FreeBSD + pf = whoops

Discussion in 'Linux & BSD' started by Dark Atheist, Nov 12, 2008.

  1. Dark Atheist

    Dark Atheist Moderator Political User Folding Team

    Messages:
    6,376
    Location:
    In The Void
    ext_if = "nfe0"
    int_if = "nfe1"

    block in on $ext_if from any to any
    pass in on $int_if from { 164.168.1.1/24 } to any
    pass in on $ext_if from { 192.168.1.1/24 } to any
    pass in on $ext_if from { xx.xx.xx.xx } to { 80, 443, 2010, 6500-6510 }
    table <friends> { some.dns.name1, somedns.name2, somedns.name3, some.dns.name4 }
    pass in on $ext_if from <friends> to { 80, 443, 2010, 6500-6510 }

    So here is my pf.conf file. Now I know I'm missing something from there, as it's now blocking all outgoing connections so I cannot even grab updates to the ports tree.

    I did have this issue written down somewhere, but for the life of me I can't find the thread on here that gave me the solution or the txt file I thought I put it in :(

    Is there anyone out there who can help me out?

    Thanks
     
  2. Geffy

    Geffy Moderator Folding Team

    Messages:
    7,805
    Location:
    United Kingdom
    Try slapping a "pass out quick on $ext_if from any to any" at the bottom and see if it helps. I'd expect it to not firewall outgoing as you've not told it to block it.
     
  3. Dark Atheist

    That doesn't seem to have sorted it :( - wonder if it's because I have block in on $ext_if from any to any

    Although I would have thought if I made the connection the incoming would be allowed.
     
  4. Dark Atheist

    http://www.freebsd.org/cgi/query-pr.cgi?pr=94877 - that had the solution :) - plus you were right Geffy. Any idea though why modulate-state appended to the end of your line would cause pf to freak out? I could have sworn I had that before and it never moaned about syntax.
     
  5. LordOfLA

    LordOfLA Godlike!

    Messages:
    7,027
    Location:
    Maidenhead, Berkshire, UK
    modulate state does weird things to packets. You should keep it as keep-state.

    Also change block to drop - stealth mode :)
     
  6. Dark Atheist

    So to be clear then Lord, it should be

    ext_if = "nfe0"
    int_if = "nfe1"

    drop in on $ext_if from any to any
    pass out quick on $ext_if from any to any keep-state

    pass in on $int_if from { 164.168.1.1/24 } to any
    pass in on $ext_if from { 192.168.1.1/24 } to any
    pass in on $ext_if from { xx.xx.xx.xx } to { 80, 443, 2010, 6500-6510 }
    table <friends> { some.dns.name1, somedns.name2, somedns.name3, some.dns.name4 }
    pass in on $ext_if from <friends> to { 80, 443, 2010, 6500-6510 }
     
  7. LordOfLA

  8. Dark Atheist

    Bah.

    Getting syntax errors now!!!!

    my-serv# pfctl -n -f /etc/pf.conf
    /etc/pf.conf:4: syntax error
    /etc/pf.conf:5: syntax error

    :(

    Edit: did a bit of reading on pf and I fixed it :)

    ext_if = "nfe0"
    int_if = "nfe1"

    block drop in on $ext_if from any to any
    pass out quick on $ext_if from any to any keep state

    pass in on $int_if from { 164.168.1.1/24 } to any
    pass in on $ext_if from { 192.168.1.1/24 } to any
    pass in on $ext_if from { xxx.xxx.xxx.xxx. } to { 80, 443, 2010, 6500-6510 }
    table <friends> { some.dns.name1, somedns.name2, somedns.name3, some.dns.name4 }
    pass in on $ext_if from <friends> to { 80, 443, 2010, 6500-6510 }

    Seems it required block on line 4, and keep state rather than keep-state.

    my-serv# pfctl -n -f /etc/pf.conf
    my-serv#

    And all is healthy again :p

    (would give you reps M but it won't let me, seems I have to spread it about)
     
    Last edited: Mar 26, 2009
  9. X-Istence

    X-Istence * Political User

    Messages:
    6,498
    Location:
    USA
    drop in on $ext_if
    pass out quick on $ext_if keep-state
     
  10. Dark Atheist

    Guess I can give your suggestion a try as well X :) (would give reps but like Lord I have to whore it about a bit first)

    Edit: get syntax errors with your suggestion too X - yet if I change it to

    block drop in on $ext_if
    pass out quick on $ext_if keep state

    it works fine. I don't know what versions people are using but I'm on 7; would there be much of a change between 6 and 7 even if 7 was using an updated pf package?
     
  11. Geffy

    set block-policy drop
    block in on $ext_if
    pass out quick on $ext_if keep state
     
  12. Dark Atheist

    I'm guessing those are to replace the first two lines?
     
  13. Geffy

    Yeah, setting the block policy just means you don't have to explicitly tell it to stealth your ports in every block line, though "block drop in $ext_if" is still only one occurrence. I just like using the sets when I can.
     
  14. Dark Atheist

    ext_if = "nfe0"
    int_if = "nfe1"

    set block-policy drop
    block in on $ext_if
    pass out quick on $ext_if keep state
    pass in on $int_if from { 164.168.1.1/24 } to any
    pass in on $ext_if from { 192.168.1.1/24 } to any
    pass in on $ext_if from { xx.xx.xx.xx, xx.xx.xx.xx } to { 80, 443, 2010, 6500-6510 }
    table <friends> { some.dns.name1, somedns.name2, somedns.name3, some.dns.name4 }
    pass in on $ext_if from <friends> to { 80, 443, 2010, 6500-6510 }

    This is my pf.conf file now, but even so the people whose IPs I have added cannot connect on any of the ports listed above; the router is set to forward the ports correctly.

    Can anyone shed some light on this? Should I add the router's IP?

    pass in on $ext_if from { 192.168.1.15 } to { 80, 443, 2010, 6500-6510 }
     
  15. LordOfLA

    Would help :)
     
  16. Dark Atheist

    Nope, it doesn't - although after doing a bit of reading

    ext_if = "nfe0"
    int_if = "nfe1"

    set block-policy drop
    block in on $ext_if
    scrub in all
    antispoof for $ext_if inet
    pass out on $ext_if proto { tcp, udp, icmp } all modulate state

    pass in on $int_if from { 164.168.1.2/24 } to any
    pass in on $ext_if from { 192.168.1.2/24 } to any
    pass in on $ext_if proto tcp from { xx.xx.xx.xx, xx.xx.xx.xx } to $ext_if port www
    table <friends> { some.dns.name1, somedns.name2, somedns.name3, some.dns.name4 }
    pass in on $ext_if from <friends> to { 80, 443, 2010, 6500-6510 }

    Bits in bold have been changed and now people can connect to the web server on my PC. Suppose I will have to find out what name is given to 443, 2010 etc., or see if I can use port 80 instead of port www

    :)
     
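    A small lint pass for the three pf.conf slips this thread ran into (posts 8 and 10: "keep-state" written with a hyphen and a bare "drop in" rule; posts 14 and 16: a port list placed straight after "to" without a host and the "port" keyword). This is an added example, not code from the thread or from pf itself; the two config texts it checks are constructed here in the style of the posted pf.conf, and it is only a pre-check, with pfctl -n -f remaining the real parser.

```python
import re

# Constructed sample in the style of the thread's early pf.conf drafts.
BROKEN_CONF = """\
ext_if = "nfe0"
drop in on $ext_if from any to any
pass out quick on $ext_if from any to any keep-state
pass in on $ext_if from <friends> to { 80, 443, 2010, 6500-6510 }
"""

# Constructed fixed version: pf spells the state option as two words, 'drop'
# is a block policy, and a port list needs a host plus the 'port' keyword
# (pf port ranges use ':' rather than '-').
FIXED_CONF = """\
ext_if = "nfe0"
set block-policy drop
block in on $ext_if
pass out quick on $ext_if keep state
pass in on $ext_if proto tcp from <friends> to $ext_if port { 80, 443, 2010, 6500:6510 }
"""

HYPHENATED_STATE = re.compile(r"\b(keep|modulate|synproxy)-state\b")
BARE_DROP = re.compile(r"^drop\s+(in|out)\b")
TO_PORT_LIST = re.compile(r"\bto\s*\{([^}]*)\}")
PORT_TOKEN = re.compile(r"\d+([-:]\d+)?")


def lint_pf(text):
    """Return (line_number, message) pairs for the slips seen in this thread.

    Heuristic only: 'pfctl -n -f /etc/pf.conf' is the authoritative check.
    """
    issues = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # ignore comments and blank lines
        if not line:
            continue
        if HYPHENATED_STATE.search(line):
            issues.append((n, "state option is two words, e.g. 'keep state'"))
        if BARE_DROP.match(line):
            issues.append((n, "'drop' is a block policy: use 'block drop in' or 'set block-policy drop'"))
        m = TO_PORT_LIST.search(line)
        # A brace list after 'to' made only of numbers/ranges is a port list missing its host.
        if m and all(PORT_TOKEN.fullmatch(t.strip()) for t in m.group(1).split(",")):
            issues.append((n, "port list after 'to' needs a host and 'port': 'to $ext_if port { ... }'"))
    return issues


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, lint_pf(conf) or "no issues found")
```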
  17. LordOfLA

    443 = HTTPS
    80/WWW same thing :)

    You could just use pfSense though - that's FreeBSD with pf and a nice web interface to it all :)
     
  18. Dark Atheist

    I thought that was just a firewall OS much like Smoothwall and such, and to be honest all is working as it should now, and seeing as I'm using ZFS, if I reformat then all is lost on that drive, so I would have to back up and retransfer stuff back and forth - bit time consuming that
     
  19. Geffy

    I've been playing with ZFS on a VM; at the moment I've got 40 file systems so I can do all sorts of mad things like selective compression on various parts of the file system. I've dumped the scripts I used to make them on GitHub.
     
  20. Dark Atheist

    Hehehe nice - not sure how that would work on an FTP/storage drive though, wouldn't the compression cause issues?