DaemonForums > FreeBSD > FreeBSD Security

#1
30th October 2011
mfaridi
Spam Deminer
Join Date: May 2008
Location: Afghanistan
Posts: 320
help to make best PF rules and high performance

After a long time I found a new job, and they want me to make a NAT server for internet sharing, so I want to use FreeBSD with PF.
They want me to only do NAT and not block ports; they want all ports open, only NAT, and no blocking by PF. Can I use these rules to make NAT only or not?
Please help me to improve this ruleset.
Code:
ns# cat  /usr/local/pf/pf.conf
# $FreeBSD: src/share/examples/pf/faq-example1,v 1.1 2004/09/14 01:07:18 mlaier Exp $
# $OpenBSD: faq-example1,v 1.2 2003/08/06 16:04:45 henning Exp $
# Edited by: mfaridi

################################ MACROS ############################################################

ext_if          = "sk0"
int_if          = "re0"
External_net    = "10.10.10.192/27"
Local_net       = "192.168.0.0/24"
Local_Web       = "192.168.0.10"
Local_Srv       = "192.168.0.1"
Prtcol          = "{ tcp, udp }"
Admin_IP        = "{ 10.10.10.192/27, 11.11.11.0/21, 12.12.12.0/18 }"
ICMP_Types      = "{ echorep, unreach, squench, echoreq, timex }"

#Define ports for common internet services
#TCP_SRV         = "{ 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 8443 }"
#UDP_SRV         = "{ 53 }"
TCP_SRV         = "{ 80, 443 }"
UDP_SRV         = "{ }"
Samba_TCP       = "{ 139, 445 }"
Samba_UDP       = "{ 137, 138 }"


SERVER          = "10.10.10.200"
NAT1            = "10.10.10.194"
NAT2            = "10.10.10.195"
NAT3            = "10.10.10.196"
NAT4            = "10.10.10.197"
NAT5            = "10.10.10.198"
NAT6            = "10.10.10.199"
NAT7            = "10.10.10.201"
NAT8            = "10.10.10.202"
NAT9            = "10.10.10.203"
NAT10           = "10.10.10.204"
NAT11           = "10.10.10.205"
NAT12           = "10.10.10.206"
NAT13           = "10.10.10.207"
NAT14           = "10.10.10.208"
NAT15           = "10.10.10.209"
NAT16           = "10.10.10.210"
NAT17           = "10.10.10.211"
NAT18           = "10.10.10.212"
NAT19           = "10.10.10.213"
NAT20           = "10.10.10.214"
NAT21           = "10.10.10.215"
NAT22           = "10.10.10.216"
NAT23           = "10.10.10.217"
NAT24           = "10.10.10.218"
NAT25           = "10.10.10.219"

#### All IP of Groups which can be connect to Internet
paltalk1        = "{ 192.168.0.20, 192.168.0.21, 192.168.0.22 }"
paltalk2        = "{ 192.168.0.23, 192.168.0.24, 192.168.0.25 }"
paltalk3        = "{ 192.168.0.26, 192.168.0.27, 192.168.0.28, 192.168.0.29 }"
webdsgn1        = "{ 192.168.0.30, 192.168.0.31, 192.168.0.32 }"
webdsgn2        = "{ 192.168.0.33, 192.168.0.34, 192.168.0.35 }"
webdsgn3        = "{ 192.168.0.36, 192.168.0.37, 192.168.0.38 }"
webdsgn4        = "{ 192.168.0.39, 192.168.0.40, 192.168.0.41 }"
webdsgn5        = "{ 192.168.0.42, 192.168.0.43, 192.168.0.44 }"
webdsgn6        = "{ 192.168.0.45, 192.168.0.46, 192.168.0.47 }"
webdsgn7        = "{ 192.168.0.48, 192.168.0.49, 192.168.0.50 }"
webdsgn8        = "{ 192.168.0.51, 192.168.0.52, 192.168.0.53, 192.168.0.54 }"
rased1          = "{ 192.168.0.60, 192.168.0.61, 192.168.0.62 }"
rased2          = "{ 192.168.0.63, 192.168.0.64, 192.168.0.65 }"
rased3          = "{ 192.168.0.66, 192.168.0.67, 192.168.0.68 }"
rased4          = "{ 192.168.0.69, 192.168.0.70 }"
rased5          = "{ 192.168.0.200, 192.168.0.201, 192.168.0.202, 192.168.0.203, 192.168.0.204, 192.168.0.205 }"
rased6          = "{ 192.168.0.206, 192.168.0.207, 192.168.0.208, 192.168.0.209, 192.168.0.210, 192.168.0.211 }"
rased7          = "{ 192.168.0.212, 192.168.0.213, 192.168.0.214, 192.168.0.215, 192.168.0.216, 192.168.0.217 }"
rased8          = "{ 192.168.0.218, 192.168.0.219, 192.168.0.220, 192.168.0.221, 192.168.0.222, 192.168.0.223, 192.168.0.224, 192.168.0.225  }"
admin1          = "{ 192.168.0.55, 192.168.0.56, 192.168.0.57 }"
admin2          = "{ 192.168.0.58, 192.168.0.59 }"

############################### TABLES ############################################################

#Define privileged network address sets
table <priv_nets> const { 127.0.0.0/8, 192.168.0.0/16, 13.13.0.0/12, 10.0.0.0/8, 0.0.0.0/8, \
                          14.14.0.0/16, 192.0.2.0/24, 15.15.15.0/23, 224.0.0.0/3 }
table <badguys> persist file "/usr/local/pf/Network/blocklist.lst"
table <hackers> persist file "/usr/local/pf/Network/hackers.lst"

#Define Favoured client hosts
table <Admin>   persist file "/usr/local/pf/Network/Admin.lst"
table <Paltalk> persist file "/usr/local/pf/Network/Paltalk.lst"
table <WebDsgn> persist file "/usr/local/pf/Network/WebDsgn.lst"
table <Rased>   persist file "/usr/local/pf/Network/Rased.lst"
table <LocalHost> const { self }

############################### OPTIONS ############################################################
#Default behaviour
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface $ext_if
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"
set skip on lo0
#set state-policy if-bound


############################### TRAFFIC NORMALIZATION ##############################################
#Filter traffic for unusual packets
scrub in all


############################### TRANSLATION ######################################################

#NAT for the external traffic
#Mask internal ip addresses with actual external ip address
#nat pass on $ext_if from $Local_net to any -> $SERVER

nat pass on $ext_if from $paltalk1 to any -> $NAT1
nat pass on $ext_if from $paltalk2 to any -> $NAT2
nat pass on $ext_if from $paltalk3 to any -> $NAT3
nat pass on $ext_if from $webdsgn1 to any -> $NAT4
nat pass on $ext_if from $webdsgn2 to any -> $NAT5
nat pass on $ext_if from $webdsgn3 to any -> $NAT6
nat pass on $ext_if from $webdsgn4 to any -> $NAT7
nat pass on $ext_if from $webdsgn5 to any -> $NAT8
nat pass on $ext_if from $webdsgn6 to any -> $NAT9
nat pass on $ext_if from $webdsgn7 to any -> $NAT10
nat pass on $ext_if from $webdsgn8 to any -> $NAT11
nat pass on $ext_if from $rased1   to any -> $NAT12
nat pass on $ext_if from $rased2   to any -> $NAT13
nat pass on $ext_if from $rased3   to any -> $NAT14
nat pass on $ext_if from $rased4   to any -> $NAT15
nat pass on $ext_if from $rased5   to any -> $NAT16
nat pass on $ext_if from $rased6   to any -> $NAT17
nat pass on $ext_if from $rased7   to any -> $NAT18
nat pass on $ext_if from $rased8   to any -> $NAT19
nat pass on $ext_if from $admin1   to any -> $NAT20
nat pass on $ext_if from $admin2   to any -> $NAT21


#rdr on $ext_if proto tcp from $Admin_IP to $SERVER port 5900 -> 192.168.0.100 port 5900
#rdr on $ext_if proto tcp from $Admin_IP to $SERVER port 2222 -> 192.168.0.50 port 22

############################### PACKET FILTERING #################################################

# Default Rule
pass quick on { $ext_if, $int_if } all keep state




# End of File: pf.conf
Can I use this ruleset for NAT?
I want only NAT; I do not want anything else like blocking torrent ports.

I would be grateful if you could help me modify this ruleset; I think it has a lot of problems.
Do you think I need to add some rules to it or not?
What must I do to have better NAT with high performance?
__________________
http://www.mfaridi.com
First site about FreeBSD and OpenBSD in persian or Farsi.
#2
1st November 2011
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128

Code:
# --- NAT
# a nat rule needs a translation target after "->"; ($ext_if) follows the
# interface's current address
nat on $ext_if from !($ext_if) to any -> ($ext_if)


# --- EXTERNAL interface 
# --- OUT
pass out quick on  $ext_if all keep state flags S/SA

# -- INTERNAL interface
# --- IN & OUT
pass        quick on  $int_if all keep state flags S/SA

# default block and log
block log all
This will do NAT for the internal network, only pass out traffic on the external interface, and pass out/in traffic on the internal interface.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#3
2nd November 2011
mfaridi

I think my ruleset has a problem, because after one day some computers cannot connect to the internet; they have no internet connection and I must reset PF,
but I do not know what the problem is.
#4
2nd November 2011
J65nko

How many computers are in the network? If the network is big and busy you may hit the maximum number of states that pf can track.
Code:
$ sudo pfctl -s info

Status: Enabled for 0 days 00:14:43              Debug: err

Interface Stats for egress            IPv4             IPv6
  Bytes In                         1289347                0
  Bytes Out                         372112               64
  Packets In
    Passed                            1661                0
    Blocked                              0                0
  Packets Out
    Passed                            1596                1
    Blocked                              0                0

State Table                          Total             Rate
  current entries                        3               
  searches                            3258            3.7/s
  inserts                              157            0.2/s
  removals                             154            0.2/s
Counters
  match                                157            0.2/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
Here, on my desktop machine I only have 3 states. The maximum states pf can track is:
Code:
$ sudo pfctl -s memory

states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000
pf still has room for another 10000-3=9997 states. However, in a large and busy network you may have to increase the states hard limit. See the pf.conf man page.
#5
2nd November 2011
mfaridi

I have 42 computers in my network, and all of them use Paltalk. Paltalk is a messenger and they use voice chat, and our internet speed is 1Mbps.
#6
2nd November 2011
mfaridi

When I type this
Code:
pfctl -s info
I see this
Code:
Status: Enabled for 6 days 07:24:08           Debug: Urgent

Interface Stats for sk0               IPv4             IPv6
  Bytes In                      9189704409                0
  Bytes Out                     1882048433                0
  Packets In
    Passed                        11444963                0
    Blocked                          21677                0
  Packets Out
    Passed                        10500629                0
    Blocked                              0                0

State Table                          Total             Rate
  current entries                      269               
  searches                       225488256          413.7/s
  inserts                          1103490            2.0/s
  removals                         1103221            2.0/s
Counters
  match                            1107918            2.0/s
  bad-offset                             0            0.0/s
  fragment                               3            0.0/s
  short                                  0            0.0/s
  normalize                             20            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                           52            0.0/s
  state-mismatch                     21671            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
and when I type this
Code:
pfctl -s memory
I see this
Code:
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   100000
Do you think I have a problem with my PF ruleset?
#7
3rd November 2011
J65nko

Code:
State Table                          Total             Rate
  current entries                      269
You only have 269 entries in the state table, while there is space for 10,000, so that cannot be the problem.

If you have a dynamic IP address, one that changes, you will have to use "(" and ")" around the external interface specification.
From my example above:
Code:
# --- EXTERNAL interface 
# --- OUT
pass out quick on  ($ext_if) all keep state flags S/SA
Note the ($ext_if) instead of the $ext_if.
#8
3rd November 2011
mfaridi

We have valid IPs and I use
Code:
/27
and my valid IPs are like this
Code:
10.10.10.192/27
and I use this range of IPs.
#9
3rd November 2011
J65nko

Many years ago, on bsdforums.org, I helped somebody who had the same problem as you. He thought that his Internet cafe had a fixed IP while it did not. When he restarted the pf router/firewall everything worked again for a few hours.

Because your external IP is fixed, that cannot be the problem.

What is the use of these rules?:
Code:
SERVER          = "10.10.10.200"
NAT1            = "10.10.10.194"
NAT2            = "10.10.10.195"
[snip]
NAT23           = "10.10.10.217"
NAT24           = "10.10.10.218"
NAT25           = "10.10.10.219"

nat pass on $ext_if from $paltalk1 to any -> $NAT1
nat pass on $ext_if from $paltalk2 to any -> $NAT2
nat pass on $ext_if from $paltalk3 to any -> $NAT3
nat pass on $ext_if from $webdsgn1 to any -> $NAT4
[snip]
nat pass on $ext_if from $webdsgn8 to any -> $NAT11
nat pass on $ext_if from $rased1   to any -> $NAT12
nat pass on $ext_if from $rased2   to any -> $NAT13
[snip]
nat pass on $ext_if from $rased7   to any -> $NAT18
nat pass on $ext_if from $rased8   to any -> $NAT19
nat pass on $ext_if from $admin1   to any -> $NAT20
nat pass on $ext_if from $admin2   to any -> $NAT21
The "paltalk", "webdsgn", "rased" and "admin" hosts/groups are all on the 192.168.0.0/24 network.

As far as I understand you have the following setup:
Code:
            |
            |
            |
------------|------------
     10.10.10.192/27
         external

   FreeBSD pf firewall

        internal
      192.168.0.0/24
------------|------------
            |
            |
            |
Why do you have to NAT each host individually?
You can do it with one single statement:
Code:
# --- NAT
nat on $ext_if from !($ext_if) to any -> ($ext_if)
3rd November 2011
mfaridi
Quote:
Originally Posted by J65nko
[...]
Why do you have to NAT each host individually?
You can do it with one single statement:
Code:
# --- NAT
nat on $ext_if from !($ext_if) to any -> ($ext_if)
I have to NAT each host individually, because in my workplace all of the users use Paltalk. Paltalk is a messenger for voice chat and all of the users use this messenger for voice chat; in Paltalk you can find many rooms for chat about different subjects.
The Paltalk server does not let users log in to or use three rooms from one IP, and only lets users log in to 3 rooms with one IP; when somebody wants to log in to another room, they discard it, so I have to make different NATs.
3rd November 2011
mfaridi
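An added example, not code from the thread: a POSIX sh script that generates the per-group NAT rules from one table instead of 25 NAT macros and 21 hand-written rules, and checks the limit mfaridi states (three Paltalk logins per external IP) before the ruleset is loaded. The group table is constructed from the posted macros (the three paltalk groups and rased8); run against it, the check reports that paltalk3 (four hosts) and rased8 (eight hosts) already exceed that limit in the posted ruleset. The table format and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the thread: build pf "nat" rules from one table
# and verify the constraint the poster gives for keeping them separate
# (Paltalk allows three logins per external IP). MAX_PER_IP is that limit.
MAX_PER_IP=3

# Constructed from the posted macros. Format:
#   group  external-address  comma-separated internal hosts
GROUPS_TXT='paltalk1 10.10.10.194 192.168.0.20,192.168.0.21,192.168.0.22
paltalk2 10.10.10.195 192.168.0.23,192.168.0.24,192.168.0.25
paltalk3 10.10.10.196 192.168.0.26,192.168.0.27,192.168.0.28,192.168.0.29
rased8   10.10.10.213 192.168.0.218,192.168.0.219,192.168.0.220,192.168.0.221,192.168.0.222,192.168.0.223,192.168.0.224,192.168.0.225'

# gen_nat_rules GROUPS -> pf.conf lines: one table and one nat rule per group.
# Tables keep the host lists out of the rules, so moving a host is a one-line
# edit and the rule count stays equal to the number of external addresses.
gen_nat_rules() {
    printf '%s\n' "$1" | awk '
        NF == 3 {
            hosts = $3
            gsub(",", ", ", hosts)
            printf "table <%s> const { %s }\n", $1, hosts
            printf "nat pass on $ext_if from <%s> to any -> %s\n", $1, $2
        }'
}

# check_groups GROUPS [MAX] -> prints each violation; exit status 1 if any.
# Violations: more than MAX hosts behind one external address, and the same
# external address assigned to two groups (which silently merges them).
check_groups() {
    printf '%s\n' "$1" | awk -v max="${2:-$MAX_PER_IP}" '
        NF == 3 {
            n = split($3, h, ",")
            if (n > max) {
                printf "%s: %d hosts behind %s (limit %d)\n", $1, n, $2, max
                bad = 1
            }
            if ($2 in seen) {
                printf "%s: external %s already used by %s\n", $1, $2, seen[$2]
                bad = 1
            }
            seen[$2] = $1
        }
        END { if (bad) exit 1 }'
}

# Stand-alone run on the constructed groups: print the rules, then the checks.
gen_nat_rules "$GROUPS_TXT"
check_groups "$GROUPS_TXT" || echo "fix the groups above before loading the ruleset"
```

The generated lines use the poster's own `$ext_if` macro and drop into the TRANSLATION section of pf.conf; `pfctl -nf /usr/local/pf/pf.conf` parses the result without loading it, which catches syntax errors before the running ruleset is replaced.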
My setup for NAT and IPs is like that, you understand.
4th November 2011
J65nko

Yes, now I understand, but I am afraid I cannot help you much further.

When the connections hang again, but before you restart pf, you could do the following two things:
  • redirect the pfctl -s info output to a file and investigate that.
  • redirect the output of pfctl -vvsr to a file for diagnosis

FreeBSD has a rather old version of pf. You could try to get the latest OpenBSD release, 5.0, and see whether that solves the problem. Be aware though that in OpenBSD 4.7 the NAT/RDR syntax changed. See http://www.openbsd.org/faq/pf/nat.html
13th November 2011
J65nko
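As an added example (not code from the thread): a POSIX sh script that performs the two capture steps above, plus `pfctl -s memory` and `pfctl -s states`, writing each to a timestamped file, and then reads the saved files for the state-table headroom J65nko described earlier in the thread (current entries against the states hard limit) and lists every non-zero error counter. The `pfctl` path, the `/var/tmp/pfdiag` directory, the 80% warning threshold and the embedded sample output (modelled on the counters posted above) are assumptions; on a FreeBSD router it needs root to query pf.

```shell
#!/bin/sh
# Added example, not code from the thread: snapshot pf diagnostics to files
# before restarting pf, then read the state-table headroom and the error
# counters from the saved output. PFCTL can point at a stub on a host
# without pf, and the sample below lets the analysis run offline.
PFCTL=${PFCTL:-/sbin/pfctl}

# pf_snapshot BASEDIR -> one file per query in a timestamped subdirectory;
# prints that directory's path
pf_snapshot() {
    dir="$1/pf-$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dir" || return 1
    "$PFCTL" -s info   > "$dir/info.txt"   2>&1   # counters, state-table totals
    "$PFCTL" -s memory > "$dir/memory.txt" 2>&1   # hard limits
    "$PFCTL" -vvsr     > "$dir/rules.txt"  2>&1   # rules with per-rule counters
    "$PFCTL" -s states > "$dir/states.txt" 2>&1   # which hosts hold which states
    printf '%s\n' "$dir"
}

# current_states INFO_FILE -> value of the "current entries" line
current_states() {
    awk '/^  current entries/ { print $3; exit }' "$1"
}

# states_hard_limit MEMORY_FILE -> value of the "states hard limit" line
states_hard_limit() {
    awk '$1 == "states" && $2 == "hard" { print $4; exit }' "$1"
}

# state_usage_pct INFO_FILE MEMORY_FILE -> integer percent of the limit in use
state_usage_pct() {
    cur=$(current_states "$1"); lim=$(states_hard_limit "$2")
    [ -n "$cur" ] && [ -n "$lim" ] && [ "$lim" -gt 0 ] || return 1
    echo $(( cur * 100 / lim ))
}

# nonzero_counters INFO_FILE -> "name value" for every counter except "match"
# that is not zero. "state-limit" and "memory" are the ones that would explain
# refused connections; "state-mismatch" points at packets worth a tcpdump look.
nonzero_counters() {
    awk '/^Counters/ { c = 1; next }
         c && NF >= 2 && $1 != "match" && $2 != 0 { print $1, $2 }' "$1"
}

# check_headroom INFO_FILE MEMORY_FILE [THRESHOLD_PCT] -> "ok"/"warn" line;
# exit status 1 when usage is at or above the threshold (default 80)
check_headroom() {
    pct=$(state_usage_pct "$1" "$2") || { echo "unparsable"; return 2; }
    if [ "$pct" -ge "${3:-80}" ]; then
        echo "warn: states at ${pct}% of hard limit; raise 'set limit states' in pf.conf"
        return 1
    fi
    echo "ok: states at ${pct}% of hard limit"
}

# write_sample DIR -> constructed info.txt/memory.txt, modelled on the output
# posted in the thread, so the analysis can be exercised without pf
write_sample() {
    mkdir -p "$1" || return 1
    cat > "$1/info.txt" <<'EOF'
Status: Enabled for 6 days 07:24:08           Debug: Urgent

State Table                          Total             Rate
  current entries                      269
  searches                       225488256          413.7/s
Counters
  match                            1107918            2.0/s
  bad-offset                             0            0.0/s
  state-mismatch                     21671            0.0/s
  state-limit                            0            0.0/s
EOF
    cat > "$1/memory.txt" <<'EOF'
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
EOF
    printf '%s\n' "$1"
}

# Stand-alone run: a real snapshot when pfctl is present, otherwise the sample.
if [ -x "$PFCTL" ]; then d=$(pf_snapshot /var/tmp/pfdiag); else d=$(write_sample "${TMPDIR:-/tmp}/pfdiag-sample"); fi
check_headroom "$d/info.txt" "$d/memory.txt"
nonzero_counters "$d/info.txt"
```

Run from cron every few minutes, the snapshots give a before-and-after view of the counters around the moment the clients lose connectivity, which is the comparison a single `pfctl -s info` taken after the restart cannot provide.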
REMARK from Administrator:

Because mfaridi decided to see whether a change to OpenBSD will solve the "hangs" of the ruleset on FreeBSD, the continuation of this thread is in the OpenBSD section at http://www.daemonforums.org/showthre...6531#post41282