OpenBSD Security: Functionally paranoid!
need help with troubleshooting pf.conf
Hi all,
New here, seeking help with my pf.conf. For some reason I'm not getting the desired effect; perhaps someone can be a second pair of eyes/ears? My testing has given the following results (in brackets is what this is supposed to be in the end):

* UNCONFIGURED: 29 Mbps down and 18 Mbps up (supposed to be unlimited in the end, but I understand it's not configured that way right now)
* CLIENT1: 26.72 Mbps down and 15.63 Mbps up (supposed to be limited to 10 Mbps)
* CLIENT2: 1.33 Mbps down and 1.19 Mbps up (supposed to be limited to 1.5 Mbps, so this is good)
* 8.82.104.212: 38 Mbps down and 8 Mbps up (supposed to be limited to 10 Mbps)

Any insight on what I'm missing? Thanks for the help!
some progress on the pf.conf
Hi,
I think I've made some progress here, but if someone out there has a better understanding of pf.conf files, maybe you can help me with glaring errors?
In case you don't want to download...
Might be useful for those that don't want to download the conf file...
Code:
# $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
#
# Couple things: look into making it a default block policy, make sure VPNs work,
# double check and test the outbox.allstream.net address, determine the correct
# interface for ftp-proxy (CARP or EM?)

table <LocalNetworks> const { 10.1.0.0/24, 10.2.0.0/24, 10.3.0.0/24, 10.4.0.0/24,
    10.5.0.0/24, 10.6.0.0/24, 10.7.0.0/24, 10.8.0.0/23, 10.9.0.0/24, 10.10.0.0/24,
    10.11.0.0/24, 10.12.0.0/24, 10.13.0.0/24, 10.14.0.0/24 }

IntIFs = "{ em0, vlan2, vlan2, vlan3, vlan4, vlan5, vlan6, vlan7, vlan8, vlan9, vlan10, vlan11, vlan12, vlan13, vlan14 }"
IntCARPs = "{ carp1, carp2, carp3, carp4, carp5, carp6, carp7, carp8, carp9, carp10, carp11, carp12, carp13, carp14 }"

set skip on lo
scrub in all

# Allstream upload = 40Mbit (queue at 97%)
#altq on em1 bandwidth 38Mb hfsc queue { ack, dns }
#queue ack bandwidth 50% priority 7 qlimit 500 hfsc (realtime 50%)
#queue dns bandwidth 5% priority 6 qlimit 500 hfsc (realtime 5%)
#queue dns bandwidth 7% priority 6 qlimit 500 hfsc (realtime 5%)
#queue https bandwidth 7% priority 5 qlimit 500 hfsc (realtime 5%)
#queue http bandwidth 7% priority 4 qlimit 500 hfsc (realtime 5%)
#queue bulk bandwidth 1% priority 3 qlimit 500 hfsc (realtime 5% default)
#queue bittor bandwidth 1% priority 2 qlimit 500 hfsc (upperlimit 99%)

ext_if = "em1"
int_if = "em0"
dev_if = "em2"
dev1 = "8.82.104.212"

bw_world_up = "51Mb"
bw_world_dn = "51Mb"
bw_client1 = "39.5Mb"
bw_client2 = "1.5Mb"
bw_rest = "5Mb"
bw_dev_dn = "100Mb"
bw_dev1 = "5Mb"
bw_rest_dev_dn = "95Mb"

altq on $ext_if cbq bandwidth $bw_world_up queue { client1_up, client2_up, dev1_up, rest_up }
altq on $int_if cbq bandwidth $bw_world_dn queue { client1_dn, client2_dn, rest_dn }
altq on $dev_if cbq bandwidth $bw_dev_dn queue { dev1_dn, rest_dev_dn }

queue client1_up bandwidth $bw_client1 cbq
queue client1_dn bandwidth $bw_client1 cbq
queue client2_up bandwidth $bw_client2 cbq
queue client2_dn bandwidth $bw_client2 cbq
queue dev1_up bandwidth $bw_dev1 cbq
queue dev1_dn bandwidth $bw_dev1 cbq
queue rest_up bandwidth $bw_rest cbq(default)
queue rest_dn bandwidth $bw_rest cbq(default)
queue rest_dev_dn bandwidth $bw_rest_dev_dn cbq(default)

# NAT all internal networks on em1 to CARP100 interface (Internet)
nat on em1 proto { tcp, udp, icmp, esp, gre } from <LocalNetworks> -> (carp100)

# Correct FTP issues on all local interfaces
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# Please determine which is working, the CARP or the Internal IF
#rdr pass on $IntCARPs proto tcp to port ftp -> 127.0.0.1 port 8021
rdr pass on $IntIFs proto tcp to port ftp -> 127.0.0.1 port 8021

# Intercept all smtp outgoing e-mail and forward to outbox.allstream.net
rdr pass on $IntIFs proto tcp to port 25 -> 207.245.244.41 port 25

# Redirect external IP address to internal CMPP camera server.
rdr pass on em1 proto tcp to 8.82.105.158 port 5400 -> 10.1.0.5 port 5400
#rdr pass on em1 proto tcp to 192.168.42.2 port 5400 -> 10.1.0.5 port 5400

anchor "ftp-proxy/*"

# Allow all vpn data
pass in quick on em1 inet proto udp from any to any port = 500
pass in quick on em1 inet proto esp from any to any
pass out on em1 inet proto esp from any to any
pass out on em1 inet proto tcp all flags S/SA keep state
pass out on em1 inet proto udp from any to any port = 500
pass out on em1 inet proto esp from any to any
pass out on em1 inet proto udp all keep state
pass out on em1 inet proto icmp all keep state

# no inet6 for me
block quick inet6 all

block out on $IntIFs from <LocalNetworks>

pass in on em0 from 10.1.0.0/24 to any tag CLIENT2U queue client2_dn
pass out on em0 from { (em0), (carp1) } queue client2_dn
pass out quick on $ext_if tagged CLIENT2U queue client2_up

pass in on vlan2 from 10.2.0.0/24 to any
pass out on vlan2 from { (vlan2), (carp2) }

pass in on vlan3 from 10.3.0.0/24 to any
pass out on vlan3 from { (vlan3), (carp3) }

#pass in on vlan4 from 10.4.0.0/24 to any
#pass out on vlan4 from { (vlan4), (carp4) }
pass in on vlan4 from 10.4.0.0/24 to any tag CLIENT2U queue client2_dn
pass out on vlan4 from { (vlan4), (carp4) } queue client2_dn
pass out quick on $ext_if tagged CLIENT2U queue client2_up

pass in on vlan5 from 10.5.0.0/24 to any
pass out on vlan5 from { (vlan5), (carp5) }

pass in on vlan6 from 10.6.0.0/24 to any
pass out on vlan6 from { (vlan6), (carp6) }

pass in on vlan7 from 10.7.0.0/24 to any
pass out on vlan7 from { (vlan7), (carp7) }

pass in on vlan8 from 10.8.0.0/23 to any tag CLIENT1U queue client1_dn
pass out on vlan8 from { (vlan8), (carp8) } queue client1_dn
pass out quick on $ext_if tagged CLIENT1U queue client1_up

# dev1
#pass in quick on $dev_if from any to $dev1 queue dev1_dn
#pass in quick on $ext_if from any to $dev1 queue dev1_dn
#pass out quick on $ext_if from $dev1 to any queue dev1_up
#pass out quick on $dev_if from any to $dev1 queue dev1_dn
#pass out quick on $ext_if from $dev1 to any
#pass out quick on $dev_if from any to $dev1
pass in on $dev_if from $dev1 to any tag DEV1U queue dev1_dn
pass out on $dev_if from $dev1 queue dev1_dn
pass out quick on $ext_if tagged DEV1U queue dev1_up

pass in on vlan9 from 10.9.0.0/24 to any tag CLIENT2U queue client2_dn
pass out on vlan9 from { (vlan9), (carp9) } queue client2_dn
pass out quick on $ext_if tagged CLIENT2U queue client2_up

pass in on vlan10 from 10.10.0.0/24 to any
pass out on vlan10 from { (vlan10), (carp10) }

pass in on vlan11 from 10.11.0.0/24 to any
pass out on vlan11 from { (vlan11), (carp11) }

pass in on vlan12 from 10.12.0.0/24 to any
pass out on vlan12 from { (vlan12), (carp12) }

pass in on vlan13 from 10.13.0.0/24 to any
pass out on vlan13 from { (vlan13), (carp13) }

pass in on vlan14 from 10.14.0.0/24 to any
pass out on vlan14 from { (vlan14), (carp14) }

Last edited by tinhead; 22nd March 2011 at 01:52 AM.
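The queue tree above can be checked mechanically before anything is reloaded on the firewall. What follows is an added example for this thread, not code from the post and not an OpenBSD tool: a small Python script that expands the pf.conf macros, resolves each cbq queue's rate, and applies the checks pfctl enforces at load time (child queues must not add up to more than their altq root, every altq interface needs exactly one default queue) plus one it does not: a pass rule naming a queue that no altq definition provides. The embedded SAMPLE is the ALTQ section of the posted file, trimmed to em1 and em0, together with two of its pass rules; run as a script it prints the rate each queue is actually configured with, which can then be compared against the intended limits in the first post. Assumptions: a one-level queue tree like the posted one, and percent bandwidths taken relative to the root.

```python
"""Static sanity check of the ALTQ/cbq queue tree in a pf.conf ruleset.

Added example for this forum thread, not code from the post or from OpenBSD.
Redoes locally what pfctl does on load (macro expansion, queue resolution) and
reports: the rate each queue really gets, children whose rates add up to more
than their altq root (cbq refuses such a tree), altq interfaces without exactly
one default queue, and pass rules naming a queue no altq definition provides.
Assumes a one-level queue tree; percentages are taken relative to the root.
"""
import re

UNIT = {"b": 1, "kb": 1_000, "mb": 1_000_000, "gb": 1_000_000_000}  # pfctl units are 1000-based
MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$')
ALTQ_RE = re.compile(r"^altq on (\S+)\s+(\w+)\b.*?bandwidth (\S+).*?queue\s*\{([^}]*)\}")
QUEUE_RE = re.compile(r"^queue (\S+)\s.*?bandwidth (\S+)(.*)$")
QREF_RE = re.compile(r"\bqueue\s*\(?\s*(\w+(?:\s*,\s*\w+)*)\s*\)?")  # 'queue x' or 'queue(x, y)'


def preprocess(text):
    """Drop comments and blank lines, expand $macro references (no '#' inside values here)."""
    macros, lines = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        lines.append(re.sub(r"\$(\w+)", lambda mm: macros.get(mm.group(1), mm.group(0)), line))
    return lines


def bandwidth_bps(spec, parent_bps=None):
    """'39.5Mb' -> 39500000.0; '50%' -> half of the parent queue's rate."""
    if spec.endswith("%"):
        if parent_bps is None:
            raise ValueError("percentage bandwidth needs a parent queue: " + spec)
        return parent_bps * float(spec[:-1]) / 100.0
    m = re.fullmatch(r"([0-9.]+)([KMG]?b)", spec, re.I)
    if not m:
        raise ValueError("unparseable bandwidth: " + spec)
    return float(m.group(1)) * UNIT[m.group(2).lower()]


def check_altq(text):
    """Return ({queue: (iface, bps)}, [problem strings]) for the ruleset text."""
    roots, qdefs, refs = {}, {}, set()
    for line in preprocess(text):
        if (m := ALTQ_RE.match(line)):
            iface, sched, bw, kids = m.groups()
            roots[iface] = (sched, bw, [k.strip() for k in kids.split(",") if k.strip()])
        elif (m := QUEUE_RE.match(line)):
            name, bw, rest = m.groups()
            qdefs[name] = (bw, "default" in rest)
        elif line.split()[0] in ("pass", "match", "block"):
            for m in QREF_RE.finditer(line):
                refs.update(q.strip() for q in m.group(1).split(","))

    rates, problems = {}, []
    for iface, (sched, bw, kids) in roots.items():
        root_bps = bandwidth_bps(bw)
        total, n_default = 0.0, 0
        for name in kids:
            if name not in qdefs:
                problems.append(f"{iface}: queue {name} is listed but never defined")
                continue
            spec, is_default = qdefs[name]
            bps = bandwidth_bps(spec, root_bps)
            rates[name] = (iface, bps)
            total += bps
            n_default += is_default
        if total > root_bps * (1 + 1e-9):  # cbq: children may not exceed the parent
            problems.append(f"{iface}: child queues total {total / 1e6:g}Mb, more than the "
                            f"{root_bps / 1e6:g}Mb {sched} root")
        if n_default != 1:
            problems.append(f"{iface}: {n_default} default queue(s), cbq needs exactly one")
    for q in sorted(refs - set(rates)):
        problems.append(f"a rule assigns queue {q}, which no altq definition provides")
    return rates, problems


# ALTQ section of the pf.conf posted in this thread (em1 and em0 parts) plus two of its rules.
SAMPLE = """
ext_if = "em1"
int_if = "em0"
bw_world_up = "51Mb"
bw_world_dn = "51Mb"
bw_client1 = "39.5Mb"
bw_client2 = "1.5Mb"
bw_rest = "5Mb"
bw_dev1 = "5Mb"
altq on $ext_if cbq bandwidth $bw_world_up queue { client1_up, client2_up, dev1_up, rest_up }
altq on $int_if cbq bandwidth $bw_world_dn queue { client1_dn, client2_dn, rest_dn }
queue client1_up bandwidth $bw_client1 cbq
queue client1_dn bandwidth $bw_client1 cbq
queue client2_up bandwidth $bw_client2 cbq
queue client2_dn bandwidth $bw_client2 cbq
queue dev1_up bandwidth $bw_dev1 cbq
queue rest_up bandwidth $bw_rest cbq(default)
queue rest_dn bandwidth $bw_rest cbq(default)
pass in on vlan8 from 10.8.0.0/23 to any tag CLIENT1U queue client1_dn
pass out quick on $ext_if tagged CLIENT1U queue client1_up
"""

if __name__ == "__main__":
    rates, problems = check_altq(SAMPLE)
    for name, (iface, bps) in sorted(rates.items()):
        print(f"{iface:4} {name:12} {bps / 1e6:6g} Mb")   # the client1_* queues print as 39.5 Mb
    for p in problems:
        print("PROBLEM:", p)
```

The script deliberately stops at what can be decided from the file alone: whether a queue is ever hit at runtime depends on rule order and state, which `pfctl -vvsq` and `systat queues` on the live box will show.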
If you're going to post configuration files inline, use [code][/code] blocks.
Now doesn't that look pretty?! Thanks!
Without a network topology and a description of the security policy your rules are supposed to implement, it is rather difficult to give meaningful/correct tips and/or advice.
Code:
# Allow all vpn data
pass in quick on em1 inet proto udp from any to any port = 500
pass in quick on em1 inet proto esp from any to any
pass out on em1 inet proto esp from any to any
pass out on em1 inet proto tcp all flags S/SA keep state
pass out on em1 inet proto udp from any to any port = 500
pass out on em1 inet proto esp from any to any
pass out on em1 inet proto udp all keep state
pass out on em1 inet proto icmp all keep state

Or only allow outgoing VPN connections? Why don't you use quick on the pass out rules as well?

Some rules say keep state, or flags S/SA keep state, but some don't. That is not consistent. If you want stateful connections, you don't have to specify keep state anymore. Stateful connections have been the default in pf for quite some time.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Last edited by J65nko; 22nd March 2011 at 09:33 AM.
thanks J65nko
Thanks for pointing that out. The biggest concern is actually the bandwidth limitation. We run a complex environment with three physical interfaces.
One physical interface is connected to the ISP, the other is connected to a number of devices with public IPs, and the third is connected to a number of internal networks, all on their own VLANs. Our concern is rate limiting individual networks: on the public IP space, limiting by IP; on the internal networks, limiting by VLAN. What information would you need in order to help with this situation? What can I pull off the server to better elicit a reply from an expert such as yourself?
Code:
pass in on em0 from 10.1.0.0/24 to any tag CLIENT2U queue client2_dn
pass out on em0 from { (em0), (carp1) } queue client2_dn
pass out quick on $ext_if tagged CLIENT2U queue client2_up

So if any other rule after this would allow incoming traffic on em0 from 10.1.0.0/24, this traffic would be passed without being assigned to that "client2_up" queue.

BTW, I am not an expert.
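The rule-ordering point made in the reply above, as an added example that is not part of the thread: a toy model in Python of how pf selects the winning rule. Per pf.conf(5), rules are evaluated top to bottom and the last matching rule wins unless a matching rule says quick; the queue comes from the winning rule only, while a tag is sticky and survives later matches. The two rules in POSTED are the em0/CLIENT2U rules from the posted pf.conf; LATER is a hypothetical rule of the kind the reply warns about and does not appear in the posted file. Only direction, interface, source network and tags are modelled; protocols, ports, NAT and state tracking are left out.

```python
"""Toy model of pf rule selection, to show what a later rule does to a queue
assignment. Added example, not from the forum thread or from OpenBSD.

Modelled pf.conf(5) semantics:
  * rules are evaluated top to bottom; the LAST matching rule wins, unless a
    matching rule is 'quick', which ends evaluation immediately;
  * 'queue' is taken from the winning rule only;
  * 'tag' is sticky: a later matching rule without 'tag' leaves it in place,
    and 'tagged' rules match on it.
Only direction, interface, source network and tag are matched.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    direction: str                 # "in" or "out"
    iface: str
    src: str = "any"               # CIDR or "any"
    quick: bool = False
    tag: Optional[str] = None      # tag applied when this rule matches
    tagged: Optional[str] = None   # only match packets already carrying this tag
    queue: Optional[str] = None


@dataclass
class Packet:
    direction: str
    iface: str
    src: str
    tag: Optional[str] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    if (rule.direction, rule.iface) != (pkt.direction, pkt.iface):
        return False
    if rule.src != "any" and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    return rule.tagged is None or pkt.tag == rule.tagged


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[Optional[int], Optional[str], Optional[str]]:
    """Return (index of winning rule, queue assigned, tag carried) for pkt.
    A packet matching no rule passes by default with no queue and keeps its tag."""
    winner, tag = None, pkt.tag
    for i, rule in enumerate(rules):
        if not matches(rule, pkt):
            continue
        winner = i
        if rule.tag is not None:
            tag = rule.tag            # sticky: a later match without 'tag' does not clear it
        if rule.quick:
            break
    queue = rules[winner].queue if winner is not None else None
    return winner, queue, tag


# The em0/CLIENT2U rules from the posted pf.conf, reduced to the keywords modelled here.
POSTED = [
    Rule("in", "em0", "10.1.0.0/24", tag="CLIENT2U", queue="client2_dn"),
    Rule("out", "em1", quick=True, tagged="CLIENT2U", queue="client2_up"),
]
# Hypothetical later rule of the kind the reply warns about: same traffic, no queue.
LATER = Rule("in", "em0", "10.1.0.0/24")


def with_quick(rule: Rule) -> Rule:
    """Copy of a rule with 'quick' set, so evaluation stops at it."""
    return replace(rule, quick=True)


def scenario(rules: List[Rule]):
    """Inbound packet from 10.1.0.7 on em0, then the same flow leaving em1.
    Returns (winning inbound rule index, inbound queue, outbound queue)."""
    win_in, queue_in, tag = evaluate(rules, Packet("in", "em0", "10.1.0.7"))
    _, queue_out, _ = evaluate(rules, Packet("out", "em1", "10.1.0.7", tag=tag))
    return win_in, queue_in, queue_out


if __name__ == "__main__":
    print("posted rules only:    ", scenario(POSTED))
    print("later rule appended:  ", scenario(POSTED + [LATER]))
    print("first rule made quick:", scenario([with_quick(POSTED[0])] + POSTED[1:] + [LATER]))
```

With the posted rules alone the inbound packet gets client2_dn; append LATER and the inbound queue is lost (the later rule wins and carries none) while the sticky tag still steers the outbound side into client2_up; make the first rule quick and the later rule is never consulted. On a real ruleset the equivalent check is `pfctl -vvsr` to see rule order and `pfctl -vvss` to see which rule and queue a state was created with.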
This stuff is way over my head! (Hence why I'm asking for help.)
|||
@J65nko thanks again for your response...
* The 10.x networks are all /24 except 10.8, which is a /23.
* I understand that these are defined; the file was hacked together before my time and I'm somewhat clueless.
* I'm not sure what the purpose of this is:
Code:
block out on $IntIFs from <LocalNetworks>

Again, I'm pretty junior on this stuff but have the task of making sure this works. I would be willing to pay someone to actually do the work and implement it. I would be the test monkey. Is this a possibility?
I just noticed the 10.8/23 and wondered whether this was deliberate or a typo.
RE: test monkey possibility: please read the Private Message I sent to you.