PF gets block rules not any pass
Hello again :-)
I've got a problem getting a packet passed by a specific rule (OpenBSD 5.3). Every time the packet is blocked by the default rule "block all". Please look at my configuration and let me know if something is wrong with me or with PF ;-) PF processes line 55 (bold and italic), not the rest (bold and italic). I guess there is something with the redirection... or I don't know what. Obviously, if I comment out the block rule the packets go through. Thanks.

Apr 09 21:06:20.377714 rule 2/(match) block in on re1: 10.0.0.11.6009 > 10.0.0.18.9075: S 479358578:479358578(0) ack 4036054638 win 8192 <mss 1460,nop,nop,sackOK> (DF)
Apr 09 21:08:10.999121 rule 2/(match) block in on re1: 10.0.0.11.135 > 10.0.0.18.9107: S 581148785:581148785(0) ack 3544399904 win 8192 <mss 1460,nop,nop,sackOK> (DF)
Apr 09 21:08:14.008521 rule 2/(match) block in on re1: 10.0.0.11.6009 > 10.0.0.18.9108: S 1799928790:1799928790(0) ack 1530143132 win 8192 <mss 1460,nop,nop,sackOK> (DF)

Code:
################## INTERFACES AND IP's ##################
ext_if = "re0"
ip_ext = "6.1.2.4" #FAKE
ip_ext2 = "6.1.2.2" #FAKE
ip_ext3 = "6.1.2.3" #FAKE
ip_ext_upc = "1.7.8.2" #FAKE
home_if = "re1"
ip_home = "{" 10.0.0.2 10.0.0.1 "}"
ip_gw1 = "10.0.0.18"
ip_carp = "10.0.0.17"
ip_dns1 = "10.0.0.4"
ip_dns2 = "10.0.0.5"
ip_web1 = "10.0.0.6"
ip_vm1 = "10.0.0.7"
ip_mon2 = "10.0.0.8"
ip_mon1 = "10.0.0.9"
ip_dc1 = "10.0.0.10"
ip_ex1 = "10.0.0.11"
ip_mon3 = "10.0.0.13"
ip_centos = "10.0.0.14"
pfsync_if = "rl0"
ip_pfsync = "172.16.0.2"
ip_pfsync_peer = "172.16.0.1"
#vpn_if = "enc0"
#########################################################

################## LAN's, VLAN's etc. ###################
table <core_lan> { 10.0.0.0/28 }
table <internet_lan> { 10.0.0.16/28 }
table <vpn_lan> { 192.168.5.0/24 }
#########################################################

table <dns> { 217.17.34.68, 74.82.42.42, 208.67.222.222, 208.67.220.220 }
table <ntp> { 212.244.36.227, 212.244.36.228 }
table <pkg_update_source> { 193.219.28.2, 130.60.230.167, 129.128.5.191 }
table <portsnap.freebsd.org> { 46.137.83.240, 208.86.224.118, 208.83.221.214, 212.101.4.241, 93.158.155.199, 204.9.55.80, 149.20.53.40 }
table <yum.centos> { 67.212.81.83, 77.68.63.159, 85.214.205.10, 88.208.217.170, 91.215.65.226 }
table <clamav> { 168.143.19.95, 194.8.197.22, 207.57.106.31, 64.22.33.90, 69.163.100.14, 150.214.142.197, 208.72.56.53, 194.186.47.19, 78.46.84.244, 65.19.179.67, 200.236.31.1, 204.109.62.22, 194.47.250.218, 209.198.147.20, 69.12.162.28, 155.98.64.87 }
table <class_abc> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

passil = "pass in"
passol = "pass out"
logger = "log (all)"

set block-policy drop
set optimization normal
set ruleset-optimization basic
set state-policy if-bound
set timeout { tcp.established 360, tcp.closing 60 }
set skip on lo0

block in quick $logger from urpf-failed
block quick $logger inet6
block $logger all
antispoof $logger quick for { $ext_if }

pass proto carp
pass on $pfsync_if proto pfsync
##########################################################################################################################################

###################### VPN - IPsec ######################
#pass in quick on $vpn_if proto ipencap all
#pass out quick on $vpn_if all
#pass in quick on $ext_if inet proto esp from { any, !<class_abc> } to $ip_ext
#pass in quick on $ext_if inet proto esp from $ip_ext to { any, !<class_abc> }
#pass in quick on $ext_if inet proto udp from { any, !<class_abc> } to $ip_ext port isakmp
#pass out quick on $ext_if inet proto udp from $ip_ext to { any, !<class_abc> } port isakmp
#pass in quick on $vpn_if inet from <vpn_lan> to { <core_lan>, <apps_lan> }
#pass out quick on $vpn_if inet from { <core_lan>, <apps_lan> } to <vpn_lan>
#########################################################

############# NETWORK ADDRESS TRANSLATION ###############
match out on $ext_if from carp0:network to { any, !<class_abc> } nat-to $ip_ext
match out on $ext_if from $ip_ex1 to { any, !<class_abc> } nat-to $ip_ext2
match out on $ext_if from re1:network to { any, !<class_abc> } nat-to $ip_ext
#########################################################

########################### ALTQ ########################
altq on $ext_if cbq bandwidth 1Gb queue { default_ext_if, dns_ext_if, icmp_ext_if, ssh_ext_if, gg_ext_if, ntp_ext_if }
queue default_ext_if bandwidth 100Mb cbq(default)
queue dns_ext_if bandwidth 5Mb priority 7
queue ssh_ext_if bandwidth 5Mb priority 6
queue ntp_ext_if bandwidth 1Mb priority 5
queue icmp_ext_if bandwidth 1Mb priority 4
queue gg_ext_if bandwidth 1Mb priority 1

altq on $home_if cbq bandwidth 1Gb queue { default_home_if, dns_home_if, icmp_home_if, ssh_home_if, gg_home_if, ntp_home_if }
queue default_home_if bandwidth 850Mb cbq(default)
queue dns_home_if bandwidth 50Mb priority 7
queue ssh_home_if bandwidth 50Mb priority 6
queue ntp_home_if bandwidth 10Mb priority 5
queue icmp_home_if bandwidth 10Mb priority 4
queue gg_home_if bandwidth 1Mb priority 1
#########################################################

################## EXTERNAL INTERFACE re0 ################
$passol on $ext_if inet proto icmp from { $ip_ext, $ip_ext2, $ip_ext3 } to { any, !<class_abc> } queue icmp_ext_if
$passol on $ext_if inet proto tcp from $ip_ext to <pkg_update_source> port { 20, 21, 49152:65535 }
$passol on $ext_if inet proto tcp from $ip_ext to 213.135.44.33 port 22 queue ssh_ext_if
$passol $logger on $ext_if proto tcp from $ip_ext2 to { !<class_abc>, any } port 25
$passol on $ext_if inet proto udp from { $ip_ext, $ip_ext2 } to <dns> port 53 queue dns_ext_if
$passol on $ext_if inet proto tcp from { $ip_ext, $ip_ext2 } to { any, !<class_abc> } port { 25, 80, 110, 443, 465, 587, 993, 995 }
$passol on $ext_if inet proto udp from $ip_ext to <ntp> port 123 queue ntp_ext_if
$passol on $ext_if inet proto tcp from $ip_ext to 91.214.237.0/25 port 1443 queue gg_ext_if
$passil on $ext_if inet proto tcp from $ip_ext_upc to $ip_ext port 9999
$passol on $ext_if inet proto tcp from $ip_ext to $ip_ext_upc port 9999
#$passil on $ext_if inet proto tcp from <pkg_update_source> port { 20, 21, 49152:65535 } to $ip_ext
$passil $logger on $ext_if proto tcp from { !<class_abc>, any } to $ip_ext2 port 25 synproxy state (max-src-conn 20, max-src-conn-rate 5/10)
#########################################################

################# INTERNAL INTERFACE re1 ################
$passil on $home_if inet proto icmp from 10.0.0.1 to 10.0.0.2 queue icmp_home_if
$passol on $home_if inet proto icmp from 10.0.0.2 to 10.0.0.1 queue icmp_home_if
#########################################################

################## CORE LAN 10.0.0.0/28 #################
pass out on $home_if inet proto icmp from { <core_lan>, $ip_gw1 } to <core_lan> queue icmp_home_if
pass in on $home_if inet proto icmp from <core_lan> to { any, !<class_abc> } queue icmp_home_if
pass $logger on $home_if inet proto tcp from $ip_gw1 to <core_lan> port 2222 queue ssh_home_if
pass $logger on $home_if inet proto tcp from $ip_mon1 to $ip_home port 2222
pass in on $home_if inet proto udp from <core_lan> to <dns> port 53 queue dns_home_if
$passol $logger on $home_if proto tcp from { !<class_abc>, any } to $ip_web1 port 80
$passol $logger on $home_if inet proto tcp from $ip_gw1 to $ip_mon2 port 80
pass in on $home_if inet proto tcp from { $ip_web1, $ip_mon1 } to <portsnap.freebsd.org> port 80
$passil $logger on $home_if proto tcp from $ip_centos to { <yum.centos> } port 80
pass in on $home_if inet proto tcp from { $ip_dc1, $ip_ex1 } to { !<class_abc>, any } port { 80, 443 }
pass in on $home_if inet proto udp from <core_lan> to $ip_home port 123 queue ntp_home_if
$passil $logger on $home_if inet proto udp from $ip_mon3 to $ip_home port 161 #SNMP for Cacti
$passol $logger on $home_if inet proto tcp from $ip_gw1 to $ip_mon1 port 443
$passol $logger on $home_if inet proto udp from $ip_home to $ip_web1
$passil $logger on $home_if inet proto tcp from $ip_mon1 to $ip_home port 6666
$passil $logger on $home_if inet proto tcp from $ip_mon2 to <core_lan> port 10050
#########################################################

##################### Windows Domain ####################
pass $logger on $home_if proto { tcp, udp, icmp } from $ip_dc1 to $ip_ex1
pass $logger on $home_if proto { tcp, udp, icmp } from $ip_ex1 to $ip_dc1
#########################################################

################### HOME INTERFACE re1 ##################
$passil on $home_if inet proto icmp from $ip_gw1 to { $ip_home, any, !<class_abc> } queue icmp_home_if
$passil $logger on $home_if proto tcp from $ip_ex1 to { !<class_abc>, any } port 25
$passol $logger on $home_if proto tcp from { !<class_abc>, any } to $ip_ex1 port 25
$passil on $home_if inet proto udp from $ip_gw1 to <dns> port 53 queue dns_home_if
$passol $logger on $home_if inet proto udp from { !<class_abc>, any } to $ip_dns1 port 53
$passil on $home_if inet proto tcp from $ip_gw1 to { any, !<class_abc> } port { 25, 80, 110, 443, 465, 587, 993, 995 }
$passil on $home_if inet proto udp from $ip_gw1 to $ip_carp port 123 queue ntp_home_if
pass $logger on $home_if proto udp from $ip_gw1 port 137 to $ip_ex1 port 137
$passol on $home_if inet proto tcp from $ip_gw1 to $ip_vm1 port 443
$passil on $home_if inet proto tcp from $ip_gw1 to $ip_home port 2222
pass $logger on $home_if inet proto tcp from $ip_gw1 to { $ip_dc1, $ip_ex1 } port { 3389, 5555 } # MS Server and Exchange
$passol $logger on $home_if inet proto tcp from $ip_gw1 to $ip_ex1 port { 135, 1024:65535 } # MS Exchange
$passil $logger on $home_if inet proto tcp from $ip_ex1 port { 135, 1024:65535 } to $ip_gw1 # MS Exchange
#########################################################

################### RDR INTERFACE re0 ###################
$passil $logger on $ext_if proto tcp from { !<class_abc>, any } to $ip_ext2 port 25 rdr-to $ip_ex1 port 25
$passil $logger on $ext_if proto udp from { !<class_abc>, any } to $ip_ext2 port 53 rdr-to $ip_dns1 port 53
$passil $logger on $ext_if proto tcp from { !<class_abc>, any } to $ip_ext3 port 80 rdr-to $ip_web1 port 80
#########################################################

################### RDR INTERFACE re1 ###################
$passil $logger on $home_if proto tcp from $ip_gw1 to $ip_ext3 port 80 rdr-to $ip_web1 port 80
$passil $logger on $home_if proto tcp from $ip_gw1 to $ip_ext2 rdr-to $ip_ex1
#########################################################

################### PFsync INTERFACE rl0 ##################
$passol on $pfsync_if inet proto icmp from $ip_pfsync to $ip_pfsync_peer
$passil on $pfsync_if inet proto icmp from $ip_pfsync_peer to $ip_pfsync
############################################################
__________________
Arenio ------------ Secure by Default
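A reading aid for the pflog lines quoted in the post, added here as an example and not part of Arenio's post or configuration. In tcpdump's old-style TCP output an `S` flag followed by an `ack` field is a SYN/ACK, the second leg of a handshake. PF `pass` rules for TCP default to `flags S/SA`, so a SYN/ACK can never match a pass rule and create state; it passes only if a state already exists from the initial SYN on the interface it arrives on (with `set state-policy if-bound`, states are per interface). All three quoted lines are SYN/ACKs from 10.0.0.11 back to 10.0.0.18 hitting the catch-all `block log (all) all` (rule 2), so the rule to inspect is the one the initial SYN did or did not match, not a rule for the reply. The script below classifies pflog lines by handshake stage; the sample input is constructed from the three quoted lines plus a fourth, made-up line showing a blocked initial SYN for contrast.

```sh
#!/bin/sh
# Added example, not from the original post: classify the lines that
# "tcpdump -n -e -ttt -r /var/log/pflog" prints, so that blocked SYN/ACK
# replies stand out from blocked initial SYNs.

# Constructed sample input: the three lines quoted in the post, plus a
# fourth, made-up line with a blocked *initial* SYN for contrast.
PFLOG_SAMPLE='Apr 09 21:06:20.377714 rule 2/(match) block in on re1: 10.0.0.11.6009 > 10.0.0.18.9075: S 479358578:479358578(0) ack 4036054638 win 8192 <mss 1460,nop,nop,sackOK> (DF)
Apr 09 21:08:10.999121 rule 2/(match) block in on re1: 10.0.0.11.135 > 10.0.0.18.9107: S 581148785:581148785(0) ack 3544399904 win 8192 <mss 1460,nop,nop,sackOK> (DF)
Apr 09 21:08:14.008521 rule 2/(match) block in on re1: 10.0.0.11.6009 > 10.0.0.18.9108: S 1799928790:1799928790(0) ack 1530143132 win 8192 <mss 1460,nop,nop,sackOK> (DF)
Apr 09 21:09:01.123456 rule 2/(match) block in on re1: 10.0.0.18.9200 > 10.0.0.11.135: S 123456789:123456789(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)'

# pflog_classify: read pflog tcpdump lines on stdin and print one record
# per matching line:
#   <rule#> <action> <dir> <iface> <src> <dst> <stage>
# stage is SYN (first handshake leg; what a "pass ... flags S/SA" rule
# matches to create state), SYN-ACK (a reply; PF passes it only on an
# existing state, never via a pass rule) or OTHER.
pflog_classify() {
    awk '
    $4 == "rule" {
        rule = $5; sub(/\/.*/, "", rule)        # "2/(match)" -> "2"
        act = $6; dir = $7                      # e.g. "block" "in"
        iface = $9; sub(/:$/, "", iface)        # "re1:" -> "re1"
        src = $10; dst = $12; sub(/:$/, "", dst)
        if ($13 == "S" && $15 == "ack") stage = "SYN-ACK"
        else if ($13 == "S")            stage = "SYN"
        else                            stage = "OTHER"
        printf "%s %s %s %s %s %s %s\n", rule, act, dir, iface, src, dst, stage
    }'
}

# pflog_blocked_replies: only the blocked SYN/ACKs, i.e. handshake replies
# that found no state on the interface they arrived on.
pflog_blocked_replies() {
    pflog_classify | awk '$2 == "block" && $NF == "SYN-ACK"'
}

# Demo run over the constructed sample.
printf '%s\n' "$PFLOG_SAMPLE" | pflog_classify
```

On the firewall itself, feed the real log through it with `tcpdump -n -e -ttt -r /var/log/pflog | pflog_classify`. `pfctl -vvsr` prints each loaded rule prefixed with its `@` number, which is the number shown in `rule 2/(match)`, and `pfctl -ss` shows whether a state for the original SYN exists on re1.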