Pf Nat getting started ??

[neurosis]

I created a very very simple set of PF rules to try and get my idea for a simplified home network setup. I have some what of a question on this posted in another thread but it became a bit off topic and this is a little more specific. Ive created a very simple set of rules in PF for NAT and some redirecting and before I put this together would like some opinions/suggestions. This is not meant to be a secure set up as of yet although I would love some suggestions to help secure it without breaking it with my limited knowledge.

Code:

# Macros: define common values, so they can be referenced and changed easily.
ext_if="re0"                                            # The external interface to internet
int_if="rl0"                                            # The internal interface to Linksys wrt54gl


#external_addr="192.168.42.5"                           # My external address is DHCP so this doesnt do me any good?
webserver="10.1.10.10"                                   #jailed in host
ftpserver="10.1.10.11"                    	         #jailed in host
webports="{80, 8080, 443, 22}"
ftpports="21, 22"
internal_ports="{55, 88}" #just entered some arbitrary numbers that will be forwarded to linksys to be changed later.

#Options
set block-policy return
set loginterface $ext_if
set skip on lo

# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.

nat on $ext_if from !($ext_if) to any -> ($ext_if) 


# rdr: packets coming in on $ext_if with destination $external_addr:1234 will
# be redirected to 10.1.1.1:5678. A state is created for such packets, and
# outgoing packets will be translated as coming from the external address.

rdr on $ext_if proto tcp from any to ($ext_if) port $webports -> $webserver
rdr on $ext_if proto tcp from any to ($ext_if) port $ftpports -> $ftpserver

# Make sure we don't block any traffic to test setup. 
# Rules
pass in all
pass out all

My goal is to allow anything coming from my int_if out to the internet and have few ports allowed to connect to it. I also eventually I want to start blocking what is allowed from int_if to my firewall but i dont have that figured out yet. I also eventually want to limit what is allowed in and out of the jails. does this look like something that would work or are my rules very bad?

[J65nko]

You can define a simple default policy to block all traffic. Then you tag the allowed traffic. Only let this pass in (on the internal interface) and out on the external one.

Code:

# cat test.pf

ext_if = bge0
int_if = re0


TCP_services="{ www whois}"
UDP_services="{ domain ntp }"

nat on $ext_if tagged OUT_OK  -> $ext_if

block log (all)

pass out quick on $ext_if tagged OUT_OK

pass in quick on $int_if inet proto tcp to any  port $TCP_services tag OUT_OK
pass in quick on $int_if inet proto udp to any  port $UDP_services tag OUT_OK

A test load shows how these rules expand

Code:

ext_if = "bge0"
int_if = "re0"
TCP_services = "{ www whois}"
UDP_services = "{ domain ntp }"
@0 nat on bge0 inet all tagged OUT_OK -> 192.168.222.20
@0 block drop log (all) all
@1 pass out quick on bge0 all flags S/SA keep state tagged OUT_OK
@2 pass in quick on re0 inet proto tcp from any to any port = www flags S/SA keep state tag OUT_OK
@3 pass in quick on re0 inet proto tcp from any to any port = whois flags S/SA keep state tag OUT_OK
@4 pass in quick on re0 inet proto udp from any to any port = domain keep state tag OUT_OK
@5 pass in quick on re0 inet proto udp from any to any port = ntp keep state tag OUT_OK

[neurosis]

This will be my soon future plan. I will start blocking once I get the connection figured out. Right now I have the BSD box connected to the internet through my isp and it works fine. I configured the internal nic to use 10.1.10.1 and hooked my Linksys router up to that. My plan is to allow "all" out from the linksys but only selected ports in. I know this sounds strange maybe but im in a learning process here My problem is, I plug the router in to int_if . I set the router ip static and to 10.1.10.2 netmask 255.255.255.0 gateway 10.1.10.1 dns to what my isp assigned. I can ping 10.1.10.1 from the router. I can ping 10.1.10.2 from the router <grin> but I cant ping 10.1.10.2 from the Freebsd box. I can however ping 10.1.10.1 from the freebsd box. I cant figure out yet why I am having a hard time with this connection. It seems like it should be so simple. Using PF should take care of all of my routing needs shouldnt it? no need for natd?

[J65nko]

pf does network address/port translation as well as redirects. So there is no need to use natd at all.

I have a hard time understanding your problem Can you post a simple network diagram of what you are trying to do.

BTW adding some whitespace, e.g. hitting return once in a while, will make your posts more easy to understand

[neurosis]

Quote:

Originally Posted by J65nko

pf does network address/port translation as well as redirects. So there is no need to use natd at all.

I have a hard time understanding your problem Can you post a simple network diagram of what you are trying to do.

BTW adding some whitespace, e.g. hitting return once in a while, will make your posts more easy to understand

Haha! Sorry for that. It was late and I was trying to relay what I could without losing my train of thought. I was a bit frustrated too at my problem. I'll try to explain and sorry if this is a bit long winded.

The problem with my connection was DNS. I could ping but not resolve anything coming from inside of the private network. The freebsd box is hooked directly up to my isp and works fine.

Today to fix my problem, I brought a laptop home from work. It allows me to troubleshoot allot easier than trying to send commands from my router.

Today I hooked my router up to my ISP like normal.

I put the FreeBSD box behind the router and set up ext_if to DHCP.

I set int_if to 10.1.10.1.

I rebooted the FreeBSD machine and loaded the firewall and rules for nat (lack of rules is more like it <GRIN>

I set my laptop up using 10.1.10.2 255.255.255.0 Gateway 10.1.10.1.

Instead of using the gateway ip for DNS, I used what my isp sent to my router. That solved my DNS problem.

I can now traverse the internet from my laptop connected to the FreeBSD Gateway. Now I am going to add rules and will be able to test them before I set my FreeBSD firewall up in front of the router.

My goal is to have a setup like this.

Internet <-> FreeBSD Gateway <-> Linksys Router <-> Private Network

My FreeBSD Gateway will be running three jails. Mail, WWW, FTPD
My internal network should be completely protected if I do this right and not allowing any connections in through the router. I want to limit connections in and out of each jail and also in and out of the FreeBSD Gateway itself.

I do have one question however. Is it possible to write a rule that allows all traffic to pass out through the Gateway from 10.1.10.2 but not in?

pass out quick on $ext_if from 10.1.10.2 to any flags S/SA modulate state <-- would that rule work?

That is my next step. I also need to make sure to open SSH to the Gateway before blocking anything so if I screw up I can ssh in and fix it.

Enough for now. Thanks for your help.

[J65nko]

Quote:

Originally Posted by neurosis

Internet <-> FreeBSD Gateway <-> Linksys Router <-> Private Network

I wonder why you still would need the Linksys router if your FreeBSD box, plays for firewall/gateway

Quote:

Originally Posted by neurosis

I do have one question however. Is it possible to write a rule that allows all traffic to pass out through the Gateway from 10.1.10.2 but not in?

Code:

pass out quick on $ext_if from 10.1.10.2 to any flags S/SA modulate state

<-- would that rule work?

Yes that would work for TCP traffic. You would need a similar rule for UDP like this

Code:

pass out quick on $ext_if inet proto udp from 10.1.10.2 to any keep state

The icmp one is similar although I would restrict that to echo requests only (used by ping ).

[neurosis]

Quote:

Originally Posted by J65nko

I wonder why you still would need the Linksys router if your FreeBSD box, plays for firewall/gateway

Because I dont trust my ability to make a secure firewall yet of course. Its my "onion" of security so to speak.

Quote:

Yes that would work for TCP traffic. You would need a similar rule for UDP like this

Code:

pass out quick on $ext_if inet proto udp from 10.1.10.2 to any keep state

The icmp one is similar although I would restrict that to echo requests only (used by ping ).

One other question about this rule to simplify it. can it look like this?

Code:

pass out quick on $ext_if inet proto { tcp, udp, icmp } from $int_if:10.1.10.2 \ 
to any modulate state

I want to make sure that what is so liberally allowed out is coming from that ip only on my int_if. Is $int_if:10.1.10.2 even a viable option? I added the rule in my pf.conf to use int_if:network, im just wondering how flexible that is.
Ive only seen $int_if:network in examples but I would like to limit it down a bit more.

I also would like to limit the icmp more as you said above, only to echo requests, but is that necessary for outgoing icmp from inside of my personal network? Just looking for opinions.

Also, would there be any reason to not add the quick option to this rule since I dont want any rules affecting this later on although Im not sure what they would be.

Here is the example I saw on the pf faq.

Code:

Keep state on outgoing TCP, UDP, and ICMP packets and modulate TCP ISNs:

    pass out on fxp0 proto { tcp, udp, icmp } from any \
        to any modulate state

Thanks a bunch for your help. I really appreciate it.

[neurosis]

I just wanted to follow up here. First off the

Code:

pass out quick on $ext_if inet proto { tcp, udp, icmp } from $int_if:10.1.10.2 \ 
to any modulate state

rule did not work out for me. Ive tried it several ways.

Code:

pass out quick on $ext_if inet proto { tcp, udp, icmp } from ($int_if) \ 
to any modulate state

to

Code:

pass out quick on $ext_if from  ($int_if) to any modulate state

to

Code:

pass out quick on $ext_if from 10.1.10.2 to any

So far with my limited knowledge, the only way I have been able to pass through the Gateway is with this combination of rules.

Code:

ext_if="fxp0"
int_if="fxp1"
lan_hosts="{10.1.10.2 10.1.10.3}"

nat on $ext_if from { 192.168.0.1/16 } to any -> ($ext_if)

# allow traffic initiated from Router to outside
pass out quick on $ext_if from ($ext_if) to any modulate state

# allow all traffic only for connections initiated from LAN to Internet
pass in quick on $int_if from $lan_hosts to any modulate state

This allows traffic from the lan to the internet but does not allow unsolicited traffic in to my lan. This is a good starting point, but to do what I am trying to accomplish I I can modify this rule:

Code:

pass in quick on $int_if from $lan_hosts to any modulate state

to regulate what the lan is doing. Then the problem is, I want to regulate what traffic is allowed out of the Gateway

This rule:

Code:

pass out quick on $ext_if from ($ext_if) to any modulate state

It just allows all traffic initiated by itself out. Man I feel dense. This seems like it would be somewhat insecure??

I will change the above rule in to several rules to regulate what is allowed out of the gateway. My thinking is, that the rules minimally have to match the LAN rules to not break the LAN connection to the internet but what If i want to restrict the gateway separately? Is this even intelligent thinking or am I just being thick?

[J65nko]

I don't understand why you don't use the rules I proposed in one of the first posts and add the one for the firewall initiated traffic

Code:

block log (all)

pass out quick on $ext_if tagged OUT_OK

pass out  on $ext_if from ($ext_if) to any modulate state tag OUT_OK

pass in quick on $int_if inet proto tcp to any  port $TCP_services tag OUT_OK
pass in quick on $int_if inet proto udp to any  port $UDP_services tag OUT_OK

The advantage of having a block log (all) rule is debugging. All packets that are being blocked by pf will show up on the pflog0 device. You can watch these packets by running tcpdump on this device:

Code:

# tcpdump -eni pflog0

Re: examples of OpenBSD pf user guide

If you are not running OpenBSD you have to be careful with using the examples from the pf user guide. That guide is up-to-date for OpenBSD only

It usually takes some time before the newest pf features available for OpenBSD, have been migrated/ported to FreeBSD.
That is why I am a little bit conservative in recommending you the latest and greatest pf features

[neurosis]

I am just now starting to understand how the tags work. The tags look like a very good idea! I will probably add them very soon to my rules.

When i look at the pflog0 device it is cluttered very badly with DHCP BootP and Igmp queries from my isp.

When I run

Code:

 tcpdump -eni re0

it has a very big flow of information.

Youve helped out so much can I pick your brain with one more question. I think this will help me get a better understanding overall of how pf works.


I have an ftpd set up inside of a jail. It is set up to use passive and ports 30000 to 50000. I have all of my nat with rdr set up correctly and with the firewall set to pass in all and pass out all it works flawlessly. Once i set up the firewall to block all, it breaks the ftpd.

I have my int_if set to 10.1.10.1 and am using 10.1.10.10 for the ftpd jail. I have port 21 and 30000:50000 -> 10.1.10.1

ive been struggling trying to get this to work. I am also having a hard time finding and example searching google. Most just use a ftp proxy. I know that I could set one up but would rather learn this first.

[J65nko]

Oops, I made an mistake in my post showing you how to use tcpdump for watching blocked packets by a block log (all) rule.

The correct command is to specify the pflog0 device

Code:

tcpdump -eni pflog0

[neurosis]

Well, I figured it out! I figured out how to allow the connection to pass through my firewall to the jail running the ftpd and use the passive ports. It was very simple and I cant believe that I didnt understand it sooner.