RE: Solution Request: I need to initiate outbound PPTP requests thru FreeBSD firewall

2006-03-12 Thread Chris Willis
 

-Original Message-
From: Chris Willis 
Sent: Sunday, March 12, 2006 10:23 AM
To: 'Melameth, Daniel D.'
Subject: RE: Solution Request: I need to initiate outbound PPTP requests
thru FreeBSD firewall

This is what fwbuilder is creating.


set limit { frags 5000, states 1 }
set timeout adaptive.start 8000
set timeout adaptive.end 1
set optimization Normal

#
# Scrub rules
#
scrub in all fragment reassemble
scrub out all random-id 

#
# Rule  0 (NAT)
# force mail server to NAT using same IP as incoming mail
#
nat on fxp0 proto {tcp udp icmp} from 192.168.254.253 to any -> 64.62.37.227
#
# Rule  1 (NAT)
# force outbound vpn traffic to source port 500
#
nat on fxp0 proto {tcp,udp} from 192.168.0.0/16 to any port 500 -> 64.62.37.226 port 500
#
# Rule  2 (NAT)
# NAT all 1928 LAN clients to an IP address on the external NIC
#
nat on fxp0 proto {tcp udp icmp} from 192.168.0.0/16 to any -> 64.62.37.226
#
# Rule  3 (NAT)
# Port Forward services to DC1
#
rdr on fxp0 proto tcp from any to 64.62.37.226 port 3389 -> 192.168.254.254 port 3389
rdr on fxp0 proto tcp from any to 64.62.37.226 port 1723 -> 192.168.254.254 port 1723
rdr on fxp0 proto udp from any to 64.62.37.226 port 500 -> 192.168.254.254 port 500
rdr on fxp0 proto 47 from any to 64.62.37.226 -> 192.168.254.254
rdr on fxp0 proto 51 from any to 64.62.37.226 -> 192.168.254.254
rdr on fxp0 proto 50 from any to 64.62.37.226 -> 192.168.254.254
rdr on fxp0 proto tcp from any to 64.62.37.226 port 22 -> 192.168.254.254 port 22
#
# Rule  4 (NAT)
# Port Forward Services to MAIL1
#
rdr on fxp0 proto tcp from any to 64.62.37.227 port 110 -> 192.168.254.253 port 110
rdr on fxp0 proto tcp from any to 64.62.37.227 port 443 -> 192.168.254.253 port 443
rdr on fxp0 proto tcp from any to 64.62.37.227 port 3389 -> 192.168.254.253 port 3389
rdr on fxp0 proto tcp from any to 64.62.37.227 port 80 -> 192.168.254.253 port 80
#
# Rule  5 (NAT)
# port forward to the store camera
#
rdr on fxp0 proto tcp from any to 64.62.37.228 port 80 -> 192.168.202.96 port 80
#
# Rule  6 (NAT)
#
rdr on fxp0 proto tcp from any to 64.62.37.226 port 23 -> 192.168.200.11 port 23
#
# Rule  7 (NAT)
#
rdr on fxp0 proto tcp from any to 64.62.37.229 port 11001 -> 192.168.200.38 port 11001
rdr on fxp0 proto udp from any to 64.62.37.229 port 11001 -> 192.168.200.38 port 11001
#
# Rule  8 (NAT)
#
rdr on fxp0 proto tcp from any to 64.62.37.229 port 11002 -> 192.168.202.19 port 21
#
# Rule  9 (NAT)
#
rdr on fxp0 proto tcp from any to 64.62.37.230 port 3389 -> 192.168.254.255 port 3389


# Tables: (3)
table <id4411F6F4.1> { 224.0.0.0/4 , 169.254.0.0/16 , 127.0.0.0/8 , 10.0.0.0/8 , 192.168.0.0/12 , 192.0.2.0/24 , 0.0.0.0/8 }
table <id4411F73B.2> { 64.62.37.226 , 64.62.37.227 , 64.62.37.228 , 64.62.37.229 , 64.62.37.230 , 192.168.200.89 , 192.168.200.40 }
table <id4411FCBC.1> { 192.168.0.0/16 , 66.134.48.170 }

#
# Rule  0 (fxp0)
# anti-spoof rule for external interfaces
#
block in log quick on fxp0 inet from <id4411F6F4.1> to any label "RULE 0 -- DROP"
#
# Rule  0 (lo0)
# allow loopback to all - required to log onto box
#
pass in log quick on lo0 inet from any to any keep state label "RULE 0 -- ACCEPT"
pass out log quick on lo0 inet from any to any keep state label "RULE 0 -- ACCEPT"
#
# Rule  0 (global)
# deny bad combinations of TCP flags
#
block in log quick inet proto tcp from any to any flags U/UA label "RULE 0 -- DROP"
block in log quick inet proto tcp from any to any flags RF/RF label "RULE 0 -- DROP"
block in log quick inet proto tcp from any to any flags RS/RS label "RULE 0 -- DROP"
block in log quick inet proto tcp from any to any flags SF/SF label "RULE 0 -- DROP"
block in log quick inet proto tcp from any to any flags UAPRSF/UAPRSF label "RULE 0 -- DROP"
block in log quick inet proto tcp from any to any flags /UAPRSF label "RULE 0 -- DROP"
block in log quick inet proto tcp from any to any flags UPF/UAPRSF label "RULE 0 -- DROP"
block in log quick inet proto tcp from any to any flags UPSF/UAPRSF label "RULE 0 -- DROP"
block in log quick inet proto tcp from any to any flags UARSF/UAPRSF label "RULE 0 -- DROP"
block out log quick inet proto tcp from any to any flags U/UA label "RULE 0 -- DROP"
block out log quick inet proto tcp from any to any flags RF/RF label "RULE 0 -- DROP"
block out log quick inet proto tcp from any to any flags RS/RS label "RULE 0 -- DROP"
block out log quick inet proto tcp from any to any flags SF/SF label "RULE 0 -- DROP"
block out log quick inet proto tcp from any to any flags UAPRSF/UAPRSF label "RULE 0 -- DROP"
block out log quick inet proto tcp from any to any flags /UAPRSF label "RULE 0 -- DROP"
block out log quick inet proto tcp from any to any flags UPF/UAPRSF label "RULE 0 -- DROP"
block out log quick inet proto tcp from any to any flags UPSF/UAPRSF label "RULE 0 -- DROP"
block out log quick inet proto tcp from any to any flags UARSF/UAPRSF label RULE

RE: Solution Request: I need to initiate outbound PPTP requests thru FreeBSD firewall

2006-03-11 Thread Chris Willis
Ok, this is not a PPTP connection from the internet TO a box on the
internal LAN.

This is a problem with making a PPTP connection from the internal LAN
to any PPTP server out on the internet.

Thus, TCP 1723 and GRE are not the issue.  I am passing ALL from the
internal LAN to the internet.

I used FWBuilder to create the policy for the FreeBSD box.  When I
install Linux 2.6 in place of the freebsd box, and use the exact same
FWBuilder ruleset, then outbound PPTP works great.

Any other thoughts?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Melameth, Daniel D.
Sent: Saturday, March 11, 2006 12:27 AM
To: pf@benzedrine.cx
Subject: RE: Solution Request: I need to initiate outbound PPTP requests
thru FreeBSD firewall

Chris Willis wrote:
> I have setup a FreeBSD box running PF for a client.  It is the
> 'firewall' for their internal LAN.
>
> I cannot make an outbound VPN connection from their LAN to any other
> microsoft PPTP VPN server.
>
> The VPN connections work fine from any machine that plugs in to the
> hub in FRONT of the firewall (static public IP), but that obviously
> isn't the solution.
>
> What changes need to be made to the ruleset to allow outbound PPTP
> connections?  Here is the existing NAT rule I thought might work based
> on browsing the Archives:
>
> nat on fxp0 proto udp from 172.16.0.0/16 port = 500 to any ->
> 206.135.37.226 port 500
>
> But it didn't help at all.  I put that rule both in front of, and
> behind, the regular NAT rule for outbound network traffic.

I hate to say it Chris, but have you bothered to even find out what
ports/protocols PPTP actually uses?  Perhaps TCP 1723 and GRE?


RFC - my firewall ruleset

2003-03-05 Thread Chris Willis
I would like to know what I can do to improve my firewall ruleset.  This exact set 
protects my own internal LAN (8 computers), and includes P2P rules.  I have similar 
rulesets protecting other networks I have worked on, none with more than 300 clients 
though.
 
# pF.conf working for Wall
# Variables & Tables
int_dev=xl0   # Internal network device.
ext_dev=ep0   # External network device.
cwork={ bunch of IPs here }
overpeer={ 64.15.228.160/27 }
max_mss=1432
unrouteable={ 0/8, 10/8, 127/8, 169.254/16, 172.16/12, 192.0.2/24, 192.168/16 }
ext_bandwidth=1544Kb
# Options
set optimization conservative
set loginterface $ext_dev
# Normalize (defragment) packets on External Interface
scrub in on $ext_dev all fragment reassemble
scrub out on $ext_dev all max-mss $max_mss fragment reassemble
# NAT Rules
# only internal LAN gets NAT currently
nat on $ext_dev from 192.168.1.0/24 to any -> $ext_dev
# Port Forwarding Rules
rdr on $ext_dev proto tcp from any to any port 443 -> 192.168.1.2 port 443
rdr on $ext_dev proto tcp from any to any port 892 -> 192.168.1.2 port 892
rdr on $ext_dev proto udp from any to any port 4665 -> 192.168.1.2 port 4665
rdr on $ext_dev proto tcp from any to any port 4662 -> 192.168.1.2 port 4662
rdr on $ext_dev proto tcp from any to any port 2000 -> 192.168.1.2 port 2000
rdr on $ext_dev proto tcp from any to any port 222 -> 192.168.1.2 port 222
rdr on $ext_dev proto tcp from any to any port 6774 -> 192.168.1.2 port 6774
rdr on $ext_dev proto tcp from any to any port 3389 -> 192.168.1.2 port 3389
rdr on $ext_dev proto tcp from any to any port 6699 -> 192.168.1.2 port 6699
rdr on $ext_dev proto udp from any to any port 6257 -> 192.168.1.2 port 6257
rdr on $ext_dev proto udp from any to any port 1494 -> 192.168.1.2 port 1494
# Deny all connections - default packet filter rule
block in log on $ext_dev from any to any label block_in_all
# pass all loopback traffic
pass in quick on lo0 all
pass out quick on lo0 all
# block out all Microsoft AD & Netbios traffic
# mainly a paranoia rule
block out log quick on $ext_dev inet proto tcp from any to any port 445
block out log quick on $ext_dev inet proto udp from any to any port { 138, 137, 139 }
# Outbound Connection Rules for External Interface
pass out quick on $ext_dev proto tcp all modulate state
pass out quick on $ext_dev proto udp all keep state
pass out quick on $ext_dev proto icmp all keep state
# Block in all invalid combos of TCP flags & Log them
# these rules exist mainly to log these packets so I can curse at the bad people
block in log quick on $ext_dev inet proto tcp from any to any flags /UAPRSF
block in log quick on $ext_dev inet proto tcp from any to any flags F/AF
block in log quick on $ext_dev inet proto tcp from any to any flags P/AP
block in log quick on $ext_dev inet proto tcp from any to any flags U/UA
block in log quick on $ext_dev inet proto tcp from any to any flags RF/RF
block in log quick on $ext_dev inet proto tcp from any to any flags SF/SF
block in log quick on $ext_dev inet proto tcp from any to any flags RS/RS
block in log quick on $ext_dev inet proto tcp from any to any flags UPF/UAPRSF
block in log quick on $ext_dev inet proto tcp from any to any flags UPSF/UAPRSF
block in log quick on $ext_dev inet proto tcp from any to any flags UARSF/UAPRSF
block in log quick on $ext_dev inet proto tcp from any to any flags UAPRSF/UAPRSF
# Rules to allow incoming traffic for internal services & P2P traffic
pass in quick on $ext_dev proto tcp from any to 192.168.1.2 port { 443, 892, 222, 1494, 3389, 2000 } flags S/SA modulate state
pass in quick on $ext_dev proto tcp from any to $ext_dev port = 22 flags S/SA modulate state
pass in log quick on $ext_dev proto tcp from any to $ext_dev port = 25 flags S/SA modulate state
pass in on $ext_dev proto udp from any to 192.168.1.2 port { 4665, 6257 } keep state
pass in on $ext_dev proto tcp from any to 192.168.1.2 port { 4662, 6774, 6699 } modulate state
# block and log incoming packets from reserved address space and invalid addresses
block in log on $ext_dev inet from $unrouteable to any
# properly respond to ident protocol also
block return-rst in proto tcp from any to any port { 111, 6000, 6667 }
block return-icmp in proto udp from any to any port { 137 }
# block Overpeer shit
block in on $ext_dev inet from $overpeer to any
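Added example (mine, not from the thread): a small Python matcher for the nat rules quoted in the fwbuilder output of the 2006 thread and in the 2003 pf.conf above, applying pf's first-match rule for nat. It shows what a proto list does: the 2006 rules translate only tcp, udp and icmp, so GRE (IP protocol 47, which PPTP tunnels over) from the LAN matches no nat rule, while the proto-less 2003 rule translates every protocol. The rule lines are embedded as constructed input, and $ext_dev is assumed to be ep0.

```python
import ipaddress
import re

# Constructed input: the nat lines quoted on this page. The 2003 rule is
# written with $ext_dev already substituted by ep0 (an assumption).
RULES_2006 = """
nat on fxp0 proto {tcp udp icmp} from 192.168.254.253 to any -> 64.62.37.227
nat on fxp0 proto {tcp,udp} from 192.168.0.0/16 to any port 500 -> 64.62.37.226 port 500
nat on fxp0 proto {tcp udp icmp} from 192.168.0.0/16 to any -> 64.62.37.226
"""
RULES_2003 = "nat on ep0 from 192.168.1.0/24 to any -> ep0\n"

# IP protocol numbers for the names this small parser understands.
PROTO = {"tcp": 6, "udp": 17, "icmp": 1, "gre": 47, "esp": 50, "ah": 51}

# Subset of pf nat syntax: optional proto list, source, optional destination port, translation target.
NAT_RE = re.compile(
    r"nat on (?P<iface>\S+)(?: proto (?P<proto>\{[^}]*\}|\S+))?"
    r" from (?P<src>\S+) to (?P<dst>\S+)(?: port (?P<dport>\d+))? -> (?P<ext>\S+)"
)


def parse_nat(text):
    """Turn nat lines into dicts; a missing proto list means 'any protocol'."""
    rules = []
    for line in text.splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        protos = None
        if d["proto"]:
            names = re.findall(r"[a-z0-9]+", d["proto"])
            protos = {PROTO[n] if n.isalpha() else int(n) for n in names}
        src = None if d["src"] == "any" else ipaddress.ip_network(d["src"], strict=False)
        rules.append({"protos": protos, "src": src,
                      "dport": int(d["dport"]) if d["dport"] else None, "ext": d["ext"]})
    return rules


def nat_for(text, proto, src, dport=None):
    """Translation address pf would apply to a packet, or None when no nat rule matches."""
    addr = ipaddress.ip_address(src)
    for r in parse_nat(text):  # nat rules are first-match: the first hit decides
        if (r["protos"] is None or proto in r["protos"]) and \
           (r["src"] is None or addr in r["src"]) and \
           (r["dport"] is None or dport == r["dport"]):
            return r["ext"]
    return None
```

Run against RULES_2006, TCP 1723 from a LAN host returns 64.62.37.226 while GRE from the same host returns None; against RULES_2003 the GRE packet is translated to ep0.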




Newbie Question (one of many to come)

2002-08-10 Thread Chris Willis

How can I setup a packet filter that works with a trigger?

Example:  I have an app that uses TCP 5000 for its connection state info,
and UDP 4900 & 4901 for the actual work.

I would like to create a filter that allows 4900 & 4901 inbound to the
machine that already has tcp 5000 open.  If tcp 5000 isn't open, then I
do not want the UDP ports to be open inbound.

Thanx!

Chris