From owner-freebsd-pf@freebsd.org Sun Apr 16 21:00:37 2017
From: bugzilla-noreply@FreeBSD.org
To: freebsd-pf@FreeBSD.org
Subject: Problem reports for freebsd-pf@FreeBSD.org that need special attention
Date: Sun, 16 Apr 2017 21:00:37 +0000
Message-Id: <201704162100.v3GL01jZ022636@kenobi.freebsd.org>

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering all
versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
Open        |    203735 | Transparent interception of ipv6 with squid and p

1 problems total for which you should take action.
From owner-freebsd-pf@freebsd.org Thu Apr 20 00:24:50 2017
From: Ultima
Date: Wed, 19 Apr 2017 20:24:48 -0400
Subject: Re: freebsd 10.3, pf, and openvpn
To: David Mehler
Cc: FreeBSD Mailing List, freebsd-pf@freebsd.org

I keep looking at the rules and finally decided to rewrite some of them.
This may not fix the issue you are having with openvpn though. The issue with
that is most likely the passing out rules. This rule is kind of written weird
and I suggest just removing it and passing everything out and verifying if
that is the cause. The problem is that many of the connections the host opens
are opened at the high-end ports, I believe it was around 40000:65535. I
could be wrong though and hope someone corrects my errors if so.

> # Pass out only the desired ports from host and jails
> pass inet proto tcp from {self, $jailnet, $vpnnet} to any port $tcp_services $tcpstate
> pass inet proto udp from {self, $jailnet, $vpnnet} to port $udp_services $udpstate

If you're still having issues with openvpn with this ruleset, then first try
changing the block all rule to block on ext_if. This will determine if a
pass rule internally is the cause.
> block all
block on $ext_if all

Going to CC freebsd-pf@freebsd.org. I hope this helps.

Ultima

#
# Required order: macros, options, normalization, queueing,
# translation, filtering.
# Note: translation rules are first match while filter rules are last match.

# Macros
ext_if="vtnet0"
ext_gateway="10.0.0.1"
int_if = "lo1"
vpn_if = "tun0"
jailnet = "10.0.0.0/8"
vpnnet="10.8.0.0/8"
icmp_types="{echoreq, unreach}"
#IPV6 ICMP types:
# packet too big and echo request type ping
# Neighbor Discovery Protocol (NDP) (types 133-137):
# Router Solicitation (RS), Router Advertisement (RA)
# Neighbor Solicitation (NS), Neighbor Advertisement (NA)
# Route Redirection
icmp6_types="{ 2, 128, 133, 134, 135, 136, 137 }"
#synstate="flags S/SA synproxy state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)"
tcpstate="flags S/SA modulate state"
udpstate="keep state"

# allowed traffic
tcp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, imap, https, submission, imaps, 2703}"
udp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, ntp, imap, https, submission, imaps, 1194, 3690, 6277, 24441, 4500, 500, 50, 51}"

# Name and IP of jails
webmail="10.0.0.15"
# Name and IP of jailed ssh servers
jssh1="10.0.0.15"
jssh2="10.0.0.16"
jssh3="10.0.0.17"
jssh4="10.0.0.18"
jssh1_tcp="2220"
jssh2_tcp="2221"
jssh3_tcp="2222"
jssh4_tcp="2223"
# The Asterisk Server
asterisk="10.0.0.17"
asterisk_tcp="5060:5061"
asterisk_udp="5060, 10000:10500"
# The vpn server
vpn="10.8.0.1"

# Options
# block-policy can be either drop or return
set block-policy drop
set optimization conservative
set skip on lo0

# Normalization
# normalize all incoming traffic. Set ttl 254: limits mapping of hosts behind
# firewall. Set random-id to help same.
# Set mss to ATM network frame size for easy splitting upstream.
scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble

# NAT
nat on $ext_if from $jailnet to any -> ($ext_if) static-port
nat on $ext_if from $vpnnet to any -> ($ext_if)

# Redirect any packets requesting ports 2220, 2221, 2222, or 2223 to jailed ssh servers
# External redirect & reflect for internal hosts
# Note, the -> $ip port $port is only required for port triggering.
# pf's "tagged" keyword takes a single tag, so all four redirects share the
# tag "jssh" and the pass rules further down match on that one tag.
rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh1_tcp } tag jssh -> $jssh1
rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh2_tcp } tag jssh -> $jssh2
rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh3_tcp } tag jssh -> $jssh3
rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh4_tcp } tag jssh -> $jssh4

# Redirect traffic to the vpn server
# External redirect
rdr on { $ext_if, $int_if } inet proto { tcp, udp } to { ($ext_if), ($int_if) } port 1194 tag vpn -> $vpn

# Redirect traffic to the asterisk server
# SIP on UDP and tcp port 5060, tcp 5061 for secure signaling.
# RTSP ports 10000 to 10500
rdr on $ext_if inet proto udp to any port { $asterisk_udp } tag asterisk_udp -> $asterisk
rdr on $ext_if inet proto tcp to any port { $asterisk_tcp } tag asterisk_tcp -> $asterisk

# Tables (table names follow the file names)
table <bruteforce> persist file "/etc/pf/bruteforce"
table <droplasso> persist file "/etc/pf/pf.drop.lasso.conf"
table <fail2ban> persist file "/etc/pf/fail2ban"
table <martians> persist file "/etc/pf/martians"
# The ZeuS blocklist of c&c servers
table <ZeuS> persist file "/etc/pf/ZeuS"
# The malwaredomain ip block list
table <malwaredomain> persist file "/etc/pf/malwaredomain"
# Table of selected country IP addresses
table <blocked_countries> persist file "/etc/pf/blocked_countries"
# Table of apache mod_evasive blocks
table <evasive> persist file "/etc/pf/evasive"

antispoof for { $ext_if, $int_if }

# Start by blocking by default
block all

# Block anything in the blocked_countries table first
block in quick from <blocked_countries>

# Block nmap scans
block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP

# Explicitly block unroutable addresses
block drop in quick on $ext_if from <martians> to any
block drop out quick on $ext_if from any to <martians>

# Explicitly block anything in the bruteforce table
block in quick from <bruteforce>

# Explicitly block anything in the fail2ban table
block in quick from <fail2ban>

# Explicitly block anything in the droplasso table
block in quick from <droplasso>

# Explicitly block anything in the ZeuS table
block in quick from <ZeuS>

# Explicitly block anything in the malwaredomain table
block in quick from <malwaredomain>

# Block anything in the evasive table
block in quick from <evasive>

# allow ping and host unreach
pass inet proto icmp icmp-type $icmp_types keep state

# Traceroute
# allow out the default range for traceroute(8):
# "base+nhops*nqueries-1" (33434+64*3-1)
pass inet proto udp to port 33433:33626 # For IPv4

# Pass out only the desired ports from host and jails
pass inet proto tcp from {self, $jailnet, $vpnnet} to any port $tcp_services $tcpstate
pass inet proto udp from {self, $jailnet, $vpnnet} to port $udp_services $udpstate

# Allow ssh connections in from the internet
pass in inet proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)

# Pass in ssh traffic to the jails
# pass rules for nat redirect
pass in on $ext_if reply-to ( $ext_if $ext_gateway ) proto tcp tagged jssh \
    flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
pass in on $int_if inet proto tcp tagged jssh flags S/SA keep state

# Pass traffic to the vpn
pass in on $ext_if reply-to ( $ext_if $ext_gateway ) proto { tcp, udp } tagged vpn $udpstate
pass in on $int_if inet proto { tcp, udp } tagged vpn $udpstate
pass out on tun0 keep state
#pass quick on tun0 all keep state

# Pass in smtp, http, https, submission, imaps traffic from the internet
pass in inet proto tcp to $ext_if port { 25, 80, 443, 587, 993 } \
    flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)

# pass traffic from the asterisk server
pass inet proto tcp tagged asterisk_tcp keep state
pass inet proto udp tagged asterisk_udp keep state


On Wed, Apr 19, 2017 at 11:06 AM, David Mehler wrote:
> Hi,
>
> Thanks. Still no go on the vpn. In answer to your questions:
>
> > > pass inet proto tcp from {self, $jailnet, $vpnnet} to any port
> > > $tcp_services $tcpstate
> > > pass inet proto udp from {self, $jailnet, $vpnnet} to port
> > > $udp_services $udpstate
> > >
> I've got only a selected list of ports that I want in or out,
> everything else should be blocked.
>
> I tried commenting out the pass quick on tun0 all and replaced it with
> set skip on tun0, no joy.
>
> I took out the second nat line on the vpnnet. As of now I'm wanting to
> keep the jailnet and the vpnnet ranges the same, though if this issue
> doesn't soon resolve I might change that idea.
> > > > pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state
> > > > (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
> > > > pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state
>
> What I wanted to achieve with this was nat reflection: external
> connections to these hosts worked fine on the desired ports, but on
> the host itself, if I tried to do an ssh to one of my jails on port 2220
> it failed; these rules corrected that.
>
> Right now I'll settle for working.
>
> Thanks.
> Dave.
>
> On 4/19/17, Ultima wrote:
> > After a full look, I suspect this being a problem entry.
> >
> >> # Pass out only the desired ports from host and jails
> >> pass inet proto tcp from {self, $jailnet, $vpnnet} to any port $tcp_services $tcpstate
> >> pass inet proto udp from {self, $jailnet, $vpnnet} to port $udp_services $udpstate
> >
> > Try commenting them and adding pass out all or pass inet proto { tcp, udp }
> > any and see if that works.
> >
> >
> >> pass quick on tun0 all keep state
> > This is another problem area, but probably not the cause. The quick is
> > probably not handled as you are expecting. Pf reads the filtering rules in
> > priority from bottom to top, bottom being highest priority to top being
> > lowest priority. When quick is added, this is more or less reversed for the
> > rule, and because it's near the bottom it has a lower priority. In general
> > the "quick" directive can make pf very confusing and a ruleset harder to
> > read, so other than the top blocking entries with quick, I suggest never
> > using it, or use it for all filters and make it simple the opposite way.
> >
> >
> >> jailnet = "10.0.0.0/8"
> >> vpnnet="10.8.0.0/8"
> > One thing I noticed is that the subnet chosen is an /8 subnet. Because of
> > this, the entire 10.* address space applies to jailnet, making all jailnet +
> > vpnnet entries redundant. This also allows all addresses to communicate, at
> > least if pf isn't filtering them. Usually segmenting the subnet is desired
> > to limit communication between them.
> >
> >> pass quick on lo0 all
> > Why not just skip on lo0?
> >
> >
> >> pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state
> >> (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
> >> pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state
> > Why do these nearly duplicate rules exist?
> >
> >
> > Optimizing pf is fun, but one thing that is important to remember is that the
> > more rules added, the more cycles used per packet. This is typically not
> > noticed on a small deployment, but it can become a huge issue if grown.
> >
> > On Tue, Apr 18, 2017 at 4:20 PM, David Mehler wrote:
> >
> >> Hello Ultima,
> >>
> >> Thank you for your reply. Thanks for the information, I'm liking the
> >> new way the rules are looking. Unfortunately, still no go on the vpn.
> >> Everything else is working, just not the vpn.
> >>
> >> Thanks.
> >> Dave.
> >> PS, here's my rules as they stand now.
> >>
> >> pf.conf:
> >> #
> >> # Required order: macros, options, normalization, queueing,
> >> # translation, filtering.
> >> # Note: translation rules are first match while filter rules are last match.
> >>
> >> # Macros
> >> ext_if="vtnet0"
> >> int_if = "lo1"
> >> vpn_if = "tun0"
> >> jailnet = "10.0.0.0/8"
> >> vpnnet="10.8.0.0/8"
> >> icmp_types="{echoreq, unreach}"
> >> #IPV6 ICMP types:
> >> # packet too big and echo request type ping
> >> # Neighbor Discovery Protocol (NDP) (types 133-137):
> >> # Router Solicitation (RS), Router Advertisement (RA)
> >> # Neighbor Solicitation (NS), Neighbor Advertisement (NA)
> >> # Route Redirection
> >> icmp6_types="{ 2, 128, 133, 134, 135, 136, 137 }"
> >> #synstate="flags S/SA synproxy state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)"
> >> tcpstate ="flags S/SA modulate state"
> >> udpstate ="keep state"
> >> voipports = "{5060, 5061, 10000:10500}"
> >>
> >> # allowed traffic
> >> tcp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, imap, https, submission, imaps, 2703}"
> >> udp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, ntp, imap, https, submission, imaps, 3690, 6277, 24441, 4500, 500, 50, 51}"
> >>
> >> # Name and IP of jails
> >> webmail="10.0.0.15"
> >> # Name and IP of jailed ssh servers
> >> jssh1="10.0.0.15"
> >> jssh2="10.0.0.16"
> >> jssh3="10.0.0.17"
> >> jssh4="10.0.0.18"
> >> # The Asterisk Server
> >> asterisk="10.0.0.17"
> >> # The vpn server
> >> vpn="10.8.0.1"
> >>
> >> # Options
> >> # block-policy can be either drop or return
> >> set block-policy drop
> >> set optimization conservative
> >> set skip on tun0
> >>
> >> # Normalization
> >> # normalize all incoming traffic. Set ttl 254: limits mapping of hosts behind
> >> # firewall. Set random-id to help same.
> >> # Set mss to ATM network frame size for easy splitting upstream.
> >> scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble
> >>
> >> # NAT
> >> nat on $ext_if from $jailnet to any -> ($ext_if) static-port
> >> nat on $ext_if from $vpnnet to any -> ($ext_if) static-port
> >>
> >> # Redirect any packets requesting ports 2220, 2221, 2222, or 2223 to jailed ssh servers
> >> # External redirect
> >> rdr on $ext_if inet proto tcp to $ext_if port 2220 -> $jssh1 port 2220
> >> # reflect for internal hosts
> >> rdr on $int_if inet proto tcp to $int_if port 2220 -> $jssh1 port 2220
> >>
> >> # External redirect
> >> rdr on $ext_if inet proto tcp to $ext_if port 2221 -> $jssh2 port 2221
> >> # reflect for internal hosts
> >> rdr on $int_if inet proto tcp to $int_if port 2221 -> $jssh2 port 2221
> >>
> >> # External redirect
> >> rdr on $ext_if inet proto tcp to $ext_if port 2222 -> $jssh3 port 2222
> >> # reflect for internal hosts
> >> rdr on $int_if inet proto tcp to $int_if port 2222 -> $jssh3 port 2222
> >>
> >> # External redirect
> >> rdr on $ext_if inet proto tcp to $ext_if port 2223 -> $jssh4 port 2223
> >> # reflect for internal hosts
> >> rdr on $int_if inet proto tcp to $int_if port 2223 -> $jssh4 port 2223
> >>
> >> # Redirect traffic to the vpn server
> >> # External redirect
> >> rdr on $ext_if inet proto { tcp, udp } to $ext_if port 1194 -> $vpn port 1194
> >> #rdr on $ext_if inet proto tcp from any to $ext_if port 1194 -> $vpn port 1194
> >> # reflect for internal hosts
> >> rdr on $int_if inet proto { tcp, udp } to $int_if port 1194 -> $vpn port 1194
> >> #rdr on $int_if inet proto tcp from any to $int_if port 1194 -> $vpn port 1194
> >>
> >> # Redirect traffic to the asterisk server
> >> # SIP on UDP and tcp port 5060, tcp 5061 for secure signaling.
> >> rdr on $ext_if inet proto { tcp, udp } to $ext_if port 5060 -> $asterisk port 5060
> >> #rdr on $ext_if inet proto tcp from any to any port 5060 -> $asterisk port 5060
> >> rdr on $ext_if inet proto tcp to $ext_if port 5061 -> $asterisk port 5061
> >> # RTSP ports 10000 to 10500
> >> rdr on $ext_if inet proto udp to $ext_if port 10000:10500 -> $asterisk port 10000:10500
> >>
> >> # Tables (table names follow the file names)
> >> table <bruteforce> persist file "/etc/pf/bruteforce"
> >> table <droplasso> persist file "/etc/pf/pf.drop.lasso.conf"
> >> table <fail2ban> persist file "/etc/pf/fail2ban"
> >> table <martians> persist file "/etc/pf/martians"
> >> # The ZeuS blocklist of c&c servers
> >> table <ZeuS> persist file "/etc/pf/ZeuS"
> >> # The malwaredomain ip block list
> >> table <malwaredomain> persist file "/etc/pf/malwaredomain"
> >> # Table of selected country IP addresses
> >> table <blocked_countries> persist file "/etc/pf/blocked_countries"
> >> # Table of apache mod_evasive blocks
> >> table <evasive> persist file "/etc/pf/evasive"
> >>
> >> # for the spamd greylist/blacklist service
> >> # (not related to spamassassin's spamd daemon)
> >> #table persist
> >> #table persist
> >>
> >> antispoof for $ext_if
> >> antispoof for $int_if
> >>
> >> # Start by blocking by default
> >> block all
> >>
> >> # Block anything in the blocked_countries table first
> >> block in quick from <blocked_countries>
> >>
> >> # Block nmap scans
> >> block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP
> >>
> >> # Explicitly block unroutable addresses
> >> block drop in quick on $ext_if from <martians> to any
> >> block drop out quick on $ext_if from any to <martians>
> >>
> >> # Explicitly block anything in the bruteforce table
> >> block in quick from <bruteforce>
> >>
> >> # Explicitly block anything in the fail2ban table
> >> block in quick from <fail2ban>
> >>
> >> # Explicitly block anything in the droplasso table
> >> block in quick from <droplasso>
> >>
> >> # Explicitly block anything in the ZeuS table
> >> block in quick from <ZeuS>
> >>
> >> # Explicitly block anything in the malwaredomain table
> >> block in quick from <malwaredomain>
> >>
> >> # Block anything in the evasive table
> >> block in quick from <evasive>
> >>
> >> # pass everything on the loopback interface
> >> pass quick on lo0 all
> >>
> >> # allow ping and host unreach
> >> pass inet proto icmp icmp-type $icmp_types keep state
> >>
> >> # Traceroute
> >> # allow out the default range for traceroute(8):
> >> # "base+nhops*nqueries-1" (33434+64*3-1)
> >> pass inet proto udp to port 33433:33626 # For IPv4
> >>
> >> # Pass out only the desired ports from host and jails
> >> pass inet proto tcp from { self, $jailnet } to any port $tcp_services $tcpstate
> >> pass inet proto udp from { self, $jailnet } to port $udp_services $udpstate
> >>
> >> # Allow ssh connections in from the internet
> >> pass in inet proto tcp to $ext_if port ssh flags S/SA keep state \
> >>     (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
> >> # Pass in ssh traffic to the jails
> >> # pass rules for nat redirect
> >> pass in inet proto tcp to $jssh1 port 2220 flags S/SA keep state \
> >>     (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
> >> pass inet proto tcp to $jssh1 port 2220 flags S/SA keep state
> >>
> >> pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state \
> >>     (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
> >> pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state
> >>
> >> pass in inet proto tcp to $jssh3 port 2222 flags S/SA keep state \
> >>     (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
> >> pass inet proto tcp to $jssh3 port 2222 flags S/SA keep state
> >>
> >> pass in inet proto tcp to $jssh4 port 2223 flags S/SA keep state \
> >>     (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
> >> pass inet proto tcp to $jssh4 port 2223 flags S/SA keep state
> >>
> >> # Pass traffic to the vpn
> >> pass in inet proto { tcp, udp } to $vpn port 1194 $udpstate
> >> #pass in inet proto tcp from any to $vpn port 1194 $udpstate
> >> pass inet proto { tcp, udp } to $vpn port 1194 $udpstate
> >> #pass inet proto tcp from any to $vpn port 1194 $udpstate
> >>
> >> # Pass in http traffic from the internet
> >> pass in inet proto tcp to $ext_if port 80 flags S/SA keep state \
> >>     (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
> >>
> >> # Pass in https traffic from the internet
> >> pass in inet proto tcp to $ext_if port 443 flags S/SA keep state \
> >>     (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
> >>
> >> # Pass in smtp traffic from the internet
> >> pass in inet proto tcp to $ext_if port 25 flags S/SA keep state \
> >>     (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
> >>
> >> # Pass in submission traffic from the internet
> >> pass in inet proto tcp to $ext_if port 587 flags S/SA keep state \
> >>     (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
> >>
> >> # Pass in imaps traffic from the internet
> >> pass in inet proto tcp to $ext_if port 993 flags S/SA keep state \
> >>     (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
> >>
> >> # pass traffic from the asterisk server
> >> pass inet proto { tcp, udp } to $asterisk port $voipports keep state
> >>
> >>
> >> On 4/18/17, Ultima wrote:
> >> > I didn't have time to read and look through this entire post, but I
> >> > think I know the issue you're running into and this suggestion should
> >> > push you in the right direction.
> >> >
> >> > This rule for example,
> >> >
> >> > rdr on $ext_if inet proto udp from any to any port 1194 -> $vpn port 1194
> >> > rdr on $ext_if inet proto tcp from any to any port 1194 -> $vpn port 1194
> >> > # reflect for internal hosts
> >> > rdr on $int_if inet proto udp from any to any port 1194 -> $vpn port 1194
> >> > rdr on $int_if inet proto tcp from any to any port 1194 -> $vpn port 1194
> >> >
> >> > This is probably not giving you the results you desire.
> >> > Basically, because no from or to ip is specified, ALL, and I quite
> >> > literally mean ALL, packets using port 1194 are being sent to $vpn
> >> > port 1194. Usually you want to make it something like,
> >> >
> >> > rdr on $ext_if inet proto udp from any to $ext_ip port 1194 -> $vpn port 1194
> >> > rdr on $int_if inet proto udp from any to $int_ip port 1194 -> $vpn port 1194
> >> >
> >> > Now the traffic will be passed only when the packet is going to the host,
> >> > not all traffic on a specific port. Another thing you may want to do is
> >> > combine many of these rules you have.
> >> >
> >> > rdr on $ext_if inet proto { tcp, udp } to $ext_ip port 1194 -> $vpn port 1194
> >> >
> >> > Also note the above: because we are specifying any for from, we can
> >> > remove the from part entirely and make it shorter.
> >> >
> >> > Hope this helps
> >> >
> >> > Ultima
> >> >
> >> >
> >

From owner-freebsd-pf@freebsd.org Thu Apr 20 00:27:28 2017
From: Ultima
Date: Wed, 19 Apr 2017 20:27:26 -0400
Subject: Re: freebsd 10.3, pf, and openvpn
To: David Mehler
Cc: FreeBSD Mailing List, freebsd-pf@freebsd.org

I forgot to mention, make sure the ext_gateway variable changed to the correct
gateway. On Wed, Apr 19, 2017 at 8:24 PM, Ultima wrote: > I keep looking at the rules and finally decided to rewrite some of them. > This may not fix the issue you are having with openvpn tho. The issue wit= h > that is most likely the passing out rules. This rule is kinda written wie= rd > and I suggest just removing it and passing everything out and verifying i= f > that is the cause. The problem is many connections that the host will ope= n > is opened at the high end ports, I believe it was around 40000:65535. I > could be wrong tho and hope someone corrects my errors if so. > > > # Pass out only the desired ports from host and jails > > pass inet proto tcp from {self, $jailnet, $vpnnet} to any port > $tcp_services $tcpstate > > pass inet proto udp from {self, $jailnet, $vpnnet} to port $udp_service= s > $udpstate > > If ur still having issues with openvpn, with this ruleset, then first, tr= y > changing the block all rule to block on ext_if. This will determine if a > pass rule internally is the cause. > > > block all > block on $ext_if all > > Going to CC freebsd-pf@freebsd.org I hope this helps > > Ultima > > > # > # Required order: macros, options, normalization, queueing, > # translation, filtering. > # Note: translation rules are first match while filter rules are last > match. 
> > # Macros > ext_if=3D"vtnet0" > ext_gateway=3D"10.0.0.1" > int_if =3D "lo1" > vpn_if =3D "tun0" > jailnet =3D "10.0.0.0/8" > vpnnet=3D"10.8.0.0/8" > icmp_types=3D"{echoreq, unreach}" > #IPV6 ICMP types: > # packet to big and echo request type ping > # Neighbor Discovery Protocol (NDP) (types 133-137): > # Router Solicitation (RS), Router Advertisement (RA) > # Neighbor Solicitation (NS), Neighbor Advertisement (NA) > # Route Redirection > icmp6_types=3D"{ 2, 128, 133, 134, 135, 136, 137 }" > #synstate=3D"flags S/SA synproxy state (max-src-conn 15, max-src-conn-rat= e > 5/3, overload flush global)" > tcpstate=3D"flags S/SA modulate state" > udpstate=3D"keep state" > > # allowed traffic > tcp_services=3D"{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, > http, imap, https, submission, imaps, 2703}" > udp_services=3D"{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, > http, ntp, imap, https, submission, imaps, 1194, 3690, 6277, 24441, 4500, > 500, 50, 51}" > > # Name and IP of jails > webmail=3D"10.0.0.15" > # Name and IP of jailed ssh servers > jssh1=3D"10.0.0.15" > jssh2=3D"10.0.0.16" > jssh3=3D"10.0.0.17" > jssh4=3D"10.0.0.18" > jssh1_tcp=3D"2220" > jssh2_tcp=3D"2221" > jssh3_tcp=3D"2222" > jssh4_tcp=3D"2223" > # The Asterisk Server > asterisk=3D"10.0.0.17" > asterisk_tcp=3D"5060:5061" > asterisk_udp=3D"5060, 10000:10500" > # The vpn server > vpn=3D"10.8.0.1" > > # Options > # block-policy can be either drop or return > set block-policy drop > set optimization conservative > set skip on lo0 > > # Normalization > # normalize all incoming traffic. Set ttl 254: limits mapping of hosts > behind > # firewall. Set random-id to help same. > # Set mss to ATM network frame size for easy splitting upstream. 
> scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble
>
> # NAT
> nat on $ext_if from $jailnet to any -> ($ext_if) static-port
> nat on $ext_if from $vpnnet to any -> ($ext_if)
>
> # Redirect any packets requesting ports 2220, 2221, 2222, or 2223 to jailed ssh servers
> # External redirect & reflect for internal hosts
> # Note, the -> $ip port $port is only required for port triggering.
> rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh1_tcp } tag jssh1 -> $jssh1
> rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh2_tcp } tag jssh2 -> $jssh2
> rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh3_tcp } tag jssh3 -> $jssh3
> rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh4_tcp } tag jssh4 -> $jssh4
>
> # Redirect traffic to the vpn server
> # External redirect
> rdr on { $ext_if, $int_if } inet proto { tcp, udp } to { ($ext_if), ($int_if) } port 1194 tag vpn -> $vpn
>
> # Redirect traffic to the asterisk server
> # SIP on UDP and tcp port 5060, tcp 5061 for secure signaling.
> # RTSP ports 10000 to 10500
> rdr on $ext_if inet proto udp to any port { $asterisk_udp } tag asterisk_udp -> $asterisk
> rdr on $ext_if inet proto tcp to any port { $asterisk_tcp } tag asterisk_tcp -> $asterisk
>
> # Tables
> table persist file "/etc/pf/bruteforce"
> table persist file "/etc/pf/pf.drop.lasso.conf"
> table persist file "/etc/pf/fail2ban"
> table persist file "/etc/pf/martians"
> # The ZeuS blocklist of c&c servers
> table persist file "/etc/pf/ZeuS"
> # The malwaredomain ip block list
> table persist file "/etc/pf/malwaredomain"
> # Table of selected country IP addresses
> table persist file "/etc/pf/blocked_countries"
> # Table of apache mod_evasive blocks
> table persist file "/etc/pf/evasive"
>
> antispoof for { $ext_if, $int_if }
>
> # Start by blocking by default
> block all
>
> # Block anything in the blocked_countries table first
> block in quick from
>
> # Block nmap scans
> block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP
>
> # Explicitly block unroutable addresses
> block drop in quick on $ext_if from to any
> block drop out quick on $ext_if from any to
>
> # Explicitly block anything in the bruteforce table
> block in quick from
>
> # Explicitly block anything in the fail2ban table
> block in quick from
>
> # Explicitly block anything in the droplasso table
> block in quick from
>
> # Explicitly block anything in the ZeuS table
> block in quick from
>
> # Explicitly block anything in the malwaredomain table
> block in quick from
>
> # Block anything in the evasive table
> block in quick from
>
> # allow ping and host unreach
> pass inet proto icmp icmp-type $icmp_types keep state
>
> # Traceroute
> # allow out the default range for traceroute(8):
> # ”base+nhops*nqueries-1” (33434+64*3-1)
> pass inet proto udp to port 33433:33626 # For IPv4
>
> # Pass out only the desired ports from host and jails
> pass inet proto tcp from {self, $jailnet, $vpnnet} to any port $tcp_services $tcpstate
> pass inet proto udp from {self, $jailnet, $vpnnet} to port $udp_services $udpstate
>
> # Allow ssh connections in from the internet
> pass in inet proto tcp from any to ($ext_if) port ssh \
> flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
> # Pass in ssh traffic to the jails
> # pass rules for nat redirect
> pass in on $ext_if reply-to ( $ext_if $ext_gateway ) proto tcp tagged jssh1 jssh2 jssh3 jssh4 \
> flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
> pass in on $int_if inet proto tcp tagged jssh1 jssh2 jssh3 jssh4 flags S/SA keep state
>
> # Pass traffic to the vpn
> pass in on $ext_if reply-to ( $ext_if $ext_gateway ) proto { tcp, udp } tagged vpn $udpstate
> pass in on $int_if inet proto { tcp, udp } tagged vpn $udpstate
> pass out on tun0 keep state
> #pass quick on tun0 all keep state
>
> # Pass in smtp, http, https, submission, imaps traffic from the internet
> pass in inet proto tcp to $ext_if port { 25, 80, 443, 587, 993 } \
> flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>
> # pass traffic from the asterisk server
> pass inet proto tcp tagged asterisk_tcp keep state
> pass inet proto udp tagged asterisk_udp keep state
>
> On Wed, Apr 19, 2017 at 11:06 AM, David Mehler wrote:
>
>> Hi,
>>
>> Thanks. Still no go on the vpn. In answer to your questions:
>>
>> > pass inet proto tcp from {self, $jailnet, $vpnnet} to any port
>> > $tcp_services $tcpstate
>> > pass inet proto udp from {self, $jailnet, $vpnnet} to port
>> > $udp_services $udpstate
>>
>> I've got only a selected list of ports that I want in or out,
>> everything else should be blocked.
>>
>> I tried commenting out the pass quick on tun0 all and replaced it with
>> set skip on tun0 no joy.
>>
>> I took out the second nat line on the vpnnet as of now I'm wanting to
>> keep the jailnet and the vpnnet ranges the same, though if this issue
>> doesn't soon resolve I might change that idea.
>>
>> > pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state
>> > (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>> > pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state
>>
>> What I wanted to achieve with this was nat reflection, external
>> connections to these hosts worked fine on the desired ports, but on
>> the host itself if I tried to do an ssh to one of my jails port 2220
>> it failed, these rules corrected that.
>>
>> Right now I'll settle for working.
>>
>> Thanks.
>> Dave.
>>
>> On 4/19/17, Ultima wrote:
>> > After a full look, I suspect this being a problem entry.
>> >
>> >> # Pass out only the desired ports from host and jails
>> >> pass inet proto tcp from {self, $jailnet, $vpnnet} to any port
>> >> $tcp_services $tcpstate
>> >> pass inet proto udp from {self, $jailnet, $vpnnet} to port
>> >> $udp_services $udpstate
>> >
>> > Try commenting them and adding pass out all or pass inet proto { tcp, udp }
>> > any and see if that works.
>> >
>> >> pass quick on tun0 all keep state
>> > This is another problem area, but probably not the cause. The quick is
>> > probably not handled as you are expecting. Pf reads the filtering rules in
>> > priority from bottom to top, bottom being highest priority to top being
>> > lowest priority. When quick is added, this is more or less reversed for the
>> > rule and because it's near the bottom it has a lower priority. In general
>> > the "quick" directive can make pf very confusing and a ruleset harder to
>> > read so other than the top blocking entries with quick, I suggest never
>> > using it, or use it for all filters and make it simple the opposite way.
>> >
>> >> jailnet = "10.0.0.0/8"
>> >> vpnnet="10.8.0.0/8"
>> > One thing I noticed is that the subnet chosen is an /8 subnet. Because of
>> > this, the entire 10.* address space applies to jailnet making all jailnet +
>> > vpnnet entries redundant. This also allows all addresses to communicate, at
>> > least if pf isn't filtering them. Usually segmenting the subnet is desired
>> > to limit communication between them.
>> >
>> >> pass quick on lo0 all
>> > Why not just skip on lo0?
>> >
>> >> pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state
>> > (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>> >> pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state
>> > Why do these nearly duplicate rules exist?
>> >
>> > Optimizing pf is fun, but one thing that is important to remember is the
>> > more rules added, the more cycles used per packet. This is typically not
>> > noticed on small deployments but it can become a huge issue if grown.
>> >
>> > On Tue, Apr 18, 2017 at 4:20 PM, David Mehler wrote:
>> >
>> >> Hello Ultima,
>> >>
>> >> Thank you for your reply. Thanks for the information, I'm liking the
>> >> new way the rules are looking. Unfortunately, still no go on the vpn.
>> >> Everything else is working, just not the vpn.
>> >>
>> >> Thanks.
>> >> Dave.
>> >> PS, here's my rules as they stand now.
>> >>
>> >> pf.conf:
>> >> #
>> >> # Required order: macros, options, normalization, queueing,
>> >> # translation, filtering.
>> >> # Note: translation rules are first match while filter rules are last match.
>> >>
>> >> # Macros
>> >> ext_if="vtnet0"
>> >> int_if = "lo1"
>> >> vpn_if = "tun0"
>> >> jailnet = "10.0.0.0/8"
>> >> vpnnet="10.8.0.0/8"
>> >> icmp_types="{echoreq, unreach}"
>> >> #IPV6 ICMP types:
>> >> # packet too big and echo request type ping
>> >> # Neighbor Discovery Protocol (NDP) (types 133-137):
>> >> # Router Solicitation (RS), Router Advertisement (RA)
>> >> # Neighbor Solicitation (NS), Neighbor Advertisement (NA)
>> >> # Route Redirection
>> >> icmp6_types="{ 2, 128, 133, 134, 135, 136, 137 }"
>> >> #synstate="flags S/SA synproxy state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)"
>> >> tcpstate ="flags S/SA modulate state"
>> >> udpstate ="keep state"
>> >> voipports = "{5060, 5061, 10000:10500}"
>> >>
>> >> # allowed traffic
>> >> tcp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, imap, https, submission, imaps, 2703}"
>> >> udp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, ntp, imap, https, submission, imaps, 3690, 6277, 24441, 4500, 500, 50, 51}"
>> >>
>> >> # Name and IP of jails
>> >> webmail="10.0.0.15"
>> >> # Name and IP of jailed ssh servers
>> >> jssh1="10.0.0.15"
>> >> jssh2="10.0.0.16"
>> >> jssh3="10.0.0.17"
>> >> jssh4="10.0.0.18"
>> >> # The Asterisk Server
>> >> asterisk="10.0.0.17"
>> >> # The vpn server
>> >> vpn="10.8.0.1"
>> >>
>> >> # Options
>> >> # block-policy can be either drop or return
>> >> set block-policy drop
>> >> set optimization conservative
>> >> set skip on tun0
>> >>
>> >> # Normalization
>> >> # normalize all incoming traffic. Set ttl 254: limits mapping of hosts behind
>> >> # firewall. Set random-id to help same.
>> >> # Set mss to ATM network frame size for easy splitting upstream.
>> >> scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble
>> >>
>> >> # NAT
>> >> nat on $ext_if from $jailnet to any -> ($ext_if) static-port
>> >> nat on $ext_if from $vpnnet to any -> ($ext_if) static-port
>> >>
>> >> # Redirect any packets requesting ports 2220, 2221, 2222, or 2223 to jailed ssh servers
>> >> # External redirect
>> >> rdr on $ext_if inet proto tcp to $ext_if port 2220 -> $jssh1 port 2220
>> >> # reflect for internal hosts
>> >> rdr on $int_if inet proto tcp to $int_if port 2220 -> $jssh1 port 2220
>> >>
>> >> # External redirect
>> >> rdr on $ext_if inet proto tcp to $ext_if port 2221 -> $jssh2 port 2221
>> >> # reflect for internal hosts
>> >> rdr on $int_if inet proto tcp to $int_if port 2221 -> $jssh2 port 2221
>> >>
>> >> # External redirect
>> >> rdr on $ext_if inet proto tcp to $ext_if port 2222 -> $jssh3 port 2222
>> >> # reflect for internal hosts
>> >> rdr on $int_if inet proto tcp to $int_if port 2222 -> $jssh3 port 2222
>> >>
>> >> # External redirect
>> >> rdr on $ext_if inet proto tcp to $ext_if port 2223 -> $jssh4 port 2223
>> >> # reflect for internal hosts
>> >> rdr on $int_if inet proto tcp to $int_if port 2223 -> $jssh4 port 2223
>> >>
>> >> # Redirect traffic to the vpn server
>> >> # External redirect
>> >> rdr on $ext_if inet proto { tcp, udp } to $ext_if port 1194 -> $vpn port 1194
>> >> #rdr on $ext_if inet proto tcp from any to $ext_if port 1194 -> $vpn port 1194
>> >> # reflect for internal hosts
>> >> rdr on $int_if inet proto { tcp, udp } to $int_if port 1194 -> $vpn port 1194
>> >> #rdr on $int_if inet proto tcp from any to $int_if port 1194 -> $vpn port 1194
>> >>
>> >> # Redirect traffic to the asterisk server
>> >> # SIP on UDP and tcp port 5060, tcp 5061 for secure signaling.
>> >> rdr on $ext_if inet proto { tcp, udp } to $ext_if port 5060 -> $asterisk port 5060
>> >> #rdr on $ext_if inet proto tcp from any to any port 5060 -> $asterisk port 5060
>> >> rdr on $ext_if inet proto tcp to $ext_if port 5061 -> $asterisk port 5061
>> >> # RTSP ports 10000 to 10500
>> >> rdr on $ext_if inet proto udp to $ext_if port 10000:10500 -> $asterisk port 10000:10500
>> >>
>> >> # Tables
>> >> table persist file "/etc/pf/bruteforce"
>> >> table persist file "/etc/pf/pf.drop.lasso.conf"
>> >> table persist file "/etc/pf/fail2ban"
>> >> table persist file "/etc/pf/martians"
>> >> # The ZeuS blocklist of c&c servers
>> >> table persist file "/etc/pf/ZeuS"
>> >> # The malwaredomain ip block list
>> >> table persist file "/etc/pf/malwaredomain"
>> >> # Table of selected country IP addresses
>> >> table persist file "/etc/pf/blocked_countries"
>> >> # Table of apache mod_evasive blocks
>> >> table persist file "/etc/pf/evasive"
>> >>
>> >> # for the spamd greylist/blacklist service
>> >> # (not related to spamassassin's spamd daemon)
>> >> #table persist
>> >> #table persist
>> >>
>> >> antispoof for $ext_if
>> >> antispoof for $int_if
>> >>
>> >> # Start by blocking by default
>> >> block all
>> >>
>> >> # Block anything in the blocked_countries table first
>> >> block in quick from
>> >>
>> >> # Block nmap scans
>> >> block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP
>> >>
>> >> # Explicitly block unroutable addresses
>> >> block drop in quick on $ext_if from to any
>> >> block drop out quick on $ext_if from any to
>> >>
>> >> # Explicitly block anything in the bruteforce table
>> >> block in quick from
>> >>
>> >> # Explicitly block anything in the fail2ban table
>> >> block in quick from
>> >>
>> >> # Explicitly block anything in the droplasso table
>> >> block in quick from
>> >>
>> >> # Explicitly block anything in the ZeuS table
>> >> block in quick from
>> >>
>> >> # Explicitly block anything in the malwaredomain table
>> >> block in quick from
>> >>
>> >> # Block anything in the evasive table
>> >> block in quick from
>> >>
>> >> # pass everything on the loopback interface
>> >> pass quick on lo0 all
>> >>
>> >> # allow ping and host unreach
>> >> pass inet proto icmp icmp-type $icmp_types keep state
>> >>
>> >> # Traceroute
>> >> # allow out the default range for traceroute(8):
>> >> # ”base+nhops*nqueries-1” (33434+64*3-1)
>> >> pass inet proto udp to port 33433:33626 # For IPv4
>> >>
>> >> # Pass out only the desired ports from host and jails
>> >> pass inet proto tcp from { self, $jailnet } to any port $tcp_services $tcpstate
>> >> pass inet proto udp from { self, $jailnet } to port $udp_services $udpstate
>> >>
>> >> # Allow ssh connections in from the internet
>> >> pass in inet proto tcp to $ext_if port ssh flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>> >> # Pass in ssh traffic to the jails
>> >> # pass rules for nat redirect
>> >> pass in inet proto tcp to $jssh1 port 2220 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>> >> pass inet proto tcp to $jssh1 port 2220 flags S/SA keep state
>> >>
>> >> pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>> >> pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state
>> >>
>> >> pass in inet proto tcp to $jssh3 port 2222 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>> >> pass inet proto tcp to $jssh3 port 2222 flags S/SA keep state
>> >>
>> >> pass in inet proto tcp to $jssh4 port 2223 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>> >> pass inet proto tcp to $jssh4 port 2223 flags S/SA keep state
>> >>
>> >> # Pass traffic to the vpn
>> >> pass in inet proto { tcp, udp } to $vpn port 1194 $udpstate
>> >> #pass in inet proto tcp from any to $vpn port 1194 $udpstate
>> >> pass inet proto { tcp, udp } to $vpn port 1194 $udpstate
>> >> #pass inet proto tcp from any to $vpn port 1194 $udpstate
>> >>
>> >> # Pass in http traffic from the internet
>> >> pass in inet proto tcp to $ext_if port 80 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>> >>
>> >> # Pass in https traffic from the internet
>> >> pass in inet proto tcp to $ext_if port 443 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>> >>
>> >> # Pass in smtp traffic from the internet
>> >> pass in inet proto tcp to $ext_if port 25 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>> >>
>> >> # Pass in submission traffic from the internet
>> >> pass in inet proto tcp to $ext_if port 587 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>> >>
>> >> # Pass in imaps traffic from the internet
>> >> pass in inet proto tcp to $ext_if port 993 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>> >>
>> >> # pass traffic from the asterisk server
>> >> pass inet proto { tcp, udp } to $asterisk port $voipports keep state
>> >>
>> >>
>> >> On 4/18/17, Ultima wrote:
>> >> > I didn't have time to read and look through this entire post, but I think I
>> >> > know the issue you're running into and this suggestion should push you in
>> >> > the right direction.
>> >> >
>> >> > this rule for example,
>> >> >
>> >> > rdr on $ext_if inet proto udp from any to any port 1194 -> $vpn port 1194
>> >> > rdr on $ext_if inet proto tcp from any to any port 1194 -> $vpn port 1194
>> >> > # reflect for internal hosts
>> >> > rdr on $int_if inet proto udp from any to any port 1194 -> $vpn port 1194
>> >> > rdr on $int_if inet proto tcp from any to any port 1194 -> $vpn port 1194
>> >> >
>> >> > This is probably not giving you the results you desire. Basically because
>> >> > no from or to ip is specified ALL and I quite literally mean ALL packets
>> >> > using port 1194 are being sent to $vpn port 1194. Usually you want to make
>> >> > it something like,
>> >> >
>> >> > rdr on $ext_if inet proto udp from any to $ext_ip port 1194 -> $vpn port 1194
>> >> > rdr on $int_if inet proto udp from any to $int_ip port 1194 -> $vpn port 1194
>> >> >
>> >> > Now the traffic will be passed only when the packet is going to the host,
>> >> > not all traffic on a specific port. Another thing you may want to do is
>> >> > combine many of these rules you have.
>> >> >
>> >> > rdr on $ext_if inet proto { tcp, udp } to $ext_ip port 1194 -> $vpn port 1194
>> >> >
>> >> > Also note the above, because we are specifying any for from, we can remove
>> >> > the from rule entirely and make it shorter.
>> >> >
>> >> > Hope this helps
>> >> >
>> >> > Ultima
>> >> >
>> >>
>> >
>>
>
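Two of the points raised in the quoted messages above, the /8 masks that make jailnet and vpnnet the same block and the `rdr ... to any port 1194` that rewrites every packet on that port, can be caught mechanically. The following checker is an added example written for this page, not code from anyone in the thread; the sample rules are constructed from the quoted macros, and both the macro and rdr parsers are deliberately minimal (simple `name = "value"` macros and single-token `to X port Y` destinations only).

```python
import ipaddress
import re

# Constructed sample: the macros and two rdr variants quoted in the thread,
# reduced to what this checker looks at (not the complete ruleset).
SAMPLE_PF_CONF = """\
ext_if="vtnet0"
jailnet = "10.0.0.0/8"
vpnnet="10.8.0.0/8"
vpn="10.8.0.1"
# catch-all form from the earliest ruleset in the thread
rdr on $ext_if inet proto udp from any to any port 1194 -> $vpn port 1194
# narrowed form: only packets addressed to the firewall's own interfaces
rdr on { $ext_if, $int_if } inet proto { tcp, udp } to { ($ext_if), ($int_if) } port 1194 tag vpn -> $vpn
"""

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
# "to X port Y" where X is a single token; an rdr whose destination is a
# brace list (e.g. "to { ($ext_if), ($int_if) }") does not match and is
# never reported as a catch-all.
RDR_RE = re.compile(r"^\s*rdr\b.*?\bto\s+(\S+)\s+port\s+(\S+)")


def parse_macros(text):
    """Return {name: value} for every simple string macro (name = "value")."""
    macros = {}
    for line in text.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def check_networks(macros):
    """Flag CIDR macros with host bits set under their mask, and pairs of
    macros whose address blocks overlap (the jailnet/vpnnet case above)."""
    findings = []
    nets = {}
    for name, value in macros.items():
        if "/" not in value:
            continue                      # interface names, single hosts, lists
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            continue                      # not a CIDR literal
        nets[name] = net
        if str(net) != value:
            # 10.8.0.0/8 masks down to 10.0.0.0/8: the /8 covers all of 10.*
            findings.append(
                f"{name}: {value} has host bits set under /{net.prefixlen}; "
                f"the mask covers {net}")
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return findings


def check_rdr(text):
    """Flag rdr rules written 'to any port N': they rewrite every packet on
    that port regardless of which host it was addressed to."""
    findings = []
    for line in text.splitlines():
        m = RDR_RE.match(line)
        if m and m.group(1) == "any":
            findings.append(
                f"catch-all redirect on port {m.group(2)}: {line.strip()}")
    return findings


def lint(text):
    """Run both checks over a pf.conf fragment and return all findings."""
    return check_networks(parse_macros(text)) + check_rdr(text)


if __name__ == "__main__":
    for finding in lint(SAMPLE_PF_CONF):
        print(finding)
```

Running it on the sample reports the vpnnet host-bit problem, the jailnet/vpnnet overlap and the single catch-all rdr; the narrowed rdr and the /24 variants Ultima suggests produce no findings.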
From owner-freebsd-pf@freebsd.org Thu Apr 20 02:01:26 2017
From: David Mehler
Date: Wed, 19 Apr 2017 22:01:22 -0400
Subject: Re: freebsd 10.3, pf, and openvpn
To: Ultima
Cc: FreeBSD Mailing List, freebsd-pf@freebsd.org

Hello,

I commented out the rules indicated and still nothing.

Thanks.
Dave.

On 4/19/17, Ultima wrote:
> I forgot to mention, make sure the ext_gateway variable changed to the
> correct gateway.
>
> On Wed, Apr 19, 2017 at 8:24 PM, Ultima wrote:
>
>> I keep looking at the rules and finally decided to rewrite some of them.
>> This may not fix the issue you are having with openvpn tho. The issue with
>> that is most likely the passing out rules. This rule is kinda written weird
>> and I suggest just removing it and passing everything out and verifying if
>> that is the cause. The problem is many connections that the host will open
>> are opened at the high end ports, I believe it was around 40000:65535. I
>> could be wrong tho and hope someone corrects my errors if so.
>>
>> > # Pass out only the desired ports from host and jails
>> > pass inet proto tcp from {self, $jailnet, $vpnnet} to any port $tcp_services $tcpstate
>> > pass inet proto udp from {self, $jailnet, $vpnnet} to port $udp_services $udpstate
>>
>> If ur still having issues with openvpn, with this ruleset, then first, try
>> changing the block all rule to block on ext_if. This will determine if a
>> pass rule internally is the cause.
>>
>> > block all
>> block on $ext_if all
>>
>> Going to CC freebsd-pf@freebsd.org I hope this helps
>>
>> Ultima
>>
>> #
>> # Required order: macros, options, normalization, queueing,
>> # translation, filtering.
>> # Note: translation rules are first match while filter rules are last match.
>>
>> # Macros
>> ext_if="vtnet0"
>> ext_gateway="10.0.0.1"
>> int_if = "lo1"
>> vpn_if = "tun0"
>> jailnet = "10.0.0.0/8"
>> vpnnet="10.8.0.0/8"
>> icmp_types="{echoreq, unreach}"
>> #IPV6 ICMP types:
>> # packet too big and echo request type ping
>> # Neighbor Discovery Protocol (NDP) (types 133-137):
>> # Router Solicitation (RS), Router Advertisement (RA)
>> # Neighbor Solicitation (NS), Neighbor Advertisement (NA)
>> # Route Redirection
>> icmp6_types="{ 2, 128, 133, 134, 135, 136, 137 }"
>> #synstate="flags S/SA synproxy state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)"
>> tcpstate="flags S/SA modulate state"
>> udpstate="keep state"
>>
>> # allowed traffic
>> tcp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, imap, https, submission, imaps, 2703}"
>> udp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, ntp, imap, https, submission, imaps, 1194, 3690, 6277, 24441, 4500, 500, 50, 51}"
>>
>> # Name and IP of jails
>> webmail="10.0.0.15"
>> # Name and IP of jailed ssh servers
>> jssh1="10.0.0.15"
>> jssh2="10.0.0.16"
>> jssh3="10.0.0.17"
>> jssh4="10.0.0.18"
>> jssh1_tcp="2220"
>> jssh2_tcp="2221"
>> jssh3_tcp="2222"
>> jssh4_tcp="2223"
>> # The Asterisk Server
>> asterisk="10.0.0.17"
>> asterisk_tcp="5060:5061"
>> asterisk_udp="5060, 10000:10500"
>> # The vpn server
>> vpn="10.8.0.1"
>>
>> # Options
>> # block-policy can be either drop or return
>> set block-policy drop
>> set optimization conservative
>> set skip on lo0
>>
>> # Normalization
>> # normalize all incoming traffic. Set ttl 254: limits mapping of hosts behind
>> # firewall. Set random-id to help same.
>> # Set mss to ATM network frame size for easy splitting upstream.
>> scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble
>>
>> # NAT
>> nat on $ext_if from $jailnet to any -> ($ext_if) static-port
>> nat on $ext_if from $vpnnet to any -> ($ext_if)
>>
>> # Redirect any packets requesting ports 2220, 2221, 2222, or 2223 to jailed ssh servers
>> # External redirect & reflect for internal hosts
>> # Note, the -> $ip port $port is only required for port triggering.
>> rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh1_tcp } tag jssh1 -> $jssh1
>> rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh2_tcp } tag jssh2 -> $jssh2
>> rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh3_tcp } tag jssh3 -> $jssh3
>> rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh4_tcp } tag jssh4 -> $jssh4
>>
>> # Redirect traffic to the vpn server
>> # External redirect
>> rdr on { $ext_if, $int_if } inet proto { tcp, udp } to { ($ext_if), ($int_if) } port 1194 tag vpn -> $vpn
>>
>> # Redirect traffic to the asterisk server
>> # SIP on UDP and tcp port 5060, tcp 5061 for secure signaling.
>> # RTSP ports 10000 to 10500
>> rdr on $ext_if inet proto udp to any port { $asterisk_udp } tag asterisk_udp -> $asterisk
>> rdr on $ext_if inet proto tcp to any port { $asterisk_tcp } tag asterisk_tcp -> $asterisk
>>
>> # Tables
>> table persist file "/etc/pf/bruteforce"
>> table persist file "/etc/pf/pf.drop.lasso.conf"
>> table persist file "/etc/pf/fail2ban"
>> table persist file "/etc/pf/martians"
>> # The ZeuS blocklist of c&c servers
>> table persist file "/etc/pf/ZeuS"
>> # The malwaredomain ip block list
>> table persist file "/etc/pf/malwaredomain"
>> # Table of selected country IP addresses
>> table persist file "/etc/pf/blocked_countries"
>> # Table of apache mod_evasive blocks
>> table persist file "/etc/pf/evasive"
>>
>> antispoof for { $ext_if, $int_if }
>>
>> # Start by blocking by default
>> block all
>>
>> # Block anything in the blocked_countries table first
>> block in quick from
>>
>> # Block nmap scans
>> block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP
>>
>> # Explicitly block unroutable addresses
>> block drop in quick on $ext_if from to any
>> block drop out quick on $ext_if from any to
>>
>> # Explicitly block anything in the bruteforce table
>> block in quick from
>>
>> # Explicitly block anything in the fail2ban table
>> block in quick from
>>
>> # Explicitly block anything in the droplasso table
>> block in quick from
>>
>> # Explicitly block anything in the ZeuS table
>> block in quick from
>>
>> # Explicitly block anything in the malwaredomain table
>> block in quick from
>>
>> # Block anything in the evasive table
>> block in quick from
>>
>> # allow ping and host unreach
>> pass inet proto icmp icmp-type $icmp_types keep state
>>
>> # Traceroute
>> # allow out the default range for traceroute(8):
>> # ”base+nhops*nqueries-1” (33434+64*3-1)
>> pass inet proto udp to port 33433:33626 # For IPv4
>>
>> # Pass out only the desired ports from host and jails
>> pass inet proto tcp from {self, $jailnet, $vpnnet} to any port $tcp_services $tcpstate
>> pass inet proto udp from {self, $jailnet, $vpnnet} to port $udp_services $udpstate
>>
>> # Allow ssh connections in from the internet
>> pass in inet proto tcp from any to ($ext_if) port ssh \
>> flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>> # Pass in ssh traffic to the jails
>> # pass rules for nat redirect
>> pass in on $ext_if reply-to ( $ext_if $ext_gateway ) proto tcp tagged jssh1 jssh2 jssh3 jssh4 \
>> flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>> pass in on $int_if inet proto tcp tagged jssh1 jssh2 jssh3 jssh4 flags S/SA keep state
>>
>> # Pass traffic to the vpn
>> pass in on $ext_if reply-to ( $ext_if $ext_gateway ) proto { tcp, udp } tagged vpn $udpstate
>> pass in on $int_if inet proto { tcp, udp } tagged vpn $udpstate
>> pass out on tun0 keep state
>> #pass quick on tun0 all keep state
>>
>> # Pass in smtp, http, https, submission, imaps traffic from the internet
>> pass in inet proto tcp to $ext_if port { 25, 80, 443, 587, 993 } \
>> flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>>
>> # pass traffic from the asterisk server
>> pass inet proto tcp tagged asterisk_tcp keep state
>> pass inet proto udp tagged asterisk_udp keep state
>>
>> On Wed, Apr 19, 2017 at 11:06 AM, David Mehler wrote:
>>
>>> Hi,
>>>
>>> Thanks. Still no go on the vpn. In answer to your questions:
>>>
>>> > pass inet proto tcp from {self, $jailnet, $vpnnet} to any port
>>> > $tcp_services $tcpstate
>>> > pass inet proto udp from {self, $jailnet, $vpnnet} to port
>>> > $udp_services $udpstate
>>>
>>> I've got only a selected list of ports that I want in or out,
>>> everything else should be blocked.
>>>
>>> I tried commenting out the pass quick on tun0 all and replaced it with
>>> set skip on tun0 no joy.
>>>
>>> I took out the second nat line on the vpnnet as of now I'm wanting to
>>> keep the jailnet and the vpnnet ranges the same, though if this issue
>>> doesn't soon resolve I might change that idea.
>>>
>>> > pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state
>>> > (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>>> > pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state
>>>
>>> What I wanted to achieve with this was nat reflection, external
>>> connections to these hosts worked fine on the desired ports, but on
>>> the host itself if I tried to do an ssh to one of my jails port 2220
>>> it failed, these rules corrected that.
>>>
>>> Right now I'll settle for working.
>>>
>>> Thanks.
>>> Dave.
>>>
>>> On 4/19/17, Ultima wrote:
>>> > After a full look, I suspect this being a problem entry.
>>> >
>>> >> # Pass out only the desired ports from host and jails
>>> >> pass inet proto tcp from {self, $jailnet, $vpnnet} to any port
>>> >> $tcp_services $tcpstate
>>> >> pass inet proto udp from {self, $jailnet, $vpnnet} to port
>>> >> $udp_services $udpstate
>>> >
>>> > Try commenting them and adding pass out all or pass inet proto { tcp, udp }
>>> > any and see if that works.
>>> >
>>> >> pass quick on tun0 all keep state
>>> > This is another problem area, but probably not the cause. The quick is
>>> > probably not handled as you are expecting. Pf reads the filtering rules in
>>> > priority from bottom to top, bottom being highest priority to top being
>>> > lowest priority. When quick is added, this is more or less reversed for the
>>> > rule and because it's near the bottom it has a lower priority. In general
>>> > the "quick" directive can make pf very confusing and a ruleset harder to
>>> > read so other than the top blocking entries with quick, I suggest never
>>> > using it, or use it for all filters and make it simple the opposite way.
>>>>
>>>>> jailnet = "10.0.0.0/8"
>>>>> vpnnet="10.8.0.0/8"
>>>> One thing I noticed is that the subnet chosen is an /8 subnet. Because of this, the entire 10.* address space applies to jailnet making all jailnet + vpnnet entries redundant. This also allows all addresses to communicate, at least if pf isn't filtering them. Usually segmenting the subnet is desired to limit communication between them.
>>>>
>>>>> pass quick on lo0 all
>>>> Why not just skip on lo0?
>>>>
>>>>> pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>>>> pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state
>>>> Why do these nearly duplicate rules exist?
>>>>
>>>> Optimizing pf is fun, but one thing that is important to remember is the more rules added, the more cycles used per packet. This is typically not noticed on small deployments but it can become a huge issue if grown.
>>>>
>>>> On Tue, Apr 18, 2017 at 4:20 PM, David Mehler wrote:
>>>>
>>>>> Hello Ultima,
>>>>>
>>>>> Thank you for your reply. Thanks for the information, I'm liking the new way the rules are looking. Unfortunately, still no go on the vpn. Everything else is working, just not the vpn.
>>>>>
>>>>> Thanks.
>>>>> Dave.
>>>>> PS, here's my rules as they stand now.
>>>>>
>>>>> pf.conf:
>>>>> #
>>>>> # Required order: macros, options, normalization, queueing,
>>>>> # translation, filtering.
>>>>> # Note: translation rules are first match while filter rules are last match.
>>>>>
>>>>> # Macros
>>>>> ext_if="vtnet0"
>>>>> int_if = "lo1"
>>>>> vpn_if = "tun0"
>>>>> jailnet = "10.0.0.0/8"
>>>>> vpnnet="10.8.0.0/8"
>>>>> icmp_types="{echoreq, unreach}"
>>>>> #IPV6 ICMP types:
>>>>> # packet too big and echo request type ping
>>>>> # Neighbor Discovery Protocol (NDP) (types 133-137):
>>>>> # Router Solicitation (RS), Router Advertisement (RA)
>>>>> # Neighbor Solicitation (NS), Neighbor Advertisement (NA)
>>>>> # Route Redirection
>>>>> icmp6_types="{ 2, 128, 133, 134, 135, 136, 137 }"
>>>>> #synstate="flags S/SA synproxy state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)"
>>>>> tcpstate ="flags S/SA modulate state"
>>>>> udpstate ="keep state"
>>>>> voipports = "{5060, 5061, 10000:10500}"
>>>>>
>>>>> # allowed traffic
>>>>> tcp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, imap, https, submission, imaps, 2703}"
>>>>> udp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, ntp, imap, https, submission, imaps, 3690, 6277, 24441, 4500, 500, 50, 51}"
>>>>>
>>>>> # Name and IP of jails
>>>>> webmail="10.0.0.15"
>>>>> # Name and IP of jailed ssh servers
>>>>> jssh1="10.0.0.15"
>>>>> jssh2="10.0.0.16"
>>>>> jssh3="10.0.0.17"
>>>>> jssh4="10.0.0.18"
>>>>> # The Asterisk Server
>>>>> asterisk="10.0.0.17"
>>>>> # The vpn server
>>>>> vpn="10.8.0.1"
>>>>>
>>>>> # Options
>>>>> # block-policy can be either drop or return
>>>>> set block-policy drop
>>>>> set optimization conservative
>>>>> set skip on tun0
>>>>>
>>>>> # Normalization
>>>>> # normalize all incoming traffic. Set ttl 254: limits mapping of hosts behind
>>>>> # firewall. Set random-id to help same.
>>>>> # Set mss to ATM network frame size for easy splitting upstream.
>>>>> scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble
>>>>>
>>>>> # NAT
>>>>> nat on $ext_if from $jailnet to any -> ($ext_if) static-port
>>>>> nat on $ext_if from $vpnnet to any -> ($ext_if) static-port
>>>>>
>>>>> # Redirect any packets requesting ports 2220, 2221, 2222, or 2223 to jailed ssh servers
>>>>> # External redirect
>>>>> rdr on $ext_if inet proto tcp to $ext_if port 2220 -> $jssh1 port 2220
>>>>> # reflect for internal hosts
>>>>> rdr on $int_if inet proto tcp to $int_if port 2220 -> $jssh1 port 2220
>>>>>
>>>>> # External redirect
>>>>> rdr on $ext_if inet proto tcp to $ext_if port 2221 -> $jssh2 port 2221
>>>>> # reflect for internal hosts
>>>>> rdr on $int_if inet proto tcp to $int_if port 2221 -> $jssh2 port 2221
>>>>>
>>>>> # External redirect
>>>>> rdr on $ext_if inet proto tcp to $ext_if port 2222 -> $jssh3 port 2222
>>>>> # reflect for internal hosts
>>>>> rdr on $int_if inet proto tcp to $int_if port 2222 -> $jssh3 port 2222
>>>>>
>>>>> # External redirect
>>>>> rdr on $ext_if inet proto tcp to $ext_if port 2223 -> $jssh4 port 2223
>>>>> # reflect for internal hosts
>>>>> rdr on $int_if inet proto tcp to $int_if port 2223 -> $jssh4 port 2223
>>>>>
>>>>> # Redirect traffic to the vpn server
>>>>> # External redirect
>>>>> rdr on $ext_if inet proto { tcp, udp } to $ext_if port 1194 -> $vpn port 1194
>>>>> #rdr on $ext_if inet proto tcp from any to $ext_if port 1194 -> $vpn port 1194
>>>>> # reflect for internal hosts
>>>>> rdr on $int_if inet proto { tcp, udp } to $int_if port 1194 -> $vpn port 1194
>>>>> #rdr on $int_if inet proto tcp from any to $int_if port 1194 -> $vpn port 1194
>>>>>
>>>>> # Redirect traffic to the asterisk server
>>>>> # SIP on UDP and tcp port 5060, tcp 5061 for secure signaling.
>>>>> rdr on $ext_if inet proto { tcp, udp } to $ext_if port 5060 -> $asterisk port 5060
>>>>> #rdr on $ext_if inet proto tcp from any to any port 5060 -> $asterisk port 5060
>>>>> rdr on $ext_if inet proto tcp to $ext_if port 5061 -> $asterisk port 5061
>>>>> # RTSP ports 10000 to 10500
>>>>> rdr on $ext_if inet proto udp to $ext_if port 10000:10500 -> $asterisk port 10000:10500
>>>>>
>>>>> # Tables
>>>>> table <bruteforce> persist file "/etc/pf/bruteforce"
>>>>> table <droplasso> persist file "/etc/pf/pf.drop.lasso.conf"
>>>>> table <fail2ban> persist file "/etc/pf/fail2ban"
>>>>> table <martians> persist file "/etc/pf/martians"
>>>>> # The ZeuS blocklist of c&c servers
>>>>> table <ZeuS> persist file "/etc/pf/ZeuS"
>>>>> # The malwaredomain ip block list
>>>>> table <malwaredomain> persist file "/etc/pf/malwaredomain"
>>>>> # Table of selected country IP addresses
>>>>> table <blocked_countries> persist file "/etc/pf/blocked_countries"
>>>>> # Table of apache mod_evasive blocks
>>>>> table <evasive> persist file "/etc/pf/evasive"
>>>>>
>>>>> # for the spamd greylist/blacklist service
>>>>> # (not related to spamassassin's spamd daemon)
>>>>> #table persist
>>>>> #table persist
>>>>>
>>>>> antispoof for $ext_if
>>>>> antispoof for $int_if
>>>>>
>>>>> # Start by blocking by default
>>>>> block all
>>>>>
>>>>> # Block anything in the blocked_countries table first
>>>>> block in quick from <blocked_countries>
>>>>>
>>>>> # Block nmap scans
>>>>> block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP
>>>>>
>>>>> # Explicitly block unroutable addresses
>>>>> block drop in quick on $ext_if from <martians> to any
>>>>> block drop out quick on $ext_if from any to <martians>
>>>>>
>>>>> # Explicitly block anything in the bruteforce table
>>>>> block in quick from <bruteforce>
>>>>>
>>>>> # Explicitly block anything in the fail2ban table
>>>>> block in quick from <fail2ban>
>>>>>
>>>>> # Explicitly block anything in the droplasso table
>>>>> block in quick from <droplasso>
>>>>>
>>>>> # Explicitly block anything in the ZeuS table
>>>>> block in quick from <ZeuS>
>>>>>
>>>>> # Explicitly block anything in the malwaredomain table
>>>>> block in quick from <malwaredomain>
>>>>>
>>>>> # Block anything in the evasive table
>>>>> block in quick from <evasive>
>>>>>
>>>>> # pass everything on the loopback interface
>>>>> pass quick on lo0 all
>>>>>
>>>>> # allow ping and host unreach
>>>>> pass inet proto icmp icmp-type $icmp_types keep state
>>>>>
>>>>> # Traceroute
>>>>> # allow out the default range for traceroute(8):
>>>>> # "base+nhops*nqueries-1" (33434+64*3-1)
>>>>> pass inet proto udp to port 33433:33626 # For IPv4
>>>>>
>>>>> # Pass out only the desired ports from host and jails
>>>>> pass inet proto tcp from { self, $jailnet } to any port $tcp_services $tcpstate
>>>>> pass inet proto udp from { self, $jailnet } to port $udp_services $udpstate
>>>>>
>>>>> # Allow ssh connections in from the internet
>>>>> pass in inet proto tcp to $ext_if port ssh flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>>>> # Pass in ssh traffic to the jails
>>>>> # pass rules for nat redirect
>>>>> pass in inet proto tcp to $jssh1 port 2220 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>>>> pass inet proto tcp to $jssh1 port 2220 flags S/SA keep state
>>>>>
>>>>> pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>>>> pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state
>>>>>
>>>>> pass in inet proto tcp to $jssh3 port 2222 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>>>> pass inet proto tcp to $jssh3 port 2222 flags S/SA keep state
>>>>>
>>>>> pass in inet proto tcp to $jssh4 port 2223 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>>>> pass inet proto tcp to $jssh4 port 2223 flags S/SA keep state
>>>>>
>>>>> # Pass traffic to the vpn
>>>>> pass in inet proto { tcp, udp } to $vpn port 1194 $udpstate
>>>>> #pass in inet proto tcp from any to $vpn port 1194 $udpstate
>>>>> pass inet proto { tcp, udp } to $vpn port 1194 $udpstate
>>>>> #pass inet proto tcp from any to $vpn port 1194 $udpstate
>>>>>
>>>>> # Pass in http traffic from the internet
>>>>> pass in inet proto tcp to $ext_if port 80 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>>>>
>>>>> # Pass in https traffic from the internet
>>>>> pass in inet proto tcp to $ext_if port 443 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>>>>
>>>>> # Pass in smtp traffic from the internet
>>>>> pass in inet proto tcp to $ext_if port 25 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>>>>
>>>>> # Pass in submission traffic from the internet
>>>>> pass in inet proto tcp to $ext_if port 587 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>>>>
>>>>> # Pass in imaps traffic from the internet
>>>>> pass in inet proto tcp to $ext_if port 993 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>>>>
>>>>> # pass traffic from the asterisk server
>>>>> pass inet proto { tcp, udp } to $asterisk port $voipports keep state
>>>>>
>>>>> On 4/18/17, Ultima wrote:
>>>>>> I didn't have time to read and look through this entire post, but I think I know the issue you're running into and this suggestion should push you in the right direction.
>>>>>>
>>>>>> this rule for example,
>>>>>>
>>>>>> rdr on $ext_if inet proto udp from any to any port 1194 -> $vpn port 1194
>>>>>> rdr on $ext_if inet proto tcp from any to any port 1194 -> $vpn port 1194
>>>>>> # reflect for internal hosts
>>>>>> rdr on $int_if inet proto udp from any to any port 1194 -> $vpn port 1194
>>>>>> rdr on $int_if inet proto tcp from any to any port 1194 -> $vpn port 1194
>>>>>>
>>>>>> This is probably not giving you the results you desire. Basically because no from or to ip is specified ALL and I quite literally mean ALL packets using port 1194 are being sent to $vpn port 1194. Usually you want to make it something like,
>>>>>>
>>>>>> rdr on $ext_if inet proto udp from any to $ext_ip port 1194 -> $vpn port 1194
>>>>>> rdr on $int_if inet proto udp from any to $int_ip port 1194 -> $vpn port 1194
>>>>>>
>>>>>> Now the traffic will be passed only when the packet is going to the host, not all traffic on a specific port. Another thing you may want to do is combine many of these rules you have.
>>>>>>
>>>>>> rdr on $ext_if inet proto { tcp, udp } to $ext_ip port 1194 -> $vpn port 1194
>>>>>>
>>>>>> Also note the above, because we are specifying any for from, we can remove the from rule entirely and make it shorter.
>>>>>>
>>>>>> Hope this helps
>>>>>>
>>>>>> Ultima
>>>>>>

From owner-freebsd-pf@freebsd.org Sat Apr 22 18:35:16 2017
From: David Mehler
Date: Sat, 22 Apr 2017 14:35:12 -0400
Subject: Re: freebsd 10.3, pf, and openvpn
To: Ultima
Cc: FreeBSD Mailing List, freebsd-pf@freebsd.org

Hello,

First of all my thanks to everyone who has been helping me with my FreeBSD, pf, and Openvpn issue over the past few days. It is much appreciated.

The good news is I have it, FreeBSD, pf, and Openvpn with the external Windows client now working, that is I can connect. I can ping the 192.168.0.1 vpn server address, as well as from server to client. I haven't done much else but it is working. The bad news is I have it by accident, I'm not sure how or why it is working. I don't think it should be.

Below I've placed the relevant portions of my before (non-working) and after (working) pf configuration files. In the working configuration there's no rdr lines, shouldn't there be?
Non-working pf configuration:

ext_if="vtnet0"
vpn_if = "tun0"
vpnnet="192.168.0.0/24"
udp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, ntp, imap, https, submission, imaps, 1194, 3690, 6277, 24441}"
# This line is required for dns, removing the 1194 from this line did not affect the outcome
vpn="192.168.0.1"
set skip on tun0
scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble
# Are these values correct?
nat on $ext_if from $vpnnet to any -> ($ext_if) static-port
rdr on $ext_if inet proto udp to $ext_if port 1194 -> $vpn port 1194
pass inet proto tcp from { self, $jailnet, $vpnnet } to any port $tcp_services $tcpstate
pass inet proto udp from { self, $jailnet, $vpnnet } to port $udp_services $udpstate
# Pass traffic to the vpn
pass inet proto { tcp, udp } to $vpn port 1194 $udpstate

Working pf configuration:

ext_if="vtnet0"
vpn_if = "tun0"
vpnnet="192.168.0.0/24"
vpn="192.168.0.1"
set skip on tun0
scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble
nat on $ext_if inet from $vpnnet to any -> $ext_if
# Pass traffic to the vpn
pass in quick on $ext_if proto udp from any to $ext_if port 1194 keep state

I'm wondering why my second config works? Are my scrub values right?
Here's my server's network device configurations:

vtnet0: flags=8843 metric 0 mtu 1500
	options=6c07bb
	ether EthernetAddress
	inet6 fe80::f03c:91ff:fedf:6fc%vtnet0 prefixlen 64 scopeid 0x1
	inet6 inet6Address autoconf
	inet xxx.xxx.xxx.xxx netmask 0xffffff00 broadcast xxx.xxx.xxx.255
	nd6 options=23
	media: Ethernet 10Gbase-T
	status: active
tun0: flags=8051 metric 0 mtu 1500
	options=80000
	inet6 fe80::6424:fcc1:8d67:8fc6%tun0 prefixlen 64 scopeid 0x4
	inet 192.168.0.1 --> 192.168.0.2 netmask 0xffffff00
	nd6 options=21
	Opened by PID 81855
pflog0: flags=141 metric 0 mtu 33160

I'm also curious as to whether my tls configuration is correct, using the most secure ciphers and protocols and pfs for both the control and data channels? Do I also need to uncomment the lz4 lines? Here's the relevant portions of my client and server configs:

server configuration:

local xxx.xxx.xxx.xxx
port 1194
proto udp4
dev tun0
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
key /usr/local/etc/openvpn/keys/openvpn-server.key  # This file should be kept secret
dh /usr/local/etc/openvpn/keys/dh.pem
topology subnet
server 192.168.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2
;push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
;client-to-client
keepalive 10 120
tls-auth /usr/local/etc/openvpn/keys/ta.key 0 # This file is secret
cipher AES-256-GCM
;compress lz4-v2
;push "compress lz4-v2"
max-clients 16
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 4
mute 20
mute-replay-warnings
remote-cert-tls client
tls-version-min 1.2
auth SHA512
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
explicit-exit-notify 1

client configuration:

client
dev tun
proto udp4
tun-mtu 1500
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-GCM
verb 4
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
auth SHA512
route-method exe
route-delay 5
route-metric 550

Thanks again.
Dave.
PS, Ultima can I get a look at your pf configuration?

On 4/19/17, David Mehler wrote:
> Hello,
>
> I commented out the rules indicated and still nothing.
>
> Thanks.
> Dave.
>
> On 4/19/17, Ultima wrote:
>> I forgot to mention, make sure the ext_gateway variable changed to the correct gateway.
>>
>> On Wed, Apr 19, 2017 at 8:24 PM, Ultima wrote:
>>
>>> I keep looking at the rules and finally decided to rewrite some of them. This may not fix the issue you are having with openvpn tho. The issue with that is most likely the passing out rules. This rule is kinda written weird and I suggest just removing it and passing everything out and verifying if that is the cause. The problem is many connections that the host will open are opened at the high end ports, I believe it was around 40000:65535. I could be wrong tho and hope someone corrects my errors if so.
>>>
>>>> # Pass out only the desired ports from host and jails
>>>> pass inet proto tcp from {self, $jailnet, $vpnnet} to any port $tcp_services $tcpstate
>>>> pass inet proto udp from {self, $jailnet, $vpnnet} to port $udp_services $udpstate
>>>
>>> If ur still having issues with openvpn, with this ruleset, then first, try changing the block all rule to block on ext_if.
>>> This will determine if a pass rule internally is the cause.
>>>
>>>> block all
>>> block on $ext_if all
>>>
>>> Going to CC freebsd-pf@freebsd.org I hope this helps
>>>
>>> Ultima
>>>
>>> #
>>> # Required order: macros, options, normalization, queueing,
>>> # translation, filtering.
>>> # Note: translation rules are first match while filter rules are last match.
>>>
>>> # Macros
>>> ext_if="vtnet0"
>>> ext_gateway="10.0.0.1"
>>> int_if = "lo1"
>>> vpn_if = "tun0"
>>> jailnet = "10.0.0.0/8"
>>> vpnnet="10.8.0.0/8"
>>> icmp_types="{echoreq, unreach}"
>>> #IPV6 ICMP types:
>>> # packet too big and echo request type ping
>>> # Neighbor Discovery Protocol (NDP) (types 133-137):
>>> # Router Solicitation (RS), Router Advertisement (RA)
>>> # Neighbor Solicitation (NS), Neighbor Advertisement (NA)
>>> # Route Redirection
>>> icmp6_types="{ 2, 128, 133, 134, 135, 136, 137 }"
>>> #synstate="flags S/SA synproxy state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)"
>>> tcpstate="flags S/SA modulate state"
>>> udpstate="keep state"
>>>
>>> # allowed traffic
>>> tcp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, imap, https, submission, imaps, 2703}"
>>> udp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, ntp, imap, https, submission, imaps, 1194, 3690, 6277, 24441, 4500, 500, 50, 51}"
>>>
>>> # Name and IP of jails
>>> webmail="10.0.0.15"
>>> # Name and IP of jailed ssh servers
>>> jssh1="10.0.0.15"
>>> jssh2="10.0.0.16"
>>> jssh3="10.0.0.17"
>>> jssh4="10.0.0.18"
>>> jssh1_tcp="2220"
>>> jssh2_tcp="2221"
>>> jssh3_tcp="2222"
>>> jssh4_tcp="2223"
>>> # The Asterisk Server
>>> asterisk="10.0.0.17"
>>> asterisk_tcp="5060:5061"
>>> asterisk_udp="5060, 10000:10500"
>>> # The vpn server
>>> vpn="10.8.0.1"
>>>
>>> # Options
>>> # block-policy can be either drop or return
>>> set block-policy drop
>>> set optimization conservative
>>> set skip on lo0
>>>
>>> # Normalization
>>> # normalize all incoming traffic. Set ttl 254: limits mapping of hosts behind
>>> # firewall. Set random-id to help same.
>>> # Set mss to ATM network frame size for easy splitting upstream.
>>> scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble
>>>
>>> # NAT
>>> nat on $ext_if from $jailnet to any -> ($ext_if) static-port
>>> nat on $ext_if from $vpnnet to any -> ($ext_if)
>>>
>>> # Redirect any packets requesting ports 2220, 2221, 2222, or 2223 to jailed ssh servers
>>> # External redirect & reflect for internal hosts
>>> # Note, the -> $ip port $port is only required for port triggering.
>>> rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh1_tcp } tag jssh1 -> $jssh1
>>> rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh2_tcp } tag jssh2 -> $jssh2
>>> rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh3_tcp } tag jssh3 -> $jssh3
>>> rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh4_tcp } tag jssh4 -> $jssh4
>>>
>>> # Redirect traffic to the vpn server
>>> # External redirect
>>> rdr on { $ext_if, $int_if } inet proto { tcp, udp } to { ($ext_if), ($int_if) } port 1194 tag vpn -> $vpn
>>>
>>> # Redirect traffic to the asterisk server
>>> # SIP on UDP and tcp port 5060, tcp 5061 for secure signaling.
>>> # RTSP ports 10000 to 10500
>>> rdr on $ext_if inet proto udp to any port { $asterisk_udp } tag asterisk_udp -> $asterisk
>>> rdr on $ext_if inet proto tcp to any port { $asterisk_tcp } tag asterisk_tcp -> $asterisk
>>>
>>> # Tables
>>> table <bruteforce> persist file "/etc/pf/bruteforce"
>>> table <droplasso> persist file "/etc/pf/pf.drop.lasso.conf"
>>> table <fail2ban> persist file "/etc/pf/fail2ban"
>>> table <martians> persist file "/etc/pf/martians"
>>> # The ZeuS blocklist of c&c servers
>>> table <ZeuS> persist file "/etc/pf/ZeuS"
>>> # The malwaredomain ip block list
>>> table <malwaredomain> persist file "/etc/pf/malwaredomain"
>>> # Table of selected country IP addresses
>>> table <blocked_countries> persist file "/etc/pf/blocked_countries"
>>> # Table of apache mod_evasive blocks
>>> table <evasive> persist file "/etc/pf/evasive"
>>>
>>> antispoof for { $ext_if, $int_if }
>>>
>>> # Start by blocking by default
>>> block all
>>>
>>> # Block anything in the blocked_countries table first
>>> block in quick from <blocked_countries>
>>>
>>> # Block nmap scans
>>> block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP
>>>
>>> # Explicitly block unroutable addresses
>>> block drop in quick on $ext_if from <martians> to any
>>> block drop out quick on $ext_if from any to <martians>
>>>
>>> # Explicitly block anything in the bruteforce table
>>> block in quick from <bruteforce>
>>>
>>> # Explicitly block anything in the fail2ban table
>>> block in quick from <fail2ban>
>>>
>>> # Explicitly block anything in the droplasso table
>>> block in quick from <droplasso>
>>>
>>> # Explicitly block anything in the ZeuS table
>>> block in quick from <ZeuS>
>>>
>>> # Explicitly block anything in the malwaredomain table
>>> block in quick from <malwaredomain>
>>>
>>> # Block anything in the evasive table
>>> block in quick from <evasive>
>>>
>>> # allow ping and host unreach
>>> pass inet proto icmp icmp-type $icmp_types keep state
>>>
>>> # Traceroute
>>> # allow out the default range for traceroute(8):
>>> # "base+nhops*nqueries-1" (33434+64*3-1)
>>> pass inet proto udp to port 33433:33626 # For IPv4
>>>
>>> # Pass out only the desired ports from host and jails
>>> pass inet proto tcp from {self, $jailnet, $vpnnet} to any port $tcp_services $tcpstate
>>> pass inet proto udp from {self, $jailnet, $vpnnet} to port $udp_services $udpstate
>>>
>>> # Allow ssh connections in from the internet
>>> pass in inet proto tcp from any to ($ext_if) port ssh \
>>>     flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>> # Pass in ssh traffic to the jails
>>> # pass rules for nat redirect
>>> pass in on $ext_if reply-to ( $ext_if $ext_gateway ) proto tcp tagged jssh1 jssh2 jssh3 jssh4 \
>>>     flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>> pass in on $int_if inet proto tcp tagged jssh1 jssh2 jssh3 jssh4 flags S/SA keep state
>>>
>>> # Pass traffic to the vpn
>>> pass in on $ext_if reply-to ( $ext_if $ext_gateway ) proto { tcp, udp } tagged vpn $udpstate
>>> pass in on $int_if inet proto { tcp, udp } tagged vpn $udpstate
>>> pass out on tun0 keep state
>>> #pass quick on tun0 all keep state
>>>
>>> # Pass in smtp, http, https, submission, imaps traffic from the internet
>>> pass in inet proto tcp to $ext_if port { 25, 80, 443, 587, 993 } \
>>>     flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>>
>>> # pass traffic from the asterisk server
>>> pass inet proto tcp tagged asterisk_tcp keep state
>>> pass inet proto udp tagged asterisk_udp keep state
>>>
>>> On Wed, Apr 19, 2017 at 11:06 AM, David Mehler wrote:
>>>
>>>> Hi,
>>>>
>>>> Thanks. Still no go on the vpn. In answer to your questions:
>>>>
>>>>> pass inet proto tcp from {self, $jailnet, $vpnnet} to any port $tcp_services $tcpstate
>>>>> pass inet proto udp from {self, $jailnet, $vpnnet} to port $udp_services $udpstate
>>>>
>>>> I've got only a selected list of ports that I want in or out, everything else should be blocked.
>>>>
>>>> I tried commenting out the pass quick on tun0 all and replaced it with set skip on tun0 no joy.
>>>>
>>>> I took out the second nat line on the vpnnet as of now I'm wanting to keep the jailnet and the vpnnet ranges the same, though if this issue doesn't soon resolve I might change that idea.
>>>>
>>>>> pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>>>> pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state
>>>>
>>>> What I wanted to achieve with this was nat reflection, external connections to these hosts worked fine on the desired ports, but on the host itself if I tried to do an ssh to one of my jails port 2220 it failed, these rules corrected that.
>>>>
>>>> Right now I'll settle for working.
>>>>
>>>> Thanks.
>>>> Dave.
>>>>
>>>> On 4/19/17, Ultima wrote:
>>>>> After a full look, I suspect this being a problem entry.
>>>>>
>>>>>> # Pass out only the desired ports from host and jails
>>>>>> pass inet proto tcp from {self, $jailnet, $vpnnet} to any port $tcp_services $tcpstate
>>>>>> pass inet proto udp from {self, $jailnet, $vpnnet} to port $udp_services $udpstate
>>>>>
>>>>> Try commenting them and adding pass out all or pass inet proto { tcp, udp } any and see if that works.
>>>>>
>>>>>> pass quick on tun0 all keep state
>>>>> This is another problem area, but probably not the cause. The quick is probably not handled as you are expecting. Pf reads the filtering rules in priority from bottom to top, bottom being highest priority to top being lowest priority. When quick is added, this is more or less reversed for the rule and because it's near the bottom it has a lower priority.
>>>>> In general the "quick" directive can make pf very confusing and a ruleset harder to read so other than the top blocking entries with quick, I suggest never using it, or use it for all filters and make it simple the opposite way.
>>>>>
>>>>>> jailnet = "10.0.0.0/8"
>>>>>> vpnnet="10.8.0.0/8"
>>>>> One thing I noticed is that the subnet chosen is an /8 subnet. Because of this, the entire 10.* address space applies to jailnet making all jailnet + vpnnet entries redundant. This also allows all addresses to communicate, at least if pf isn't filtering them. Usually segmenting the subnet is desired to limit communication between them.
>>>>>
>>>>>> pass quick on lo0 all
>>>>> Why not just skip on lo0?
>>>>>
>>>>>> pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>>>>> pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state
>>>>> Why do these nearly duplicate rules exist?
>>>>>
>>>>> Optimizing pf is fun, but one thing that is important to remember is the more rules added, the more cycles used per packet. This is typically not noticed on small deployments but it can become a huge issue if grown.
>>>>>
>>>>> On Tue, Apr 18, 2017 at 4:20 PM, David Mehler wrote:
>>>>>
>>>>>> Hello Ultima,
>>>>>>
>>>>>> Thank you for your reply. Thanks for the information, I'm liking the new way the rules are looking. Unfortunately, still no go on the vpn. Everything else is working, just not the vpn.
>>>>>>
>>>>>> Thanks.
>>>>>> Dave.
>>>>>> PS, here's my rules as they stand now.
>>>>>>
>>>>>> pf.conf:
>>>>>> #
>>>>>> # Required order: macros, options, normalization, queueing,
>>>>>> # translation, filtering.
>>>> >> # Note: translation rules are first match while filter rules are last match.
>>>> >>
>>>> >> # Macros
>>>> >> ext_if="vtnet0"
>>>> >> int_if = "lo1"
>>>> >> vpn_if = "tun0"
>>>> >> jailnet = "10.0.0.0/8"
>>>> >> vpnnet="10.8.0.0/8"
>>>> >> icmp_types="{echoreq, unreach}"
>>>> >> #IPV6 ICMP types:
>>>> >> # packet too big and echo request type ping
>>>> >> # Neighbor Discovery Protocol (NDP) (types 133-137):
>>>> >> # Router Solicitation (RS), Router Advertisement (RA)
>>>> >> # Neighbor Solicitation (NS), Neighbor Advertisement (NA)
>>>> >> # Route Redirection
>>>> >> icmp6_types="{ 2, 128, 133, 134, 135, 136, 137 }"
>>>> >> #synstate="flags S/SA synproxy state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)"
>>>> >> tcpstate ="flags S/SA modulate state"
>>>> >> udpstate ="keep state"
>>>> >> voipports = "{5060, 5061, 10000:10500}"
>>>> >>
>>>> >> # allowed traffic
>>>> >> tcp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, imap, https, submission, imaps, 2703}"
>>>> >> udp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, ntp, imap, https, submission, imaps, 3690, 6277, 24441, 4500, 500, 50, 51}"
>>>> >>
>>>> >> # Name and IP of jails
>>>> >> webmail="10.0.0.15"
>>>> >> # Name and IP of jailed ssh servers
>>>> >> jssh1="10.0.0.15"
>>>> >> jssh2="10.0.0.16"
>>>> >> jssh3="10.0.0.17"
>>>> >> jssh4="10.0.0.18"
>>>> >> # The Asterisk Server
>>>> >> asterisk="10.0.0.17"
>>>> >> # The vpn server
>>>> >> vpn="10.8.0.1"
>>>> >>
>>>> >> # Options
>>>> >> # block-policy can be either drop or return
>>>> >> set block-policy drop
>>>> >> set optimization conservative
>>>> >> set skip on tun0
>>>> >>
>>>> >> # Normalization
>>>> >> # normalize all incoming traffic. Set ttl 254: limits mapping of hosts behind
>>>> >> # firewall. Set random-id to help same.
>>>> >> # Set mss to ATM network frame size for easy splitting upstream.
>>>> >> scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble
>>>> >>
>>>> >> # NAT
>>>> >> nat on $ext_if from $jailnet to any -> ($ext_if) static-port
>>>> >> nat on $ext_if from $vpnnet to any -> ($ext_if) static-port
>>>> >>
>>>> >> # Redirect any packets requesting ports 2220, 2221, 2222, or 2223 to jailed ssh servers
>>>> >> # External redirect
>>>> >> rdr on $ext_if inet proto tcp to $ext_if port 2220 -> $jssh1 port 2220
>>>> >> # reflect for internal hosts
>>>> >> rdr on $int_if inet proto tcp to $int_if port 2220 -> $jssh1 port 2220
>>>> >>
>>>> >> # External redirect
>>>> >> rdr on $ext_if inet proto tcp to $ext_if port 2221 -> $jssh2 port 2221
>>>> >> # reflect for internal hosts
>>>> >> rdr on $int_if inet proto tcp to $int_if port 2221 -> $jssh2 port 2221
>>>> >>
>>>> >> # External redirect
>>>> >> rdr on $ext_if inet proto tcp to $ext_if port 2222 -> $jssh3 port 2222
>>>> >> # reflect for internal hosts
>>>> >> rdr on $int_if inet proto tcp to $int_if port 2222 -> $jssh3 port 2222
>>>> >>
>>>> >> # External redirect
>>>> >> rdr on $ext_if inet proto tcp to $ext_if port 2223 -> $jssh4 port 2223
>>>> >> # reflect for internal hosts
>>>> >> rdr on $int_if inet proto tcp to $int_if port 2223 -> $jssh4 port 2223
>>>> >>
>>>> >> # Redirect traffic to the vpn server
>>>> >> # External redirect
>>>> >> rdr on $ext_if inet proto { tcp, udp } to $ext_if port 1194 -> $vpn port 1194
>>>> >> #rdr on $ext_if inet proto tcp from any to $ext_if port 1194 -> $vpn port 1194
>>>> >> # reflect for internal hosts
>>>> >> rdr on $int_if inet proto { tcp, udp } to $int_if port 1194 -> $vpn port 1194
>>>> >> #rdr on $int_if inet proto tcp from any to $int_if port 1194 -> $vpn port 1194
>>>> >>
>>>> >> # Redirect traffic to the asterisk server
>>>> >> # SIP on UDP and tcp port 5060, tcp 5061 for secure signaling.
>>>> >> rdr on $ext_if inet proto { tcp, udp } to $ext_if port 5060 -> $asterisk port 5060
>>>> >> #rdr on $ext_if inet proto tcp from any to any port 5060 -> $asterisk port 5060
>>>> >> rdr on $ext_if inet proto tcp to $ext_if port 5061 -> $asterisk port 5061
>>>> >> # RTSP ports 10000 to 10500
>>>> >> rdr on $ext_if inet proto udp to $ext_if port 10000:10500 -> $asterisk port 10000:10500
>>>> >>
>>>> >> # Tables
>>>> >> table persist file "/etc/pf/bruteforce"
>>>> >> table persist file "/etc/pf/pf.drop.lasso.conf"
>>>> >> table persist file "/etc/pf/fail2ban"
>>>> >> table persist file "/etc/pf/martians"
>>>> >> # The ZeuS blocklist of c&c servers
>>>> >> table persist file "/etc/pf/ZeuS"
>>>> >> # The malwaredomain ip block list
>>>> >> table persist file "/etc/pf/malwaredomain"
>>>> >> # Table of selected country IP addresses
>>>> >> table persist file "/etc/pf/blocked_countries"
>>>> >> # Table of apache mod_evasive blocks
>>>> >> table persist file "/etc/pf/evasive"
>>>> >>
>>>> >> # for the spamd greylist/blacklist service
>>>> >> # (not related to spamassassin's spamd daemon)
>>>> >> #table persist
>>>> >> #table persist
>>>> >>
>>>> >> antispoof for $ext_if
>>>> >> antispoof for $int_if
>>>> >>
>>>> >> # Start by blocking by default
>>>> >> block all
>>>> >>
>>>> >> # Block anything in the blocked_countries table first
>>>> >> block in quick from
>>>> >>
>>>> >> # Block nmap scans
>>>> >> block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP
>>>> >>
>>>> >> # Explicitly block unroutable addresses
>>>> >> block drop in quick on $ext_if from to any
>>>> >> block drop out quick on $ext_if from any to
>>>> >>
>>>> >> # Explicitly block anything in the bruteforce table
>>>> >> block in quick from
>>>> >>
>>>> >> # Explicitly block anything in the fail2ban table
>>>> >> block in quick from
>>>> >>
>>>> >> # Explicitly block anything in the droplasso table
>>>> >> block in quick from
>>>> >>
>>>> >> # Explicitly block anything in the ZeuS table
>>>> >> block in quick from
>>>> >>
>>>> >> # Explicitly block anything in the malwaredomain table
>>>> >> block in quick from
>>>> >>
>>>> >> # Block anything in the evasive table
>>>> >> block in quick from
>>>> >>
>>>> >> # pass everything on the loopback interface
>>>> >> pass quick on lo0 all
>>>> >>
>>>> >> # allow ping and host unreach
>>>> >> pass inet proto icmp icmp-type $icmp_types keep state
>>>> >>
>>>> >> # Traceroute
>>>> >> # allow out the default range for traceroute(8):
>>>> >> # "base+nhops*nqueries-1" (33434+64*3-1)
>>>> >> pass inet proto udp to port 33433:33626 # For IPv4
>>>> >>
>>>> >> # Pass out only the desired ports from host and jails
>>>> >> pass inet proto tcp from { self, $jailnet } to any port $tcp_services $tcpstate
>>>> >> pass inet proto udp from { self, $jailnet } to port $udp_services $udpstate
>>>> >>
>>>> >> # Allow ssh connections in from the internet
>>>> >> pass in inet proto tcp to $ext_if port ssh flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>>>> >> # Pass in ssh traffic to the jails
>>>> >> # pass rules for nat redirect
>>>> >> pass in inet proto tcp to $jssh1 port 2220 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>>>> >> pass inet proto tcp to $jssh1 port 2220 flags S/SA keep state
>>>> >>
>>>> >> pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>>>> >> pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state
>>>> >>
>>>> >> pass in inet proto tcp to $jssh3 port 2222 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>>>> >> pass inet proto tcp to $jssh3 port 2222 flags S/SA keep state
>>>> >>
>>>> >> pass in inet proto tcp to $jssh4 port 2223 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>>>> >> pass inet proto tcp to $jssh4 port 2223 flags S/SA keep state
>>>> >>
>>>> >> # Pass traffic to the vpn
>>>> >> pass in inet proto { tcp, udp } to $vpn port 1194 $udpstate
>>>> >> #pass in inet proto tcp from any to $vpn port 1194 $udpstate
>>>> >> pass inet proto { tcp, udp } to $vpn port 1194 $udpstate
>>>> >> #pass inet proto tcp from any to $vpn port 1194 $udpstate
>>>> >>
>>>> >> # Pass in http traffic from the internet
>>>> >> pass in inet proto tcp to $ext_if port 80 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>>>> >>
>>>> >> # Pass in https traffic from the internet
>>>> >> pass in inet proto tcp to $ext_if port 443 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>>>> >>
>>>> >> # Pass in smtp traffic from the internet
>>>> >> pass in inet proto tcp to $ext_if port 25 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>>>> >>
>>>> >> # Pass in submission traffic from the internet
>>>> >> pass in inet proto tcp to $ext_if port 587 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>>>> >>
>>>> >> # Pass in imaps traffic from the internet
>>>> >> pass in inet proto tcp to $ext_if port 993 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>>>> >>
>>>> >> # pass traffic from the asterisk server
>>>> >> pass inet proto { tcp, udp } to $asterisk port $voipports keep state
>>>> >>
>>>> >>
>>>> >> On 4/18/17, Ultima wrote:
>>>> >> > I didn't have time to read and look through this entire post, but I
>>>> >> > think I know the issue you're running into and this suggestion should
>>>> >> > push you in the right direction.
>>>> >> >
>>>> >> > this rule for example,
>>>> >> >
>>>> >> > rdr on $ext_if inet proto udp from any to any port 1194 -> $vpn port 1194
>>>> >> > rdr on $ext_if inet proto tcp from any to any port 1194 -> $vpn port 1194
>>>> >> > # reflect for internal hosts
>>>> >> > rdr on $int_if inet proto udp from any to any port 1194 -> $vpn port 1194
>>>> >> > rdr on $int_if inet proto tcp from any to any port 1194 -> $vpn port 1194
>>>> >> >
>>>> >> > This is probably not giving you the results you desire. Basically because
>>>> >> > no from or to ip is specified ALL, and I quite literally mean ALL, packets
>>>> >> > using port 1194 are being sent to $vpn port 1194. Usually you want to
>>>> >> > make it something like,
>>>> >> >
>>>> >> > rdr on $ext_if inet proto udp from any to $ext_ip port 1194 -> $vpn port 1194
>>>> >> > rdr on $int_if inet proto udp from any to $int_ip port 1194 -> $vpn port 1194
>>>> >> >
>>>> >> > Now the traffic will be passed only when the packet is going to the host,
>>>> >> > not all traffic on a specific port. Another thing you may want to do is
>>>> >> > combine many of these rules you have.
>>>> >> >
>>>> >> > rdr on $ext_if inet proto { tcp, udp } to $ext_ip port 1194 -> $vpn port 1194
>>>> >> >
>>>> >> > Also note the above, because we are specifying any for from, we can
>>>> >> > remove the from rule entirely and make it shorter.
>>>> >> >
>>>> >> > Hope this helps
>>>> >> >
>>>> >> > Ultima
>>>> >> >
>>>> >>
>>>> >
>>>>
>>>
>>
>

From owner-freebsd-pf@freebsd.org Sat Apr 22 22:32:47 2017
Delivered-To: freebsd-pf@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id BD5D3D4B70E; Sat, 22 Apr 2017 22:32:47 +0000 (UTC) (envelope-from ultima1252@gmail.com)
Received: from mail-yw0-x233.google.com (mail-yw0-x233.google.com [IPv6:2607:f8b0:4002:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 5F86AF82; Sat, 22 Apr 2017 22:32:47 +0000 (UTC) (envelope-from ultima1252@gmail.com)
Received: by mail-yw0-x233.google.com with SMTP id 203so62369616ywe.0; Sat, 22 Apr 2017 15:32:47 -0700 (PDT)
From: Ultima
Date: Sat, 22 Apr 2017 18:32:45 -0400
Subject: Re: freebsd 10.3, pf, and openvpn
To: David Mehler
Cc: FreeBSD Mailing List , freebsd-pf@freebsd.org
Content-Type: text/plain; charset=UTF-8
List-Id: "Technical discussion and general questions about packet filter (pf)"
X-List-Received-Date: Sat, 22 Apr 2017 22:32:47 -0000

Bravo, I am glad you are still working on this and starting simple.

> The bad news is I have it by accident, I'm not sure how or why it is
> working. I don't think it should be. Below I've placed the relevant
> portions of my before (non-working) and after (working) pf
> configuration files. In the working configuration there's no rdr lines,
> shouldn't there be?

An rdr rule is only necessary when a packet should be routed to a different
destination. In this case, openvpn looks to be listening on ext_if, because
of this no rdr rule is required. One thing you must ask yourself on the
non-working pf configuration is, because there are no block rules, how is it
not working?
> Non-working pf configuration:
> ext_if="vtnet0"
> vpn_if = "tun0"
> vpnnet="192.168.0.0/24"
> udp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, ntp, imap, https, submission, imaps, 1194, 3690, 6277, 24441}" # This line is required for dns, removing the 1194 from this line did not affect the outcome
> vpn="192.168.0.1"
> set skip on tun0
> scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble # Are these values correct?

If by correct you are asking will it work, it should, yes. I wouldn't worry so
much about optimizing the scrub values unless you are running into a specific
issue. If you're really interested, find "scrub" in this section to read more
about it.
https://www.freebsd.org/cgi/man.cgi?query=pf.conf&sektion=5

> nat on $ext_if from $vpnnet to any -> ($ext_if) static-port
> rdr on $ext_if inet proto udp to $ext_if port 1194 -> $vpn port 1194

All traffic on port 1194 is being redirected to the vpn ip. It is highly
unlikely openvpn is listening on that port to initiate a connection. That
address pool is created for the outgoing traffic of a connected vpn client.

> pass inet proto tcp from { self, $jailnet, $vpnnet } to any port $tcp_services $tcpstate
> pass inet proto udp from { self, $jailnet, $vpnnet } to port $udp_services $udpstate
> # Pass traffic to the vpn
> pass inet proto { tcp, udp } to $vpn port 1194 $udpstate

> Working pf configuration:
> ext_if="vtnet0"
> vpn_if = "tun0"
> vpnnet="192.168.0.0/24"
> vpn="192.168.0.1"
> set skip on tun0
> scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble
> nat on $ext_if inet from $vpnnet to any -> $ext_if
> # Pass traffic to the vpn
> pass in quick on $ext_if proto udp from any to $ext_if port 1194 keep state

This is beautifully simple and precisely what is needed if any block rules
were in place. If you plan to not jail openvpn, this is an ideal starting
place.
From here I would remove the skip on tun0 and apply some rules to your
internal vpn connections. Also, don't forget by default pf blocks nothing, so
without a block rule nothing will be dropped.

> I'm also curious as to whether my tls configuration is correct, using
> the most secure ciphers and protocols and pfs for both the control and
> data channels? Do I also need to uncomment the lz4 lines? Here's the
> relevant portions of my client and server configs:

I would suggest using compression for the performance boost. lz4 is fast, but
always consider that it's another layer, and that could possibly be
compromised like other compression related performance boosting attacks. I'm
no expert on this however, just note it _may_ or _may not_ be another vector
in the future, and hopefully not present. Check out BEAST, BREACH, and CRIME
vulns which are other compression based attacks.

> tls-auth ta.key 1

Starting with Openvpn 2.4.0, tls-crypt was added and includes authentication.
It is an improved version of tls-auth and replaces it. I think tls-auth is
still present for compatibility purposes for older clients.

This is a basic config for my desktop, very simple.

This is my desktop config:
set block-policy drop
set skip on lo
scrub all no-df max-mss 1440 random-id reassemble tcp
block all
pass in inet proto icmp all icmp-type echoreq
pass in inet6 proto ipv6-icmp all icmp6-type { 128, 129, 133, 134, 135, 136, 137 }
pass in inet proto tcp to any port { 22 }
pass out all keep state

This is a host with some jails, the jails are all using the same interface,
with alias ip's. This is on a lan network.

host="192.168.1.8"
host_tcp="22, 53, 5902"
host_udp="53, 69"
j1_jail="192.168.1.9"
j1_tcp="80, 443, 42837"
j1_udp="42837"
j2_jail="192.168.1.10"
j2_tcp="2400"
test_jail="192.168.1.33"
test_tcp="80, 443, 12001"
test_udp=""
set block-policy drop
# Bridge1 and tap1 added for bhyve, pf + bhyve do not mix well.
set skip on { lo, bridge1, tap1 }
scrub all no-df max-mss 1440 random-id reassemble tcp
block all
pass in inet proto icmp all icmp-type echoreq
pass in inet6 proto ipv6-icmp all icmp6-type { 1, 2, 3, 4, 128, 129, 133, 134, 135, 136, 137 }
pass in proto tcp to $host port { $host_tcp } keep state
pass in proto udp to $host port { $host_udp } keep state
pass in proto tcp to $j1_jail port { $j1_tcp } keep state
pass in proto udp to $j1_jail port { $j1_udp } keep state
pass in proto tcp to $j2_jail port { $j2_tcp } keep state
pass in proto tcp to $test_jail port { $test_tcp } keep state
pass in proto udp to $test_jail port { $test_udp } keep state
pass out all keep state

This is not what I suggest unless you aren't worried too much about
segregation, and most def not suggested if it's attached to WAN like in your
case. Having loopback for jails like you had before is better. Enabling
icmp6-type 1 2 3 4 is not super important, more for errors. If you want more
information on them check out this page:
https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol_version_6
but the important ones to enable are 128, 129, 133, 134, 135, 136, 137.

The important thing I want to suggest is to make a variable or table for
everything; that way if/when the config gets complicated it is much easier to
read. I can also post a config of a decommissioned router but I would need
time to get it, if you're interested.

I hope this helps,
Ultima

On Sat, Apr 22, 2017 at 2:35 PM, David Mehler wrote:
> Hello,
>
> First of all my thanks to everyone who has been helping me with my
> FreeBSD, pf, and Openvpn issue over the past few days. It is much
> appreciated.
>
> The good news is I have it, FreeBSD, pf, and Openvpn with the external
> Windows client now working, that is I can connect. I can ping the
> 192.168.0.1 vpn server address, as well as from server to client. I
> haven't done much else but it is working.
>
> The bad news is I have it by accident, I'm not sure how or why it is
> working. I don't think it should be. Below I've placed the relevant
> portions of my before (non-working) and after (working) pf
> configuration files. In the working configuration there's no rdr lines,
> shouldn't there be?
>
> Non-working pf configuration:
> ext_if="vtnet0"
> vpn_if = "tun0"
> vpnnet="192.168.0.0/24"
> udp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, ntp, imap, https, submission, imaps, 1194, 3690, 6277, 24441}" # This line is required for dns, removing the 1194 from this line did not affect the outcome
> vpn="192.168.0.1"
> set skip on tun0
> scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble # Are these values correct?
> nat on $ext_if from $vpnnet to any -> ($ext_if) static-port
> rdr on $ext_if inet proto udp to $ext_if port 1194 -> $vpn port 1194
> pass inet proto tcp from { self, $jailnet, $vpnnet } to any port $tcp_services $tcpstate
> pass inet proto udp from { self, $jailnet, $vpnnet } to port $udp_services $udpstate
> # Pass traffic to the vpn
> pass inet proto { tcp, udp } to $vpn port 1194 $udpstate
>
> Working pf configuration:
> ext_if="vtnet0"
> vpn_if = "tun0"
> vpnnet="192.168.0.0/24"
> vpn="192.168.0.1"
> set skip on tun0
> scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble
> nat on $ext_if inet from $vpnnet to any -> $ext_if
> # Pass traffic to the vpn
> pass in quick on $ext_if proto udp from any to $ext_if port 1194 keep state
>
> I'm wondering why my second config works? Are my scrub values right?
> Here's my server's network device configurations:
>
> vtnet0: flags=8843 metric 0 mtu 1500
> options=6c07bb MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
> ether EthernetAddress
> inet6 fe80::f03c:91ff:fedf:6fc%vtnet0 prefixlen 64 scopeid 0x1
> inet6 inet6Address autoconf
> inet xxx.xxx.xxx.xxx netmask 0xffffff00 broadcast xxx.xxx.xxx.255
> nd6 options=23
> media: Ethernet 10Gbase-T
> status: active
> tun0: flags=8051 metric 0 mtu 1500
> options=80000
> inet6 fe80::6424:fcc1:8d67:8fc6%tun0 prefixlen 64 scopeid 0x4
> inet 192.168.0.1 --> 192.168.0.2 netmask 0xffffff00
> nd6 options=21
> Opened by PID 81855
> pflog0: flags=141 metric 0 mtu 33160
>
> I'm also curious as to whether my tls configuration is correct, using
> the most secure ciphers and protocols and pfs for both the control and
> data channels? Do I also need to uncomment the lz4 lines? Here's the
> relevant portions of my client and server configs:
>
> server configuration:
> local xxx.xxx.xxx.xxx
> port 1194
> proto udp4
> dev tun0
> ca /usr/local/etc/openvpn/keys/ca.crt
> cert /usr/local/etc/openvpn/keys/openvpn-server.crt
> key /usr/local/etc/openvpn/keys/openvpn-server.key # This file should be kept secret
> dh /usr/local/etc/openvpn/keys/dh.pem
> topology subnet
> server 192.168.0.0 255.255.255.0
> ifconfig-pool-persist ipp.txt
> ;client-config-dir ccd
> ;route 10.9.0.0 255.255.255.252
> # Then add this line to ccd/Thelonious:
> # ifconfig-push 10.9.0.1 10.9.0.2
> ;push "redirect-gateway def1 bypass-dhcp"
> push "dhcp-option DNS 208.67.222.222"
> push "dhcp-option DNS 208.67.220.220"
> ;client-to-client
> keepalive 10 120
> tls-auth /usr/local/etc/openvpn/keys/ta.key 0 # This file is secret
> cipher AES-256-GCM
> ;compress lz4-v2
> ;push "compress lz4-v2"
> max-clients 16
> user nobody
> group nobody
> persist-key
> persist-tun
> status /var/log/openvpn/openvpn-status.log
> log /var/log/openvpn/openvpn.log
> verb 4
> mute 20
> mute-replay-warnings
> remote-cert-tls client
> tls-version-min 1.2
> auth SHA512
> tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
> explicit-exit-notify 1
>
> client configuration:
> client
> dev tun
> proto udp4
> tun-mtu 1500
> remote xxx.xxx.xxx.xxx 1194
> resolv-retry infinite
> nobind
> persist-key
> persist-tun
> mute-replay-warnings
> ca ca.crt
> cert client1.crt
> key client1.key
> tls-auth ta.key 1
> remote-cert-tls server
> cipher AES-256-GCM
> verb 4
> tls-version-min 1.2
> tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
> auth SHA512
> route-method exe
> route-delay 5
> route-metric 550
>
> Thanks again.
> Dave.
>
> PS, Ultima can I get a look at your pf configuration?
>
> On 4/19/17, David Mehler wrote:
> > Hello,
> >
> > I commented out the rules indicated and still nothing.
> >
> > Thanks.
> > Dave.
> >
> > On 4/19/17, Ultima wrote:
> >> I forgot to mention, make sure the ext_gateway variable changed to the
> >> correct gateway.
> >>
> >> On Wed, Apr 19, 2017 at 8:24 PM, Ultima wrote:
> >>
> >>> I keep looking at the rules and finally decided to rewrite some of them.
> >>> This may not fix the issue you are having with openvpn tho. The issue with
> >>> that is most likely the passing out rules. This rule is kinda written weird
> >>> and I suggest just removing it and passing everything out and verifying if
> >>> that is the cause. The problem is many connections that the host will open
> >>> are opened at the high end ports, I believe it was around 40000:65535. I
> >>> could be wrong tho and hope someone corrects my errors if so.
> >>>
> >>> > # Pass out only the desired ports from host and jails
> >>> > pass inet proto tcp from {self, $jailnet, $vpnnet} to any port $tcp_services $tcpstate
> >>> > pass inet proto udp from {self, $jailnet, $vpnnet} to port $udp_services $udpstate
> >>>
> >>> If you're still having issues with openvpn with this ruleset, then first
> >>> try changing the block all rule to block on ext_if. This will determine if
> >>> a pass rule internally is the cause.
> >>>
> >>> > block all
> >>> block on $ext_if all
> >>>
> >>> Going to CC freebsd-pf@freebsd.org I hope this helps
> >>>
> >>> Ultima
> >>>
> >>>
> >>> #
> >>> # Required order: macros, options, normalization, queueing,
> >>> # translation, filtering.
> >>> # Note: translation rules are first match while filter rules are last match.
> >>>
> >>> # Macros
> >>> ext_if="vtnet0"
> >>> ext_gateway="10.0.0.1"
> >>> int_if = "lo1"
> >>> vpn_if = "tun0"
> >>> jailnet = "10.0.0.0/8"
> >>> vpnnet="10.8.0.0/8"
> >>> icmp_types="{echoreq, unreach}"
> >>> #IPV6 ICMP types:
> >>> # packet too big and echo request type ping
> >>> # Neighbor Discovery Protocol (NDP) (types 133-137):
> >>> # Router Solicitation (RS), Router Advertisement (RA)
> >>> # Neighbor Solicitation (NS), Neighbor Advertisement (NA)
> >>> # Route Redirection
> >>> icmp6_types="{ 2, 128, 133, 134, 135, 136, 137 }"
> >>> #synstate="flags S/SA synproxy state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)"
> >>> tcpstate="flags S/SA modulate state"
> >>> udpstate="keep state"
> >>>
> >>> # allowed traffic
> >>> tcp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, imap, https, submission, imaps, 2703}"
> >>> udp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, ntp, imap, https, submission, imaps, 1194, 3690, 6277, 24441, 4500, 500, 50, 51}"
> >>>
> >>> # Name and IP of jails
> >>> webmail="10.0.0.15"
> >>> # Name and IP of jailed ssh servers
> >>> jssh1="10.0.0.15"
> >>> jssh2="10.0.0.16"
> >>> jssh3="10.0.0.17"
> >>> jssh4="10.0.0.18"
> >>> jssh1_tcp="2220"
> >>> jssh2_tcp="2221"
> >>> jssh3_tcp="2222"
> >>> jssh4_tcp="2223"
> >>> # The Asterisk Server
> >>> asterisk="10.0.0.17"
> >>> asterisk_tcp="5060:5061"
> >>> asterisk_udp="5060, 10000:10500"
> >>> # The vpn server
> >>> vpn="10.8.0.1"
> >>>
> >>> # Options
> >>> # block-policy can be either drop or return
> >>> set block-policy drop
> >>> set optimization conservative
> >>> set skip on lo0
> >>>
> >>> # Normalization
> >>> # normalize all incoming traffic. Set ttl 254: limits mapping of hosts behind
> >>> # firewall. Set random-id to help same.
> >>> # Set mss to ATM network frame size for easy splitting upstream.
> >>> scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble
> >>>
> >>> # NAT
> >>> nat on $ext_if from $jailnet to any -> ($ext_if) static-port
> >>> nat on $ext_if from $vpnnet to any -> ($ext_if)
> >>>
> >>> # Redirect any packets requesting ports 2220, 2221, 2222, or 2223 to jailed ssh servers
> >>> # External redirect & reflect for internal hosts
> >>> # Note, the -> $ip port $port is only required for port triggering.
> >>> rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh1_tcp } tag jssh1 -> $jssh1
> >>> rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh2_tcp } tag jssh2 -> $jssh2
> >>> rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh3_tcp } tag jssh3 -> $jssh3
> >>> rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh4_tcp } tag jssh4 -> $jssh4
> >>>
> >>> # Redirect traffic to the vpn server
> >>> # External redirect
> >>> rdr on { $ext_if, $int_if } inet proto { tcp, udp } to { ($ext_if), ($int_if) } port 1194 tag vpn -> $vpn
> >>>
> >>> # Redirect traffic to the asterisk server
> >>> # SIP on UDP and tcp port 5060, tcp 5061 for secure signaling.
> >>> # RTSP ports 10000 to 10500
> >>> rdr on $ext_if inet proto udp to any port { $asterisk_udp } tag asterisk_udp -> $asterisk
> >>> rdr on $ext_if inet proto tcp to any port { $asterisk_tcp } tag asterisk_tcp -> $asterisk
> >>>
> >>> # Tables
> >>> table persist file "/etc/pf/bruteforce"
> >>> table persist file "/etc/pf/pf.drop.lasso.conf"
> >>> table persist file "/etc/pf/fail2ban"
> >>> table persist file "/etc/pf/martians"
> >>> # The ZeuS blocklist of c&c servers
> >>> table persist file "/etc/pf/ZeuS"
> >>> # The malwaredomain ip block list
> >>> table persist file "/etc/pf/malwaredomain"
> >>> # Table of selected country IP addresses
> >>> table persist file "/etc/pf/blocked_countries"
> >>> # Table of apache mod_evasive blocks
> >>> table persist file "/etc/pf/evasive"
> >>>
> >>> antispoof for { $ext_if, $int_if }
> >>>
> >>> # Start by blocking by default
> >>> block all
> >>>
> >>> # Block anything in the blocked_countries table first
> >>> block in quick from
> >>>
> >>> # Block nmap scans
> >>> block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP
> >>>
> >>> # Explicitly block unroutable addresses
> >>> block drop in quick on $ext_if from to any
> >>> block drop out quick on $ext_if from any to
> >>>
> >>> # Explicitly block anything in the bruteforce table
> >>> block in quick from
> >>>
> >>> # Explicitly block anything in the fail2ban table
> >>> block in quick from
> >>>
> >>> # Explicitly block anything in the droplasso table
> >>> block in quick from
> >>>
> >>> # Explicitly block anything in the ZeuS table
> >>> block in quick from
> >>>
> >>> # Explicitly block anything in the malwaredomain table
> >>> block in quick from
> >>>
> >>> # Block anything in the evasive table
> >>> block in quick from
> >>>
> >>> # allow ping and host unreach
> >>> pass inet proto icmp icmp-type $icmp_types keep state
> >>>
> >>> # Traceroute
> >>> # allow out the default range for traceroute(8):
> >>> # "base+nhops*nqueries-1" (33434+64*3-1)
> >>> pass inet proto udp to port 33433:33626 # For IPv4
> >>>
> >>> # Pass out only the desired ports from host and jails
> >>> pass inet proto tcp from {self, $jailnet, $vpnnet} to any port $tcp_services $tcpstate
> >>> pass inet proto udp from {self, $jailnet, $vpnnet} to port $udp_services $udpstate
> >>>
> >>> # Allow ssh connections in from the internet
> >>> pass in inet proto tcp from any to ($ext_if) port ssh \
> >>> flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
> >>> # Pass in ssh traffic to the jails
> >>> # pass rules for nat redirect
> >>> pass in on $ext_if reply-to ( $ext_if $ext_gateway ) proto tcp tagged jssh1 jssh2 jssh3 jssh4 \
> >>> flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
> >>> pass in on $int_if inet proto tcp tagged jssh1 jssh2 jssh3 jssh4 flags S/SA keep state
> >>>
> >>> # Pass traffic to the vpn
> >>> pass in on $ext_if reply-to ( $ext_if $ext_gateway ) proto { tcp, udp } tagged vpn $udpstate
> >>> pass in on $int_if inet proto { tcp, udp } tagged vpn $udpstate
> >>> pass out on
tun0 keep state > >>> #pass quick on tun0 all keep state > >>> > >>> # Pass in smtp, http, https, submission, imaps traffic from the > internet > >>> pass in inet proto tcp to $ext_if port { 25, 80, 443, 587, 993 } \ > >>> flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overlo= ad > >>> flush global) > >>> > >>> # pass traffic from the asterisk server > >>> pass inet proto tcp tagged asterisk_tcp keep state > >>> pass inet proto udp tagged asterisk_udp keep state > >>> > >>> On Wed, Apr 19, 2017 at 11:06 AM, David Mehler > >>> wrote: > >>> > >>>> Hi, > >>>> > >>>> Thanks. Still no go on the vpn.In answer to your questions: > >>>> > >>>> > pass inet proto tcp from {self, $jailnet, $vpnnet} to any port > >>>> > >>>> > $tcp_services $tcpstate > >>>> > >>>> > pass inet proto udp from {self, $jailnet, $vpnnet} to port > >>>> > >>>> > $udp_services $udpstate > >>>> > >>>> > >>>> > >>>> > >>>> I've got only a selected list of ports that I want in or out, > >>>> everything else should be blocked. > >>>> > >>>> I tried commenting out the pass quick on tun0 all and replaced it wi= th > >>>> set skip on tun0 no joy. > >>>> > >>>> I took out the second nat line on the vpnnet as of now I'm wanting t= o > >>>> keep the jailnet and the vpnnet ranges the same, though if this issu= e > >>>> doesn't soon resolve I might change that idea. > >>>> > >>>> > >>>> > pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state > >>>> (max-src-conn 15, max-src-conn-rate 5/3, overload flush > >>>> > >>>> > >>>> > >>>> global) > >>>> > >>>> > pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state > >>>> > >>>> > >>>> What I wanted to achieve with this was nat reflection, external > >>>> connections to these hosts worked fine on the desired ports, but on > >>>> the host itself if I tried to do an ssh to one of my jails port 2220 > >>>> it failed, these rules corrected that. > >>>> > >>>> Right now I'll settle for working. > >>>> > >>>> Thanks. > >>>> Dave. 
> >>>>
> >>>> On 4/19/17, Ultima wrote:
> >>>> > After a full look, I suspect this being a problem entry.
> >>>> >
> >>>> >> # Pass out only the desired ports from host and jails
> >>>> >> pass inet proto tcp from {self, $jailnet, $vpnnet} to any port $tcp_services $tcpstate
> >>>> >> pass inet proto udp from {self, $jailnet, $vpnnet} to port $udp_services $udpstate
> >>>> >
> >>>> > Try commenting them and adding pass out all or pass inet proto { tcp, udp } any and see if that works.
> >>>> >
> >>>> >> pass quick on tun0 all keep state
> >>>> > This is another problem area, but probably not the cause. The quick is probably not handled as you are expecting. Pf reads the filtering rules in priority from bottom to top, bottom being highest priority to top being lowest priority. When quick is added, this is more or less reversed for the rule, and because it's near the bottom it has a lower priority. In general the "quick" directive can make pf very confusing and a ruleset harder to read, so other than the top blocking entries with quick, I suggest never using it, or use it for all filters and make it simple the opposite way.
> >>>> >
> >>>> >> jailnet = "10.0.0.0/8"
> >>>> >> vpnnet="10.8.0.0/8"
> >>>> > One thing I noticed is that the subnet chosen is an /8 subnet. Because of this, the entire 10.* address space applies to jailnet, making all jailnet + vpnnet entries redundant. This also allows all addresses to communicate, at least if pf isn't filtering them. Usually segmenting the subnet is desired to limit communication between them.
> >>>> >
> >>>> >> pass quick on lo0 all
> >>>> > Why not just skip on lo0?
> >>>> >
> >>>> >> pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
> >>>> >> pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state
> >>>> > Why do these nearly duplicate rules exist?
> >>>> >
> >>>> > Optimizing pf is fun, but one thing that is important to remember is the more rules added, the more cycles used per packet. This is typically not noticed on small deployments, but it can become a huge issue if grown.
> >>>> >
> >>>> > On Tue, Apr 18, 2017 at 4:20 PM, David Mehler <dave.mehler@gmail.com> wrote:
> >>>> >
> >>>> >> Hello Ultima,
> >>>> >>
> >>>> >> Thank you for your reply. Thanks for the information, I'm liking the new way the rules are looking. Unfortunately, still no go on the vpn. Everything else is working, just not the vpn.
> >>>> >>
> >>>> >> Thanks.
> >>>> >> Dave.
> >>>> >> PS, here's my rules as they stand now.
> >>>> >>
> >>>> >> pf.conf:
> >>>> >> #
> >>>> >> # Required order: macros, options, normalization, queueing,
> >>>> >> # translation, filtering.
> >>>> >> # Note: translation rules are first match while filter rules are last match.
> >>>> >>
> >>>> >> # Macros
> >>>> >> ext_if="vtnet0"
> >>>> >> int_if = "lo1"
> >>>> >> vpn_if = "tun0"
> >>>> >> jailnet = "10.0.0.0/8"
> >>>> >> vpnnet="10.8.0.0/8"
> >>>> >> icmp_types="{echoreq, unreach}"
> >>>> >> #IPV6 ICMP types:
> >>>> >> # packet too big and echo request type ping
> >>>> >> # Neighbor Discovery Protocol (NDP) (types 133-137):
> >>>> >> # Router Solicitation (RS), Router Advertisement (RA)
> >>>> >> # Neighbor Solicitation (NS), Neighbor Advertisement (NA)
> >>>> >> # Route Redirection
> >>>> >> icmp6_types="{ 2, 128, 133, 134, 135, 136, 137 }"
> >>>> >> #synstate="flags S/SA synproxy state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)"
> >>>> >> tcpstate ="flags S/SA modulate state"
> >>>> >> udpstate ="keep state"
> >>>> >> voipports = "{5060, 5061, 10000:10500}"
> >>>> >>
> >>>> >> # allowed traffic
> >>>> >> tcp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, imap, https, submission, imaps, 2703}"
> >>>> >> udp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, ntp, imap, https, submission, imaps, 3690, 6277, 24441, 4500, 500, 50, 51}"
> >>>> >>
> >>>> >> # Name and IP of jails
> >>>> >> webmail="10.0.0.15"
> >>>> >> # Name and IP of jailed ssh servers
> >>>> >> jssh1="10.0.0.15"
> >>>> >> jssh2="10.0.0.16"
> >>>> >> jssh3="10.0.0.17"
> >>>> >> jssh4="10.0.0.18"
> >>>> >> # The Asterisk Server
> >>>> >> asterisk="10.0.0.17"
> >>>> >> # The vpn server
> >>>> >> vpn="10.8.0.1"
> >>>> >>
> >>>> >> # Options
> >>>> >> # block-policy can be either drop or return
> >>>> >> set block-policy drop
> >>>> >> set optimization conservative
> >>>> >> set skip on tun0
> >>>> >>
> >>>> >> # Normalization
> >>>> >> # normalize all incoming traffic. Set ttl 254: limits mapping of hosts behind
> >>>> >> # firewall. Set random-id to help same.
> >>>> >> # Set mss to ATM network frame size for easy splitting upstream.
> >>>> >> scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble
> >>>> >>
> >>>> >> # NAT
> >>>> >> nat on $ext_if from $jailnet to any -> ($ext_if) static-port
> >>>> >> nat on $ext_if from $vpnnet to any -> ($ext_if) static-port
> >>>> >>
> >>>> >> # Redirect any packets requesting ports 2220, 2221, 2222, or 2223 to jailed ssh servers
> >>>> >> # External redirect
> >>>> >> rdr on $ext_if inet proto tcp to $ext_if port 2220 -> $jssh1 port 2220
> >>>> >> # reflect for internal hosts
> >>>> >> rdr on $int_if inet proto tcp to $int_if port 2220 -> $jssh1 port 2220
> >>>> >>
> >>>> >> # External redirect
> >>>> >> rdr on $ext_if inet proto tcp to $ext_if port 2221 -> $jssh2 port 2221
> >>>> >> # reflect for internal hosts
> >>>> >> rdr on $int_if inet proto tcp to $int_if port 2221 -> $jssh2 port 2221
> >>>> >>
> >>>> >> # External redirect
> >>>> >> rdr on $ext_if inet proto tcp to $ext_if port 2222 -> $jssh3 port 2222
> >>>> >> # reflect for internal hosts
> >>>> >> rdr on $int_if inet proto tcp to $int_if port 2222 -> $jssh3 port 2222
> >>>> >>
> >>>> >> # External redirect
> >>>> >> rdr on $ext_if inet proto tcp to $ext_if port 2223 -> $jssh4 port 2223
> >>>> >> # reflect for internal hosts
> >>>> >> rdr on $int_if inet proto tcp to $int_if port 2223 -> $jssh4 port 2223
> >>>> >>
> >>>> >> # Redirect traffic to the vpn server
> >>>> >> # External redirect
> >>>> >> rdr on $ext_if inet proto { tcp, udp } to $ext_if port 1194 -> $vpn port 1194
> >>>> >> #rdr on $ext_if inet proto tcp from any to $ext_if port 1194 -> $vpn port 1194
> >>>> >> # reflect for internal hosts
> >>>> >> rdr on $int_if inet proto { tcp, udp } to $int_if port 1194 -> $vpn port 1194
> >>>> >> #rdr on $int_if inet proto tcp from any to $int_if port 1194 -> $vpn port 1194
> >>>> >>
> >>>> >> # Redirect traffic to the asterisk server
> >>>> >> # SIP on UDP and tcp port 5060, tcp 5061 for secure signaling.
> >>>> >> rdr on $ext_if inet proto { tcp, udp } to $ext_if port 5060 -> $asterisk port 5060
> >>>> >> #rdr on $ext_if inet proto tcp from any to any port 5060 -> $asterisk port 5060
> >>>> >> rdr on $ext_if inet proto tcp to $ext_if port 5061 -> $asterisk port 5061
> >>>> >> # RTSP ports 10000 to 10500
> >>>> >> rdr on $ext_if inet proto udp to $ext_if port 10000:10500 -> $asterisk port 10000:10500
> >>>> >>
> >>>> >> # Tables
> >>>> >> table <bruteforce> persist file "/etc/pf/bruteforce"
> >>>> >> table <droplasso> persist file "/etc/pf/pf.drop.lasso.conf"
> >>>> >> table <fail2ban> persist file "/etc/pf/fail2ban"
> >>>> >> table <martians> persist file "/etc/pf/martians"
> >>>> >> # The ZeuS blocklist of c&c servers
> >>>> >> table <ZeuS> persist file "/etc/pf/ZeuS"
> >>>> >> # The malwaredomain ip block list
> >>>> >> table <malwaredomain> persist file "/etc/pf/malwaredomain"
> >>>> >> # Table of selected country IP addresses
> >>>> >> table <blocked_countries> persist file "/etc/pf/blocked_countries"
> >>>> >> # Table of apache mod_evasive blocks
> >>>> >> table <evasive> persist file "/etc/pf/evasive"
> >>>> >>
> >>>> >> # for the spamd greylist/blacklist service
> >>>> >> # (not related to spamassassin's spamd daemon)
> >>>> >> #table persist
> >>>> >> #table persist
> >>>> >>
> >>>> >> antispoof for $ext_if
> >>>> >> antispoof for $int_if
> >>>> >>
> >>>> >> # Start by blocking by default
> >>>> >> block all
> >>>> >>
> >>>> >> # Block anything in the blocked_countries table first
> >>>> >> block in quick from <blocked_countries>
> >>>> >>
> >>>> >> # Block nmap scans
> >>>> >> block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP
> >>>> >>
> >>>> >> # Explicitly block unroutable addresses
> >>>> >> block drop in quick on $ext_if from <martians> to any
> >>>> >> block drop out quick on $ext_if from any to <martians>
> >>>> >>
> >>>> >> # Explicitly block anything in the bruteforce table
> >>>> >> block in quick from <bruteforce>
> >>>> >>
> >>>> >> # Explicitly block anything in the fail2ban table
> >>>> >> block in quick from <fail2ban>
> >>>> >>
> >>>> >> # Explicitly block anything in the droplasso table
> >>>> >> block in quick from <droplasso>
> >>>> >>
> >>>> >> # Explicitly block anything in the ZeuS table
> >>>> >> block in quick from <ZeuS>
> >>>> >>
> >>>> >> # Explicitly block anything in the malwaredomain table
> >>>> >> block in quick from <malwaredomain>
> >>>> >>
> >>>> >> # Block anything in the evasive table
> >>>> >> block in quick from <evasive>
> >>>> >>
> >>>> >> # pass everything on the loopback interface
> >>>> >> pass quick on lo0 all
> >>>> >>
> >>>> >> # allow ping and host unreach
> >>>> >> pass inet proto icmp icmp-type $icmp_types keep state
> >>>> >>
> >>>> >> # Traceroute
> >>>> >> # allow out the default range for traceroute(8):
> >>>> >> # "base+nhops*nqueries-1" (33434+64*3-1)
> >>>> >> pass inet proto udp to port 33433:33626 # For IPv4
> >>>> >>
> >>>> >> # Pass out only the desired ports from host and jails
> >>>> >> pass inet proto tcp from { self, $jailnet } to any port $tcp_services $tcpstate
> >>>> >> pass inet proto udp from { self, $jailnet } to port $udp_services $udpstate
> >>>> >>
> >>>> >> # Allow ssh connections in from the internet
> >>>> >> pass in inet proto tcp to $ext_if port ssh flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
> >>>> >> # Pass in ssh traffic to the jails
> >>>> >> # pass rules for nat redirect
> >>>> >> pass in inet proto tcp to $jssh1 port 2220 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
> >>>> >> pass inet proto tcp to $jssh1 port 2220 flags S/SA keep state
> >>>> >>
> >>>> >> pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
> >>>> >> pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state
> >>>> >>
> >>>> >> pass in inet proto tcp to $jssh3 port 2222 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
> >>>> >> pass inet proto tcp to $jssh3 port 2222 flags S/SA keep state
> >>>> >>
> >>>> >> pass in inet proto tcp to $jssh4 port 2223 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
> >>>> >> pass inet proto tcp to $jssh4 port 2223 flags S/SA keep state
> >>>> >>
> >>>> >> # Pass traffic to the vpn
> >>>> >> pass in inet proto { tcp, udp } to $vpn port 1194 $udpstate
> >>>> >> #pass in inet proto tcp from any to $vpn port 1194 $udpstate
> >>>> >> pass inet proto { tcp, udp } to $vpn port 1194 $udpstate
> >>>> >> #pass inet proto tcp from any to $vpn port 1194 $udpstate
> >>>> >>
> >>>> >> # Pass in http traffic from the internet
> >>>> >> pass in inet proto tcp to $ext_if port 80 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
> >>>> >>
> >>>> >> # Pass in https traffic from the internet
> >>>> >> pass in inet proto tcp to $ext_if port 443 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
> >>>> >>
> >>>> >> # Pass in smtp traffic from the internet
> >>>> >> pass in inet proto tcp to $ext_if port 25 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
> >>>> >>
> >>>> >> # Pass in submission traffic from the internet
> >>>> >> pass in inet proto tcp to $ext_if port 587 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
> >>>> >>
> >>>> >> # Pass in imaps traffic from the internet
> >>>> >> pass in inet proto tcp to $ext_if port 993 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
> >>>> >>
> >>>> >> # pass traffic from the asterisk server
> >>>> >> pass inet proto { tcp, udp } to $asterisk port $voipports keep state
> >>>> >>
> >>>> >>
> >>>> >> On 4/18/17, Ultima wrote:
> >>>> >> > I didn't have time to read and look through this entire post, but I think I know the issue you're running into and this suggestion should push you in the right direction.
> >>>> >> >
> >>>> >> > this rule for example,
> >>>> >> >
> >>>> >> > rdr on $ext_if inet proto udp from any to any port 1194 -> $vpn port 1194
> >>>> >> > rdr on $ext_if inet proto tcp from any to any port 1194 -> $vpn port 1194
> >>>> >> > # reflect for internal hosts
> >>>> >> > rdr on $int_if inet proto udp from any to any port 1194 -> $vpn port 1194
> >>>> >> > rdr on $int_if inet proto tcp from any to any port 1194 -> $vpn port 1194
> >>>> >> >
> >>>> >> > This is probably not giving you the results you desire. Basically, because no from or to ip is specified, ALL, and I quite literally mean ALL, packets using port 1194 are being sent to $vpn port 1194. Usually you want to make it something like,
> >>>> >> >
> >>>> >> > rdr on $ext_if inet proto udp from any to $ext_ip port 1194 -> $vpn port 1194
> >>>> >> > rdr on $int_if inet proto udp from any to $int_ip port 1194 -> $vpn port 1194
> >>>> >> >
> >>>> >> > Now the traffic will be passed only when the packet is going to the host, not all traffic on a specific port. Another thing you may want to do is combine many of these rules you have.
> >>>> >> >
> >>>> >> > rdr on $ext_if inet proto { tcp, udp } to $ext_ip port 1194 -> $vpn port 1194
> >>>> >> >
> >>>> >> > Also note the above: because we are specifying any for from, we can remove the from rule entirely and make it shorter.
> >>>> >> >
> >>>> >> > Hope this helps
> >>>> >> >
> >>>> >> > Ultima
> >>>> >>
> >>>> >
> >>>>
> >>>
> >>
>

From owner-freebsd-pf@freebsd.org Sat Apr 22 23:41:04 2017
To: freebsd-pf@freebsd.org
From: tech-lists
Subject: pf bridge and tap interfaces (12-current)
Message-ID: <49d42a13-ebcc-1df2-1d45-ce55b9ddb740@zyxst.net>
Date: Sun, 23 Apr 2017 00:31:43 +0100
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Thunderbird/52.0.1
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

Hello pf@

Is there a way of having PF protect the host yet allowing free traffic to tap interfaces? These tap interfaces will all have real IPs and will be brought up by bhyve guests. The ethernet interface and tap interfaces are all members of bridge0.
Somehow, the host needs to also have a tap, but I can't get my head around it because it's a host and it needs to be, therefore, I guess, ethernet -> bridge -> tap, and then pf on the tap and not the bridge or ethernet.

Can the host also have a tap? And then set the host interface to be that tap. I can't see it working if PF is looking at ethernet. Is this correct?

thanks,
--
J.