Is there any plan to add the time based filtering feature in PF

[Siju George]

Hi all,

This question is primarily to the PF developers :))
Thankyou so much for all your great work and effort to give us an
excellent firewall!!

I would like to know if there is any plan among PF developers to add
the feature to filter traffic based on time.

I mean a way by which I can pass traffic during a particular time
period by a rule like

pass in on $ext_if proto tcp from any to $comp3 port 80 \
time 05:00  06:00 \
   flags S/SA synproxy state

May I also know from all who read this how this type of filtering is
implemented with OpenBSD presently?

Thankyou So much 

Kind Regards

Siju

block return doesn't return rst

[eric]

I seem to not be getting the intended behavior from a NAT box. What I was
hoping is to limit services to the firewall after allowing a few ports in
(ftp, ssh, http, https, etc). But when I use the following rules, I do not
get RST's when connecting to $wlan_if on any other port (i.e. 54199, etc).
The logs show the connection attempt as being blocked, but the
connecting-host has to wait for the connection to time-out.

Any help is appreciated; I'm running 3.6-CURRENT. Thanks.

##
#; Variables
##
loopbk  = lo0
ext_if  = de0
wlan_if = fxp0
ipsec_if= enc0

donald  = 10.116.131.13
daisy   = 10.116.131.14
cirque  = 10.116.131.15
broadcast   = 255.255.255.255
ps2 = 10.116.131.27
ap  = 10.116.131.31
lp  = 10.116.131.94
cp  = 10.116.131.97

edp = { $cirque }
jap = { $daisy }
tcp_wlanif  = { ftp, ssh, http, https }
ps2_wlanif  = { ftp, http, https }

table dpu persist { x.4.180, x.4.81.181, \
  x.4.81.182, x.4.21.128/29 }
table nxious  persist { y.42.42.14, x.4.16.40  }
table olt persist { 110.3.43.1, 110.52.36.84 }
table bogon   persist file /etc/bogon.txt

aspf  = antispoof log
bi= block in
bo= block out
bil   = block in log
biq   = block in quick
bol   = block out log
boq   = block out quick
bilq  = block in log quick
bolq  = block out log quick
blk   = block
pqk   = pass quick
pi= pass in
po= pass out
pil   = pass in log
piq   = pass in quick
pol   = pass out log
poq   = pass out quick
pilq  = pass in log quick
polq  = pass out log quick
ks= keep state
ms= modulate state
ss= synproxy state

##
#; Set logging of stats on the given interface.
##
set loginterface $ext_if
set timeout   { interval 10, frag 27 }
set limit { frags 45000, states 35000 }
set optimization  aggressive
set block-policy  return

##
#; NAT/RDR
##
scrub out all no-df random-id max-mss 1440
scrub in  all no-df fragment reassemble min-ttl 3
nat on $ext_if from $wlan_if:network to any - ($ext_if)
rdr on $wlan_if proto tcp from any to any port 21 - 127.0.0.1 port 8021

##
#; Rules
##

block return log all  label 
$nr:$if-block-log
$pqk  on lo0   alllabel $nr:$if-pass
$bilq on $ext_if   from bogonto any label $nr:$if-bogon
$bilq on $wlan_if  from { bogon, !$wlan_if:network } to any label 
$nr:$if-bogon
$biq  on $ext_if   from any to $broadcast label 
$nr:$if-broadcast


$poq  inet proto tcp  all flags S/SA label $nr:$if-pass-synack-out $ms
$poq  inet proto tcp  alllabel $nr:$if-pass-tcp-out$ks
$poq  inet proto udp  alllabel $nr:$if-pass-udp-out$ks
$poq  inet proto icmp alllabel $nr:$if-pass-icmp-out   $ks
$poq  alllabel $nr:$if-pass-ip-out

### Allowed from local network to wlan_if
$piq   on $wlan_if inet proto tcp \
 from $edp  to $wlan_if port $tcp_wlanif label $nr:$if-edp-$dstport-in $ms
$piq   on $wlan_if inet proto tcp \
 from $jap  to $wlan_if port $tcp_wlanif label $nr:$if-jap-$dstport-in $ms
$piq   on $wlan_if inet proto tcp \
 from $ps2  to $wlan_if port $ps2_wlanif label $nr:$if-ps2-$dstport-in $ms
$poq   on $wlan_if inet proto tcp \
 from $wlan_if to $edp  port $tcp_wlanif label $nr:$if-edp-$dstport-out $ms

$piq  on $wlan_if inet proto udp \
 from any to any  port bootps label $nr:$if-bootps-in $ks
$piq  on $wlan_if inet proto udp \
 from $wlan_if:network   to $wlan_if port domain label $nr:$if-domain-udp-in 
$ks
$piq  on $wlan_if inet proto tcp \
 from $wlan_if:network   to $wlan_if port domain label $nr:$if-domain-tcp-in 
$ms
$piq  on $wlan_if inet proto udp \
 from $wlan_if:network   to $wlan_if port ntplabel $nr:$if-ntp-in
$ks

block return in log quick   on $wlan_if inet proto { tcp, udp } \
 from $wlan_if:network to $wlan_if label $nr:$if-block-in 
$bilq on $wlan_if from $wlan_if:network to $wlan_if label 
$nr:$if-block-in 

$polq on $wlan_if inet proto icmp \
 from $wlan_if:network to $ap icmp-type echoreq  label 
$nr:$if-accesspoint-icmp-out $ks
$polq on $wlan_if inet proto tcp  \
 from 

Re: block return doesn't return rst

[Daniel Hartmeier]

On Fri, Jan 28, 2005 at 03:28:26AM -0600, eric wrote:

 bilq  = block in log quick

 block return log all  label 
 $nr:$if-block-log
 $bilq on $wlan_if  from { bogon, !$wlan_if:network } to any label 
 $nr:$if-bogon

The second rule expands to two rules

  block in log quick on $wlan_if from bogon to any
  block in log quick on $wlan_if from !$wlan_if:network to any

If $wlan_if:network is also in bogon, maybe you see where this is
leading :)

You could add the negation of $wlan_if:network to the bogon table
instead.

If you're wondering what other effect expansion has, take a look at the
output of pfctl -sr. Those are the rules that are really in effect.
Also, pfctl -vvsr prints the rule number for each rule, which pflog
entries refer to. So, if you see a packet logged as blocked but get no
RST, you can look up what rule blocked it (instead of the return-rst
rule you thought should have).

Daniel

Re: Is there any plan to add the time based filtering feature in PF

[Siju George]

On Fri, 28 Jan 2005 11:35:33 +0100, Daniel Hartmeier
[EMAIL PROTECTED] wrote:
 On Fri, Jan 28, 2005 at 02:29:36PM +0530, Siju George wrote:
 
  I would like to know if there is any plan among PF developers to add
  the feature to filter traffic based on time.
 
 I don't think so. There's an endless number of criteria outside of
 packet contents that someone finds useful to filter on in some case,
 like CPU load, memory usage, disk usage, geographic location delivered
 by a GPS receiver, existance of some process, etc.
 
 Instead of cluttering the syntax with more and more (obscure) keywords,
 the better approach seems to be to explain how do this in a generic way,
 see below
...
...
 The main ruleset is not affected by this, you can edit and reload
 pf.conf at any time without destroying the current contents of the
 anchor.
 
 Daniel
 

Thankyou so much Danny!!! That was a very detailed reply!!! i greatly
appreciate the fact that you took time to give me a detailed reply in
your busy schedule!!!
Thankyou so much :)))

good luck

kind Regards

Siju

Re: Is there any plan to add the time based filtering feature in PF

[Henning Brauer]

* Siju George [EMAIL PROTECTED] [2005-01-28 10:50]:
 I would like to know if there is any plan among PF developers to add
 the feature to filter traffic based on time.

no.

cron.

-- 
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)

PF suddenly stops allowing certain connections through

[Lyle Worthington]

Hope everyone is doing well...

My question is a little difficult to word, and thus its been
impossible for me to find other instances of it by searching this list
or google, so hopefully someone can help.

We are running pf on v3.4 and for the most part it has worked
perfectly for 6 months (with only 2 hard crashes).  However, twice now
in the past week we've seen it suddenly stop allowing certain
connections through, while others come through just fine.  The state
table is nowhere near even 35% full, and its always just one port that
wont get through.

In this case it was ssh that was suddenly not allowed.  We have these
three rules:

pass in log on $ext_if proto tcp from xx.xx.xx.xx/24 to any port 22 keep state
pass in log on $ext_if proto tcp from any to any port 25 keep state
pass in log on $ext_if proto tcp from any to any port 80 keep state

Where xx.xx.xx.xx/24 is our class C at our office.  Now the problem we
see is that all of a sudden ssh is no longer allowed through.  There
are no entries in the log about connections actually being blocked,
but nothing gets through.  From multiple IPs on our C block we can hit
SMTP and HTTP, just not SSH.  Does anyone have any ideas?  Anywhere I
can look?  Need any more information?

Thanks,

Lyle Worthington

new feature

[Gustavo A. Baratto]

hello all,
Is it (or will be) possible to set different state timeouts for different 
rules?

For example, if I'm using http, and I need to keep the state for 10 minutes 
because of an e-commerce session, and I dont want to keep the state for smtp 
for more than 30 seconds.

Something like:
-
set timeout 60  #default timeout
# http rule
pass out on fxp0 proto tcp from any to any port www keep state timeout 600
# smtp rule
pass out on fxp0 proto tcp from any to any port smtp keep state timeout 30

Cheers ;)

Re: new feature

[Jason Opperisano]

On Fri, Jan 28, 2005 at 10:37:44AM -0800, Gustavo A. Baratto wrote:
 hello all,
 
 Is it (or will be) possible to set different state timeouts for different 
 rules?
 
 For example, if I'm using http, and I need to keep the state for 10 minutes 
 because of an e-commerce session, and I dont want to keep the state for 
 smtp for more than 30 seconds.
 
 Something like:
 -
 set timeout 60  #default timeout
 
 # http rule
 pass out on fxp0 proto tcp from any to any port www keep state timeout 600
 
 # smtp rule
 pass out on fxp0 proto tcp from any to any port smtp keep state timeout 30

you can do that today:

  pass out on fxp0 proto tcp from any to any port = www \
keep state (tcp.established 600)

  pass out on fxp0 proto tcp from any to any port = smtp \
keep state (tcp.established 30)

man 5 pf.conf for more details.

-j

--
Asleep at the switch?  I wasn't asleep, I was drunk!
--The Simpsons

Re: new feature

[Jon Simola]

On Fri, 28 Jan 2005 10:37:44 -0800, Gustavo A. Baratto
[EMAIL PROTECTED] wrote:

 Is it (or will be) possible to set different state timeouts for different
 rules?

Like this?
pass in  on vlan101 from vlan101:network to any keep state (max 5000,
source-track rule, max-src-states 50, tcp.established 60, tcp.closing
5)

Traffic shaping Q's

[Amir S Mesry]

I am working on a traffic shaper to simulate modems and other
devices, is there a way to add a delay to the packets as they come in
and out using pf to simulate latency? I am trying to simulate ADSL
connections and I need someway to simulate latency that is inherent from
them. I am using a bridge to do it with pf ;). 

Also as far as using pfstat or a similar program, when using
queueing, in order to get the % of the queue's bandwidth being used over
a period of time, would you monitor the outgoing interface or is there
no way to do this?

Amir Mesry
[EMAIL PROTECTED]
Cadillac Jack, Inc.
http://www.cadillacjack.com/
Network  Systems Administrator
2420 Meadowbrook Parkway
Duluth, GA 30096
770-865-0034 

Re: block return doesn't return rst

[Daniel Hartmeier]

On Fri, Jan 28, 2005 at 11:44:08AM -0600, eric wrote:

 Jan 28 11:23:38.565478 rule 40/0(match): block in on fxp0: 
 10.116.131.15.11723  10.116.131.1.7357: SWE 4179382606:4179382606(0) win 
 16384 mss 1460,nop,nop,sackOK,[|tcp] [tos 0x10] (ttl 64, id 44969)
 
 Jan 28 11:23:44.557060 rule 40/0(match): block in on fxp0: 
 10.116.131.15.11723  10.116.131.1.7357: S 4179382606:4179382606(0) win 16384 
 mss 1460,nop,nop,sackOK,[|tcp] [tos 0x10] (ttl 64, id 45638)

Look closely at the TCP flags part of those two packets, they are not
identical.

The first one has SWE set, that means it's SYN with the ECN bits ECE and
CWR set. You must have enabled ECN on the client, check

  # sysctl net.inet.tcp.ecn

When ECN is enabled, a host will try to negotiate ECN for outgoing TCP
connections. That is, it sets the flags SWE in the initial SYN. If the
reply is a RST, it doesn't know for sure whether the peer is not
accepting connections on the port at all or whether it just doesn't
understand ECN and sent the RST because of the WE flags. Hence, the host
will automatically try again without the ECN bits. Because of this
automatic retry you get a delayed 'connection refused' error only after
the second RST is received. This is a normal effect of ECN support.

 But when I connect to the host from the outside world to de0 (ext_if), the
 reset happens immediately.
 
 Jan 28 11:24:35.447744 rule 0/0(match): block in on de0: 207.227.243.193.3435 
  67.175.80.217.7357: S 1276381594:1276381594(0) win 16384 mss 
 1460,nop,nop,sackOK,[|tcp] (ttl 54, id 22646)

The external client seems to have ECN support not enabled in the first
place, so it begins with a plain SYN and aborts on the first RST.

That should explain it entirely, unless sysctl doesn't agree with the
theory :)

Daniel

Re: block return doesn't return rst

[eric]

On Fri, 2005-01-28 at 23:37:37 +0100, Daniel Hartmeier proclaimed...

 Look closely at the TCP flags part of those two packets, they are not
 identical.
 
 The first one has SWE set, that means it's SYN with the ECN bits ECE and
 CWR set. You must have enabled ECN on the client, check
 
   # sysctl net.inet.tcp.ecn
 
 When ECN is enabled, a host will try to negotiate ECN for outgoing TCP
 connections. That is, it sets the flags SWE in the initial SYN. If the
 reply is a RST, it doesn't know for sure whether the peer is not
 accepting connections on the port at all or whether it just doesn't
 understand ECN and sent the RST because of the WE flags. Hence, the host
 will automatically try again without the ECN bits. Because of this
 automatic retry you get a delayed 'connection refused' error only after
 the second RST is received. This is a normal effect of ECN support.

D'oh! Yep, I've been using it for some testing but didn't think much of it
(though the SWE caught my eye as something I haven't seen before).

 The external client seems to have ECN support not enabled in the first
 place, so it begins with a plain SYN and aborts on the first RST.
 
 That should explain it entirely, unless sysctl doesn't agree with the
 theory :)

Everything agrees, many thanks!

- Eric