Date: Mon, 12 Mar 2007 20:28:24 -0300 From: =?iso-8859-1?q?Jos=E9_Pablo_Fern=E1ndez?= <pablo.fernandez@rs.com.ar> To: freebsd-questions@freebsd.org Subject: PF questions Message-ID: <200703122028.25655.pablo.fernandez@rs.com.ar>
next in thread | raw e-mail | index | archive | help
Hello,
I have a couple of PF questions. First I am NATing a set of computers on th=
e <free4> table, to allow them to go out I write ($lans is lans =3D "{" $la=
n0 $lan1 "}" where $lan0 is re0 and $lan1 is $re1):
pass in on $lans from <free4> to any flags S/SA keep state
pass out on $lans from <free4> to any flags S/SA keep state
or otherwise
pass on $lans from <free4> to any flags S/SA keep state
What puzzles me is why is the "pass out" rule needed. I never do a block ou=
t all, only a block in all; basically I am never doing any block out and pr=
actically never a pass out. The other exception is:
pass out from $me4 flags S/SA keep state
which is there mainly to keep state and flags. Here's the second thing that=
puzzles me. Why don't I need a pass out from $me6 to reach IPv6 places. ($=
me is the collection of IPv4 ips assigned to this host and $me6 the same fo=
r IPv6).
The other question is also regarding IPv6. To let hosts inside my network g=
o out I needed to have this rule:
pass out on $wan6 from <free6> to any flags S/SA keep state
when I would have thought that since I am blocking everything in, and nothi=
ng out, this one should have done the trick.
pass in on $lans from <free6> to any flags S/SA keep state
That is, who is letting those IPv6 packages in, and why do I need to let th=
e out specifically?
If you need context, my whole rules are below. Any answer and or hint is ap=
preciated.
=2D-=20
Jos=E9 Pablo Fern=E1ndez
pablo.fernandez@example.org
PS: IPs and names have changed.
# My interfaces.
lan0 =3D "re0"
lan1 =3D "re1"
wan =3D "fxp0"
wan6 =3D "stf0"
# My me, me and I.
#me =3D "{(" $lan0 ") (" $lan1 ") (" $wan ") (" $wan6 ") }"
me4 =3D "{" 192.168.0.102 192.168.1.102 210.223.83.1 127.0.0.1 "}"
me6 =3D "{" 2002:87:15i:0::102 2002:87:15i:1::102 2002:87:15i::1 ::1 "}"
# Globally accessable services.
mi_tcp_services =3D "{domain ssh http xmpp-c2s xmpps-c2s xmpp-s2s}"
mi_udp_services =3D "{domain ssh http xmpp-c2s xmpps-c2s xmpp-s2s}"
# LAN-only accessable services.
mi_internal_tcp_services =3D "{http-proxy}"
mi_internal_udp_services =3D "{ntp}"
# The network.
lans =3D "{" $lan0 $lan1 "}"
lans_network =3D "{" $lan0:network $lan1:network "}"
# Hosts that are free to reach the outside world directly.
table <free4> { black.example.org red.example.org blue.example.org brown.ex=
ample.org green.example.org yellow.example.org 192.168.0.0/24 192.168.1.1/2=
4 }
table <free6> { black.example.org red.example.org blue.example.org }
# IPv6 reachable computers by service.
table <ip6_web> { red.example.org orange.example.org voip.example.org }
table <ip6_ssh> { red.example.org black.example.org }
# Available for everybody from anywhere.
tcp_for_everybody =3D "{smtp smtps pop3 pop3s imap imaps}"
udp_for_everybody =3D "{smtp smtps pop3 pop3s imap imaps}"
# Making a return of a no-go is better than droping a package because it hi=
des the fact that there's a firewall.
set block-policy return
# No filteblue on lo0.
set skip on lo
# This will normalize and defragment all packages. Filteblue will work bett=
er and extrange packets will be droped.
scrub in
# NAT.
nat on $wan from <free4> to any -> ($wan)
# Port forwarding. See below for the assosiatde passing rules.
rdr on $wan proto tcp from any to any port 5901 -> brown.example.org port v=
nc # Andres' VNC. Pupeno, 2007-02-12 14:50:02.
# Temp port forwarding.
# None so far. Pupeno, 2007-02-12 14:50:25.
# Block everything in, latter allowing some stuff. A more paranoic setup wo=
uld be to block everything, in and out. But that is much more complex.
block in log
# Block RFC1918 (private) from the external card, private addresses in the =
public internet can't be good.
PrivateAddresses =3D "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.=
0/8 }"
block in quick on {$wan, $wan6} from $PrivateAddresses to any
block out quick on {$wan, $wan6} from any to $PrivateAddresses
# When going out (which can be done anyway), keep state, so return packages=
can come in.
pass out from $me4 flags S/SA keep state
# Let some people reach all the services.
pass in on $lans from <free4> to any flags S/SA keep state
pass out on $lans from <free4> to any flags S/SA keep state
pass out on $wan6 from <free6> to any flags S/SA keep state # Possibly onl=
y to keep the state. Pupeno, 2007-03-12 20:04:19.
# Let all the people reach some services.
pass in on $lans proto tcp to any port $tcp_for_everybody flags S/SA keep s=
tate # in
pass in on $lans proto udp to any port $udp_for_everybody keep state # in
# Let some services be reachable by the world in some internal IPs.
pass in on $wan6 proto icmp6 from any to <free6> keep state #=
Allow anyone on the free6 chunk to be pinged.
pass in on $wan6 proto tcp from any to <ipv6_ssh> port {ssh} flags S/SA k=
eep state
# Let forwarders pass and more importantly, be synproxied, whatever that is=
=2E See above for the assosiated rdr (redirection) rules.
pass in proto tcp from any to brown.example.org port vnc synproxy state # A=
ndres' VNC. Pupeno, 2007-02-12 15:45:16.
# Let anyone ping me.
pass in proto icmp to $me4 =
keep state
pass in proto icmp6 to $me6 =
keep state
# Services that should be reached from anywhere (including the LAN).
pass in proto tcp to $me4 port $mi_tcp_services=
flags S/SA keep state
pass in proto udp to $me4 port $mi_udp_services=
keep state
pass in proto tcp to $me6 port $mi_tcp_services=
flags S/SA keep state
pass in proto udp to $me6 port $mi_udp_services=
keep state
# Services that should be reached only from the LAN.
pass in on $lans proto tcp from $lans_network to $me4 port $mi_internal_tcp=
_services flags S/SA keep state
pass in on $lans proto udp from $lans_network to $me4 port $mi_internal_udp=
_services keep state
pass in on $lans proto tcp from $lans_network to $me6 port $mi_internal_tcp=
_services flags S/SA keep state
pass in on $lans proto udp from $lans_network to $me6 port $mi_internal_udp=
_services keep state
# Particular services.
pass in proto tcp from dir.backup.example.org to $me4 port bacula-dir flags=
S/SA keep state
# Allow comunication between the two networks.
pass in on $lan0 from $lan0:network to $lan1:network flags S/SA keep state
pass in on $lan1 from $lan1:network to $lan0:network flags S/SA keep state
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200703122028.25655.pablo.fernandez>