Old 8th November 2013
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977

OK. The following recommendations are without testing your configuration, just from walking through them.

  • I see two rules that I am sure will NOT work as you intended
  • I see a rule which negates all of the previous rules, rendering this configuration unworkable
  • I see a mix of policy, macro, and option settings within your filtering rules. I recommend moving all of those to the top of your configuration, ahead of your filter rules, for clarity.
  • Unless you have a specific requirement, I recommend avoiding the use of flags to filter; you might either negate stateful processing which can affect performance, or you might cause a rule to be improperly skipped or applied, which would be an operational problem.
Of special note:
  • In PF, unless the quick option is used, the last matching rule will be applied. When you do not use quick, your general rules need to be at the top of the filter list, your specific rules underneath them.
Now for your ruleset:
  1. Your $mysqld_ip macro is a list which contains a single IP address fronted by an exclamation point. As defined, this is "all IP addresses except this one address." And this one address appears to be the address assigned to this single server. Your filter rule that uses this list will never match any traffic, as it states, "block all incoming tcp traffic from anywhere headed to anywhere for destination port 3306, except for traffic destined to the IP address for this computer." Except, this is a terminal server so there will only be traffic destined for this server, and you have no pass rules for this port in your ruleset. I believe your intent was:

    # default deny; the later, more specific pass rule wins (last match)
    block all
    # "port" only applies to tcp or udp, so the protocol must be named
    pass in proto tcp from any to $EXT_IP port 3306
  2. Your rule to pass HTTP traffic to destination port 80 uses the IP address instead of the $EXT_IP macro. If your address changes, you will need to change it in multiple rules, instead of just at the top of your configuration. It also uses flags with synproxy state, and I recommend you avoid flags -- in this case, you are asking PF to manage the TCP handshake to avoid SYN flooding but you may be limiting its capabilities with flag settings.
  3. You have two rules that have flag settings which refer to an undefined $SYN_ONLY macro.
  4. You have a general block on all outbound traffic well beneath more specific rules, and if it were ever matched could block outbound traffic that must flow in order to establish state for earlier pass rules. As you already have a block all as your starting rule, this rule is unnecessary, and immediately followed by a general pass rule which renders it useless, at the moment. I'm warning you about it because if your ruleset changes, this could suddenly match and cause unintended blocks.
  5. Your pass rules for loopback could be replaced with a set skip option rule. I recommend using it, and recommend putting this in an options section above your filter rules, with your other options, macros, and general settings.

Last edited by jggimi; 8th November 2013 at 05:24 PM. Reason: improved clarity
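For readers following the thread, here is a pf.conf sketch that applies all five of the recommendations above in one place: macros and options at the top, set skip for loopback, a single default block, the general outbound pass ahead of the specific inbound passes (because without quick the last matching rule wins), the $EXT_IP macro instead of a literal address, and no flags clause on the synproxy rule. This is an added example, not the configuration under review in the thread and not jggimi's own code. The interface name em0, the address 203.0.113.10 and the macro name web_port are assumptions; $EXT_IP and the ports 80 and 3306 come from the post.

```pf
# Added example pf.conf, not the poster's ruleset.
# Assumed: external interface em0, address 203.0.113.10 (TEST-NET-3 placeholder).

# --- macros, options and policy settings first, ahead of every filter rule ---
ext_if   = "em0"
EXT_IP   = "203.0.113.10"     # change here once, never inside a filter rule
web_port = "80"               # assumed macro name
db_port  = "3306"             # assumed macro name

set skip on lo                # replaces individual pass rules for loopback
set block-policy drop         # silently drop what the default block catches

# --- filter rules: general rules first, specific rules beneath them ---
# Without "quick", the LAST matching rule is applied, so the default block
# must come first and the pass rules that refine it must follow it.
block all

# One general outbound pass. State is kept by default, so replies to traffic
# this host initiates return through the state entry; no extra inbound rule.
pass out on $ext_if inet

# Inbound services, addressed by macro rather than by literal IP.
# "port" requires "proto tcp" (or udp). No "flags" clause is given: PF's
# default flag handling and, for HTTP, synproxy take care of the handshake.
pass in on $ext_if inet proto tcp from any to $EXT_IP port $db_port
pass in on $ext_if inet proto tcp from any to $EXT_IP port $web_port synproxy state

# Check syntax without loading:   pfctl -nf /etc/pf.conf
# Load when it parses cleanly:    pfctl -f /etc/pf.conf
```

Two things worth keeping in mind when adapting this. Run `pfctl -nf` after every edit: the undefined $SYN_ONLY macro mentioned in item 3 is exactly the kind of error it reports before anything is loaded. And the MySQL pass rule is written as the post describes the intent, open to any source; on a real host you would normally narrow `from any` to the client network that needs the database.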