SOLVED: TODO: pass unidir. TCP connections
Hurray! Solved by following change:

- pass in proto tcp from nPrivate to nPublic keep state
+ pass out proto tcp from nPrivate to nPublic keep state

I think the community NEEDS documentation about PF's stateful inspection, its internal organization, possibilities and limitations. Documentation, not mailing list archive (I guess nobody needs a difference explanation).

Thank you.

Ilya A. Kovalenko
S.A, SpecialEQ SW section
JSC Oganer-Service

For archives:

IAK> I'm trying to pass any outgoing TCP connections from my
IAK> office (nPrivate) onto campus network (nPublic) sites,
IAK> but block any incoming connections from campus to office.
IAK> Can use for it PF ruleset like this (on 2-ifaced GW
IAK> between office and campus):
IAK>
IAK>   block in all
IAK>   block return-rst in proto tcp all
IAK>   pass in on lo0 all
IAK>   pass in from nPublic to nPublic
IAK>   pass in from nPrivate to nPublic
IAK>   pass in from nPrivate to nPrivate
IAK>   pass in proto tcp from nPrivate to nPublic keep state
IAK>
IAK> I suppose that last rule would create state for
IAK> outgoing connection and pass all campus packets for it.
IAK> But it seems not to work ... or I missed some other
IAK> factors.
IAK>
IAK> tcpdump(8) shows this interchange:
IAK>
IAK> OFFICE          __          CAMPUS
IAK>                |  |
IAK>    SYN -       | GW |       - SYN
IAK>                |  |         - SYN ACK
IAK>                |  |         - RST
IAK>    and         |  |
IAK>    again       |  |
IAK>                |  |
IAK>    SYN -       |  |         - SYN
IAK>                |  |         - SYN ACK
IAK>                |__|         - RST
IAK>
IAK> Should such ruleset work ?
IAK>
IAK> Previously, I've used construction like this
IAK>
IAK>   pass in proto tcp from nPublic to nPrivate
IAK>   block in proto tcp from nPublic to nPrivate flags S/SA
IAK>
IAK> but it has security issue - public host could send spoofed
IAK> TCP packet, on which internal host responds with RST.
IAK> So public host could perform ping-scan (by nmap, for example)
IAK> for internal network.
TODO: pass unidir. TCP connections
Addition (GW behavior description):

 [ ... skipped ... ]
 outgoing connection and pass all campus packets for it.
 But it seems to does not work ... or I missed some other factors.
+
+ tcpdump(8) shows this interchange:
+
+OFFICE __CAMPUS
+| |
+SYN - | GW | - SYN
+| | - SYN ACK
+| | - RST
+and | |
+ again| |
+| |
+SYN - | | - SYN
+| | - SYN ACK
+|__| - RST
+
-Should it work ?
+Should such ruleset work ?

 Previously, I've used construction like this
 [ ... skipped ... ]

-- 
Ilya A. Kovalenko
TODO: pass unidir. TCP connections
Good day,

I'm trying to pass any outgoing TCP connections from my office (nPrivate) onto campus network (nPublic) sites, but block any incoming connections from campus to office. Can use for it PF ruleset like this (on 2-ifaced GW between office and campus):

  block in all
  block return-rst in proto tcp all
  pass in on lo0 all
  pass in from nPublic to nPublic
  pass in from nPrivate to nPublic
  pass in from nPrivate to nPrivate
  pass in proto tcp from nPrivate to nPublic keep state

I suppose that last rule would create state for outgoing connection and pass all campus packets for it. But it seems not to work ... or I missed some other factors. Should it work ?

Previously, I've used construction like this

  pass in proto tcp from nPublic to nPrivate
  block in proto tcp from nPublic to nPrivate flags S/SA

but it has security issue - public host could send spoofed TCP packet, on which internal host responds with RST. So public host could perform ping-scan (by nmap, for example) for internal network.

(feel free for any RTFM links)

Thank you.

Ilya A. Kovalenko
S.A, SpecialEQ SW section
JSC Oganer-Service
Re: TODO: pass unidir. TCP connections
On Thu, 2004-08-19 at 06:51, Ilya A. Kovalenko wrote:
> Good day,
>
> I'm trying to pass any outgoing TCP connections from my
> office (nPrivate) onto campus network (nPublic) sites,
> but block any incoming connections from campus to office.
> Can use for it PF ruleset like this (on 2-ifaced GW
> between office and campus):
>
>   block in all
>   block return-rst in proto tcp all
>   pass in on lo0 all
>   pass in from nPublic to nPublic
>   pass in from nPrivate to nPublic
>   pass in from nPrivate to nPrivate
>   pass in proto tcp from nPrivate to nPublic keep state
>
> I suppose that last rule would create state for
> outgoing connection and pass all campus packets for it.
> But it seems not to work ... or I missed some other
> factors. Should it work ?
>
> Previously, I've used construction like this
>
>   pass in proto tcp from nPublic to nPrivate
>   block in proto tcp from nPublic to nPrivate flags S/SA
>
> but it has security issue - public host could send spoofed
> TCP packet, on which internal host responds with RST.
> So public host could perform ping-scan (by nmap, for example)
> for internal network.

if that's your concern--do some anti-spoofing (there's actually a shortcut version of this in 3.5, but it's just as easy to do it manually):

  block in all
  block return-rst in proto tcp all
  block in quick on ! $private_if from nPrivate
  [ ... rest of rules ... ]

-j

=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
Drunks are rarely amusing unless they know some good songs and lose a lot at poker.
-- Karyl Roosevelt
=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
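A small PF-style rule evaluator, added here as an illustration and not code from the thread or from PF itself, that replays the cases discussed in this thread: the solved pass in / pass out keep state ruleset, the anti-spoofing rule from this reply, and the earlier flags S/SA construction, to show which packets reach the internal host. The interface names em0/em1 and the 10.0.0. / 192.168. prefixes are assumptions standing in for $private_if, nPrivate and nPublic; ports and non-TCP protocols are left out.

```python
from collections import namedtuple
PRIVATE_IF, PUBLIC_IF = "em0", "em1"          # assumed interface names (GW between office and campus)
N_PRIVATE, N_PUBLIC = "10.0.0.", "192.168."   # constructed prefixes standing in for nPrivate / nPublic
Packet = namedtuple("Packet", "iface direction src dst flags", defaults=("S",))
Rule = namedtuple("Rule", "action direction iface not_iface src dst flags quick keep_state",
                  defaults=(None, False, None, None, None, False, False))

def rule_matches(r, p):
    if r.direction != p.direction: return False
    if r.iface and (p.iface == r.iface) == r.not_iface: return False  # "on ! $if" negates the match
    if r.src and not p.src.startswith(r.src): return False
    if r.dst and not p.dst.startswith(r.dst): return False
    if r.flags:  # "S/SA": of the flags in the mask, exactly the listed ones must be set
        check, mask = r.flags.split("/")
        if "".join(f for f in mask if f in p.flags) != check: return False
    return True

def filter_packet(rules, states, p):
    # PF order: state table first; otherwise the LAST matching rule wins, unless a match is 'quick'.
    if (p.src, p.dst) in states or (p.dst, p.src) in states:
        return "pass"  # floating state: matches either direction on any interface
    matches = [r for r in rules if rule_matches(r, p)]
    last = next((r for r in matches if r.quick), matches[-1] if matches else None)
    if last is None: return "pass"  # nothing matched: PF passes by default
    if last.action == "pass" and last.keep_state: states.add((p.src, p.dst))
    return last.action

STATEFUL = [  # solved ruleset (pass in + pass out keep state) plus the reply's anti-spoofing rule; all traffic is TCP
    Rule("block", "in"), Rule("block return-rst", "in"),
    Rule("block", "in", iface=PRIVATE_IF, not_iface=True, src=N_PRIVATE, quick=True),
    Rule("pass", "in", src=N_PRIVATE, dst=N_PRIVATE),
    Rule("pass", "in", src=N_PRIVATE, dst=N_PUBLIC, keep_state=True),
    Rule("pass", "out", src=N_PRIVATE, dst=N_PUBLIC, keep_state=True)]
FLAGS_ONLY = [  # the earlier "flags S/SA" construction with the RST-scan problem
    Rule("pass", "in", src=N_PUBLIC, dst=N_PRIVATE),
    Rule("block", "in", src=N_PUBLIC, dst=N_PRIVATE, flags="S/SA")]

def run_scenarios():
    states, office, campus = set(), N_PRIVATE + "5", N_PUBLIC + "1.10"
    probe = Packet(PUBLIC_IF, "in", campus, N_PRIVATE + "9", "A")  # unsolicited ACK, the nmap-style probe
    return {
        "syn_in_private": filter_packet(STATEFUL, states, Packet(PRIVATE_IF, "in", office, campus)),
        "syn_out_public": filter_packet(STATEFUL, states, Packet(PUBLIC_IF, "out", office, campus)),
        "synack_in_public": filter_packet(STATEFUL, states, Packet(PUBLIC_IF, "in", campus, office, "SA")),
        "spoofed_private_src": filter_packet(STATEFUL, states, Packet(PUBLIC_IF, "in", N_PRIVATE + "7", office)),
        "probe_stateful": filter_packet(STATEFUL, states, probe),
        "probe_flags_only": filter_packet(FLAGS_ONLY, set(), probe),
    }
```

Without the quick anti-spoofing rule the spoofed packet would fall through to "pass in from nPrivate to nPrivate" and be passed; under the flags-only ruleset the unsolicited ACK reaches the internal host, which is the RST-based scan the original post describes, whereas the stateful ruleset answers it from the gateway via block return-rst.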