From owner-freebsd-questions@FreeBSD.ORG Mon Mar 12 23:28:33 2007 Return-Path: X-Original-To: freebsd-questions@freebsd.org Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 1B05C16A400 for ; Mon, 12 Mar 2007 23:28:33 +0000 (UTC) (envelope-from pablo.fernandez@rs.com.ar) Received: from mail.reliable.com.ar (mail.reliable.com.ar [200.55.63.143]) by mx1.freebsd.org (Postfix) with ESMTP id 2E6BD13C45D for ; Mon, 12 Mar 2007 23:28:31 +0000 (UTC) (envelope-from pablo.fernandez@rs.com.ar) Received: (qmail 9503 invoked by uid 1007); 12 Mar 2007 20:28:29 -0300 Received: from customer123-183-91.iplannetworks.net (HELO plab.bsas.rs.com.ar) (pablo.fernandez@reliable.com.ar@200.123.183.91) by mail.reliable.com.ar with AES256-SHA encrypted SMTP; 12 Mar 2007 20:28:29 -0300 From: =?iso-8859-1?q?Jos=E9_Pablo_Fern=E1ndez?= Organization: RS To: freebsd-questions@freebsd.org Date: Mon, 12 Mar 2007 20:28:24 -0300 User-Agent: KMail/1.9.5 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Message-Id: <200703122028.25655.pablo.fernandez@rs.com.ar> Subject: PF questions X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 Mar 2007 23:28:33 -0000 Hello, I have a couple of PF questions. First I am NATing a set of computers on th= e table, to allow them to go out I write ($lans is lans =3D "{" $la= n0 $lan1 "}" where $lan0 is re0 and $lan1 is $re1): pass in on $lans from to any flags S/SA keep state pass out on $lans from to any flags S/SA keep state or otherwise pass on $lans from to any flags S/SA keep state What puzzles me is why is the "pass out" rule needed. I never do a block ou= t all, only a block in all; basically I am never doing any block out and pr= actically never a pass out. The other exception is: pass out from $me4 flags S/SA keep state which is there mainly to keep state and flags. Here's the second thing that= puzzles me. Why don't I need a pass out from $me6 to reach IPv6 places. ($= me is the collection of IPv4 ips assigned to this host and $me6 the same fo= r IPv6). The other question is also regarding IPv6. To let hosts inside my network g= o out I needed to have this rule: pass out on $wan6 from to any flags S/SA keep state when I would have thought that since I am blocking everything in, and nothi= ng out, this one should have done the trick. pass in on $lans from to any flags S/SA keep state That is, who is letting those IPv6 packages in, and why do I need to let th= e out specifically? If you need context, my whole rules are below. Any answer and or hint is ap= preciated. =2D-=20 Jos=E9 Pablo Fern=E1ndez pablo.fernandez@example.org PS: IPs and names have changed. # My interfaces. lan0 =3D "re0" lan1 =3D "re1" wan =3D "fxp0" wan6 =3D "stf0" # My me, me and I. #me =3D "{(" $lan0 ") (" $lan1 ") (" $wan ") (" $wan6 ") }" me4 =3D "{" 192.168.0.102 192.168.1.102 210.223.83.1 127.0.0.1 "}" me6 =3D "{" 2002:87:15i:0::102 2002:87:15i:1::102 2002:87:15i::1 ::1 "}" # Globally accessable services. mi_tcp_services =3D "{domain ssh http xmpp-c2s xmpps-c2s xmpp-s2s}" mi_udp_services =3D "{domain ssh http xmpp-c2s xmpps-c2s xmpp-s2s}" # LAN-only accessable services. mi_internal_tcp_services =3D "{http-proxy}" mi_internal_udp_services =3D "{ntp}" # The network. lans =3D "{" $lan0 $lan1 "}" lans_network =3D "{" $lan0:network $lan1:network "}" # Hosts that are free to reach the outside world directly. table { black.example.org red.example.org blue.example.org brown.ex= ample.org green.example.org yellow.example.org 192.168.0.0/24 192.168.1.1/2= 4 } table { black.example.org red.example.org blue.example.org } # IPv6 reachable computers by service. table { red.example.org orange.example.org voip.example.org } table { red.example.org black.example.org } # Available for everybody from anywhere. tcp_for_everybody =3D "{smtp smtps pop3 pop3s imap imaps}" udp_for_everybody =3D "{smtp smtps pop3 pop3s imap imaps}" # Making a return of a no-go is better than droping a package because it hi= des the fact that there's a firewall. set block-policy return # No filteblue on lo0. set skip on lo # This will normalize and defragment all packages. Filteblue will work bett= er and extrange packets will be droped. scrub in # NAT. nat on $wan from to any -> ($wan) # Port forwarding. See below for the assosiatde passing rules. rdr on $wan proto tcp from any to any port 5901 -> brown.example.org port v= nc # Andres' VNC. Pupeno, 2007-02-12 14:50:02. # Temp port forwarding. # None so far. Pupeno, 2007-02-12 14:50:25. # Block everything in, latter allowing some stuff. A more paranoic setup wo= uld be to block everything, in and out. But that is much more complex. block in log # Block RFC1918 (private) from the external card, private addresses in the = public internet can't be good. PrivateAddresses =3D "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.= 0/8 }" block in quick on {$wan, $wan6} from $PrivateAddresses to any block out quick on {$wan, $wan6} from any to $PrivateAddresses # When going out (which can be done anyway), keep state, so return packages= can come in. pass out from $me4 flags S/SA keep state # Let some people reach all the services. pass in on $lans from to any flags S/SA keep state pass out on $lans from to any flags S/SA keep state pass out on $wan6 from to any flags S/SA keep state # Possibly onl= y to keep the state. Pupeno, 2007-03-12 20:04:19. # Let all the people reach some services. pass in on $lans proto tcp to any port $tcp_for_everybody flags S/SA keep s= tate # in pass in on $lans proto udp to any port $udp_for_everybody keep state # in # Let some services be reachable by the world in some internal IPs. pass in on $wan6 proto icmp6 from any to keep state #= Allow anyone on the free6 chunk to be pinged. pass in on $wan6 proto tcp from any to port {ssh} flags S/SA k= eep state # Let forwarders pass and more importantly, be synproxied, whatever that is= =2E See above for the assosiated rdr (redirection) rules. pass in proto tcp from any to brown.example.org port vnc synproxy state # A= ndres' VNC. Pupeno, 2007-02-12 15:45:16. # Let anyone ping me. pass in proto icmp to $me4 = keep state pass in proto icmp6 to $me6 = keep state # Services that should be reached from anywhere (including the LAN). pass in proto tcp to $me4 port $mi_tcp_services= flags S/SA keep state pass in proto udp to $me4 port $mi_udp_services= keep state pass in proto tcp to $me6 port $mi_tcp_services= flags S/SA keep state pass in proto udp to $me6 port $mi_udp_services= keep state # Services that should be reached only from the LAN. pass in on $lans proto tcp from $lans_network to $me4 port $mi_internal_tcp= _services flags S/SA keep state pass in on $lans proto udp from $lans_network to $me4 port $mi_internal_udp= _services keep state pass in on $lans proto tcp from $lans_network to $me6 port $mi_internal_tcp= _services flags S/SA keep state pass in on $lans proto udp from $lans_network to $me6 port $mi_internal_udp= _services keep state # Particular services. pass in proto tcp from dir.backup.example.org to $me4 port bacula-dir flags= S/SA keep state # Allow comunication between the two networks. pass in on $lan0 from $lan0:network to $lan1:network flags S/SA keep state pass in on $lan1 from $lan1:network to $lan0:network flags S/SA keep state