From owner-freebsd-pf@freebsd.org Sun Feb 26 21:00:29 2017
From: bugzilla-noreply@FreeBSD.org
To: freebsd-pf@FreeBSD.org
Subject: Problem reports for freebsd-pf@FreeBSD.org that need special attention
Date: Sun, 26 Feb 2017 21:00:29 +0000
Message-Id: <201702262100.v1QL01aM061275@kenobi.freebsd.org>
List-Id: "Technical discussion and general questions about packet filter (pf)"

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering all
versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
Open        |    203735 | Transparent interception of ipv6 with squid and p

1 problems total for which you should take action.
From owner-freebsd-pf@freebsd.org Mon Feb 27 12:08:14 2017
From: Ross
Date: Mon, 27 Feb 2017 14:08:13 +0200
Subject: sonewconn: pru_attach() failed and kernel panic in PF
To: freebsd-pf@freebsd.org

Hello

One of my machines panics almost every day. It is always like this: first
there is a number of messages about "sonewconn: pcb 0xfffff80085478740:
pru_attach() failed" at the same time and then panic. Here's an example:

... many lines of sonewconn ...
Feb 27 13:41:43 core kernel: sonewconn: pcb 0xfffff8008575bcb0: pru_attach() failed
Feb 27 13:41:43 core kernel:
Feb 27 13:41:43 core kernel:
Feb 27 13:41:43 core kernel: Fatal trap 12: page fault while in kernel mode
Feb 27 13:41:43 core kernel: cpuid = 5; apic id = 0a
Feb 27 13:41:43 core kernel: fault virtual address = 0x0
Feb 27 13:41:43 core kernel: fault code = supervisor write data, page not present
Feb 27 13:41:43 core kernel: instruction pointer = 0x20:0xffffffff80e45383
Feb 27 13:41:43 core kernel: stack pointer = 0x28:0xfffffe00d7dd7f80
Feb 27 13:41:43 core kernel: frame pointer = 0x28:0xfffffe00d7dd7fe0
Feb 27 13:41:43 core kernel: code segment = base 0x0, limit 0xfffff, type 0x1b
Feb 27 13:41:43 core kernel: = DPL 0, pres 1, long 1, def32 0, gran 1
Feb 27 13:41:43 core kernel: processor eflags = interrupt enabled, resume, IOPL = 0
Feb 27 13:41:43 core kernel: current process = 0 (em0 taskq)
Feb 27 13:41:43 core kernel: trap number = 12
Feb 27 13:41:43 core kernel: panic: page fault
Feb 27 13:41:43 core kernel: cpuid = 5
Feb 27 13:41:43 core kernel: KDB: stack backtrace:
Feb 27 13:41:43 core kernel: #0 0xffffffff80b312c7 at kdb_backtrace+0x67
Feb 27 13:41:43 core kernel: #1 0xffffffff80ae5c92 at vpanic+0x182
Feb 27 13:41:43 core kernel: #2 0xffffffff80ae5b03 at panic+0x43
Feb 27 13:41:43 core kernel: #3 0xffffffff80fd6d51 at trap_fatal+0x351
Feb 27 13:41:43 core kernel: #4 0xffffffff80fd6f43 at trap_pfault+0x1e3
Feb 27 13:41:43 core kernel: #5 0xffffffff80fd64ec at trap+0x26c
Feb 27 13:41:43 core kernel: #6 0xffffffff80fb9d61 at calltrap+0x8
Feb 27 13:41:43 core kernel: #7 0xffffffff80e4185e at uma_zfree_arg+0x4fe
Feb 27 13:41:43 core kernel: #8 0xffffffff82442165 at pf_get_translation+0x2c5
Feb 27 13:41:43 core kernel: #9 0xffffffff824369d3 at pf_test_rule+0x2b3
Feb 27 13:41:43 core kernel: #10 0xffffffff82433e23 at pf_test+0x1a23
Feb 27 13:41:43 core kernel: #11 0xffffffff8244596d at pf_check_in+0x1d
Feb 27 13:41:43 core kernel: #12 0xffffffff80c1e983 at pfil_run_hooks+0x83
Feb 27 13:41:43 core kernel: #13 0xffffffff80c82d7b at ip_input+0x3bb
Feb 27 13:41:43 core kernel: #14 0xffffffff80c1d905 at netisr_dispatch_src+0xa5
Feb 27 13:41:43 core kernel: #15 0xffffffff80c0636a at ether_demux+0x12a
Feb 27 13:41:43 core kernel: #16 0xffffffff80c06fc2 at ether_nh_input+0x322
Feb 27 13:41:43 core kernel: #17 0xffffffff80c1d905 at netisr_dispatch_src+0xa5

What should I do to fix it?

PS This is FreeBSD 11.0-RELEASE

From owner-freebsd-pf@freebsd.org Thu Mar 2 03:17:55 2017
From: David Mehler
Date: Wed, 1 Mar 2017 22:17:53 -0500
Subject: pf and a natted jailed web server
To: freebsd-pf

Hello,

I'm running FreeBSD 10.3 in a vps. I've got one public IP and am running a
jail server using /etc/jail.conf. My problem is I'm trying to pass port 8080
traffic in to the jailed web server, which then goes to port 80, which the
jailed web server has a web server listening on. My problem is either the pf
nat or rdr is not happy, and I've been on this for several hours and it's
running together. To me the configuration looks right.

A separate, maybe related, maybe not, problem is that when I create a new
jail and bring it up it gets a new ip on lo1, for example 10.0.0.16; in order
to allow that jail to the network I have to reload my pf rules. Is this
correct behavior?

Any help appreciated. My pf.conf is below.

Thanks.
Dave.

pf.conf:

ext_if="fxp0"
int_if = "lo1"
jailnet = $int_if:network

icmp_types="echoreq"
icmp6_types="{ 2, 128 }" # packet too big, echo request (ping6)
# Neighbor Discovery Protocol (NDP) (types 133-137):
# Router Solicitation (RS), Router Advertisement (RA)
# Neighbor Solicitation (NS), Neighbor Advertisement (NA)
# Route Redirection
icmp6_types_ext_if="{ 128, 133, 134, 135, 136, 137 }"

synstate ="flags S/SA synproxy state"
tcpstate ="flags S/SA modulate state"
udpstate ="keep state"

# Name and IP of jails
webmail="10.0.0.15"

# allowed traffic
tcp_services="{bootpc, bootps, ftp-data, ftp, ssh, domain, smtp, http, https, imap, imaps, 3690, 7, 2703 587}"
udp_services="{bootpc, bootps, domain, ntp, 3690, 6277, 24441}"

# Options
set block-policy return
set skip on lo0
set skip on lo1

scrub on $ext_if all reassemble tcp no-df random-id max-mss 1440

# NAT
nat on $ext_if inet from $jailnet to any -> ($ext_if)

# Redirect any packets requesting port 8080 or 4430 to jailed webserver
rdr pass on $ext_if inet proto tcp from any to any port 8080 -> $webmail port http

# Tables
table <bruteforce> persist file "/etc/pf/bruteforce"

# Pass anything on the lo* interfaces
pass quick on lo0 all
pass quick on lo1 all

# Block by default
block all

# Explicitly block unroutable addresses
antispoof quick for ($ext_if)

# Explicitly block anything in the bruteforce table
block quick from <bruteforce>

# Pass out only the desired ports from host and jails
pass quick proto tcp from {self} to port $tcp_services keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
pass quick proto tcp from $jailnet to port $tcp_services keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
pass quick proto {tcp, udp} from {self} to port $udp_services keep state
pass quick proto {tcp, udp} from $jailnet to port $udp_services keep state

# allow ping
pass inet proto icmp icmp-type $icmp_types keep state

# Traceroute
# allow out the default range for traceroute(8):
# ”base+nhops*nqueries-1” (33434+64*3-1)
pass inet proto udp to port 33433:33626 # For IPv4

# allow https traffic out from the jails
pass out proto tcp from $jailnet port https to any keep state

# Allow ssh connections in from the internet
pass in proto tcp from any to $ext_if port ssh keep state
# Pass in http traffic from the internet
pass in inet proto tcp to $ext_if port 80 keep state
# Pass in https traffic from the internet
pass in inet proto tcp to $ext_if port 443 keep state
# Pass in smtp traffic from the internet
pass in inet proto tcp to $ext_if port 25 keep state
# Pass in submission traffic from the internet
pass in inet proto tcp to $ext_if port 587 keep state
# Pass in imaps traffic from the internet
pass in inet proto tcp to $ext_if port 993 keep state

# Pass in port 8080 to the jailed web server
#pass in inet proto tcp to $webmail port 80 keep state

# IPv6
pass quick on $ext_if inet6 proto ipv6-icmp icmp6-type $icmp6_types keep state
pass quick on $ext_if inet6 proto ipv6-icmp from any to { ($ext_if ), ff02::/16 } icmp6-type $icmp6_types_ext_if keep state

From owner-freebsd-pf@freebsd.org Sat Mar 4 05:49:56 2017
From: David Mehler
Date: Sat, 4 Mar 2017 00:49:52 -0500
Subject: pf rules sanity check
To: freebsd-pf

Hello,

Can someone take a look at these rules and let me know where I'm going
wrong? I'm running a 10.3 system that was working great, but now I've added
some jails to it and am noticing two behaviors. The first is that whenever I
bring up a new jail and it gets an ip address I have to do a pfctl -f
pf.conf in order to get that new host out to the internet, otherwise it just
sits there. Secondly, and more urgent, is that while traffic outbound from
both the host and the jails is passing fine (the jail traffic is natted), the
reverse is not true. Traffic can come in to the host, but if I try to get
traffic through to the jail it just hangs, finally timing out.

Thanks.
Dave.

pf.conf:

ext_if="vtnet0"
int_if = "lo1"
jailnet = $int_if:network

icmp_types="echoreq"
icmp6_types="{ 2, 128 }" # packet too big, echo request (ping6)
# Neighbor Discovery Protocol (NDP) (types 133-137):
# Router Solicitation (RS), Router Advertisement (RA)
# Neighbor Solicitation (NS), Neighbor Advertisement (NA)
# Route Redirection
icmp6_types_ext_if="{ 128, 133, 134, 135, 136, 137 }"

synstate ="flags S/SA synproxy state"
tcpstate ="flags S/SA modulate state"
udpstate ="keep state"

webmail="192.168.52.22"

tcp_services="{bootpc, bootps, ftp-data, ftp, ssh, domain, smtp, http, https, imap, imaps, 3690, 7, 2703, 587, 8080}"
udp_services="{bootpc, bootps, domain, ntp, 3690, 6277, 24441}"

set block-policy return
set skip on lo0

# Normalization
# normalize all incoming traffic. Set ttl 254: limits mapping of hosts behind
# firewall. Set random-id to help same.
# Set mss to ATM network frame size for easy splitting upstream.
scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble

# NAT
nat on $ext_if inet from $jailnet to any -> ($ext_if)

# Redirect any packets requesting port 8080 or 4430 to jailed webserver
rdr on $ext_if inet proto tcp from any to $ext_if port 8080 -> $webmail port 8080
#rdr pass on $ext_if inet proto tcp to port 8080 -> $webmail port http
#rdr pass on $ext_if inet proto tcp to port 4430 -> $webmail port https

table <bruteforce> persist file "/etc/pf/bruteforce"
table <fail2ban> persist file "/etc/pf/fail2ban"

pass quick on lo0 all

# Block by default
block all

# Explicitly block anything in the bruteforce table
block in quick from <bruteforce>
# Explicitly block anything in the fail2ban table
block in quick from <fail2ban>

# Pass out only the desired ports from host and jails
pass quick proto tcp from {self} to port $tcp_services keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
pass quick proto tcp from $jailnet to port $tcp_services keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
pass quick proto {tcp, udp} from {self} to port $udp_services keep state
pass quick proto {tcp, udp} from $jailnet to port $udp_services keep state

# allow ping
pass inet proto icmp icmp-type $icmp_types keep state

# Traceroute
# allow out the default range for traceroute(8):
# ”base+nhops*nqueries-1” (33434+64*3-1)
pass inet proto udp to port 33433:33626 # For IPv4

# allow https traffic out from the jails
pass out proto tcp from $jailnet port https to any keep state

# Allow ssh connections in from the internet
pass in proto tcp from any to $ext_if port ssh keep state
# Pass in http traffic from the internet
pass in inet proto tcp to $ext_if port 80 keep state
# Pass in https traffic from the internet
pass in inet proto tcp to $ext_if port 443 keep state
# Pass in smtp traffic from the internet
pass in inet proto tcp to $ext_if port 25 keep state
# Pass in submission traffic from the internet
pass in inet proto tcp to $ext_if port 587 keep state
# Pass in imaps traffic from the internet
pass in inet proto tcp to $ext_if port 993 keep state

# Pass in port 8080 to the jailed web server
pass in inet proto tcp to $webmail port 80 keep state

# IPv6
pass quick on $ext_if inet6 proto ipv6-icmp icmp6-type $icmp6_types keep state
pass quick on $ext_if inet6 proto ipv6-icmp from any to { ($ext_if ), ff02::/16 } icmp6-type $icmp6_types_ext_if keep state
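Both of Dave's posts (redirecting a public port to a NAT'd jail, and a freshly started jail on lo1 only reaching the internet after a reload) turn on two pf behaviours that the ruleset below demonstrates. This is an added example written for this archive, not the configuration posted in the thread and not anything shipped by the FreeBSD project; it reuses the names from the posts (vtnet0 as the public interface, lo1 as the jail interface, 192.168.52.22 as the web jail) and assumes the jail's web server listens on port 80. The two points it shows are documented in pf.conf(5): an unparenthesised "$int_if:network" is expanded once, when the ruleset is loaded, while "($int_if:network)" is re-evaluated whenever the interface's addresses change; and for inbound packets translation (rdr) happens before filtering, so a pass rule for redirected traffic must match the translated destination, or "rdr pass" can create the state directly.

```pf
# Added example ruleset (not from the thread). Interface names and the jail
# address are taken from the posts; every other choice is an assumption.
ext_if  = "vtnet0"
int_if  = "lo1"
webmail = "192.168.52.22"
tcp_in  = "{ ssh, http, https }"

set block-policy return
set skip on lo0
# Traffic on the jail interface (jail <-> host, jail <-> jail) is not
# filtered at all, so a new jail address on lo1 needs no rule of its own.
set skip on $int_if

scrub on $ext_if all reassemble tcp no-df random-id

# The parentheses make pf re-read lo1's addresses at run time. Without
# them, $int_if:network is expanded once at load time and a jail address
# added afterwards is not part of the NAT source list until the next reload.
nat on $ext_if inet from ($int_if:network) to any -> ($ext_if)

# Inbound translation runs before filtering: any pass rule evaluated after
# this sees destination $webmail port 80, not vtnet0 port 8080. "rdr pass"
# creates the state for the translated connection here, so no extra pass
# rule is required for it.
rdr pass on $ext_if inet proto tcp from any to ($ext_if) port 8080 -> $webmail port http

block all
antispoof quick for $ext_if

# Host-originated and (already NAT'd) jail-originated traffic out.
pass out quick on $ext_if keep state

# Services on the host itself.
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $tcp_in keep state

# If the rdr above were written without "pass", this is the rule it would
# need: it matches the post-translation destination (jail address and
# target port), because that is what the filter actually sees.
# pass in quick on $ext_if inet proto tcp from any to $webmail port http keep state
```

pfctl -nf /etc/pf.conf parses the file without loading it, which catches syntax problems such as a table referenced without its name. After loading, pfctl -sn prints the translation rules and pfctl -sr the filter rules as pf expanded them; a load-time-expanded :network list shows up there with exactly the addresses it captured, which is a quick way to confirm whether a newly added jail address is covered.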