Date: Thu, 14 Feb 2013 19:22:34 +0100
From: Fleuriot Damien <ml@my.gd>
To: Lisa Muir <34.24.34@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: Releasing all outgoing ports for a particular IP.
Message-ID: <48514518-3109-4BFE-8AB0-B93C694168F2@my.gd>
In-Reply-To: <CACX=3hOwVgoZLu79JQ5LcBKNhkgaXOck3Dts9QG5k4wvMpG6zA@mail.gmail.com>
References: <CACX=3hOwVgoZLu79JQ5LcBKNhkgaXOck3Dts9QG5k4wvMpG6zA@mail.gmail.com>
On Feb 14, 2013, at 7:06 PM, Lisa Muir <34.24.34@gmail.com> wrote:

> Hi Guys,
>
> Hope you might be able to help me with a query. Am a little past the
> newbie stage with pf, and moderately comfortable with it, but by no
> means a guru yet, finding my way.
>
> Have one firewall which has a public interface with multiple ip's and
> 5 private lans with the usual private lan space ip's. The machine has
> been running fine for a year and a bit, and I have various port
> forwarding things going, internal redirection for dmz hosts being
> accessed from the lan, port forwarding for public ip aliases on the
> external interface. Two things have left me with questions, one is
> about UDP port forwarding which I got working but am not 100% happy
> with, and I'll come back to that in another thread, and today's one
> which is releasing all tcp ports for a particular IP which is in the
> "DMZ" vlan. In this case, the vlans are implemented at the switches,
> and a separate interface on the pf firewall links into each vlan, no
> kernel based vlan in operation.
>
> As a rule, we restrict outgoing ports, we only allow out what we know
> about and approve, but we're putting in a CCTV transmitter into the
> DMZ which requires access to every tcp port for outgoing.
>
> Here is a cut down version of my pf.conf with the relevant data,
> starting with the definitions for interfaces, the host in question
> that I am testing with, and the ports:
>
> #####################
> # Definitions
> #
> # interfaces
>
> # Vlan1 is the switch management vlan
> vlan1_if = "em1"
>
> # Vlan2 is the business vlan
> vlan2_if = "em2"
>
> # Vlan3 is the topsec secretary vlan
> vlan3_if = "em3"
>
> # Vlan4 is the "dmz"
> vlan4_if = "em4"
>
> # Vlan5 is the domestic house vlan
> vlan5_if = "em5"
>
> # Wlan is the wireless lan in the building
> wlan_if = "msk0"
>
> # The em0 vlan is a direct cat-5 cable link to wireless broadband kit
> # for public internet
> ext_if = "em0"
>
> # The em0_alias0 is a virtual interface for additional public ip
> stc_dvr_ext_if = "173.47.184.4"
>
> tunnel_if = "gif0"
> vpn_if = "tun0"
>
> # Host that we are testing our rules with
> emailserver = "10.168.3.99"
>
> # Ports that we want to open for this host, all tcp going out
> all_ports = "{ 1:65535 }"
>
>
>
> The lans 1, 2, 3 and wireless are restricted to only trafficking on
> ports such as 80, 443, 25, 587, 143 etc.
>
> But I want my email server to go out on any port, so the following
> lines were added, which work:
>
>
> pass in on $vlan4_if proto tcp from $emailserver to any port $all_ports
> pass out on $ext_if proto tcp from $ext_if to any port $all_ports
>
>
>
> The first line of that is suitably restrictive, it only allows that
> one single host in the DMZ to traffic out on all tcp ports.
>
> It's the next pass rule that bothers me. Because all lans nat through
> to the ext_if, this next line effectively opens up all ports to get
> out into the wild if any of them are accidentally opened to get into the
> gateway. I'd like to be able to restrict that particular pass rule to
> a single host.
>
> Is that possible? Or do I just have to live with the fact that I have
> it restricted at the pass in stage?
>
> When I get more info, I may be able to restrict the outgoing
> destination to a list of ip's rather than passing out to any, which
> will help tighten the rule up, but it seems a little unrestricted for
> my liking as is.
>
> Lisa.

I think what you want to do is not possible in this way, people more
experienced will correct me if needed.

Perhaps you could try adjusting your outgoing NAT rules however?

Example:

nat on $ext_if inet proto tcp from $emailserver to any
nat on $ext_if inet proto tcp from $dmz:network to any port { 80 443 25 465 ... }
nat on $ext_if inet proto udp from $dmz:network to any port { 53 ... }

See the approach here? Your packets from hosts other than the emailserver
(which effectively has access to everything over TCP) won't go through.

Now, why do you bother with "ports $all_ports" at all? Just use:

pass in on $vlan4_if proto tcp from $emailserver to any

Next, if you only use ipv4 you might want to use the "inet" keyword in
your rules, as such:

pass in on $vlan4_if inet proto ...

Last, unless you have specific reasons not to, why not make use of the
"quick" keyword so that PF stops processing rules right where you want?

pass in quick on $vlan4_if inet proto tcp...

I hope this helps.
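The following is an added, cut-down pf.conf that puts Damien's suggestion together in one place; it is not from either poster. It reuses the interface names and the email server address Lisa gave, assumes the FreeBSD `nat on ... -> (address)` syntax (Damien's sketch omits the translation target), names the DMZ network `$vlan4_if:network` rather than `$dmz:network`, and uses a constructed list of approved DMZ ports. The commented-out tag rules at the end are an additional technique the thread does not mention.

```pf
# Added example (not from the thread). Names and addresses from Lisa's
# post; port lists are constructed samples.

ext_if      = "em0"
vlan4_if    = "em4"           # the "dmz" vlan
emailserver = "10.168.3.99"

# Approved outbound ports for ordinary DMZ hosts (constructed sample)
dmz_tcp_ports = "{ 25 80 443 465 587 993 }"
dmz_udp_ports = "{ 53 123 }"

set skip on lo0
scrub in all

# --- Translation (first matching nat rule wins) ----------------------
# Only the email server is translated for every TCP destination port.
nat on $ext_if inet proto tcp from $emailserver to any -> ($ext_if)

# Every other DMZ host is translated only for the approved ports. A DMZ
# packet to any other port matches no nat rule, keeps its private
# source address, and so does not match the "pass out" rule below.
nat on $ext_if inet proto tcp from $vlan4_if:network to any port $dmz_tcp_ports -> ($ext_if)
nat on $ext_if inet proto udp from $vlan4_if:network to any port $dmz_udp_ports -> ($ext_if)

# --- Filtering (last matching rule wins unless "quick") --------------
block log all

# One host, all TCP ports. No port clause means every port; "inet"
# limits the rule to IPv4 and "quick" ends evaluation on a match.
pass in quick on $vlan4_if inet proto tcp from $emailserver to any

# The rest of the DMZ gets the approved ports only.
pass in quick on $vlan4_if inet proto tcp from $vlan4_if:network to any port $dmz_tcp_ports
pass in quick on $vlan4_if inet proto udp from $vlan4_if:network to any port $dmz_udp_ports

# Outbound on the public side. Translation has already run, so the
# source is the public address and this rule cannot tell the email
# server from other DMZ hosts; the nat rules above do that restriction.
pass out quick on $ext_if inet proto { tcp udp } from ($ext_if) to any

# Alternative not discussed in the thread: bind the outbound rule to the
# inbound one with a tag. The tag stays on the packet through
# translation, so this "pass out" only matches traffic admitted by the
# tagged "pass in".
# pass in quick on $vlan4_if inet proto tcp from $emailserver to any tag EMAIL_ANYPORT
# pass out quick on $ext_if inet proto tcp tagged EMAIL_ANYPORT
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; with the restricted nat rules in place, a DMZ host other than the email server that is accidentally passed in on an unapproved port still has no translation and is stopped at the `block log all` default, which is the hole Lisa was worried about.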