From: The Doctor
To: freebsd-pf@freebsd.org, freebsd-questions@freebsd.org
Date: Tue, 31 Mar 2020 19:37:28 -0600
Subject: Re: FreeBSD bridging security router
Message-ID: <20200401013728.GA47776@doctor.nl2k.ab.ca>
In-Reply-To: <20200329202922.GA32467@doctor.nl2k.ab.ca>
References: <20200329183406.GB5418@doctor.nl2k.ab.ca> <20200329202922.GA32467@doctor.nl2k.ab.ca>

Found it. The bridging was not set properly.

However, I ran into a new problem. This is supposed to be a border gateway, but when I plug in the external interface, Wireshark says traffic is flowing, but when I test the browsers they cannot find their target.

So I have:

1) pf.conf

## Set your public interface ##
ext_if="bce1"

## Internal bridge for virtually hosted machines
int_if="bce0"
bridge0="bridge0"

## Set your server public IP address ##
#ext_if_ip="192.168.81.7"
int_if_ip="192.168.81.14"
bridge0_ip="192.168.81.13"
intnet = $int_if:network

# Proxy for FTP
proxy="127.0.0.1"
proxyport="8021"

# All virtual machines go here!
win2019="192.168.81.18"
kali="192.168.81.15"
seconion="192.168.81.16"
parrot="192.168.81.17"

# In case you need a whole group
vhosts =" { 192.168.81.16, 192.168.81.15, 192.168.81.17,192.168.81.18 }"

## Set and drop these IP ranges on public interface and any other troublemakers ##
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
0.0.0.0/8, 240.0.0.0/4 }"

## Set http(80)/https(443) port here and other ports that need accessing ##
webports = "{http, https,8443,119,561,110,143,993,995,20,21,23,25,464,465,587,53,513,783,88,135,137,138,139,445,69,43,636,1024:65535}"

# Radius
radiusports = "{1645,1646,1812,1813 }"

## enable these services ##
int_tcp_services = "{domain, ntp, smtp,nntp, smtps,submission, www, https,20,88,ftp, ssh,110,139,137,138,135,143,636,993,995,443,445,464,561,636,783,7500,8443,43,63,1024:65535}"
int_udp_services = "{domain, ntp,69,88,137,138,139,445,464}"
int_radius_services = "{1645,1646,1812,1813 }"

## Skip loopback interface - Skip all PF processing on interface bridge and virtual hosts ##
set skip on lo
set skip on bridge0
set skip on tap0
set skip on tap1
set skip on tap2
set skip on tap3

## Sets the interface for which PF should gather statistics such as bytes in/out and packets passed/blocked ##
set loginterface $ext_if
set fingerprints "/etc/pf.os"

# Deal with attacks based on incorrect handling of packet fragments
scrub in all

################### TRANSLATION #############
#### NAT and RDR start
nat on $ext_if from $intnet to any -> ($ext_if)
nat on $intnet from $bridge0 to any -> ($intnet)
nat on $bridge0 from $kali to any -> ($bridge0)
nat on $bridge0 from $win2019 to any -> ($bridge0)
nat on $bridge0 from $kali to any -> ($bridge0)

## Please note that for virtual machines you are passing the packets via the
## virtual switch, so treat it as machine (tap) into switch (bridge) into
## your machine acting as the host (exit)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Redirect ftp traffic to proxy
rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport

## Set default policy ##
block return in log all
block out all

# We need to have an anchor for ftp-proxy
anchor "ftp-proxy/*"
pass out proto tcp from $proxy to any port 20
pass out proto tcp from $proxy to any port 21
pass out on $int_if inet proto {tcp, udp} from $int_if to any port ftp:ftp-proxy
pass in on egress proto tcp to port 21
pass in on egress proto tcp to port 20
pass in on egress proto tcp to port > 49151
pass out quick on egress inet proto tcp from any to 192.168.81.1 flags S/SA
pass out quick on egress inet proto tcp from any to 192.168.81.3 flags S/SA

# set up virtual switch
pass in quick on bridge0 all
pass quick on tap0 all
pass quick on tap1 all
pass quick on tap2 all
pass quick on tap3 all

# Drop all Non-Routable Addresses
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
block drop in quick on $vhosts from $martians to any
block drop out quick on $vhosts from any to $martians

## Blocking spoofed packets
antispoof quick for $int_if
antispoof quick for $ext_if
antispoof quick for $vhosts

# Open SSH port which is listening on port 22 from VPN 139.xx.yy.zz IP only
# I do not allow or accept ssh traffic from ALL for security reasons
#pass in quick on $ext_if inet proto tcp from 192.168.81.0/24 to $ext_if_ip port = ssh flags S/SA keep state label "USER_RULE: Allow SSH from 139.xxx.yyy.zzz"
## Use the following rule to enable ssh for ALL users from any IP address #
## pass in inet proto tcp to $ext_if port ssh
### [ OR ] ###
pass in inet proto tcp to $int_if port 22
#pass in inet proto tcp to $ext_if port 22
pass in inet proto tcp to $vhosts port 22
pass in inet proto tcp to $int_if port 36941
#pass in inet proto tcp to $ext_if port 36941
pass in inet proto tcp to $vhosts port 36941

# Allow Ping-Pong stuff. Be a good sysadmin
icmp_types = "{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types keep state

# allow out the default range for traceroute(8):
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
pass out on $int_if inet proto udp from any to any port 33433 >< 33626 keep state
pass out on $vhosts inet proto udp from any to any port 33433 >< 33626 keep state

# All access to our Nginx/Apache/Lighttpd Webserver and other ports
pass proto tcp from any to $int_if port $webports
pass proto udp from any to $int_if port $webports
pass proto udp from any to $int_if port $radiusports
#pass proto tcp from any to $ext_if port $webports
#pass proto udp from any to $ext_if port $webports
#pass proto udp from any to $ext_if port $radiusports
pass proto tcp from any to $vhosts port $webports
pass proto udp from any to $vhosts port $webports
pass in on $int_if proto tcp from any to any port = 36941 keep state
pass in on $vhosts proto tcp from any to any port = 36941 keep state
pass in on $kali proto tcp from any to any port = 36941 keep state

# Allow essential outgoing traffic
pass out quick on $int_if proto tcp to any port $int_tcp_services
pass out quick on $int_if proto udp to any port $int_udp_services
pass out quick on $int_if proto udp to any port $int_radius_services
pass out quick on $ext_if proto tcp to any port $int_tcp_services
pass out quick on $ext_if proto udp to any port $int_udp_services
pass out quick on $ext_if proto udp to any port $int_radius_services
pass out quick on $vhosts proto tcp to any port $int_tcp_services
pass out quick on $vhosts proto udp to any port $int_udp_services

# For radius make certain for older systems port 1645 and current 1812
pass in log quick on $int_if proto tcp from any to any port = 1645 flags S/SA keep state
pass in log quick on $int_if proto udp from any to any port = 1645 keep state
pass in log quick on $int_if proto tcp from any to any port = 1812 flags S/SA keep state
pass in log quick on $int_if proto udp from any to any port = 1812 keep state
pass in log quick on $int_if proto tcp from any to any port = 36941 flags S/SA keep state
pass in log quick on $int_if proto tcp from any to any port = 1645 flags S/SA keep state
pass in log quick on $int_if proto udp from any to any port = 1645 keep state
pass in log quick on $ext_if proto tcp from any to any port = 1812 flags S/SA keep state
pass in log quick on $ext_if proto udp from any to any port = 1812 keep state
pass in log quick on $ext_if proto tcp from any to any port = 36941 flags S/SA keep state
pass in log quick on $ext_if proto udp from any to any port = 36941 keep state
pass in log quick on $vhosts proto tcp from any to any port = 36941 flags S/SA keep state
pass in log quick on $vhosts proto udp from any to any port = 36941 keep state
pass out quick all flags S/SA keep state

# Add custom rules below
# NOTE: the table name in the next lines was stripped by the list archive (the
# angle-bracketed name was lost); <bruteforce> is a placeholder, and the table
# has to be declared before it is used or pfctl refuses to load the file.
table <bruteforce> persist
block quick from <bruteforce>
pass quick proto { tcp, udp } from any to any port ssh \
flags S/SA keep state \
(max-src-conn 15, max-src-conn-rate 5/3, \
overload <bruteforce> flush global)
## I wonder if sshguard works with pf.
2) rc.conf

hostname="border.nk.ca"
ifconfig_bce0="inet 192.168.81.14 netmask 255.255.255.0 promisc "
ifconfig_bce1="up media 100baseTX mediaopt full-duplex promisc "
ifconfig_bce2="up promisc"
ifconfig_bce3="up promisc"
defaultrouter="192.168.81.2"
hald_enable="YES"
named_enable="YES"
sshd_enable="YES"
sshguard_enable="YES"
moused_enable="YES"
ntpdate_enable="YES"
ntpd_enable="YES"
gateway_enable="YES"
ipv6_gateway_enable="YES"
pf_enable="YES"
clamav_clamd_enable="YES"
clamd_enable="YES"
squid_enable="YES"
tcsd_enable="YES"
tcsd_mode="emulator"
tpmd_enable="YES"
dbus_enable="YES"
apache24_enable="yes"
postgresql_enable="YES"
firebird_enable="YES"
firebird_mode="superserver"
suricata_enable="YES"
suricata_divertport="8000"
cloned_interfaces="bridge0 tap0 tap1 tap2 tap3"
ifconfig_bridge0="addm bce2 addm tap0 addm tap1 addm tap2 addm tap3 up"
#cloned_interfaces="bce0 bce1"
ifconfig_bridge1="addm bce0 addm bce1 up"
#firewall_enable="YES"
#firewall_type="simple"
#firewall_quiet="YES"
#firewall_logging="YES"
vm_enable="YES"
vm_dir="/usr/vm/"
vboxdrv_load="YES"
xrdp_enable="YES"
xrdp_sesman_enable="YES"
saslauthd_enable="YES"
openvassd_enable="YES"
openvasmd_enable="YES"
gsad_enable="YES"
pflog_logfile="/var/log/pflog"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
redis_enable="YES"
cbsd_workdir="/usr/vm"
cbsdrsyncd_enable="YES"
cbsdrsyncd_flags="--config=/usr/vm/etc/rsyncd.conf"
cbsdd_enable="YES"
rcshutdown_timeout="900"

Why is anything internal not able to see the external world from a web browser? Further, my Android cell phone chokes.

--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
https://www.empire.kred/ROOTNK?t=94a1f39b Look at Psalms 14 and 53 on Atheism
There shall be eternal summer in the grateful heart. -Celia Thaxter
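Added example, not part of the post above and not FreeBSD code: a small Python checker for the three pf.conf patterns in the posted file that make rules fail to load or never match (an `on` clause given an address macro such as `$vhosts` or `$intnet`, filter or NAT rules on an interface already covered by `set skip on`, and a `<table>` referenced without a declaration). The excerpt it checks is constructed from the post's rules; it approximates pf grammar with regular expressions and is a pre-check, not a replacement for `pfctl -nf /etc/pf.conf`.

```python
"""pf.conf static checks (added example, not from the post or FreeBSD; approximates pf grammar, does not replace 'pfctl -nf')."""
import re

# Constructed excerpt modelled on the posted pf.conf, keeping its questionable rules.
SAMPLE_CONF = r'''
ext_if="bce1"
int_if="bce0"
bridge0="bridge0"
intnet = $int_if:network
kali="192.168.81.15"
vhosts =" { 192.168.81.16, 192.168.81.15, 192.168.81.17,192.168.81.18 }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
  10.0.0.0/8, 169.254.0.0/16 }"
set skip on bridge0
nat on $intnet from $bridge0 to any -> ($intnet)
nat on $bridge0 from $kali to any -> ($bridge0)
pass in quick on bridge0 all
block drop in quick on $vhosts from $martians to any
block quick from <bruteforce>
'''
MACRO_RE = re.compile(r'^(\w+)\s*=\s*"?\s*(.*?)\s*"?$')

def parse(conf):
    """Split pf.conf text into (macros, rules); comments and '\\' continuations handled."""
    macros, rules = {}, []
    for raw in conf.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
        elif line:
            rules.append(line)
    return macros, rules

def looks_like_addresses(value):
    # True when a macro expands to hosts or networks, which 'on' does not accept.
    return value.startswith("{") or ":network" in value or bool(re.match(r"\d+\.\d+\.\d+\.\d+", value))

def lint(conf):
    """Return (kind, rule) findings for rules that will not load or can never match."""
    macros, rules = parse(conf)
    skipped = {r.split()[-1] for r in rules if r.startswith("set skip on ")}
    tables = {m.group(1) for m in (re.match(r"table <(\w+)>", r) for r in rules) if m}
    findings = []
    for r in rules:
        if r.startswith("set "):
            continue
        m = re.search(r"\bon (\$?\w+)", r)
        if m:
            tok = m.group(1)
            iface = macros.get(tok[1:], tok) if tok.startswith("$") else tok
            if tok.startswith("$") and looks_like_addresses(iface):
                findings.append(("on-not-interface", r))   # pfctl rejects the rule
            elif iface in skipped:
                findings.append(("skipped-interface", r))  # 'set skip' makes it inert
        for t in re.findall(r"<(\w+)>", r):
            if t not in tables:                         # table used but never declared
                findings.append(("undeclared-table", r))
    return findings
```

Running `lint(SAMPLE_CONF)` reports five findings for the excerpt; the same checks run unchanged over a full pf.conf read from disk.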