Re: newbie help with PF. block all, then allowing port 22 doesnt work.
Hello,

That solved the issue but I have about 20 rulesets that have the same syntax. I don't see anything yet also about this. Please elaborate.

Andres

On Thu, Apr 22, 2010 at 3:59 PM, Alexander Hall wrote:
> On 04/22/10 18:22, Allie Daneman wrote:
>> Why are you doing "from any to (fxp0)" ? That's your problem. Change all
>
> I fail to see why that would cause any issues. Care to elaborate?
>
> /Alexander
>
>> the rules like that to "from any to any" since you're already putting
>> the rule on that interface and it should fix you up. As long as you're
>> not redirecting you can turn logging on specific rules and see why
>> they're blocking as well if that doesn't fix your issue.
>>
>> Andres Salazar wrote:
>>> Hello,
>>>
>>> Yes it loaded properly. Yes I had missed the macro for the external
>>> NIC; it is included in the original ruleset. t_externa = "fxp0"
>>>
>>> This is the result for pfctl -sr:
>>>
>>> match in all scrub (no-df)
>>> block drop all
>>> pass out all flags S/SA keep state
>>> pass out quick on fxp0 inet proto tcp from (fxp0) to 208.67.222.220 port = domain flags S/SA keep state
>>> pass out quick on fxp0 inet proto tcp from (fxp0) to 208.67.222.222 port = domain flags S/SA keep state
>>> pass out quick on fxp0 inet proto tcp from (fxp0) to 4.2.2.1 port = domain flags S/SA keep state
>>> pass out quick on fxp0 inet proto tcp from (fxp0) to 4.2.2.2 port = domain flags S/SA keep state
>>> pass out quick on fxp0 inet proto udp from (fxp0) to 208.67.222.220 port = domain keep state
>>> pass out quick on fxp0 inet proto udp from (fxp0) to 208.67.222.222 port = domain keep state
>>> pass out quick on fxp0 inet proto udp from (fxp0) to 4.2.2.1 port = domain keep state
>>> pass out quick on fxp0 inet proto udp from (fxp0) to 4.2.2.2 port = domain keep state
>>> pass in quick on fxp0 inet proto tcp from any to (fxp0) port = ssh flags S/SA keep state
>>> pass in quick on fxp0 inet proto tcp from any to (fxp0) port = 8080 flags S/SA keep state
>>> pass in quick on fxp0 inet proto udp from any to (fxp0) port = ssh keep state
>>> pass in quick on fxp0 inet proto udp from any to (fxp0) port = 8080 keep state
>>> pass out quick on fxp0 inet proto tcp from (fxp0) to any port = www flags S/SA modulate state
>>> pass out quick on fxp0 inet proto tcp from (fxp0) to any port = https flags S/SA modulate state
>>> pass out inet proto icmp all icmp-type echoreq keep state
>>> pass out inet proto icmp all icmp-type unreach keep state
>>>
>>> As soon as I hit pfctl -f /etc/pf.conf and pfctl -e I am locked and I
>>> cannot SSH in from the outside.
>>>
>>> Where am I blocking port SSH in? :(
>>>
>>> Andres
>>>
>>> On Wed, Apr 21, 2010 at 9:45 PM, Daniel Ouellet wrote:
>>>>> ## Traffic IN
>>>>> pass in log quick on $t_externa inet proto { tcp, udp } from any to ($t_externa) \
>>>>>     port { 22 8080 } keep state
>>>>
>>>> In your pf configuration it doesn't show where you actually define the
>>>> macro for your interface $t_externa.
>>>>
>>>> Are you sure the rules you run are what you think they are?
>>>>
>>>> Did it load properly and maybe you want to check the rules as active with
>>>>
>>>> pfctl -sr
>>>>
>>>> And check that display. I think you may find what you are looking for.
>>>>
>>>> Compare your pf.conf with what you actually see in pfctl -sr and you will
>>>> work your issue out.
>>>>
>>>> Best,
>>>>
>>>> Daniel
Re: newbie help with PF. block all, then allowing port 22 doesnt work.
On 04/22/10 18:22, Allie Daneman wrote:
> Why are you doing "from any to (fxp0)" ? That's your problem. Change all

I fail to see why that would cause any issues. Care to elaborate?

/Alexander

> the rules like that to "from any to any" since you're already putting
> the rule on that interface and it should fix you up. As long as you're
> not redirecting you can turn logging on specific rules and see why
> they're blocking as well if that doesn't fix your issue.
>
> Andres Salazar wrote:
>> Hello,
>>
>> Yes it loaded properly. Yes I had missed the macro for the external
>> NIC; it is included in the original ruleset. t_externa = "fxp0"
>>
>> This is the result for pfctl -sr:
>>
>> match in all scrub (no-df)
>> block drop all
>> pass out all flags S/SA keep state
>> pass out quick on fxp0 inet proto tcp from (fxp0) to 208.67.222.220 port = domain flags S/SA keep state
>> pass out quick on fxp0 inet proto tcp from (fxp0) to 208.67.222.222 port = domain flags S/SA keep state
>> pass out quick on fxp0 inet proto tcp from (fxp0) to 4.2.2.1 port = domain flags S/SA keep state
>> pass out quick on fxp0 inet proto tcp from (fxp0) to 4.2.2.2 port = domain flags S/SA keep state
>> pass out quick on fxp0 inet proto udp from (fxp0) to 208.67.222.220 port = domain keep state
>> pass out quick on fxp0 inet proto udp from (fxp0) to 208.67.222.222 port = domain keep state
>> pass out quick on fxp0 inet proto udp from (fxp0) to 4.2.2.1 port = domain keep state
>> pass out quick on fxp0 inet proto udp from (fxp0) to 4.2.2.2 port = domain keep state
>> pass in quick on fxp0 inet proto tcp from any to (fxp0) port = ssh flags S/SA keep state
>> pass in quick on fxp0 inet proto tcp from any to (fxp0) port = 8080 flags S/SA keep state
>> pass in quick on fxp0 inet proto udp from any to (fxp0) port = ssh keep state
>> pass in quick on fxp0 inet proto udp from any to (fxp0) port = 8080 keep state
>> pass out quick on fxp0 inet proto tcp from (fxp0) to any port = www flags S/SA modulate state
>> pass out quick on fxp0 inet proto tcp from (fxp0) to any port = https flags S/SA modulate state
>> pass out inet proto icmp all icmp-type echoreq keep state
>> pass out inet proto icmp all icmp-type unreach keep state
>>
>> As soon as I hit pfctl -f /etc/pf.conf and pfctl -e I am locked and I
>> cannot SSH in from the outside.
>>
>> Where am I blocking port SSH in? :(
>>
>> Andres
>>
>> On Wed, Apr 21, 2010 at 9:45 PM, Daniel Ouellet wrote:
>>>> ## Traffic IN
>>>> pass in log quick on $t_externa inet proto { tcp, udp } from any to ($t_externa) \
>>>>     port { 22 8080 } keep state
>>>
>>> In your pf configuration it doesn't show where you actually define the
>>> macro for your interface $t_externa.
>>>
>>> Are you sure the rules you run are what you think they are?
>>>
>>> Did it load properly and maybe you want to check the rules as active
>>> with
>>>
>>> pfctl -sr
>>>
>>> And check that display. I think you may find what you are looking for.
>>>
>>> Compare your pf.conf with what you actually see in pfctl -sr and you
>>> will work your issue out.
>>>
>>> Best,
>>>
>>> Daniel
Re: newbie help with PF. block all, then allowing port 22 doesnt work.
Why are you doing "from any to (fxp0)" ? That's your problem. Change all the rules like that to "from any to any" since you're already putting the rule on that interface and it should fix you up. As long as you're not redirecting you can turn logging on specific rules and see why they're blocking as well if that doesn't fix your issue.

Andres Salazar wrote:
> Hello,
>
> Yes it loaded properly. Yes I had missed the macro for the external
> NIC; it is included in the original ruleset. t_externa = "fxp0"
>
> This is the result for pfctl -sr:
>
> match in all scrub (no-df)
> block drop all
> pass out all flags S/SA keep state
> pass out quick on fxp0 inet proto tcp from (fxp0) to 208.67.222.220 port = domain flags S/SA keep state
> pass out quick on fxp0 inet proto tcp from (fxp0) to 208.67.222.222 port = domain flags S/SA keep state
> pass out quick on fxp0 inet proto tcp from (fxp0) to 4.2.2.1 port = domain flags S/SA keep state
> pass out quick on fxp0 inet proto tcp from (fxp0) to 4.2.2.2 port = domain flags S/SA keep state
> pass out quick on fxp0 inet proto udp from (fxp0) to 208.67.222.220 port = domain keep state
> pass out quick on fxp0 inet proto udp from (fxp0) to 208.67.222.222 port = domain keep state
> pass out quick on fxp0 inet proto udp from (fxp0) to 4.2.2.1 port = domain keep state
> pass out quick on fxp0 inet proto udp from (fxp0) to 4.2.2.2 port = domain keep state
> pass in quick on fxp0 inet proto tcp from any to (fxp0) port = ssh flags S/SA keep state
> pass in quick on fxp0 inet proto tcp from any to (fxp0) port = 8080 flags S/SA keep state
> pass in quick on fxp0 inet proto udp from any to (fxp0) port = ssh keep state
> pass in quick on fxp0 inet proto udp from any to (fxp0) port = 8080 keep state
> pass out quick on fxp0 inet proto tcp from (fxp0) to any port = www flags S/SA modulate state
> pass out quick on fxp0 inet proto tcp from (fxp0) to any port = https flags S/SA modulate state
> pass out inet proto icmp all icmp-type echoreq keep state
> pass out inet proto icmp all icmp-type unreach keep state
>
> As soon as I hit pfctl -f /etc/pf.conf and pfctl -e I am locked and I
> cannot SSH in from the outside.
>
> Where am I blocking port SSH in? :(
>
> Andres
>
> On Wed, Apr 21, 2010 at 9:45 PM, Daniel Ouellet wrote:
>>> ## Traffic IN
>>> pass in log quick on $t_externa inet proto { tcp, udp } from any to ($t_externa) \
>>>     port { 22 8080 } keep state
>>
>> In your pf configuration it doesn't show where you actually define the
>> macro for your interface $t_externa.
>>
>> Are you sure the rules you run are what you think they are?
>>
>> Did it load properly and maybe you want to check the rules as active with
>>
>> pfctl -sr
>>
>> And check that display. I think you may find what you are looking for.
>>
>> Compare your pf.conf with what you actually see in pfctl -sr and you will
>> work your issue out.
>>
>> Best,
>>
>> Daniel
Re: newbie help with PF. block all, then allowing port 22 doesnt work.
Hello,

Yes it loaded properly. Yes I had missed the macro for the external NIC; it is included in the original ruleset. t_externa = "fxp0"

This is the result for pfctl -sr:

match in all scrub (no-df)
block drop all
pass out all flags S/SA keep state
pass out quick on fxp0 inet proto tcp from (fxp0) to 208.67.222.220 port = domain flags S/SA keep state
pass out quick on fxp0 inet proto tcp from (fxp0) to 208.67.222.222 port = domain flags S/SA keep state
pass out quick on fxp0 inet proto tcp from (fxp0) to 4.2.2.1 port = domain flags S/SA keep state
pass out quick on fxp0 inet proto tcp from (fxp0) to 4.2.2.2 port = domain flags S/SA keep state
pass out quick on fxp0 inet proto udp from (fxp0) to 208.67.222.220 port = domain keep state
pass out quick on fxp0 inet proto udp from (fxp0) to 208.67.222.222 port = domain keep state
pass out quick on fxp0 inet proto udp from (fxp0) to 4.2.2.1 port = domain keep state
pass out quick on fxp0 inet proto udp from (fxp0) to 4.2.2.2 port = domain keep state
pass in quick on fxp0 inet proto tcp from any to (fxp0) port = ssh flags S/SA keep state
pass in quick on fxp0 inet proto tcp from any to (fxp0) port = 8080 flags S/SA keep state
pass in quick on fxp0 inet proto udp from any to (fxp0) port = ssh keep state
pass in quick on fxp0 inet proto udp from any to (fxp0) port = 8080 keep state
pass out quick on fxp0 inet proto tcp from (fxp0) to any port = www flags S/SA modulate state
pass out quick on fxp0 inet proto tcp from (fxp0) to any port = https flags S/SA modulate state
pass out inet proto icmp all icmp-type echoreq keep state
pass out inet proto icmp all icmp-type unreach keep state

As soon as I hit pfctl -f /etc/pf.conf and pfctl -e I am locked and I cannot SSH in from the outside.

Where am I blocking port SSH in? :(

Andres

On Wed, Apr 21, 2010 at 9:45 PM, Daniel Ouellet wrote:
>> ## Traffic IN
>> pass in log quick on $t_externa inet proto { tcp, udp } from any to ($t_externa) \
>>     port { 22 8080 } keep state
>
> In your pf configuration it doesn't show where you actually define the macro
> for your interface $t_externa.
>
> Are you sure the rules you run are what you think they are?
>
> Did it load properly and maybe you want to check the rules as active with
>
> pfctl -sr
>
> And check that display. I think you may find what you are looking for.
>
> Compare your pf.conf with what you actually see in pfctl -sr and you will
> work your issue out.
>
> Best,
>
> Daniel
Re: newbie help with PF. block all, then allowing port 22 doesnt work.
> ## Traffic IN
> pass in log quick on $t_externa inet proto { tcp, udp } from any to ($t_externa) \
>     port { 22 8080 } keep state

In your pf configuration it doesn't show where you actually define the macro for your interface $t_externa.

Are you sure the rules you run are what you think they are?

Did it load properly and maybe you want to check the rules as active with

pfctl -sr

And check that display. I think you may find what you are looking for.

Compare your pf.conf with what you actually see in pfctl -sr and you will work your issue out.

Best,

Daniel
newbie help with PF. block all, then allowing port 22 doesnt work.
Hello all.

I have a ruleset where I am explicitly allowing incoming connections on port 22.. (default is block log all) .. for some weird reason they are getting blocked. Log says:

Apr 21 17:09:49.105052 rule 1/(match) block in on fxp0: my.client.ip.here.54711 > my.server.ip.here.22: S 2999658291:2999658291(0) win 5840 (

Using OBSD 4.6 .. the name of the interface does match with ifconfig (only 1 network card). pass out works without any problem.

dns_servers = "{ 208.67.222.220, 208.67.222.222, 4.2.2.1, 4.2.2.2 }"

set block-policy drop
set loginterface $t_externa
set skip on lo
set debug urgent

##scrub
match in all scrub (no-df)

##translation

## filter rules
block log all
pass out
antispoof quick for { lo $t_externa }

## Traffic IN
pass in log quick on $t_externa inet proto { tcp, udp } from any to ($t_externa) \
    port { 22 8080 } keep state

## Traffic OUT
pass out quick on $t_externa inet proto { tcp, udp } from ($t_externa) to $dns_servers \
    port 53 keep state
pass out quick on $t_externa inet proto { tcp } from ($t_externa) to any \
    port { 80 443 } flags S/SA modulate state
pass out inet proto icmp all icmp-type { echoreq, unreach } keep state

Please help!

Thanks
Andres
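As an added example (not code from any poster in this thread), a small POSIX shell helper that automates the check Daniel describes and the point Allie raises: it takes the "rule N/(match) block in on fxp0" line from pflog, looks up rule N in the output of pfctl -vvsr (which prefixes each rule with its @N number), and tests whether the logged destination address is actually one of the interface's addresses, because "to (fxp0)" matches only addresses currently assigned to fxp0 while "to any" matches every destination. The log line, rule listing and address list are constructed sample data shaped like the thread's, not captured output.

```shell
#!/bin/sh
# Added example: map a pflog "block" line back to the pf rule that fired and
# check whether the packet's destination is an address of the interface.
# All three inputs below are constructed sample data shaped like the thread's.

# What tcpdump -n -e -ttt -r /var/log/pflog prints for the blocked SSH SYN
LOGLINE='Apr 21 17:09:49.105052 rule 1/(match) block in on fxp0: 203.0.113.5.54711 > 198.51.100.7.22: S 2999658291:2999658291(0) win 5840'

# pfctl -vvsr output: same ruleset as the thread, with the @N numbers pflog refers to
RULES='@0 match in all scrub (no-df)
@1 block drop all
@2 pass out all flags S/SA keep state
@3 pass in quick on fxp0 inet proto tcp from any to (fxp0) port = ssh flags S/SA keep state'

# Addresses assigned to fxp0 (e.g. from: ifconfig fxp0 | awk '/inet /{print $2}')
IFADDRS='192.0.2.10'

# Rule number N from "rule N/(match)" in a pflog line
rule_number() {
    printf '%s\n' "$1" | sed -n 's/.*rule \([0-9]*\)\/.*/\1/p'
}

# Text of rule @N from pfctl -vvsr output
matched_rule() {  # $1 = log line, $2 = pfctl -vvsr output
    printf '%s\n' "$2" | sed -n "s/^@$(rule_number "$1") //p"
}

# Destination IPv4 address from the "src.port > dst.port:" field
dst_ip() {
    printf '%s\n' "$1" | sed -n 's/.*> \([0-9.]*\)\.[0-9]*:.*/\1/p'
}

# "(fxp0)" in a pf rule matches only addresses currently assigned to fxp0,
# so a packet for any other address never hits the pass rule and falls
# through to "block all"; "to any" has no such restriction.
on_interface() {  # $1 = address, $2 = newline-separated interface addresses
    if printf '%s\n' "$2" | grep -qxF "$1"; then echo yes; else echo no; fi
}

report() {
    echo "blocked by rule: $(matched_rule "$LOGLINE" "$RULES")"
    ip=$(dst_ip "$LOGLINE")
    echo "destination $ip is an address of the interface: $(on_interface "$ip" "$IFADDRS")"
}
report
```

On a live host, replace the three sample variables with the real pflog line, the output of pfctl -vvsr, and the inet addresses ifconfig reports for the interface.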