Site Navigation

Date:      Tue, 31 Mar 2020 19:37:28 -0600
From:      The Doctor <doctor@doctor.nl2k.ab.ca>
To:        freebsd-pf@freebsd.org, freebsd-questions@freebsd.org
Subject:   Re: FreeBSD bridging security router
Message-ID:  <20200401013728.GA47776@doctor.nl2k.ab.ca>
In-Reply-To: <20200329202922.GA32467@doctor.nl2k.ab.ca>
References:  <20200329183406.GB5418@doctor.nl2k.ab.ca> <alpine.BSF.2.22.395.2003292114520.8527@enterprise.ximalas.info> <20200329202922.GA32467@doctor.nl2k.ab.ca>

---

next in thread | previous in thread | raw e-mail | index | archive | help

---

Found it.  The bridging was not set properly.

However I run into a new problem.

This is suppose to be a border gateway, but when I plug in the
external interface, wireshark say traffic is flowing, but I test the browsers
and they cannot find their target.

So I have

1) pf.conf


## Set your public interface ##
ext_if="bce1"
##Internal bridge for virtually hosted machines
int_if="bce0"
bridge0="bridge0"
## Set your server public IP address ##
#ext_if_ip="192.168.81.7"
int_if_ip="192.168.81.14"
bridge0_ip="192.168.81.13"
intnet = $int_if:network
#Proxy for FTP
proxy="127.0.0.1"
proxyport="8021"
#All virtal machines go here!
win2019="192.168.81.18"
kali="192.168.81.15"
seconion="192.168.81.16"
parrot="192.168.81.17"
#In case you need a whole group
vhosts =" { 192.168.81.16, 192.168.81.15, 
           192.168.81.17,192.168.81.18 }"
## Set and drop these IP ranges on public interface and any other troublemakers ##

martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
       10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
       0.0.0.0/8, 240.0.0.0/4 }"

## Set http(80)/https (443) port here and other ports that need accessing ##
webports = "{http, https,8443,119,561,110,143,993,995,20,21,23,25,464,465,587,53,513,783,88,135,137,138,139,445,69,43,636,1024:65535}"
# Radius
radiusports = "{1645,1646,1812,1813 }"

## enable these services ##
int_tcp_services = "{domain, ntp, smtp,nntp, smtps,submission, www, https,20,88,ftp, ssh,110,139,137,138,135,143,636,993,995,443,445,464,561,636,783,7500,8443,43,63,1024:65535}"
int_udp_services = "{domain, ntp,69,88,137,138,139,445,464}"
int_radius_services = "{1645,1646,1812,1813 }"

 
## Skip loop back interface - Skip all PF processing on interface bridge and virtual hosts  ##
set skip on lo
set skip on bridge0
set skip on tap0
set skip on tap1
set skip on tap2
set skip on tap3

 
## Sets the interface for which PF should gather statistics such as bytes in/out and packets passed/blocked ##
set loginterface $ext_if
set fingerprints "/etc/pf.os" 

# Deal with attacks based on incorrect handling of packet fragments 
scrub in all

###################  TRANSLATION #############

#### NAT and RDR start
nat on $ext_if from $intnet to any -> ($ext_if)
nat on $intnet from $bridge0 to any -> ($intnet)
nat on $bridge0 from $kali to any -> ($bridge0)
nat on $bridge0 from $win2019 to any -> ($bridge0)
nat on $bridge0 from $kali to any -> ($bridge0)

## PLease note for virtual machines you are passing the packects via the
## Virtual switch so treat as michine (tap) into switch (Bridge) into
## your macine acting as the host (exit)

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
 
# Redirect ftp traffic to proxy
rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport


## Set default policy ##
block return in log all
block out all

# We need to have an anchor for ftp-proxy
anchor "ftp-proxy/*"
pass out proto tcp from $proxy to any port 20
pass out proto tcp from $proxy to any port 21
pass out on $int_if inet proto {tcp, udp} from $int_if to any port ftp:ftp-proxy
pass in on egress proto tcp to port 21
pass in on egress proto tcp to port 20
pass in on egress proto tcp to port > 49151
pass out quick on egress inet proto tcp from any to 192.168.81.1 flags S/SA
pass out quick on egress inet proto tcp from any to 192.168.81.3 flags S/SA

#set up virtual switch

pass in quick on bridge0 all
pass quick on tap0 all 
pass quick on tap1 all 
pass quick on tap2 all 
pass quick on tap3 all 

# Drop all Non-Routable Addresses 
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
block drop in quick on $vhosts from $martians to any
block drop out quick on $vhosts from any to $martians
 
## Blocking spoofed packets
antispoof quick for $int_if
antispoof quick for $ext_if
antispoof quick for $vhosts
 
# Open SSH port which is listening on port 22 from VPN 139.xx.yy.zz Ip only
# I do not allow or accept ssh traffic from ALL for security reasons 
#pass in quick on $ext_if inet proto tcp from 192.168.81.0/24 to $ext_if_ip port = ssh flags S/SA keep state label "USER_RULE: Allow SSH from 139.xxx.yyy.zzz"
## Use the following rule to enable ssh for ALL users from any IP address #
## pass in inet proto tcp to $ext_if port ssh
### [ OR ] ###
pass in inet proto tcp to $int_if port 22 
#pass in inet proto tcp to $ext_if port 22 
pass in inet proto tcp to $vhosts port 22 


pass in inet proto tcp to $int_if port 36941 
#pass in inet proto tcp to $ext_if port 36941 
pass in inet proto tcp to $vhosts port 36941 


# Allow Ping-Pong stuff. Be a good sysadmin 
icmp_types = "{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types keep state
# allow out the default range for traceroute(8):
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
pass out on $int_if inet proto udp from any to any port 33433 >< 33626 keep state
pass out on $vhosts inet proto udp from any to any port 33433 >< 33626 keep state
  
# All access to our Nginx/Apache/Lighttpd Webserver and other ports 
pass proto tcp from any to $int_if port $webports
pass proto udp from any to $int_if port $webports
pass proto udp from any to $int_if port $radiusports
#pass proto tcp from any to $ext_if port $webports
#pass proto udp from any to $ext_if port $webports
#pass proto udp from any to $ext_if port $radiusports
pass proto tcp from any to $vhosts port $webports
pass proto udp from any to $vhosts port $webports

pass in on $int_if proto tcp from any to any port = 36941 keep state 
pass in on $vhosts proto tcp from any to any port = 36941 keep state 
pass in on $kali proto tcp from any to any port = 36941 keep state 
 
# Allow essential outgoing traffic 
pass out quick on $int_if proto tcp to any port $int_tcp_services
pass out quick on $int_if proto udp to any port $int_udp_services
pass out quick on $int_if proto udp to any port $int_radius_services
pass out quick on $ext_if proto tcp to any port $int_tcp_services
pass out quick on $ext_if proto udp to any port $int_udp_services
pass out quick on $ext_if proto udp to any port $int_radius_services
pass out quick on $vhosts proto tcp to any port $int_tcp_services
pass out quick on $vhosts proto udp to any port $int_udp_services

#For radius make certain for older syatems port 1645 and current 1812
pass in log quick on $int_if proto tcp from any to any port = 1645 flags S/SA keep state
pass in log quick on $int_if proto udp from any to any port = 1645 keep state
pass in log quick on $int_if proto tcp from any to any port = 1812 flags S/SA keep state
pass in log quick on $int_if proto udp from any to any port = 1812 keep state

pass in log quick on $int_if proto tcp from any to any port = 36941 flags S/SA keep state
pass in log quick on $int_if proto tcp from any to any port = 1645 flags S/SA keep state
pass in log quick on $int_if proto udp from any to any port = 1645 keep state
pass in log quick on $ext_if proto tcp from any to any port = 1812 flags S/SA keep state
pass in log quick on $ext_if proto udp from any to any port = 1812 keep state

pass in log quick on $ext_if proto tcp from any to any port = 36941 flags S/SA keep state
pass in log quick on $ext_if proto udp from any to any port = 36941 keep state

pass in log quick on $vhosts proto tcp from any to any port = 36941 flags S/SA keep state

pass in log quick on $vhosts proto udp from any to any port = 36941 keep state
pass out quick all flags S/SA keep state
 
# Add custom rules below
block quick from <bruteforce>
pass quick proto { tcp, udp } from any to any port ssh \
    flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, \
    overload <bruteforce> flush global)
## I wonder if sshguard works with pf.

2)  rc.conf


## Set your public interface ##
ext_if="bce1"
##Internal bridge for virtually hosted machines
int_if="bce0"
bridge0="bridge0"
## Set your server public IP address ##
#ext_if_ip="192.168.81.7"
int_if_ip="192.168.81.14"
bridge0_ip="192.168.81.13"
intnet = $int_if:network
#Proxy for FTP
proxy="127.0.0.1"
proxyport="8021"
#All virtal machines go here!
win2019="192.168.81.18"
kali="192.168.81.15"
seconion="192.168.81.16"
parrot="192.168.81.17"
#In case you need a whole group
vhosts =" { 192.168.81.16, 192.168.81.15, 
           192.168.81.17,192.168.81.18 }"
## Set and drop these IP ranges on public interface and any other troublemakers ##

martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
       10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
       0.0.0.0/8, 240.0.0.0/4 }"

## Set http(80)/https (443) port here and other ports that need accessing ##
webports = "{http, https,8443,119,561,110,143,993,995,20,21,23,25,464,465,587,53,513,783,88,135,137,138,139,445,69,43,636,1024:65535}"
# Radius
radiusports = "{1645,1646,1812,1813 }"

## enable these services ##
int_tcp_services = "{domain, ntp, smtp,nntp, smtps,submission, www, https,20,88,ftp, ssh,110,139,137,138,135,143,636,993,995,443,445,464,561,636,783,7500,8443,43,63,1024:65535}"
int_udp_services = "{domain, ntp,69,88,137,138,139,445,464}"
int_radius_services = "{1645,1646,1812,1813 }"

 
## Skip loop back interface - Skip all PF processing on interface bridge and virtual hosts  ##
set skip on lo
set skip on bridge0
set skip on tap0
set skip on tap1
set skip on tap2
set skip on tap3

 
## Sets the interface for which PF should gather statistics such as bytes in/out and packets passed/blocked ##
set loginterface $ext_if
set fingerprints "/etc/pf.os" 

# Deal with attacks based on incorrect handling of packet fragments 
scrub in all

###################  TRANSLATION #############

#### NAT and RDR start
nat on $ext_if from $intnet to any -> ($ext_if)
nat on $intnet from $bridge0 to any -> ($intnet)
nat on $bridge0 from $kali to any -> ($bridge0)
nat on $bridge0 from $win2019 to any -> ($bridge0)
nat on $bridge0 from $kali to any -> ($bridge0)

## PLease note for virtual machines you are passing the packects via the
## Virtual switch so treat as michine (tap) into switch (Bridge) into
## your macine acting as the host (exit)

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
 
# Redirect ftp traffic to proxy
rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport


## Set default policy ##
block return in log all
block out all

# We need to have an anchor for ftp-proxy
anchor "ftp-proxy/*"
pass out proto tcp from $proxy to any port 20
pass out proto tcp from $proxy to any port 21
pass out on $int_if inet proto {tcp, udp} from $int_if to any port ftp:ftp-proxy
pass in on egress proto tcp to port 21
pass in on egress proto tcp to port 20
pass in on egress proto tcp to port > 49151
pass out quick on egress inet proto tcp from any to 192.168.81.1 flags S/SA
pass out quick on egress inet proto tcp from any to 192.168.81.3 flags S/SA

#set up virtual switch

pass in quick on bridge0 all
pass quick on tap0 all 
pass quick on tap1 all 
pass quick on tap2 all 
pass quick on tap3 all 

# Drop all Non-Routable Addresses 
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
block drop in quick on $vhosts from $martians to any
block drop out quick on $vhosts from any to $martians
 
## Blocking spoofed packets
antispoof quick for $int_if
antispoof quick for $ext_if
antispoof quick for $vhosts
 
# Open SSH port which is listening on port 22 from VPN 139.xx.yy.zz Ip only
# I do not allow or accept ssh traffic from ALL for security reasons 
#pass in quick on $ext_if inet proto tcp from 192.168.81.0/24 to $ext_if_ip port = ssh flags S/SA keep state label "USER_RULE: Allow SSH from 139.xxx.yyy.zzz"
## Use the following rule to enable ssh for ALL users from any IP address #
## pass in inet proto tcp to $ext_if port ssh
### [ OR ] ###
pass in inet proto tcp to $int_if port 22 
#pass in inet proto tcp to $ext_if port 22 
pass in inet proto tcp to $vhosts port 22 


pass in inet proto tcp to $int_if port 36941 
#pass in inet proto tcp to $ext_if port 36941 
pass in inet proto tcp to $vhosts port 36941 


# Allow Ping-Pong stuff. Be a good sysadmin 
icmp_types = "{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types keep state
# allow out the default range for traceroute(8):
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
pass out on $int_if inet proto udp from any to any port 33433 >< 33626 keep state
pass out on $vhosts inet proto udp from any to any port 33433 >< 33626 keep state
  
# All access to our Nginx/Apache/Lighttpd Webserver and other ports 
pass proto tcp from any to $int_if port $webports
pass proto udp from any to $int_if port $webports
pass proto udp from any to $int_if port $radiusports
#pass proto tcp from any to $ext_if port $webports
#pass proto udp from any to $ext_if port $webports
#pass proto udp from any to $ext_if port $radiusports
pass proto tcp from any to $vhosts port $webports
pass proto udp from any to $vhosts port $webports

pass in on $int_if proto tcp from any to any port = 36941 keep state 
pass in on $vhosts proto tcp from any to any port = 36941 keep state 
pass in on $kali proto tcp from any to any port = 36941 keep state 
 
# Allow essential outgoing traffic 
pass out quick on $int_if proto tcp to any port $int_tcp_services
pass out quick on $int_if proto udp to any port $int_udp_services
pass out quick on $int_if proto udp to any port $int_radius_services
pass out quick on $ext_if proto tcp to any port $int_tcp_services
pass out quick on $ext_if proto udp to any port $int_udp_services
pass out quick on $ext_if proto udp to any port $int_radius_services
pass out quick on $vhosts proto tcp to any port $int_tcp_services
pass out quick on $vhosts proto udp to any port $int_udp_services

#For radius make certain for older syatems port 1645 and current 1812
pass in log quick on $int_if proto tcp from any to any port = 1645 flags S/SA keep state
pass in log quick on $int_if proto udp from any to any port = 1645 keep state
pass in log quick on $int_if proto tcp from any to any port = 1812 flags S/SA keep state
pass in log quick on $int_if proto udp from any to any port = 1812 keep state

pass in log quick on $int_if proto tcp from any to any port = 36941 flags S/SA keep state
pass in log quick on $int_if proto tcp from any to any port = 1645 flags S/SA keep state
pass in log quick on $int_if proto udp from any to any port = 1645 keep state
pass in log quick on $ext_if proto tcp from any to any port = 1812 flags S/SA keep state
pass in log quick on $ext_if proto udp from any to any port = 1812 keep state

pass in log quick on $ext_if proto tcp from any to any port = 36941 flags S/SA keep state
pass in log quick on $ext_if proto udp from any to any port = 36941 keep state

pass in log quick on $vhosts proto tcp from any to any port = 36941 flags S/SA keep state

pass in log quick on $vhosts proto udp from any to any port = 36941 keep state
pass out quick all flags S/SA keep state
 
# Add custom rules below
block quick from <bruteforce>
pass quick proto { tcp, udp } from any to any port ssh \
    flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, \
    overload <bruteforce> flush global)
## I wonder if sshguard works with pf.

2) rc.conf


hostname="border.nk.ca"
ifconfig_bce0="inet 192.168.81.14 netmask 255.255.255.0 promisc "
ifconfig_bce1="up  media 100baseTX mediaopt full-duplex promisc "
ifconfig_bce2="up promisc"
ifconfig_bce3="up promisc"
defaultrouter="192.168.81.2"
hald_enable="YES"
named_enable="YES"
sshd_enable="YES"
sshguard_enable="YES"
moused_enable="YES"
ntpdate_enable="YES"
ntpd_enable="YES"
gateway_enable="YES"
ipv6_gateway_enable="YES"
pf_enable="YES"
clamav_clamd_enable="YES"
clamd_enable="YES"
squid_enable="YES"
tcsd_enable="YES"
tcsd_mode="emulator"
tpmd_enable="YES"
dbus_enable="YES"
apache24_enable="yes"
postgresql_enable="YES"
firebird_enable="YES"
firebird_mode="superserver"
suricata_enable="YES"
suricata_divertport="8000"
cloned_interfaces="bridge0  tap0 tap1 tap2 tap3"
ifconfig_bridge0="addm bce2 addm tap0 addm tap1 addm tap2 addm tap3 up"
#cloned_interfaces="bce0 bce1"
ifconfig_bridge1="addm bce0 addm bce1 up"
#firewall_enable="YES"
#firewall_type="simple"
#firewall_quiet="YES"
#firewall_logging="YES"
vm_enable="YES"
vm_dir="/usr/vm/"
vboxdrv_load="YES"
xrdp_enable="YES"
xrdp_sesman_enable="YES"
saslauthd_enable="YES"
openvassd_enable="YES"
openvasmd_enable="YES"
gsad_enable="YES"
pflog_logfile="/var/log/pflog"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
redis_enable="YES"
cbsd_workdir="/usr/vm"
cbsdrsyncd_enable="YES"
cbsdrsyncd_flags="--config=/usr/vm/etc/rsyncd.conf"
cbsdd_enable="YES"
rcshutdown_timeout="900"


What are anything internal not able to see the external world from a web 
browser?  Further, My Android cell phone chokes.

-- 
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
https://www.empire.kred/ROOTNK?t=94a1f39b  Look at Psalms 14 and 53 on Atheism
There shall be eternal summer in the grateful heart.  -Celia Thaxter
-- 
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
https://www.empire.kred/ROOTNK?t=94a1f39b  Look at Psalms 14 and 53 on Atheism
There shall be eternal summer in the grateful heart.  -Celia Thaxter

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20200401013728.GA47776>

Legal Notices | © 1995-2024 The FreeBSD Project. All rights reserved.

Contact