicit "block" and then perhaps "pass out" if
that's what you want.



Re: PF rule for transparent siproxd ?

2014-04-08 Thread Stuart Henderson
On 2014-04-08, Christophe  wrote:
> Hi Stuart,
>
> Le 08/04/2014 10:41, Stuart Henderson a écrit :
>> On 2014-04-07, Christophe  wrote:
>>> The goal is to allow every SIP device inside the LAN to register
>>> with its SIP provider without any "outbound proxy" configuration, and let
>>> siproxd act as a masquerading server.
>> 
>> Do you really need it? Most user-facing SIP providers run SBCs to work
>> around NAT problems (amongst other things) and either don't need, or
>> work better without, SIP NAT helpers.
>> 
>
> As you say : most , but not all ... and we have to deal with :( .
>
> Cisco routers (2600 and 800 series) are able to handle this: only
> public IP addresses are seen in SIP packets on the external network interface,
> without configuring anything in the "internal SIP devices" (IPBX or phones).
>
> That's why I try to get a similar behavior using a transparent SIP proxy.
>
> Don't know if it's the best way to do, but from what I know of SIP
> protocol and NAT issues, I found it was a nice solution to handle all
> cases with minimum configuration (or reconfiguration) ;).

First diagnosis step with many ITSPs is to disable any such proxies...



Re: PF rule for transparent siproxd ?

2014-04-08 Thread Christophe
Hi Stuart,

Le 08/04/2014 10:41, Stuart Henderson a écrit :
> On 2014-04-07, Christophe  wrote:
>> The goal is to allow every SIP device inside the LAN to register
>> with its SIP provider without any "outbound proxy" configuration, and let
>> siproxd act as a masquerading server.
> 
> Do you really need it? Most user-facing SIP providers run SBCs to work
> around NAT problems (amongst other things) and either don't need, or
> work better without, SIP NAT helpers.
> 

As you say : most , but not all ... and we have to deal with :( .

Cisco routers (2600 and 800 series) are able to handle this: only
public IP addresses are seen in SIP packets on the external network interface,
without configuring anything in the "internal SIP devices" (IPBX or phones).

That's why I try to get a similar behavior using a transparent SIP proxy.

Don't know if it's the best way to do, but from what I know of SIP
protocol and NAT issues, I found it was a nice solution to handle all
cases with minimum configuration (or reconfiguration) ;).


Christophe.



Re: PF rule for transparent siproxd ?

2014-04-08 Thread Christophe
Hi Simon,

Le 07/04/2014 20:20, Simon Perreault a écrit :
> I don't know the direct answer to your question, but taking a step back...
> 
> Any reason you want a transparent SIP proxy rather than an
> explicitly-configured SIP B2BUA? The latter is usually much easier to
> set up and maintain.
> 

SIP B2BUA can be interesting, thanks for the advice ;).

But in this case, there is already several devices configured.
(different types, and different SIP providers).

If we can avoid reconfiguring all the devices ... ;) .

Christophe.



Re: PF rule for transparent siproxd ?

2014-04-08 Thread Stuart Henderson
On 2014-04-07, Christophe  wrote:
> The goal is to allow every SIP device inside the LAN to register
> with its SIP provider without any "outbound proxy" configuration, and let
> siproxd act as a masquerading server.

Do you really need it? Most user-facing SIP providers run SBCs to work
around NAT problems (amongst other things) and either don't need, or
work better without, SIP NAT helpers.



Re: PF rule for transparent siproxd ?

2014-04-07 Thread Simon Perreault
I don't know the direct answer to your question, but taking a step back...

Any reason you want a transparent SIP proxy rather than an
explicitly-configured SIP B2BUA? The latter is usually much easier to
set up and maintain.

Simon
-- 
DTN made easy, lean, and smart --> http://postellation.viagenie.ca
NAT64/DNS64 open-source--> http://ecdysis.viagenie.ca
STUN/TURN server   --> http://numb.viagenie.ca



PF rule for transparent siproxd ?

2014-04-07 Thread Christophe
Hi list,

I am encountering a problem while attempting to get siproxd to act as a
transparent SIP proxy together with PF.

OpenBSD version is 5.4 on amd64.

> OpenBSD 5.4 (GENERIC) #37: Tue Jul 30 15:24:05 MDT 2013
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC

siproxd installed from package "siproxd-0.8.1p3.tgz"

The setup is as simple as possible (IPv4 only) :

em1 : LAN, 172.18.160.253/24
em0 : WAN with DHCP.

I'm trying to get transparent proxy config as described here :

http://siproxd.sourceforge.net/siproxd_guide/siproxd_guide_c7s4.html

But replacing iptables rules by pf rules.

Content of siproxd.conf is :

> if_inbound  = em1
> if_outbound = em0
> 
> hosts_allow_reg = 172.18.160.0/24,127.0.0.1/8
> sip_listen_port = 5060
> 
> daemonize = 1
> 
> silence_log = 0
> 
> user = _siproxd
> chrootjail = /var/siproxd/
> 
> registration_file = siproxd_registrations
> 
> autosave_registrations = 300
> 
> pid_file = siproxd.pid
> 
> rtp_proxy_enable = 1
> 
> rtp_port_low  = 17030
> rtp_port_high = 17080
> 
> rtp_timeout = 300
> 
> rtp_dscp = 46
> 
> sip_dscp = 0
> 
> rtp_input_dejitter  = 0
> rtp_output_dejitter = 0
> 
> tcp_timeout = 600
> tcp_connect_timeout = 500
> tcp_keepalive = 20
> 
> debug_level = -1
> debug_port = 5050
> 
> plugindir=/usr/local/lib/siproxd/
> load_plugin=plugin_logcall.so
> 

Using outbound SIP proxy on (soft)phones let me know that siproxd config
is working. But it's not the goal :

The goal is to allow every SIP device inside the LAN to register
with its SIP provider without any "outbound proxy" configuration, and let
siproxd act as a masquerading server.


PF rules :

> set skip on lo
> set loginterface pflog0
> 
> block in on ! lo0 proto tcp to port 6000:6010
> 
> match out log on em0 inet from 172.18.160.0/24 to any nat-to em0
> 
> pass in on em1 inet proto tcp from 172.18.160/24 to any port { 80, 443 } keep state
> pass in on em1 inet proto icmp from 172.18.160.0/24 to any keep state
> 
> pass in on em0 inet proto tcp from any to em0 port 22 keep state 
> pass in on em0 inet proto icmp from any to em0 keep state 
> 
> # Here is the rule I try to use .
> pass in log on em1 inet proto udp from 172.18.160.0/24 to any port 5060 divert-to 172.18.160.252 port 5060
> 
> pass in on em0 inet proto udp from any to em0 port 5060 keep state
> pass in on em0 inet proto udp from any to em0 port 17030:17080 keep state


I tried several rules but none of them redirects packets on siproxd (no
log on siproxd) , and none of them logs to pflog0 interface :( .

pass in log on em1 inet proto udp from 172.18.160.0/24 to any port 5060 divert-to localhost port 5060

pass in log on em1 inet proto udp from 172.18.160.0/24 to any port 5060 divert-to 127.0.0.1 port 5060

pass in log on em1 inet proto udp from 172.18.160.0/24 to any port 5060 divert-packet port 5060

pass in log on em1 inet proto udp from 172.18.160.0/24 to any port 5060 rdr-to 127.0.0.1 port 5060

pass in log on em1 inet proto udp from 172.18.160.0/24 to any port 5060 rdr-to 172.18.160.252 port 5060

The only one that can log in pflog0 is :

pass in log on em1 inet proto udp from 172.18.160.0/24 to any port 5060 keep state

But it doesn't fit my needs ...

I'd like it to be as simple as redirecting FTP traffic to ftp-proxy:
redirect SIP requests to a local service that can handle rewriting
the packets.

Final goal is to replace Cisco routers (that handle SIP inspection and
redirect public RTP ports to the appropriate device) by OpenBSD.

Any ideas ?

Regards,
Christophe.



Re: pf rule idea

2013-01-25 Thread Josh Hoppes
The best option I see here is to dup-to packets to an interface with an IDS
listening, and give it the ability to add IP addresses to a blacklist and
flush all states associated with them.

PF is a kernel space item, and you want to keep this as simple as possible
to minimize bugs. Leave complex stuff like intrusion detection to the
userland where it can do less harm.


On Fri, Jan 25, 2013 at 3:08 PM, Andres Perera  wrote:

> I highly doubt that they would add any sort of layer 7/string checking
> capability to pf. it's completely against its design
>
> that's just not going to happen
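
An added example (not from the thread) of the arrangement Josh describes: pf mirrors traffic to a sensor with dup-to, and the IDS pushes offenders back into a table that pf blocks from, then kills their states. em0, em2, 192.0.2.2, the service ports and the banned address 203.0.113.7 are all assumed; the dup-to target is written in the (interface address) form of pf.conf(5) at the time of the thread, and newer releases changed this syntax, so check pf.conf(5) on your release.

```pf
# Added example of the arrangement described above: pf mirrors traffic to an
# IDS with dup-to, the IDS pushes offenders into a table and kills their
# states. em0, em2, 192.0.2.2 and the ports are assumed.
ext_if = "em0"
ids_if = "em2"          # dedicated link to the sensor (assumed)
ids    = "192.0.2.2"    # sensor's address on that link (assumed)

# Filled at run time by the IDS with pfctl; "persist" keeps the table around
# even while no rule references it, e.g. during a ruleset reload.
table <blacklist> persist

set skip on lo

block log

# Banned sources are dropped before anything else is evaluated. States that
# already exist are not affected by this rule, which is why the IDS has to
# flush them as well (see the pfctl commands at the end).
block in quick log on $ext_if from <blacklist>

# dup-to sends a copy of the packet out $ids_if to the sensor and lets the
# original continue through the ruleset as usual. The "(interface address)"
# form is the pf.conf(5) syntax of the time; check your release's pf.conf(5).
pass in on $ext_if inet proto tcp to ($ext_if) port { 22 80 443 } dup-to ($ids_if $ids)

# The copies leave on the sensor link; they need no state of their own.
pass out quick on $ids_if no state

pass out on $ext_if

# What the IDS runs when it decides 203.0.113.7 should be banned:
#   pfctl -t blacklist -T add 203.0.113.7
#   pfctl -k 203.0.113.7                  # states originating from the host
#   pfctl -k 0.0.0.0/0 -k 203.0.113.7     # states going to it
```

`pfctl -t blacklist -T show` lists the table, and `pfctl -t blacklist -T delete 203.0.113.7` lifts a ban. The block rule only stops new packets from reaching rule evaluation; a connection that already has a state entry keeps flowing until that state is killed, hence the two `pfctl -k` invocations.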



Re: pf rule idea

2013-01-25 Thread Andres Perera
I highly doubt that they would add any sort of layer 7/string checking
capability to pf. it's completely against its design

that's just not going to happen



Re: pf rule idea

2013-01-25 Thread sven falempin
I am not sure I am right, but you are not at the right layer; you want snort
or something similar to do that.

On Fri, Jan 25, 2013 at 3:03 PM, Todd  wrote:

> hi,
>
> not sure this is the correct place to ask but i wanted to know if the
> possibility of a new pf rule had been thought of?
>
> The concept I had in mind would be to filter packets bound for a port that
> contained a shebang or similar script header.
>
> My thought was trying to add a way to check or prevent scripts from being
> sent out or run on particular ports.
>
> After reading about the new breed of malware (aimed at Windows .dll,
> Acrobat and Java) I was trying to come up with a new security measure to
> prevent people from executing Java scripts into services or vice versa with any
> type of script.
>
> I'm not sure if this is possible or not, but I believe there may be an
> advantage to having the ability to drop packets that contain scripts,
>
> or for that matter contain "x" information, words, hashes etc.
>
> I noticed that the Red October malware was set up to use programs with
> specific md5 hashes; I thought it would be beneficial if it was possible to
> check hash tags against a known list of faked/malware programs.
>
> thanks
>
> Todd
>
>


--
() ascii ribbon campaign - against html e-mail
/\



pf rule idea

2013-01-25 Thread Todd
hi, 

not sure this is the correct place to ask but i wanted to know if the 
possibility of a new pf rule had been thought of?

The concept I had in mind would be to filter packets bound for a port that 
contained a shebang or similar script header.

My thought was trying to add a way to check or prevent scripts from being sent 
out or run on particular ports.

After reading about the new breed of malware (aimed at Windows .dll, Acrobat 
and Java) I was trying to come up with a new security measure to prevent people 
from executing Java scripts into services or vice versa with any type of script.

I'm not sure if this is possible or not, but I believe there may be an 
advantage to having the ability to drop packets that contain scripts,

or for that matter contain "x" information, words, hashes etc.

I noticed that the Red October malware was set up to use programs with 
specific md5 hashes; I thought it would be beneficial if it was possible to 
check hash tags against a known list of faked/malware programs.

thanks

Todd



Re: "simple" PF rule? redirect port without touching address

2012-07-19 Thread Fil DiNoto
WHOA! that works!

I had no idea you could use the bitmask option like that! Thank You.

Although I haven't tested for any unwanted behavior...  I'll get back
to you if i find any.

On Mon, Jul 9, 2012 at 3:10 PM, Stuart Henderson  wrote:
> On 2012-07-09, Simon Perreault  wrote:
>> On 2012-07-09 10:17, Stuart Henderson wrote:
>>> On 2012-07-09, Fil DiNoto  wrote:
>>>> But i was wondering if I could achieve something that would work for
>>>> ALL the addresses behind the router as well without creating
>>>> individual rules for each address. Something like this:
>>>>
>>>> pass in on egress proto tcp from $location1 to any port ssh rdr-to
>>>> (original destination IP) port XXX22
>>>
>>> nope. easiest option for this is probably a userland proxy.
>>> not sure but I reckon relayd can probably do it.
>>
>> Not even with a bitmask pool?
>>
>> pass ... rdr-to 0.0.0.0/0 port XXX22 bitmask
>>
>> Simon
>>
>>
>
> Oh, that's twisted, I like it!
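
An added example (not Fil's ruleset) of Simon's trick written out as a full rule, with the reason it works as a comment. $location1, the inside interface em1 and the alternate port 2222 are stand-ins; the thread's XXX22 is not given.

```pf
# Added example: rewrite only the destination port, keeping the original
# destination address, for every public host behind the router.
location1 = "198.51.100.0/24"   # assumed: the network that can only reach port 22
int_if    = "em1"               # assumed: interface towards the public hosts
alt_ssh   = "2222"              # assumed: stand-in for the thread's XXX22

# rdr-to normally takes the new destination from its address pool. The
# bitmask pool option keeps the host bits of the original destination and
# overlays only the network part of the pool address. With a /0 pool there is
# no network part, so the address stays whatever the client asked for and only
# the port is rewritten: 22 becomes $alt_ssh on every host behind the router,
# and on the router itself.
pass in on egress inet proto tcp from $location1 to any port ssh rdr-to 0.0.0.0/0 port $alt_ssh bitmask

# Forwarded connections still need to leave towards the inside hosts. The
# state created by the rdr-to rule translates the replies back to port 22.
pass out on $int_if inet proto tcp from $location1 to any port $alt_ssh
```

Check it with `pfctl -nf`, then `pfctl -ss` shows each redirected state with the rewritten destination and the original one in parentheses. Note that this exposes port 22 from $location1 to every host behind the router, not only the ones running sshd on the alternate port; narrow `to any` to the hosts that should be reachable if that matters.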



Re: "simple" PF rule? redirect port without touching address

2012-07-09 Thread Stuart Henderson
On 2012-07-09, Simon Perreault  wrote:
> On 2012-07-09 10:17, Stuart Henderson wrote:
>> On 2012-07-09, Fil DiNoto  wrote:
>>> But i was wondering if I could achieve something that would work for
>>> ALL the addresses behind the router as well without creating
>>> individual rules for each address. Something like this:
>>>
>>> pass in on egress proto tcp from $location1 to any port ssh rdr-to
>>> (original destination IP) port XXX22
>>
>> nope. easiest option for this is probably a userland proxy.
>> not sure but I reckon relayd can probably do it.
>
> Not even with a bitmask pool?
>
> pass ... rdr-to 0.0.0.0/0 port XXX22 bitmask
>
> Simon
>
>

Oh, that's twisted, I like it!



Re: "simple" PF rule? redirect port without touching address

2012-07-09 Thread Simon Perreault

On 2012-07-09 10:17, Stuart Henderson wrote:
> On 2012-07-09, Fil DiNoto  wrote:
>> But i was wondering if I could achieve something that would work for
>> ALL the addresses behind the router as well without creating
>> individual rules for each address. Something like this:
>>
>> pass in on egress proto tcp from $location1 to any port ssh rdr-to
>> (original destination IP) port XXX22
>
> nope. easiest option for this is probably a userland proxy.
> not sure but I reckon relayd can probably do it.


Not even with a bitmask pool?

pass ... rdr-to 0.0.0.0/0 port XXX22 bitmask

Simon



Re: "simple" PF rule? redirect port without touching address

2012-07-09 Thread Artturi Alm
2012/7/9 Stuart Henderson 

> On 2012-07-09, Fil DiNoto  wrote:
> > I am trying to achieve something I thought would be simple, but
> > haven't had any luck.
> >
> >
> > I have an OpenBSD 5.0 router/firewall with public IP X.X.X.A
> >
> > Behind it are a mix of OpenBSD and Linux systems, all with public IP. NO
> NAT.
> >
> > I run ssh on an alternate port, XXX22. However, from a certain
> > location I am dealing with a firewall that will not allow outbound
> > connections on XXX22, only on 22.
> >
> > I have already set up a rule like this, and it works:
> >
> > pass in on egress proto tcp from $location1 to any port ssh rdr-to
> > X.X.X.A port XXX22
> >
> > But I was wondering if I could achieve something that would work for
> > ALL the addresses behind the router as well without creating
> > individual rules for each address. Something like this:
> >
> > pass in on egress proto tcp from $location1 to any port ssh rdr-to
> > (original destination IP) port XXX22
> >
> >
>
> nope. easiest option for this is probably a userland proxy.
> not sure but I reckon relayd can probably do it.
>
>
Not sure either, but I would try to use divert(4).



Re: "simple" PF rule? redirect port without touching address

2012-07-09 Thread Stuart Henderson
On 2012-07-09, Fil DiNoto  wrote:
> I am trying to achieve something I thought would be simple, but
> haven't had any luck.
>
>
> I have an OpenBSD 5.0 router/firewall with public IP X.X.X.A
>
> Behind it are a mix of OpenBSD and Linux systems, all with public IP. NO NAT.
>
> I run ssh on an alternate port, XXX22. However, from a certain
> location I am dealing with a firewall that will not allow outbound
> connections on XXX22, only on 22.
>
> I have already set up a rule like this, and it works:
>
> pass in on egress proto tcp from $location1 to any port ssh rdr-to
> X.X.X.A port XXX22
>
> But I was wondering if I could achieve something that would work for
> ALL the addresses behind the router as well without creating
> individual rules for each address. Something like this:
>
> pass in on egress proto tcp from $location1 to any port ssh rdr-to
> (original destination IP) port XXX22
>
>

nope. easiest option for this is probably a userland proxy.
not sure but I reckon relayd can probably do it.



"simple" PF rule? redirect port without touching address

2012-07-08 Thread Fil DiNoto
I am trying to achieve something I thought would be simple, but
haven't had any luck.


I have an OpenBSD 5.0 router/firewall with public IP X.X.X.A

Behind it are a mix of OpenBSD and Linux systems, all with public IP. NO NAT.

I run ssh on an alternate port, XXX22. However, from a certain
location I am dealing with a firewall that will not allow outbound
connections on XXX22, only on 22.

I have already set up a rule like this, and it works:

pass in on egress proto tcp from $location1 to any port ssh rdr-to
X.X.X.A port XXX22

But I was wondering if I could achieve something that would work for
ALL the addresses behind the router as well without creating
individual rules for each address. Something like this:

pass in on egress proto tcp from $location1 to any port ssh rdr-to
(original destination IP) port XXX22



Re: PF rule "match only packets for local machine"

2012-01-05 Thread Robert Wolf
Hallo all,

thank you for your answers.

> > > 
> > > table  const {  }
> > > pass quick proto tcp from  to any port 22 no state
> > > pass in quick proto tcp from any to any port  rdr-to 127.0.0.1
> > > port 22 block quick proto tcp from any to any port 22
> > > 
> > > 
> > > But of course, the last rule blocks every SSH traffic going from
> > > unknown networks to all hosts.
> > 
> > Just replace "to any" to "to self". Should do what you want.

*** YES!:-) That is the keyword I was looking for:-)

> > > I have read the PF manual but not found any possibility to tell pf "to
> > > LOCAL-HOST". I have searched with Google but found no relevant articles;
> > > maybe I have not asked correctly.
> > 
> > Well, it's not very easy to find, but the "self" word is explained in
> > the manual.

*** Oh, I see it now. It is in the TABLES section. I had looked for it in the
PACKET FILTERING section, in the syntax description of "from port os to port".

> Yes, but also keep in mind that "self" is only evaluated on ruleset
> load. 

*** H, OK, it is not the same as iptables -I INPUT, but at least I can create
one rule without defining IP addresses or interfaces. Great, thank you for the
info.

I have updated my rules to 

pass in quick proto tcp from any to (self) port  rdr-to 127.0.0.1 port 22
block quick proto tcp from !  to (self) port 22 no state

We use "pass flags any no state" because this machine works as a router, but I
want to block incoming SSH traffic.

> Surely better to have ssh listen on the additional port if it's needed?
> Whatever reason you have for using PF without keeping state presumably
> applies to port  as well.

*** You are right. I can configure SSH on both port 22 and port . I want to
have port 22 because of access from our networks, with a strict firewall allowing
SSH on port 22. But for access from unknown networks I want to have the additional
port  open. And I wanted to change as few files as possible. I had already
changed pf.conf, so I wanted to make updates only in pf.conf. But it's
no problem to update sshd_config too.

> Unless enclosed by parentheses; "block proto tcp to (self) port ssh"
> *is* evaluated each time. However on a router with relatively static
> IP address configuration, it's often helpful to avoid the overhead
> of lookups for each packet (especially if you're not keeping state...).

*** Cool, applied:) 

> start with block rule without "quick", then apply pass rules.
> something like this:
> table  const {  }
> block proto tcp from any to any port 22
> pass quick proto tcp from  to any port 22 no state
> pass in quick proto tcp from any to any port  rdr-to 127.0.0.1 port 22

*** This does not work. We have one rule "pass flags any no state" after this
block because the machine is a router and we want to pass everything. If I
move this block after that "pass any", it would block all SSH traffic going
through.

The solution with (self) is the best one. I will try to find a slightly better
solution so that all non-SSH packets are passed before the SSH check, something like

==
pass out quick flags any no state
pass in quick proto ! tcp flags any no state
pass in quick proto tcp from any to any port ! 22 flags any no state
## start sshd on port 22 and  instead ##
## pass in quick proto tcp from any to (self) port  rdr-to 127.0.0.1 port 22
block in quick proto tcp from !  to (self) port 22 no state
pass flags any no state
==

Is this better?


Thank you all for your answers.


Regards,

Robert Wolf.
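
The ruleset above rests on two pf evaluation properties that are easy to get backwards: the last matching rule wins, unless a matching rule carries "quick", which ends evaluation on the spot, and a packet that matches no rule passes. The small model below is an added example (not code from this thread, and not pf itself): it parses the thread's rules in pf-like syntax and evaluates sample packets against them, so you can check mechanically why "to (self) port 22" blocks only SSH aimed at the router while routed SSH still passes, and why favar's non-quick block is overridden by the router's trailing "pass flags any no state". The table name our_networks, the router addresses and the sample packets are constructed stand-ins for values the thread redacts; state, flags and rdr-to are not modelled.

```python
"""Toy model of pf rule evaluation (added example, not from the thread).

Last matching rule decides, unless a matching rule says "quick"; no match
means pass. Supports only the criteria the thread's rulesets use: in/out,
quick, proto, from/to with "!" negation, <tables>, (self), port.
"""
import ipaddress

# Constructed stand-ins for the thread's redacted <table> and router addresses.
TABLES = {"our_networks": ["10.0.0.0/8"]}
SELF_ADDRS = {"192.0.2.1", "198.51.100.1"}
KEYWORD_FIELD = {"proto": "proto", "from": "src", "to": "dst", "port": "port"}


def parse_rule(text):
    """Parse one pf-style rule; each criterion is stored as (negated, value)."""
    toks = text.split()
    rule = {"action": toks[0], "dir": None, "quick": False,
            "proto": None, "src": None, "dst": None, "port": None}
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok in ("in", "out"):
            rule["dir"] = tok
        elif tok == "quick":
            rule["quick"] = True
        elif tok in KEYWORD_FIELD:
            i += 1
            negated = toks[i] == "!"
            if negated:
                i += 1
            rule[KEYWORD_FIELD[tok]] = (negated, toks[i])
        elif tok == "rdr-to":
            break  # translation options follow the filter criteria; not modelled
        # "flags any", "no state", "keep state" are state options: ignored here
        i += 1
    return rule


def addr_matches(spec, addr):
    if spec == "any":
        return True
    if spec in ("self", "(self)"):
        return addr in SELF_ADDRS
    nets = TABLES[spec[1:-1]] if spec.startswith("<") else [spec]
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)


def criterion_ok(crit, test):
    """None means the criterion was not given (matches anything); '!' inverts."""
    if crit is None:
        return True
    negated, value = crit
    return test(value) != negated


def rule_matches(rule, pkt):
    if rule["dir"] and rule["dir"] != pkt["dir"]:
        return False
    return (criterion_ok(rule["proto"], lambda v: v == pkt["proto"])
            and criterion_ok(rule["src"], lambda v: addr_matches(v, pkt["src"]))
            and criterion_ok(rule["dst"], lambda v: addr_matches(v, pkt["dst"]))
            and criterion_ok(rule["port"], lambda v: int(v) == pkt["dport"]))


def evaluate(ruleset, pkt):
    """Return (decision, index of deciding rule); index None is pf's default pass."""
    decision, which = "pass", None
    for idx, rule in enumerate(ruleset):
        if rule_matches(rule, pkt):
            decision, which = rule["action"], idx
            if rule["quick"]:
                break
    return decision, which


def pkt(direction, proto, src, dst, dport):
    return {"dir": direction, "proto": proto, "src": src, "dst": dst, "dport": dport}


# Robert's "==" ruleset, with the placeholder table name substituted.
ROBERT = [parse_rule(r) for r in (
    "pass out quick flags any no state",
    "pass in quick proto ! tcp flags any no state",
    "pass in quick proto tcp from any to any port ! 22 flags any no state",
    "block in quick proto tcp from ! <our_networks> to (self) port 22 no state",
    "pass flags any no state",
)]

# favar's non-quick block, followed by the router's catch-all pass as Robert describes.
FAVAR = [parse_rule(r) for r in (
    "block proto tcp from any to any port 22",
    "pass quick proto tcp from <our_networks> to any port 22 no state",
    "pass flags any no state",
)]

if __name__ == "__main__":
    for name, rs in (("robert", ROBERT), ("favar", FAVAR)):
        print(name, "outside->self:22", evaluate(rs, pkt("in", "tcp", "203.0.113.9", "192.0.2.1", 22)))
        print(name, "outside->routed:22", evaluate(rs, pkt("in", "tcp", "203.0.113.9", "172.16.5.20", 22)))
        print(name, "ours->self:22", evaluate(rs, pkt("in", "tcp", "10.1.2.3", "192.0.2.1", 22)))
```

With Robert's ruleset the outside-to-router SSH packet stops at the quick block (rule index 3), the routed SSH packet and the in-network SSH packet fall through to the final pass, and UDP is passed by the second quick rule before port 22 is ever considered. With favar's ordering the block matches first but, lacking "quick", is overruled by the later catch-all pass, which is exactly the objection raised in the post.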



Re: PF rule "match only packets for local machine"

2012-01-05 Thread Stuart Henderson
On 2012-01-05, Gregory Edigarov  wrote:
> On Thu, 5 Jan 2012 09:21:16 +0100
> Rafal Bisingier  wrote:
>
>> Hi,
>> 
>> On Thursday, 05 Jan 2012 at 09:00 CET
>> Robert Wolf  wrote:
>> 
>> > 
>> > table  const {  }
>> > pass quick proto tcp from  to any port 22 no state
>> > pass in quick proto tcp from any to any port  rdr-to 127.0.0.1 port 22

Surely better to have ssh listen on the additional port if it's needed?
Whatever reason you have for using PF without keeping state presumably
applies to port  as well.

>> > block quick proto tcp from any to any port 22
>> > 
>> > 
>> > But of course, the last rule blocks every SSH traffic going from
>> > unknown networks to all hosts.
>> > 
>> > 
>> > Could someone please help me create PF rules to block only
>> > traffic going to the local machine from networks other than OutNetworks,
>> > similarly to the iptables rule above?
>> 
>> Just replace "to any" to "to self". Should do what you want.
>> 
>> > I have read the PF manual but not found any possibility to tell pf "to
>> > LOCAL-HOST". I have searched with Google but found no relevant articles;
>> > maybe I have not asked correctly.
>> 
>> Well, it's not very easy to find, but the "self" word is explained in
>> the manual.
>
> Yes, but also keep in mind that "self" is only evaluated on ruleset
> load. 

Unless enclosed by parentheses; "block proto tcp to (self) port ssh"
*is* evaluated each time. However on a router with relatively static
IP address configuration, it's often helpful to avoid the overhead
of lookups for each packet (especially if you're not keeping state...).



Re: PF rule "match only packets for local machine"

2012-01-05 Thread favar
Hi,
start with block rule without "quick", then apply pass rules.
something like this:

table  const {  }
block proto tcp from any to any port 22
pass quick proto tcp from  to any port 22 no state
pass in quick proto tcp from any to any port  rdr-to 127.0.0.1 port 22

2012/1/5 Gregory Edigarov :
> On Thu, 5 Jan 2012 09:21:16 +0100
> Rafal Bisingier  wrote:
>
>> Hi,
>>
>> On Thursday, 05 Jan 2012 at 09:00 CET
>> Robert Wolf  wrote:
>>
>> > 
>> > table  const {  }
>> > pass quick proto tcp from  to any port 22 no state
>> > pass in quick proto tcp from any to any port  rdr-to 127.0.0.1
>> > port 22 block quick proto tcp from any to any port 22
>> > 
>> >
>> > But of course, the last rule blocks every SSH traffic going from
>> > unknown networks to all hosts.
>> >
>> >
>> > Could someone please help me create PF rules to block only
>> > traffic going to the local machine from networks other than OutNetworks,
>> > similarly to the iptables rule above?
>>
>> Just replace "to any" to "to self". Should do what you want.
>>
>> > I have read the PF manual but not found any possibility to tell pf "to
>> > LOCAL-HOST". I have searched with Google but found no relevant articles;
>> > maybe I have not asked correctly.
>>
>> Well, it's not very easy to find, but the "self" word is explained in
>> the manual.
>
> Yes, but also keep in mind that "self" is only evaluated on ruleset
> load.
>
>
>
> --
> With best regards,
> Gregory Edigarov



Re: PF rule "match only packets for local machine"

2012-01-05 Thread Gregory Edigarov
On Thu, 5 Jan 2012 09:21:16 +0100
Rafal Bisingier  wrote:

> Hi,
> 
> On Thursday, 05 Jan 2012 at 09:00 CET
> Robert Wolf  wrote:
> 
> > 
> > table  const {  }
> > pass quick proto tcp from  to any port 22 no state
> > pass in quick proto tcp from any to any port  rdr-to 127.0.0.1
> > port 22 block quick proto tcp from any to any port 22
> > 
> > 
> > But of course, the last rule blocks every SSH traffic going from
> > unknown networks to all hosts.
> > 
> > 
> > Could someone please help me create PF rules to block only
> > traffic going to the local machine from networks other than OutNetworks,
> > similarly to the iptables rule above?
> 
> Just replace "to any" to "to self". Should do what you want.
> 
> > I have read the PF manual but not found any possibility to tell pf "to
> > LOCAL-HOST". I have searched with Google but found no relevant articles;
> > maybe I have not asked correctly.
> 
> Well, it's not very easy to find, but the "self" word is explained in
> the manual.

Yes, but also keep in mind that "self" is only evaluated on ruleset
load. 



-- 
With best regards,
Gregory Edigarov



Re: PF rule "match only packets for local machine"

2012-01-05 Thread Rafal Bisingier
Hi,

On Thursday, 05 Jan 2012 at 09:00 CET
Robert Wolf  wrote:

> 
> table  const {  }
> pass quick proto tcp from  to any port 22 no state
> pass in quick proto tcp from any to any port  rdr-to 127.0.0.1 port 22
> block quick proto tcp from any to any port 22
> 
> 
> But of course, the last rule blocks every SSH traffic going from unknown
> networks to all hosts.
> 
> 
> Could someone please help me create PF rules to block only traffic going to the
> local machine from networks other than OutNetworks, similarly to the iptables rule
> above?

Just replace "to any" to "to self". Should do what you want.

> I have read the PF manual but not found any possibility to tell pf "to
> LOCAL-HOST". I have searched with Google but found no relevant articles; maybe I
> have not asked correctly.

Well, it's not very easy to find, but the "self" word is explained in
the manual.

-- 
Greetings
Rafal Bisingier



PF rule "match only packets for local machine"

2012-01-05 Thread Robert Wolf
Hallo all,

May I ask any PF professional for his advice?

I have an OpenBSD router with several interfaces doing routing. It does not work as a
firewall, so there is only one rule, "pass flags any no state".

Because many hack-scripts attempt SSH logins and fill the logs, I would like to
block all SSH traffic going to this host from unknown IPs, but not routed
traffic. I want to keep this block rule as simple as possible so that it stays
correct in the future, even if interfaces or IP addresses change.

I work mostly with Linux, and in netfilter I would create the following rule:

iptables -I INPUT -j DROP -s OURNETWORK -m state --state NEW


In PF I wrote the following rules:


table  const {  }
pass quick proto tcp from  to any port 22 no state
pass in quick proto tcp from any to any port  rdr-to 127.0.0.1 port 22
block quick proto tcp from any to any port 22


But of course, the last rule blocks every SSH traffic going from unknown
networks to all hosts.


Could someone please help me create PF rules to block only traffic going to the
local machine from networks other than OutNetworks, similarly to the iptables rule
above?

I have read the PF manual but not found any possibility to tell pf "to
LOCAL-HOST". I have searched with Google but found no relevant articles; maybe I
have not asked correctly.


Thank you very much for any idea.


Regards,

Robert Wolf.



PF rule counters

2011-12-22 Thread Mik J
Hello,

I would like a clarification. I have these rules and I notice an
increment only when there is a new incoming connection.
Here I made an ssh connection:


# pfctl -s rules -v | head -6
block drop log all
  [ Evaluations: 83        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 23419 State Creations: 0     ]
pass in log quick on re0 inet proto tcp from 192.168.1.0/24 to 192.168.1.254 flags S/SA keep state (no-sync, pflow)
  [ Evaluations: 83        Packets: 41        Bytes: 7241        States: 1     ]
  [ Inserted: uid 0 pid 23419 State Creations: 1     ]
Subsequently I can use the ssh session, but no packet or byte increment is
observed.
What are these counters counting, if they are not real-time counters,
and how can I see the real-time counters: the number of packets or bytes that
matched the rule?

Thank you
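
Whatever is behind the stalled counters here, the practical way to watch what a rule is doing over time is to take two "pfctl -s rules -v" snapshots and diff them rule by rule, pairing rules by their text and noticing when the "Inserted" pid changes (a ruleset reload restarts the counters, so a plain subtraction would be meaningless). The parser and diff below is an added example, not from this thread: BEFORE is Mik's output re-joined onto the lines pfctl prints, and AFTER is a constructed later snapshot whose numbers have moved on so the diff has something to show.

```python
"""Parse 'pfctl -s rules -v' output and diff two snapshots of it.

Added example, not from the thread. BEFORE is the posted output; AFTER is a
constructed later snapshot of the same ruleset (same 'Inserted' pid).
"""
import re

COUNTERS_RE = re.compile(
    r"\[ Evaluations: (\d+)\s+Packets: (\d+)\s+Bytes: (\d+)\s+States: (\d+)\s*\]")
INSERTED_RE = re.compile(
    r"\[ Inserted: uid (\d+) pid (\d+) State Creations: (\d+)\s*\]")
COUNTER_FIELDS = ("evaluations", "packets", "bytes", "states", "state_creations")

BEFORE = """\
block drop log all
  [ Evaluations: 83        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 23419 State Creations: 0     ]
pass in log quick on re0 inet proto tcp from 192.168.1.0/24 to 192.168.1.254 flags S/SA keep state (no-sync, pflow)
  [ Evaluations: 83        Packets: 41        Bytes: 7241        States: 1     ]
  [ Inserted: uid 0 pid 23419 State Creations: 1     ]
"""

# Constructed: the same ruleset a little later, not reloaded in between.
AFTER = """\
block drop log all
  [ Evaluations: 91        Packets: 3         Bytes: 180         States: 0     ]
  [ Inserted: uid 0 pid 23419 State Creations: 0     ]
pass in log quick on re0 inet proto tcp from 192.168.1.0/24 to 192.168.1.254 flags S/SA keep state (no-sync, pflow)
  [ Evaluations: 91        Packets: 57        Bytes: 9810        States: 1     ]
  [ Inserted: uid 0 pid 23419 State Creations: 1     ]
"""


def parse_rules(text):
    """Return one dict per rule: its text plus the counters from the two bracketed lines."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # rule text starts in column 0
            rules.append({"rule": line.strip()})
            continue
        m = COUNTERS_RE.search(line)
        if m:
            e, p, b, s = map(int, m.groups())
            rules[-1].update(evaluations=e, packets=p, bytes=b, states=s)
            continue
        m = INSERTED_RE.search(line)
        if m:
            uid, pid, creations = map(int, m.groups())
            rules[-1].update(uid=uid, pid=pid, state_creations=creations)
    return rules


def diff_counters(before_text, after_text):
    """Per-rule counter deltas between two snapshots.

    Rules are paired by text. A rule whose 'Inserted' pid changed was reloaded
    in between (counters restarted), so it is flagged instead of subtracted; a
    rule missing from the earlier snapshot is reported as new.
    """
    earlier = {r["rule"]: r for r in parse_rules(before_text)}
    report = []
    for r in parse_rules(after_text):
        prev = earlier.get(r["rule"])
        entry = {"rule": r["rule"]}
        if prev is None:
            entry["status"] = "new"
        elif prev["pid"] != r["pid"]:
            entry["status"] = "reloaded"
        else:
            entry["status"] = "ok"
            entry.update({f: r[f] - prev[f] for f in COUNTER_FIELDS})
        report.append(entry)
    return report


if __name__ == "__main__":
    for entry in diff_counters(BEFORE, AFTER):
        print(entry)
```

Run the two snapshots a few seconds apart through a cron job or a loop and the per-rule packets and bytes deltas are the "real-time" view the question asks for, with a reload showing up as a flagged rule rather than as a bogus negative delta.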



pf rule def/(short) pass

2011-10-27 Thread Kapetanakis Giannis

Hi,

I'm seeing these in the pflog off my firewall:
Oct 27 15:20:32.845671 rule def/(short) pass in on vlanxxx: 218.76.138.156.0 > x.x.x.63.0: udp 17035
Oct 27 15:21:12.924605 rule def/(short) pass in on vlanxxx: 218.76.138.156.0 > x.x.x.38.0: udp 17035
Oct 27 15:21:15.652141 rule def/(short) pass in on vlanxxx: 218.76.138.156.0 > x.x.x.80.0: udp 17035
Oct 27 15:21:29.271224 rule def/(short) pass in on vlanxxx: 218.76.138.156.0 > x.x.x.24.0: udp 17035


The local IPs are not in use at all, so there is no traffic from these IPs
or from 218.76.138.156.

pfctl -ss |grep 218.76.138.156 -> nothing
pfctl -ss |grep x.x.x.63 -> nothing

I've even added
block quick from 218.76.138.156
to my pf.conf, but I'm still seeing these messages.
@0 block drop in log quick inet from 218.76.138.156 to any
  [ Evaluations: 22078 Packets: 0 Bytes: 0   States: 0 ]
  [ Inserted: uid 0 pid 16282 State Creations: 0 ]

According to http://marc.info/?l=openbsd-misc&m=129577235704794&w=2
"The "short" reason code indicates that the packet was truncated or too 
short and therefore was missing information required to make a packet 
filtering decision. This could be, for example, a packet that only 
contained the first few bytes of an IP datagram (or a header that states 
that it is a particular length, but the packet is shorter than the 
length given). Run `grep PFRES_SHORT sys/net/pf*` if you want to see 
where/how this can occur."


So the question is: why "pass" and not "block"?
In sys/net/pf.c, before every REASON_SET(reason, PFRES_SHORT);
there is a *action = PF_DROP;

Is it true that I see the message because there is no packet filtering 
decision?


regards,

Giannis
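
A defender's first step with log lines like these is to parse them and split events by reason code: "match" is the reason pf records for an ordinary rule match, so "short" and the other reason codes mark packets that did not get a normal filtering decision and deserve their own triage. The parser below is an added example, not code from this thread; it takes Giannis's four lines (re-joined onto one line each) plus one constructed "match" event as sample input, assumes IPv4 in tcpdump's addr.port notation, and aggregates per source host and reason.

```python
"""Parse pflog lines as tcpdump(8) prints them and group events by reason code.

Added example, not from the thread. Four sample lines are the posted ones;
the fifth is a constructed ordinary 'match' event for contrast.
"""
import re
from collections import Counter

SAMPLE = """\
Oct 27 15:20:32.845671 rule def/(short) pass in on vlanxxx: 218.76.138.156.0 > x.x.x.63.0: udp 17035
Oct 27 15:21:12.924605 rule def/(short) pass in on vlanxxx: 218.76.138.156.0 > x.x.x.38.0: udp 17035
Oct 27 15:21:15.652141 rule def/(short) pass in on vlanxxx: 218.76.138.156.0 > x.x.x.80.0: udp 17035
Oct 27 15:21:29.271224 rule def/(short) pass in on vlanxxx: 218.76.138.156.0 > x.x.x.24.0: udp 17035
Oct 27 15:22:01.000000 rule 12/(match) block in on vlanxxx: 198.51.100.7.40000 > 192.0.2.10.22: S 1:1(0) win 8192
"""

# "rule <num or def>[.anchor...]/(<reason>) <action> <dir> on <if>: <src> > <dst>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+) "
    r"rule (?P<rule>[^/\s]+)/\((?P<reason>\w+)\) "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>[^:]+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")


def infer_proto(rest):
    """tcpdump names udp/icmp explicitly but prints TCP as a flags field (S, ., P, F, R)."""
    first = rest.split(" ", 1)[0].lower()
    if first in ("udp", "icmp", "icmp6", "igmp", "esp", "ah", "gre"):
        return first
    if re.fullmatch(r"[sfrpuew.]+", first):
        return "tcp"
    return "other"


def parse_line(line):
    """Return a dict of fields for one pflog line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    # tcpdump appends the port as a final dotted component (IPv4 assumed here)
    ev["src_host"], _, ev["src_port"] = ev["src"].rpartition(".")
    ev["dst_host"], _, ev["dst_port"] = ev["dst"].rpartition(".")
    ev["proto"] = infer_proto(ev["rest"])
    return ev


def summarize(text):
    """Count events per (source host, reason) and collect every event whose
    reason is not 'match', the reason code of an ordinary rule match."""
    counts = Counter()
    anomalies = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        counts[(ev["src_host"], ev["reason"])] += 1
        if ev["reason"] != "match":
            anomalies.append(ev)
    return counts, anomalies


if __name__ == "__main__":
    counts, anomalies = summarize(SAMPLE)
    for (host, reason), n in counts.most_common():
        print(f"{host:<16} {reason:<10} {n}")
    for ev in anomalies:
        print("non-match reason:", ev["ts"], ev["reason"], ev["src_host"], "->", ev["dst_host"])
```

Feeding it `tcpdump -n -e -ttt -r /var/log/pflog` output instead of SAMPLE gives a per-source table in which the four "short" events from 218.76.138.156 stand apart from ordinary rule matches, which is the separation wanted before deciding whether such packets are noise, a broken sender, or something to investigate.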



Re: Time interval based pf rule

2011-09-02 Thread Ryan McBride
On Fri, Sep 02, 2011 at 05:41:26AM -0700, Stefan N wrote:
> Okay guys. Thanks for the suggestion.
>
> > On 2 September 2011 09:26, Stefan N  wrote:
> > 
> > anchors + crontab as Peter suggested is an easy alternative.

Depending on what exact effect you want to achieve, you can maybe do it
without loading separate ruleset files if you prefer.

For example, in your /etc/pf.conf file, something like

table  { } persist

# allow internet surfing
pass in on $int_if from  to any {
block

# rules that allow internet surfing here. e.g.
pass in proto tcp from any to any port { 80 443 }
}


And in crontab:

0   9   *   *   *   /sbin/pfctl -Td -t surfers 192.168.1/24
0   17  *   *   *   /sbin/pfctl -Ta -t surfers 192.168.1/24

If your misbehaving users are not all in one netblock, you can create a
file and load/delete the addresses in the table from that file.


Alternatively, run a squid proxy, force all your users to use it, and
implement your time-based filtering there (squid is much better for
censorship anyways because you can filter based on domain name or even
the full URL rather than just IP addresses)



Re: Time interval based pf rule

2011-09-02 Thread Stefan N
Okay guys. Thanks for the suggestion.

Regards,
Stefan




From: Christiano F. Haesbaert 
To: Stefan N 
Cc: "misc@openbsd.org" 
Sent: Friday, September 2, 2011 8:34 PM
Subject: Re: Time interval based pf rule

On 2 September 2011 09:26, Stefan N  wrote:
> Actually, I would like to limit access during office hours.
> So a time-interval-based rule means:
> a user is only allowed to access specific applications and destinations based
> on the time interval.
> For example: a Finance Department user is only allowed to access the Facebook
> website after office hours (from 6PM onwards) and only on Friday.
>
> If I don't add the time interval, they can spend their time browsing and
> chatting on Facebook instead of working.
> What do you mean by "one-hit" rules?
>
Rules that get destroyed after a first match, but that's not what you want.

anchors + crontab as Peter suggested is an easy alternative.



Re: Time interval based pf rule

2011-09-02 Thread Christiano F. Haesbaert
On 2 September 2011 09:26, Stefan N  wrote:
> Actually, I would like to limit access during office hours.
> So a time-interval-based rule means:
> a user is only allowed to access specific applications and destinations based
> on the time interval.
> For example: a Finance Department user is only allowed to access the Facebook
> website after office hours (from 6PM onwards) and only on Friday.
>
> If I don't add the time interval, they can spend their time browsing and
> chatting on Facebook instead of working.
> What do you mean by "one-hit" rules?
>
Rules that get destroyed after a first match, but that's not what you want.

anchors + crontab as Peter suggested is an easy alternative.



Re: Time interval based pf rule

2011-09-02 Thread Stefan N
Actually, I would like to limit access during office hours.
So a time-interval-based rule means:
a user is only allowed to access specific applications and destinations based on
the time interval.
For example: a Finance Department user is only allowed to access the Facebook
website after office hours (from 6PM onwards) and only on Friday.

If I don't add the time interval, they can spend their time browsing and
chatting on Facebook instead of working.
What do you mean by "one-hit" rules?


Regards,
Stefan





From: Christiano F. Haesbaert 
To: Stefan N 
Cc: "misc@openbsd.org" 
Sent: Friday, September 2, 2011 8:14 PM
Subject: Re: Time interval based pf rule

On 2 September 2011 09:11, Stefan N  wrote:
> Hi Jim,
>
> If I used anchors to create pf rules, that would mean there is another
> configuration that needs to be taken care of.
> Besides /etc/pf.conf, we would need to maintain a crontab for
> scheduling.
>

What are you trying to accomplish with timer based rules ?
Recently "one-hit" rules were added, depending on your problem that
might solve it.



Re: Time interval based pf rule

2011-09-02 Thread Peter N. M. Hansteen
On Fri, Sep 02, 2011 at 04:21:31AM -0700, Stefan N wrote:
 
> Does the OpenBSD PF engine have a feature for creating time-interval-based rules?
> I have tried to do that, but I could not find any relevant documentation.
> Are time-interval-based rules supported on OpenBSD PF?

the question comes up at intervals, but so far at least the conclusion has been
that there are other ways to implement the functionality (cron + anchors and/or
rules matching on table membership, etc) and no real need to complicate the
pf.conf syntax.

- P

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Time interval based pf rule

2011-09-02 Thread Christiano F. Haesbaert
On 2 September 2011 09:11, Stefan N  wrote:
> Hi Jim,
>
> If I used anchors to create pf rules, that would mean there is another
> configuration that needs to be taken care of.
> Besides /etc/pf.conf, we would need to maintain a crontab for
> scheduling.
>

What are you trying to accomplish with timer based rules ?
Recently "one-hit" rules were added, depending on your problem that
might solve it.



Re: Time interval based pf rule

2011-09-02 Thread Stefan N
Hi Jim,

If I used anchors to create pf rules, that would mean there is another configuration
that needs to be taken care of.
Besides /etc/pf.conf, we would need to maintain a crontab for scheduling.

Regards,
Stefan




From: James Hartley 
To: Stefan N 
Cc: "misc@openbsd.org" 
Sent: Friday, September 2, 2011 7:47 PM
Subject: Re: Time interval based pf rule

On Fri, Sep 2, 2011 at 4:21 AM, Stefan N  wrote:

> Does the OpenBSD PF engine have a feature for creating time-interval-based rules?
>

See how to dynamically add rules via anchors:

http://www.openbsd.org/faq/pf/anchors.html

...& scheduling scripts via crontab(5).

Jim



Re: Time interval based pf rule

2011-09-02 Thread James Hartley
On Fri, Sep 2, 2011 at 4:21 AM, Stefan N  wrote:

> Does the OpenBSD PF engine have a feature for creating time-interval-based rules?
>

 See how to dynamically add rules via anchors:

http://www.openbsd.org/faq/pf/anchors.html

...& scheduling scripts via crontab(5).

Jim



Re: Time interval based pf rule

2011-09-02 Thread Kevin Chadwick
On Fri, 2 Sep 2011 04:21:31 -0700 (PDT)
Stefan N wrote:

> Hi all,
> 
> Does the OpenBSD PF engine have a feature for creating time-interval-based rules?

What exactly do you mean by a time interval based rule?

> I have tried to do that, but I could not find any relevant documentation.
> Are time-interval-based rules supported on OpenBSD PF?
>

You've looked at

http://www.openbsd.org/faq/pf/index.html

and the manpage though, right?



Time interval based pf rule

2011-09-02 Thread Stefan N
Hi all,

Does the OpenBSD PF engine have a feature for creating time-interval-based rules?
I have tried to do that, but I could not find any relevant documentation.
Are time-interval-based rules supported on OpenBSD PF?

Regards,
Stefan



Re: pf rule?

2011-07-21 Thread Wesley MOUEDINE ASSABY
Hi,

For your ftp issue, see here : http://www.openbsd.org/faq/pf/ftp.html

Wesley. M
www.mouedine.net
www.e-solutions.re

On Wed, 20 Jul 2011 23:26:33 -0700, fqui nonez 
wrote:
> 2011/7/20 fqui nonez :
>> 2011/7/20 Andres Perera :
>>> On Wed, Jul 20, 2011 at 8:49 AM, fqui nonez 
>>> wrote:
>>
>> On Wed, 20 Jul 2011 01:09:09 -0700, fqui nonez

>> wrote:
>>> Hello
>>>
>>> I have a sshd/ftpd/httpd server box, 4.9 stable; and I want to log
>>> all
>>> blocked packets, and send them to /var/log/pfblocklog to be read
>>> with
>>> tcpdump. What and where should be the rule?
>>
>>> Thanks for your attention.

 Hello

 I changed it to:

 #$OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
 #

 set skip on lo

 ### Agregadas por mi: (added by me)
 block log

 pass out quick on rl0

 antispoof quick for rl0

 pass in log on rl0 proto tcp from any to port 22
 pass in log on rl0 proto tcp from any to port 21
 pass in log on rl0 proto tcp from any to port 80
>>>
>>> replace all three by:
>>> pass in log on rl0 proto tcp to port { 21 22 80 }
>>>

 ### Fin. (end)

 # filter rules and anchor for ftp-proxy(8)
 anchor "ftp-proxy/*"
 pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
>>>
>>> you already pass these packets before. redundant rules make pfctl
>>> output hard to read, so change it to:
>>> match in proto tcp to port ftp rdr-to localhost port 8021
>>>
>>
>> Done, thanks again!
>>
> 
> Hello, again.
> 
> I am receiving this message on the client side:
> "425 Can't build data connection: illegal port number"
> Then I changed it to:
> 
> # $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
> 
> set skip on lo
> 
> # filter rules and anchor for ftp-proxy(8)
> anchor "ftp-proxy/*"
> pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
> 
> ### Agregadas por mi: (added by me)
> block log
> 
> pass out quick on rl0
> 
> antispoof quick for rl0
> 
> pass in log on rl0 proto tcp from any to port {21 22 80}
> 
> ### Fin. (end)
> 
> #pass # to establish keep-state
> 
> # By default, do not permit remote connections to X11
> #block in on ! lo0 proto tcp to port 6000:6010
> 
> ftpd is not working correctly with those rules; does somebody see the
> error?
> 
> Thanks for your attention.



Re: pf rule?

2011-07-20 Thread fqui nonez
2011/7/20 fqui nonez :
> 2011/7/20 Andres Perera :
>> On Wed, Jul 20, 2011 at 8:49 AM, fqui nonez  wrote:
>
> On Wed, 20 Jul 2011 01:09:09 -0700, fqui nonez 
> wrote:
>> Hello
>>
>> I have a sshd/ftpd/httpd server box, 4.9 stable; and I want to log all
>> blocked packets, and send them to /var/log/pfblocklog to be read with
>> tcpdump. What and where should be the rule?
>
>> Thanks for your attention.
>>>
>>> Hello
>>>
>>> I changed it to:
>>>
>>> #$OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
>>> #
>>>
>>> set skip on lo
>>>
>>> ### Agregadas por mi: (added by me)
>>> block log
>>>
>>> pass out quick on rl0
>>>
>>> antispoof quick for rl0
>>>
>>> pass in log on rl0 proto tcp from any to port 22
>>> pass in log on rl0 proto tcp from any to port 21
>>> pass in log on rl0 proto tcp from any to port 80
>>
>> replace all three by:
>> pass in log on rl0 proto tcp to port { 21 22 80 }
>>
>>>
>>> ### Fin. (end)
>>>
>>> # filter rules and anchor for ftp-proxy(8)
>>> anchor "ftp-proxy/*"
>>> pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
>>
>> you already pass these packets before. redundant rules make pfctl
>> output hard to read, so change it to:
>> match in proto tcp to port ftp rdr-to localhost port 8021
>>
>
> Done, thanks again!
>

Hello, again.

I am receiving this message on the client side:
"425 Can't build data connection: illegal port number"
Then I changed it to:

#   $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $

set skip on lo

# filter rules and anchor for ftp-proxy(8)
anchor "ftp-proxy/*"
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021

### Agregadas por mi: (added by me)
block log

pass out quick on rl0

antispoof quick for rl0

pass in log on rl0 proto tcp from any to port {21 22 80}

### Fin. (end)

#pass   # to establish keep-state

# By default, do not permit remote connections to X11
#block in on ! lo0 proto tcp to port 6000:6010

ftpd is not working correctly with those rules; does somebody see the error?

Thanks for your attention.



Re: pf rule?

2011-07-20 Thread Andres Perera
On Wed, Jul 20, 2011 at 8:49 AM, fqui nonez  wrote:
> 2011/7/20 Wesley MOUEDINE ASSABY :
>> Also,
>> you can see a sample on http://mouedine.net/ruleset49.aspx
>>
>> Wesley.
>>
>> On Wed, 20 Jul 2011 14:27:27 +0400, Wesley MOUEDINE ASSABY
>>  wrote:
>>> Hi,
>>>
>>> Try this:
>>> block log return
>>>
>>> Cheers,
>>>
>>> Wesley.
>>>
>>> On Wed, 20 Jul 2011 01:09:09 -0700, fqui nonez 
>>> wrote:
 Hello

 I have a sshd/ftpd/httpd server box, 4.9 stable; and I want to log all
 blocked packets, and send them to /var/log/pfblocklog to be read with
 tcpdump. What and where should be the rule?

>

 Thanks for your attention.
>
> Hello
>
> I changed it to:
>
> # $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
> #
>
> set skip on lo
>
> ### Agregadas por mi: (added by me)
> block log
>
> pass out quick on rl0
>
> antispoof quick for rl0
>
> pass in log on rl0 proto tcp from any to port 22
> pass in log on rl0 proto tcp from any to port 21
> pass in log on rl0 proto tcp from any to port 80

replace all three by:
pass in log on rl0 proto tcp to port { 21 22 80 }

>
> ### Fin. (end)
>
> # filter rules and anchor for ftp-proxy(8)
> anchor "ftp-proxy/*"
> pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021

you already pass these packets before. redundant rules make pfctl
output hard to read, so change it to:
match in proto tcp to port ftp rdr-to localhost port 8021

>
> Thanks so much to both of you. How does it look?



Re: pf rule?

2011-07-20 Thread fqui nonez
2011/7/20 Wesley MOUEDINE ASSABY :
> Also,
> you can see a sample on http://mouedine.net/ruleset49.aspx
>
> Wesley.
>
> On Wed, 20 Jul 2011 14:27:27 +0400, Wesley MOUEDINE ASSABY
>  wrote:
>> Hi,
>>
>> Try this:
>> block log return
>>
>> Cheers,
>>
>> Wesley.
>>
>> On Wed, 20 Jul 2011 01:09:09 -0700, fqui nonez 
>> wrote:
>>> Hello
>>>
>>> I have a sshd/ftpd/httpd server box, 4.9 stable; and I want to log all
>>> blocked packets, and send them to /var/log/pfblocklog to be read with
>>> tcpdump. What and where should be the rule?
>>>

>>>
>>> Thanks for your attention.

Hello

I changed it to:

#$OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
#

set skip on lo

### Agregadas por mi: (added by me)
block log

pass out quick on rl0

antispoof quick for rl0

pass in log on rl0 proto tcp from any to port 22
pass in log on rl0 proto tcp from any to port 21
pass in log on rl0 proto tcp from any to port 80

### Fin. (end)

# filter rules and anchor for ftp-proxy(8)
anchor "ftp-proxy/*"
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021

Thanks so much to both of you. How does it look?



Re: pf rule?

2011-07-20 Thread Andres Perera
now for the problems in your rules:

On Wed, Jul 20, 2011 at 3:39 AM, fqui nonez  wrote:
> # $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
> #
>
> set skip on lo
>
> ### Agregadas por mi: (added by me)
> block return
>
> pass in quick log on rl0 proto tcp from any to port 22
> pass out quick on rl0 to any
> pass in quick log on rl0 proto tcp from any to port 21
> pass in quick log on rl0 proto tcp from any to port 80

from any/ to any is implied

>
> ### Fin. (end)
>
> # filter rules and anchor for ftp-proxy(8)
> anchor "ftp-proxy/*"
> pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
>
> pass # to establish keep-state

this negates rule #0

>
> # By default, do not permit remote connections to X11
> block in on ! lo0 proto tcp to port 6000:6010

redundant if #0 works

>
> Thanks for your attention.



Re: pf rule?

2011-07-20 Thread Wesley MOUEDINE ASSABY
Also,
you can see a sample on http://mouedine.net/ruleset49.aspx

Wesley.

On Wed, 20 Jul 2011 14:27:27 +0400, Wesley MOUEDINE ASSABY
 wrote:
> Hi,
> 
> Try this:
> block log return
> 
> Cheers,
> 
> Wesley.
> 
> On Wed, 20 Jul 2011 01:09:09 -0700, fqui nonez 
> wrote:
>> Hello
>> 
>> I have a sshd/ftpd/httpd server box, 4.9 stable; and I want to log all
>> blocked packets, and send them to /var/log/pfblocklog to be read with
>> tcpdump. What and where should be the rule?
>> 
>> #$OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
>> #
>> 
>> set skip on lo
>> 
>> ### Agregadas por mi: (added by me)
>> block return
>> 
>> pass in quick log on rl0 proto tcp from any to port 22
>> pass out quick on rl0 to any
>> pass in quick log on rl0 proto tcp from any to port 21
>> pass in quick log on rl0 proto tcp from any to port 80
>> 
>> ### Fin. (end)
>> 
>> # filter rules and anchor for ftp-proxy(8)
>> anchor "ftp-proxy/*"
>> pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
>> 
>> pass # to establish keep-state
>> 
>> # By default, do not permit remote connections to X11
>> block in on ! lo0 proto tcp to port 6000:6010
>> 
>> Thanks for your attention.



Re: pf rule?

2011-07-20 Thread Wesley MOUEDINE ASSABY
Hi,

Try this:
block log return

Cheers,

Wesley.

On Wed, 20 Jul 2011 01:09:09 -0700, fqui nonez 
wrote:
> Hello
> 
> I have a sshd/ftpd/httpd server box, 4.9 stable; and I want to log all
> blocked packets, and send them to /var/log/pfblocklog to be read with
> tcpdump. What and where should be the rule?
> 
> # $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
> #
> 
> set skip on lo
> 
> ### Agregadas por mi: (added by me)
> block return
> 
> pass in quick log on rl0 proto tcp from any to port 22
> pass out quick on rl0 to any
> pass in quick log on rl0 proto tcp from any to port 21
> pass in quick log on rl0 proto tcp from any to port 80
> 
> ### Fin. (end)
> 
> # filter rules and anchor for ftp-proxy(8)
> anchor "ftp-proxy/*"
> pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
> 
> pass  # to establish keep-state
> 
> # By default, do not permit remote connections to X11
> block in on ! lo0 proto tcp to port 6000:6010
> 
> Thanks for your attention.



Re: pf rule?

2011-07-20 Thread Andres Perera
ifconfig pflog1 create
touch /var/log/pfblocklog
pflogd -ipflog1 -f$_

pf.conf:

l = "log (to pflog1)"

block return $l
block ... $l

to keep the pfctl rule output readable, match and tag the packets
instead and have a single block + log rule (at the expense of no
"quick")

On Wed, Jul 20, 2011 at 3:39 AM, fqui nonez  wrote:
> Hello
>
> I have a sshd/ftpd/httpd server box, 4.9 stable; and I want to log all
> blocked packets, and send them to /var/log/pfblocklog to be read with
> tcpdump. What and where should be the rule?
>
> #   $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
> #
>
> set skip on lo
>
> ### Agregadas por mi: (added by me)
> block return
>
> pass in quick log on rl0 proto tcp from any to port 22
> pass out quick on rl0 to any
> pass in quick log on rl0 proto tcp from any to port 21
> pass in quick log on rl0 proto tcp from any to port 80
>
> ### Fin. (end)
>
> # filter rules and anchor for ftp-proxy(8)
> anchor "ftp-proxy/*"
> pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
>
> pass  # to establish keep-state
>
> # By default, do not permit remote connections to X11
> block in on ! lo0 proto tcp to port 6000:6010
>
> Thanks for your attention.
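
A pf.conf that applies the pflog1 and match/tag suggestion above, written here as an added example (not from the thread): it assumes rl0 as the external interface, /var/log/pfblocklog as the log file, and a constructed 198.51.100.0/24 range as hosts that must be dropped even where a service rule would pass them.

```pf
# Added example, not from the thread. Assumptions: external interface rl0,
# log file /var/log/pfblocklog, and a constructed address range in <noisy>.
#
# One-time setup as root (from Andres Perera's reply), before loading this file:
#   ifconfig pflog1 create
#   touch /var/log/pfblocklog
#   pflogd -i pflog1 -f /var/log/pfblocklog
# Read the blocked-packet log with: tcpdump -n -e -ttt -r /var/log/pfblocklog

ext_if = "rl0"
l = "log (to pflog1)"        # every block rule logs to pflog1, not pflog0

set skip on lo

# Default deny, logged to the dedicated interface.
block return $l

# Classify instead of blocking: "match" never decides the verdict, it only
# tags the packet so that one block rule at the end can act on it.
table <noisy> persist { 198.51.100.0/24 }   # constructed example range
match in on $ext_if from <noisy> tag BLOCKED

# Services. Deliberately no "quick": a quick pass would win before the
# tagged block rule at the end is evaluated (last matching rule decides).
pass in log on $ext_if proto tcp to port { ssh ftp http }
pass out on $ext_if

# filter rules and anchor for ftp-proxy(8)
anchor "ftp-proxy/*"
pass in proto tcp to port ftp rdr-to 127.0.0.1 port 8021

# Single block + log rule for everything tagged above; being last, it wins
# over the pass rules, so "pfctl -sr" shows one logging block rule.
block return $l tagged BLOCKED
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it; with this layout the only rules carrying `log (to pflog1)` are the two block rules.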



pf rule?

2011-07-20 Thread fqui nonez
Hello

I have a sshd/ftpd/httpd server box, 4.9 stable; and I want to log all
blocked packets, and send them to /var/log/pfblocklog to be read with
tcpdump. What and where should be the rule?

#   $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
#

set skip on lo

### Agregadas por mi: (added by me)
block return

pass in quick log on rl0 proto tcp from any to port 22
pass out quick on rl0 to any
pass in quick log on rl0 proto tcp from any to port 21
pass in quick log on rl0 proto tcp from any to port 80

### Fin. (end)

# filter rules and anchor for ftp-proxy(8)
anchor "ftp-proxy/*"
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021

pass  # to establish keep-state

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

Thanks for your attention.



Re: pf rule

2011-04-06 Thread Indunil Jayasooriya
On Wed, Apr 6, 2011 at 1:49 PM, Gianluca D'Auri Muscelli 
wrote:
> Hi everyone,
> I never had to deal with pf, but if possible I have a question:
>
> on my OpenBSD I now block all outgoing connections to ssh and telnet to
internet
> with:
>
> block out on re0 proto { tcp } from any to any port  { ssh telnet }

do you have one interface?

re0 may be your external interface. What is your internal interface





--
Thank you
Indunil Jayasooriya



Re: pf rule

2011-04-06 Thread Gianluca D'Auri Muscelli
I try with:

pass out on re0 from any to { 192.168.1.9, 192.168.1.10 }

Is that ok for you?

Il giorno 06/apr/2011, alle ore 10.19, Gianluca D'Auri Muscelli ha scritto:

> Hi everyone,
> I never had to deal with pf, but if possible I have a question:
>
> on my OpenBSD I now block all outgoing connections to ssh and telnet to
internet
> with:
>
> block out on re0 proto { tcp } from any to any port  { ssh telnet }
>
> but now with this rule I can't connect with ssh to my LAN 192.168.1.0/24,
> is there any rule for this question?
>
> Thanks vm and sorry for my bad english!



pf rule

2011-04-06 Thread Gianluca D'Auri Muscelli
Hi everyone,
I never had to deal with pf, but if possible I have a question:

on my OpenBSD I now block all outgoing connections to ssh and telnet to internet
with:

block out on re0 proto { tcp } from any to any port  { ssh telnet }

but now with this rule I can't connect with ssh to my LAN 192.168.1.0/24,
is there any rule for this question?

Thanks vm and sorry for my bad english!


