DaemonForums > OpenBSD > OpenBSD Security
#1
Old 9th April 2014
Arenio
New User

Join Date: Apr 2009
Location: Poland/Warsaw
Posts: 8
Thanked 0 Times in 0 Posts
PF gets block rules not any pass

Hello again :-)

I've got a problem passing a packet by a specific rule (OpenBSD 5.3).
Every time the packet is blocked by the default rule "block all". Please look at my configuration and let me know if something is wrong with me or with PF ;-)
PF processes line 55 (bold and italic), not the rest (bold and italic).
I guess it is something with the redirection... or I don't know what.
Obviously, if I comment out the block rule the packets go through.
Thanks.

Apr 09 21:06:20.377714 rule 2/(match) block in on re1: 10.0.0.11.6009 > 10.0.0.18.9075: S 479358578:479358578(0) ack 4036054638 win 8192 <mss 1460,nop,nop,sackOK> (DF)
Apr 09 21:08:10.999121 rule 2/(match) block in on re1: 10.0.0.11.135 > 10.0.0.18.9107: S 581148785:581148785(0) ack 3544399904 win 8192 <mss 1460,nop,nop,sackOK> (DF)
Apr 09 21:08:14.008521 rule 2/(match) block in on re1: 10.0.0.11.6009 > 10.0.0.18.9108: S 1799928790:1799928790(0) ack 1530143132 win 8192 <mss 1460,nop,nop,sackOK> (DF)

Code:
################## INTERFACES AND IP's ##################
ext_if = "re0"
ip_ext = "6.1.2.4" #FAKE
ip_ext2 = "6.1.2.2" #FAKE
ip_ext3 = "6.1.2.3" #FAKE
ip_ext_upc = "1.7.8.2" #FAKE

home_if = "re1"
ip_home = "{" 10.0.0.2 10.0.0.1 "}"
ip_gw1 = "10.0.0.18"
ip_carp = "10.0.0.17"
ip_dns1 = "10.0.0.4"
ip_dns2 = "10.0.0.5"
ip_web1 = "10.0.0.6"
ip_vm1 = "10.0.0.7"
ip_mon2 = "10.0.0.8"
ip_mon1 = "10.0.0.9"
ip_dc1 = "10.0.0.10"
ip_ex1 = "10.0.0.11"
ip_mon3 = "10.0.0.13"
ip_centos = "10.0.0.14"

pfsync_if = "rl0"
ip_pfsync = "172.16.0.2"
ip_pfsync_peer = "172.16.0.1"

#vpn_if = "enc0"
#########################################################

################## LAN's, VLAN's etc. ###################
table <core_lan> { 10.0.0.0/28 }
table <internet_lan> { 10.0.0.16/28 }
table <vpn_lan> { 192.168.5.0/24 }
#########################################################

table <dns> { 217.17.34.68, 74.82.42.42, 208.67.222.222, 208.67.220.220 }
table <ntp> { 212.244.36.227, 212.244.36.228 }
table <pkg_update_source> { 193.219.28.2, 130.60.230.167, 129.128.5.191 }
table <portsnap.freebsd.org> { 46.137.83.240, 208.86.224.118, 208.83.221.214, 212.101.4.241, 93.158.155.199, 204.9.55.80, 149.20.53.40 }
table <yum.centos> { 67.212.81.83, 77.68.63.159, 85.214.205.10, 88.208.217.170, 91.215.65.226 }
table <clamav> { 168.143.19.95, 194.8.197.22, 207.57.106.31, 64.22.33.90, 69.163.100.14, 150.214.142.197, 208.72.56.53, 194.186.47.19, 78.46.84.244, 65.19.179.67, 200.236.31.1, 204.109.62.22, 194.47.250.218, 209.198.147.20, 69.12.162.28, 155.98.64.87 }
table <class_abc> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
passil = "pass in"
passol = "pass out"
logger = "log (all)"

set block-policy drop
set optimization normal
set ruleset-optimization basic
set state-policy if-bound
set timeout { tcp.established 360, tcp.closing 60 }
set skip on lo0
block in quick $logger from urpf-failed
block quick $logger inet6
block $logger all
antispoof $logger quick for { $ext_if }
pass proto carp
pass on $pfsync_if proto pfsync
##########################################################################################################################################

###################### VPN - IPsec ######################
#pass in quick on $vpn_if proto ipencap all
#pass out quick on $vpn_if all
#pass in quick on $ext_if inet proto esp from { any, !<class_abc> } to $ip_ext
#pass in quick on $ext_if inet proto esp from $ip_ext to { any, !<class_abc> }
#pass in quick on $ext_if inet proto udp from { any, !<class_abc> } to $ip_ext port isakmp
#pass out quick on $ext_if inet proto udp from $ip_ext to { any, !<class_abc> } port isakmp
#pass in quick on $vpn_if inet from <vpn_lan> to { <core_lan>, <apps_lan> }
#pass out quick on $vpn_if inet from { <core_lan>, <apps_lan> } to <vpn_lan>
#########################################################

############# NETWORK ADDRESS TRANSLATION ###############
match out on $ext_if from carp0:network to { any, !<class_abc> } nat-to $ip_ext
match out on $ext_if from $ip_ex1 to { any, !<class_abc> } nat-to $ip_ext2
match out on $ext_if from re1:network to { any, !<class_abc> } nat-to $ip_ext
#########################################################

########################### ALTQ ########################
altq on $ext_if cbq bandwidth 1Gb queue { default_ext_if, dns_ext_if, icmp_ext_if, ssh_ext_if, gg_ext_if, ntp_ext_if }
queue default_ext_if bandwidth 100Mb cbq(default)
queue dns_ext_if bandwidth 5Mb priority 7
queue ssh_ext_if bandwidth 5Mb priority 6
queue ntp_ext_if bandwidth 1Mb priority 5
queue icmp_ext_if bandwidth 1Mb priority 4
queue gg_ext_if bandwidth 1Mb priority 1
altq on $home_if cbq bandwidth 1Gb queue { default_home_if, dns_home_if, icmp_home_if, ssh_home_if, gg_home_if, ntp_home_if }
queue default_home_if bandwidth 850Mb cbq(default)
queue dns_home_if bandwidth 50Mb priority 7
queue ssh_home_if bandwidth 50Mb priority 6
queue ntp_home_if bandwidth 10Mb priority 5
queue icmp_home_if bandwidth 10Mb priority 4
queue gg_home_if bandwidth 1Mb priority 1
#########################################################

################## EXTERNAL INTERFACE re0 ################
$passol on $ext_if inet proto icmp from { $ip_ext, $ip_ext2, $ip_ext3 } to { any, !<class_abc> } queue icmp_ext_if
$passol on $ext_if inet proto tcp from $ip_ext to <pkg_update_source> port { 20, 21, 49152:65535 }
$passol on $ext_if inet proto tcp from $ip_ext to 213.135.44.33 port 22 queue ssh_ext_if
$passol $logger on $ext_if proto tcp from $ip_ext2 to { !<class_abc>, any } port 25
$passol on $ext_if inet proto udp from { $ip_ext, $ip_ext2 } to <dns> port 53 queue dns_ext_if
$passol on $ext_if inet proto tcp from { $ip_ext, $ip_ext2 } to { any, !<class_abc> } port { 25, 80, 110, 443, 465, 587, 993, 995 }
$passol on $ext_if inet proto udp from $ip_ext to <ntp> port 123 queue ntp_ext_if
$passol on $ext_if inet proto tcp from $ip_ext to 91.214.237.0/25 port 1443 queue gg_ext_if
$passil on $ext_if inet proto tcp from $ip_ext_upc to $ip_ext port 9999
$passol on $ext_if inet proto tcp from $ip_ext to $ip_ext_upc port 9999
#$passil on $ext_if inet proto tcp from <pkg_update_source> port { 20, 21, 49152:65535 } to $ip_ext
$passil $logger on $ext_if proto tcp from { !<class_abc>, any } to $ip_ext2 port 25 synproxy state (max-src-conn 20, max-src-conn-rate 5/10)
#########################################################

################# INTERNAL INTERFACE re1 ################
$passil on $home_if inet proto icmp from 10.0.0.1 to 10.0.0.2 queue icmp_home_if
$passol on $home_if inet proto icmp from 10.0.0.2 to 10.0.0.1 queue icmp_home_if
#########################################################

################## CORE LAN 10.0.0.0/28 #################
pass out on $home_if inet proto icmp from { <core_lan>, $ip_gw1 } to <core_lan> queue icmp_home_if
pass in on $home_if inet proto icmp from <core_lan> to { any, !<class_abc> } queue icmp_home_if
pass $logger on $home_if inet proto tcp from $ip_gw1 to <core_lan> port 2222 queue ssh_home_if
pass $logger on $home_if inet proto tcp from $ip_mon1 to $ip_home port 2222
pass in on $home_if inet proto udp from <core_lan> to <dns> port 53 queue dns_home_if
$passol $logger on $home_if proto tcp from { !<class_abc>, any } to $ip_web1 port 80
$passol $logger on $home_if inet proto tcp from $ip_gw1 to $ip_mon2 port 80
pass in on $home_if inet proto tcp from { $ip_web1, $ip_mon1 } to <portsnap.freebsd.org> port 80
$passil $logger on $home_if proto tcp from $ip_centos to { <yum.centos> } port 80
pass in on $home_if inet proto tcp from { $ip_dc1, $ip_ex1 } to { !<class_abc>, any } port { 80, 443 }
pass in on $home_if inet proto udp from <core_lan> to $ip_home port 123 queue ntp_home_if
$passil $logger on $home_if inet proto udp from $ip_mon3 to $ip_home port 161 #SNMP for Cacti
$passol $logger on $home_if inet proto tcp from $ip_gw1 to $ip_mon1 port 443
$passol $logger on $home_if inet proto udp from $ip_home to $ip_web1
$passil $logger on $home_if inet proto tcp from $ip_mon1 to $ip_home port 6666
$passil $logger on $home_if inet proto tcp from $ip_mon2 to <core_lan> port 10050
#########################################################

##################### Windows Domain ####################
pass $logger on $home_if proto { tcp, udp, icmp } from $ip_dc1 to $ip_ex1
pass $logger on $home_if proto { tcp, udp, icmp } from $ip_ex1 to $ip_dc1
#########################################################

################### HOME INTERFACE re1  ##################
$passil on $home_if inet proto icmp from $ip_gw1 to { $ip_home, any, !<class_abc> } queue icmp_home_if
$passil $logger on $home_if proto tcp from $ip_ex1 to { !<class_abc>, any } port 25
$passol $logger on $home_if proto tcp from { !<class_abc>, any } to $ip_ex1 port 25
$passil on $home_if inet proto udp from $ip_gw1 to <dns> port 53 queue dns_home_if
$passol $logger on $home_if inet proto udp from { !<class_abc>, any } to $ip_dns1 port 53
$passil on $home_if inet proto tcp from $ip_gw1 to { any, !<class_abc> } port { 25, 80, 110, 443, 465, 587, 993, 995 }
$passil on $home_if inet proto udp from $ip_gw1 to $ip_carp port 123 queue ntp_home_if
pass $logger on $home_if proto udp from $ip_gw1 port 137 to $ip_ex1 port 137
$passol on $home_if inet proto tcp from $ip_gw1 to $ip_vm1 port 443
$passil on $home_if inet proto tcp from $ip_gw1 to $ip_home port 2222
pass $logger on $home_if inet proto tcp from $ip_gw1 to { $ip_dc1, $ip_ex1 } port { 3389, 5555 } # MS Server and Exchange
$passol $logger on $home_if inet proto tcp from $ip_gw1 to $ip_ex1 port { 135, 1024:65535 } # MS Exchange
$passil $logger on $home_if inet proto tcp from $ip_ex1 port { 135, 1024:65535 } to $ip_gw1 # MS Exchange
#########################################################

################### RDR INTERFACE re0 ###################
$passil $logger on $ext_if proto tcp from { !<class_abc>, any } to $ip_ext2 port 25 rdr-to $ip_ex1 port 25
$passil $logger on $ext_if proto udp from { !<class_abc>, any } to $ip_ext2 port 53 rdr-to $ip_dns1 port 53
$passil $logger on $ext_if proto tcp from { !<class_abc>, any } to $ip_ext3 port 80 rdr-to $ip_web1 port 80
#########################################################

################### RDR INTERFACE re1 ###################
$passil $logger on $home_if proto tcp from $ip_gw1 to $ip_ext3 port 80 rdr-to $ip_web1 port 80
$passil $logger on $home_if proto tcp from $ip_gw1 to $ip_ext2 rdr-to $ip_ex1
#########################################################

################### PFsync INTERFACE rl0  ##################
$passol on $pfsync_if inet proto icmp from $ip_pfsync to $ip_pfsync_peer
$passil on $pfsync_if inet proto icmp from $ip_pfsync_peer to $ip_pfsync
############################################################
__________________
Arenio

------------
Secure by Default
#2
Old 10th April 2014
jggimi
More noise than signal

Join Date: May 2008
Location: USA
Posts: 3,814
Thanked 214 Times in 189 Posts

Hello again.

I have tried to make sense of your configuration file and your log output. I have failed. There are too many odd macros, the tcpdump log is too sparse, it is unclear what IP addresses are the routers, and the pass definitions are so complex I cannot tell what is intended to be passed.

I can confirm that rule #2 is your block all rule. I assume that you are matching this rule because the traffic does not match any of the pass rules.

You don't appear to have rules for passing port 6009 or port 135. But you might. I just can't tell. The file is too hard for me to read.
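As an added example (not part of either post, and not code from the OpenBSD project), the following Python script parses tcpdump output from the pflog interface in the shape quoted in the first post, counts blocked packets per rule number, direction and interface, groups them by the peer and source port that sent them, and flags packets that are SYN+ACK replies. The three sample lines embedded in the script are copied from the post; the line format assumed is the one tcpdump prints on OpenBSD for IPv4 TCP/UDP pflog records, with the older "S ... ack N" rendering of SYN+ACK.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: the three pflog lines quoted in the first post.
SAMPLE_LOG = """\
Apr 09 21:06:20.377714 rule 2/(match) block in on re1: 10.0.0.11.6009 > 10.0.0.18.9075: S 479358578:479358578(0) ack 4036054638 win 8192 <mss 1460,nop,nop,sackOK> (DF)
Apr 09 21:08:10.999121 rule 2/(match) block in on re1: 10.0.0.11.135 > 10.0.0.18.9107: S 581148785:581148785(0) ack 3544399904 win 8192 <mss 1460,nop,nop,sackOK> (DF)
Apr 09 21:08:14.008521 rule 2/(match) block in on re1: 10.0.0.11.6009 > 10.0.0.18.9108: S 1799928790:1799928790(0) ack 1530143132 win 8192 <mss 1460,nop,nop,sackOK> (DF)
"""

# One IPv4 TCP/UDP line as tcpdump prints it from the pflog interface
# (assumed format; matches the lines above).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:.]+) "
    r"rule (?P<rule>\d+)/\d*\((?P<reason>[\w-]+)\) "
    r"(?P<action>block|pass|match) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?P<rest>.*)$"
)


def parse_line(line):
    """Parse one pflog line into a dict; return None for lines in another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    # For TCP the first token after the ports is the flag string ("S", "S.",
    # "P.", "F", "."); older tcpdump versions print a SYN+ACK as "S ... ack N".
    flags = rec["rest"].split(" ", 1)[0]
    rec["syn"] = "S" in flags
    rec["ack"] = "." in flags or " ack " in rec["rest"]
    # A SYN+ACK is the second packet of a handshake. A TCP pass rule with PF's
    # default "flags S/SA" creates state only from the initial SYN, so a
    # blocked SYN+ACK means no existing state matched it on this interface.
    rec["reply"] = rec["syn"] and rec["ack"]
    return rec


def parse_pflog(text):
    """All parseable records from a blob of pflog output."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """Count blocks per (rule, direction, interface) and group blocked packets
    by sender and its source port, so a service port (135, 6009) stands out
    from the ephemeral client ports on the other side."""
    by_rule = Counter()
    flows = defaultdict(list)
    replies = []
    for r in records:
        if r["action"] != "block":
            continue
        by_rule[(r["rule"], r["dir"], r["iface"])] += 1
        flows[(r["src"], r["sport"], r["dst"])].append(r["dport"])
        if r["reply"]:
            replies.append(r)
    return {"by_rule": dict(by_rule), "flows": dict(flows), "replies": replies}


def report(text):
    """Summary lines, returned rather than printed so they can be checked."""
    s = summarize(parse_pflog(text))
    lines = []
    for (rule, direction, iface), n in sorted(s["by_rule"].items()):
        lines.append(f"rule @{rule}: {n} packet(s) blocked {direction} on {iface}")
    for (src, sport, dst), dports in sorted(s["flows"].items()):
        lines.append(f"  {src}:{sport} -> {dst} dst ports {sorted(dports)}")
    if s["replies"]:
        lines.append(f"  {len(s['replies'])} of these are SYN+ACK replies: "
                     "check 'pfctl -ss' for a state covering the initiating SYN")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

The rule number in a pflog line is the position of the rule in the loaded ruleset, which `pfctl -vvsr` prints as `@N` in front of each rule; that is how "rule 2" can be tied to a line of pf.conf without counting by hand. On the sample lines the script shows all three blocked packets are SYN+ACK segments from 10.0.0.11 (ports 135 and 6009) back to 10.0.0.18, so they were not candidates for a pass rule with the default `flags S/SA` and depended on an existing state; with `set state-policy if-bound`, a state created on one interface does not match a reply arriving on another, which is why the interface in the log line and the output of `pfctl -ss` are the two things to compare.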