Migrating from iptables to pf, a love story

[Popelicious]

Hello everybody, I'm a network admin in a small company. I'm in charge of modernizing the firewalls, two very old linux boxes with iptables.

Now, I could just go and install some CentOS with iptables and relax with a cup of coffee while my boss looks approvingly, or I could go with new (for me) and sexy powerfull pf on OpenBSD that i fell in love with. I'm going for the second option

So, as part 1 of my plan I have been researching all I can on pf, as a practice installed OpenBSD on a small machine and tried to write my pf.conf. Once done i tried to swap this small firewall we have that has nat and forwards ldap and port 8080 to 2 different machines in preparation for the big changes. It doesn't work

I humbly ask for some guidance as I kinda have a deadline for this of 2 weeks and I'm stuck.

The network is like this:
Isp router forwards all ports to rl0 interface (192.168.0.9, then the nfe0 iface (192.168.200.151) goes to the servers network.

I'll paste my pf.conf down here:

Code:

set skip on lo

# filter rules and anchor for ftp-proxy(8)
anchor "ftp-proxy/*"
pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

# anchor for relayd(8)
#anchor "relayd/*"

pass        # to establish keep-state

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

#######MACROS########
ext_if = "rl0"
int_if = "nfe0"
pub_ip = "6.6.6.6"
IntNet = "{ 192.168.200.0/24, 192.168.122.0/24 }"
server1 = "192.168.200.31"
server2 = "192.168.122.103"

######PROTECTION####
#antispoof log quick on $ext_if
######RULES########
block all
pass in on $int_if from $IntNet
pass out on $int_if from $IntNet
pass out on $ext_if from $int_if to any nat-to $ext_if

pass in on $ext_if proto tcp from 6.6.6.6 port 389 rdr-to $server1 port 389
pass in on $ext_if proto tcp from 6.6.6.6 port 8080 rdr-to $server2 port 8080

Thanks a lot guys.

[J65nko]

Some tips:

• Organize your rules by interface, direction, protocol.
• Use log in your rules to trouble shoot. pf will make all the logged packets appear on the pflog0 interface.
  You can view these packets using tcpdump:
  
  Code:

  # tcpdump -eni pflog0

• Keep in mind that pf uses a "last matching rule wins" strategy.
  The following rules will pass all traffic because it is the last matching rule:
  Code:

  block all
  pass all
  block all
  pass all

  Use the quick keyword to escape this "last matching rule wins" strategy.
  
• If you are new to pf build your rule set incrementally.
  The father of Pascal and Modula, Niklaus Wirth called this approach "stepwise refinement".
  
• Use interface groups and interface modifiers to get rid of those $ext_if and $IntNet macroes:
  
  Code:

  # ifconfig 
  
  xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
          lladdr 00:10:4b:d1:ab:5d
          priority: 0
          groups: egress
          media: Ethernet autoselect (100baseTX full-duplex)
          status: active
  
  [snip]
  xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
          lladdr 00:10:5a:14:52:a5
          priority: 0
          groups: internal
          media: Ethernet 100baseTX full-duplex
          status: active
          inet 192.168.222.10 netmask 0xffffff00 broadcast 192.168.222.255

  Now you can use rules like
  
  Code:

  pass in quick on internal inet proto tcp from internal:network .......
  pass out quick on egress inet proto tcp from any to any port = 80

  You can define the interface group in a hostname.if(5) file:
  
  Code:

  # cat /etc/hostname.xl1
  
  inet       192.168.222.10 255.255.255.0 NONE group internal
  inet alias 192.168.222.11 255.255.255.255
  !ifconfig xl1 media 100baseTX mediaopt full-duplex

[Popelicious]

Thank for the tricks, I'll try to log pf tomorrow and see where is the problem.

Cheers.

[daemonfowl]

Hi J65nko !
I'd like to thank you so much for those interesting tips !

[Popelicious]

Hello everyone. After thinkering with pf and reading all the pf stuff i could find i got a ruleset working for my conf.

My only problem is that i can only reach the services behind the pf box if i use the same machine as a gateway for the box that is running those services, something that unfortunatelly can't be done.

At the minute I have 2 routers from my ISP with 8 public ip's each, one of them being 192.168.0.1 and the other is 192.168.10.1.
The .0.1 router uses NAT for his 8 public ip's and .10.1 routes his 8 public ip's to a single iptables based firewall, with if_ext 192.168.10.5 and if_int 192.168.200.25.

My pf box is behind one of the nat adresses, and everything seems to be fine if i use it as gw for all the boxes i i redirect ports to. The problems arises when i redirect ports to a box that has gw 192.168.200.25.

For example, lets say i have 192.168.200.93 as the www server, the pf box is 192.168.200.152 If i have set .200.93 gateway as .200.152 (the pf box) everything works and i can access the www server from outside with no problems.
Now, if that gateway gets changed to the .200.25 box it won't.

What is eating me is that this configuration does work for other machines if i use iptables, so i'm sure it's my pf configuration.

Here is it:

Code:

#interfaces
ext_if="rl0"  
int_if="nfe0" 

#ftp
anchor "ftp-proxy/*"
pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

#networks
lan="192.168.200/24"  
ip="public ip"

#services pf box
servicios_tcp="{domain}" 
servicios_udp="{domain}" 
servicios_icmp="echoreq"

# internal server
serv_ip="192.168.200.93"
servicios_serv="{ldap,smtp,www,https,imaps}"

#block policy and log
set block-policy return
set loginterface $ext_if
set skip on {lo enc0}

#scrub in all #commented due to testing


block in log all 
pass out keep state
pass quick on { lo }
antispoof quick for { lo $int_if }

pass in quick log on $int_if

#nat
match out log on egress from $int_if:network to any nat-to (egress) #test nat

match in log on $ext_if proto tcp from any to any port 80 rdr-to $serv_ip port 80
match in log on $ext_if proto tcp from any to any port 443 rdr-to $serv_ip port 443

pass in on $ext_if inet proto tcp from any to ($ext_if) port $servicios_tcp keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port $servicios_udp keep state
pass in inet proto icmp all icmp-type $servicios_icmp keep state
synproxy state
pass in on $ext_if proto tcp from any to any port $servicios_serv flags S/SA synproxy state

Anyone can explain to me what is happening?

Thanks

[J65nko]

Without a detailed network diagram it is very difficult to visualize your network setup and thus to diagnose your problem.

[Popelicious]

Hey, thanks for the answer. Sorry for the confused explanation.

Ok, I''l try to post a diagram today.

Thanks.

[Popelicious]

Hi guys, just updating situation here. I set up an OpenBSD box with pf, pftop and pfstats and I'm using it as firewall for my users connection to the outside. It's working greatly.

I still need to solve the problem I posted previously, I will post soon a network diagram.

Thanks.