RE: Why isn't this port blocked?

2003-03-10 Thread Peter Gorsuch
This was the problem:
 
>>Just replace <> with ><.


tcp 3.3.0.10:12002 <- 2.2.20.0:2913   ESTABLISHED:ESTABLISHED
   [498402552 + 63219]  [922621281 + 63919]
   age 00:03:52, expires in 23:59:56, 207 pkts, 42135 bytes, rule 43


@43 pass in inet proto tcp from any to any port 5799 <> 5811 keep state 


Should have been these:


@32 pass in on fxp1 inet proto tcp from 3.3.0.0/16 to 2.2.0.0/16 port = nameserver keep state 
@33 pass in on fxp0 inet proto tcp from 2.2.0.0/16 to 3.3.0.0/16 port = nameserver keep state 


Thanks men, learned a lot again.


Pete
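The fix quoted above turns on the difference between pf's two range operators in pf.conf(5): `a >< b` matches ports strictly between a and b, while `a <> b` is the inverse range (below a or above b), which is why `port 5799 <> 5811` matched 12002. The following is an added example, not code from the thread: a small Python evaluator for the rule shapes used here (inbound TCP, optional interface, `any`/CIDR addresses, the port operators `=`, `!=`, `><`, `<>`, `:`); the packet is constructed from the state entry quoted above, and `42` is written numerically where pfctl printed its service name `nameserver`.

```python
import ipaddress
import re

# Constructed from the state entry quoted above: the inbound SYN that created
# the "tcp 3.3.0.10:12002 <- 2.2.20.0:2913" state.
PACKET = {"src": "2.2.20.0", "dst": "3.3.0.10", "dport": 12002}


def port_matches(spec: str, port: int) -> bool:
    """Evaluate a pf.conf(5) port expression against a destination port."""
    spec = spec.strip()
    m = re.fullmatch(r"(\d+)\s*(><|<>|:)\s*(\d+)", spec)
    if m:
        a, op, b = int(m[1]), m[2], int(m[3])
        if op == "><":                  # range, endpoints excluded
            return a < port < b
        if op == "<>":                  # inverse range: below a OR above b
            return port < a or port > b
        return a <= port <= b           # ':' inclusive range
    m = re.fullmatch(r"(=|!=)?\s*(\d+)", spec)
    if not m:
        raise ValueError(f"unsupported port spec: {spec!r}")
    return (port == int(m[2])) != (m[1] == "!=")


def in_net(ip: str, net: str) -> bool:
    """'any', a host address or a CIDR prefix, as used in the thread's rules."""
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


# Only the rule shape used in this thread: inbound TCP with an optional interface.
RULE = re.compile(r"pass in(?: on \S+)? inet proto tcp from (\S+) to (\S+) port (.+?) keep state")


def rule_matches(rule: str, pkt: dict) -> bool:
    """True if the rule's address and port criteria match pkt (interface ignored)."""
    m = RULE.fullmatch(rule.strip())
    if not m:
        raise ValueError(f"unsupported rule: {rule!r}")
    return (in_net(pkt["src"], m[1]) and in_net(pkt["dst"], m[2])
            and port_matches(m[3], pkt["dport"]))


# Rule 43 as loaded, the same rule with the operator swapped, and rule 33 (42 = nameserver).
BROKEN = "pass in inet proto tcp from any to any port 5799 <> 5811 keep state"
FIXED = "pass in inet proto tcp from any to any port 5799 >< 5811 keep state"
WINS = "pass in on fxp0 inet proto tcp from 2.2.0.0/16 to 3.3.0.0/16 port = 42 keep state"

if __name__ == "__main__":
    for rule in (BROKEN, FIXED, WINS):
        print(rule_matches(rule, PACKET), rule)
```

Running it shows the loaded rule 43 passing the 12002 connection, the `><` form rejecting it, and the per-segment WINS rule only matching port 42.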





Why isn't this port blocked?

2003-03-07 Thread Peter Gorsuch
Connections to port 12002 occur between net2 and net3, 
which should only allow port 42.  
Thanks,
Pete

#pf.conf

#"net_" numbers:
#corp = x.5.55.0/24
#net2  = 2.2.0.0/16
#net3  = 3.3.0.0/16
#net4  = unused
#net5  = unused
#net6  = unused

#VARIABLES:
corp="xl0"
net2="fxp1"
net3="fxp0"
net4="fxp2"
net5="fxp3"
net6="fxp4"


#NAT:
nat on $corp from 2.2.0.0/16 to any -> 12.5.55.230 
nat on $corp from 3.3.0.0/16 to any -> 12.5.55.230 

#add more nat rules if needed as segments are added...

###
#Filter rules:
###

#block all by default:
block in all
block out all

###
#pass all for services as noted

#DNS
pass out inet proto { tcp, udp } from any to any port 53 keep state

#WWW
pass out inet proto tcp from any to any port 80 keep state
pass out inet proto tcp from any to any port https keep state

#ICMP
pass in proto icmp from any to any keep state
pass out proto icmp from any to any keep state

#Samba
pass in inet proto { tcp, udp } from any to any port { 135, 137, 138, 139 }
pass out inet proto { tcp, udp } from any to any port { 135, 137, 138, 139 } keep state
pass in proto { tcp, udp } from any to any port 445
pass out proto { tcp, udp } from any to any port 445 keep state

#WINS on net2 and net3:
pass in on $net2 inet proto tcp from 3.3.0.0/16 to 2.2.0.0/16 port 42 keep state
pass in on $net3 inet proto tcp from 2.2.0.0/16 to 3.3.0.0/16 port 42 keep state

#Unix printing:
pass out inet proto { tcp, udp } from $corp to any port { 515, 9100 } keep state

#REMOTE CONTROL (allow VNC on all hosts listening for a connection):
pass in inet proto { tcp, udp } from any to any port 5899 <> 5911 keep state
pass out inet proto { tcp, udp } from any to any port 5899 <> 5911 keep state
pass in inet proto { tcp, udp } from any to any port 5799 <> 5811 keep state
pass out inet proto { tcp, udp } from any to any port 5799 <> 5811 keep state



Six interfaces...

2003-03-04 Thread Peter Gorsuch
I believe I am fundamentally misunderstanding the way that pf functions.
The excellent man page and list archives I've viewed have not been able to
help me in my efforts to understand what exactly it is that I'm doing.
Fortunately I know exactly what I want to do.

I have a machine running 3.2-stable, with six nics, three currently active,
which I am using in an sqa environment. In my sqa environment, I want to
have knowledge of and the ability to control all aspects of what goes to and
from each host or interface.  So far, only my "from any to any" rules work
(icmp, dns, samba, web, vnc).  My rules involving specific hosts and/or
interfaces don't work.  For instance if I want to allow only port 42 open
between a host on net2 and another host on net3, my rule does not generate a
syntax error, but the WINS databases don't replicate.  I must use a "from
any to any" rule on those interfaces to pass traffic.  I have used every
combination of syntax that I could think of, without the expected result (I
won't include any of those many tries in the rule set below); that is why I
think I am missing something fundamental in my understanding of what is
really going on.  

How would the readers of this list approach this situation?
Any advice is welcome.  
Please see my rule set below, and please excuse the tcp/udp and keep state
redundancies unless they are causing problems; I'll be cleaning those up.

I may have a somewhat unusual application for pf with 6 nics, and perhaps a
discussion will be helpful for others.  This machine is affectionately named
6nix.

Thanks very much indeed,
Peter Gorsuch

# pf.conf

#"net_" numbers:
#inova = 2.5.55.0/24
#net2  = 2.2.0.0/16
#net3  = 3.3.0.0/16
#net4  = unused
#net5  = unused
#net6  = unused

#VARIABLES:
inova="xl0"
net2="fxp1"
net3="fxp0"
net4="fxp2"
net5="fxp3"
net6="fxp4"


#NAT:
nat on xl0 inet from 2.2.0.0/16 to any -> 12.5.55.230 
nat on xl0 inet from 3.3.0.0/16 to any -> 12.5.55.230 

#add more nat rules if needed as segments are added...

##i
#Filter rules:

#block all by default:
block in all
block out all

###
#pass all for services as noted
###

#DNS:
pass out inet proto { tcp, udp } from any to any port 53 keep state
pass in inet proto { tcp, udp } from any to any port 53 keep state

#WEB:
pass in inet proto tcp from any to any port 80 keep state
pass out inet proto tcp from any to any port 80 keep state
pass in inet proto tcp from any to any port https keep state
pass out inet proto tcp from any to any port https keep state

#ICMP (ping, etc.):
pass in proto icmp from any to any keep state
pass out proto icmp from any to any keep state

#Samba:
pass in proto { tcp, udp } from any to any port 135 keep state
pass out proto { tcp, udp } from any to any port 135 keep state
pass in proto { tcp, udp } from any to any port 137 keep state
pass in proto udp from any to any port 138 keep state
pass in proto tcp from any to any port 139 keep state
pass out proto { udp, tcp } from any to any port 137 keep state
pass out proto udp from any to any port 138 keep state
pass out proto tcp from any to any port 139 keep state
pass in proto { tcp, udp } from any to any port 445 keep state
pass out proto { tcp, udp } from any to any port 445 keep state

#pass all: net2 and net 3 (currently for WINS - need port 42)
pass in on $net2 inet proto tcp from any to any keep state
pass out on $net2 inet proto tcp from any to any keep state
pass in on $net3 inet proto tcp from any to any keep state
pass out on $net3 inet proto tcp from any to any keep state

#Unix printing:
pass out inet proto { tcp, udp } from $inova to any port 515 keep state
pass in inet proto { tcp, udp } from any to $inova port 515 keep state
pass out inet proto { tcp, udp } from $inova to any port 9100 keep state
pass in inet proto { tcp, udp } from any to $inova port 9100 keep state

#REMOTE CONTROL
# allow VNC on all interfaces listening for a connection:
pass in inet proto { tcp, udp } from any to any port 5800 keep state
pass out inet proto { tcp, udp } from any to any port 5800 keep state
pass in inet proto { tcp, udp } from any to any port 5900 keep state
pass out inet proto { tcp, udp } from any to any port 5900 keep state


