From: Doug Hardie
Date: Sat, 23 Jan 2010 13:08:21 -0800
To: Erik Norgaard
Cc: freebsd-questions
Subject: Re: pf rules

On 23 January 2010, at 04:18, Erik Norgaard wrote:

> Doug Hardie wrote:
>
>> This is quite interesting. I can't figure out the rules on my system.
>
> Maybe try to simplify, clean up and structure your rules :)
>
>> Here is the pf.conf file with all comments removed:
>>
>> table persist file "/etc/blackhole"
>> table persist
>> table persist
>> table persist file "/etc/mail/whitelist"
>> MAILHOSTS = "{zool.lafn.org}"
>> no rdr on { lo0, lo1 } from any to any
>> no rdr inet proto tcp from to any port smtp
>> no rdr inet proto tcp from to any port smtp
>> rdr pass log inet proto tcp from any to any port smtp -> 127.0.0.1 port spamd
>> pass in log inet proto tcp to $MAILHOSTS port smtp keep state
>> pass in log on sis0 reply-to (sis0 192.168.25.1) proto tcp from any to any port 75 keep state
>> block in quick log on $ext_if from to any
>
> 1. pf allows short cuts, but these also make it more difficult to debug. I'd separate NAT from filtering,

Ok. I guess you want some white space between them? Here it is with the white space and comments:

ext_if="dc0"

table persist file "/etc/blackhole"
table persist
table persist
table persist file "/etc/mail/whitelist"
MAILHOSTS = "{zool.lafn.org}"

# NAT/RDR Rules
no rdr on { lo0, lo1 } from any to any
no rdr inet proto tcp from to any port smtp
no rdr inet proto tcp from to any port smtp
rdr pass log inet proto tcp from any to any port smtp -> 127.0.0.1 port spamd

# Filter Rules
pass in log inet proto tcp to $MAILHOSTS port smtp keep state
pass in log on sis0 reply-to (sis0 192.168.25.1) proto tcp from any to any port 75 keep state
block in quick log on $ext_if from to any

Other than the comments I don't see the difference.

> that is, never use "rdr pass" even though pf allows it. You also need to understand when rdr takes place to write your filtering rules.

That would be really helpful if that information were available somewhere it could be found. I have not been able to find that anywhere.

>
> 2. You can deploy one of two policies: default block with a whitelist or default pass with a blacklist. Mixing these is a bad idea.
>
> 3. $ext_if = dc0?

I added that back in above. Somehow it got deleted with the comments.

> 4. rdr needs an interface. I'm surprised that pf will parse the above, and have no idea what it does with it. pfctl -sn should show you the nat rules.

zool# pfctl -sn
No ALTQ support in kernel
ALTQ related functions disabled
no rdr on lo0 all
no rdr on lo1 all
no rdr inet proto tcp from to any port = smtp
no rdr inet proto tcp from to any port = smtp
rdr pass log inet proto tcp from any to any port = smtp -> 127.0.0.1 port 8025

It seems to understand it just fine and it works properly. See man spamd:

    The following pf.conf(5) example is suggested:

        table persist
        rdr pass inet proto tcp from ! to any \
            port smtp -> 127.0.0.1 port spamd

> 5. Organize your rules as sketched in my last mail, grouping rules for each interface; it really helps locate where things go wrong.

Other than the whitespace and comments they are.

>
> I have log statements and catch-all rules to ensure that if these are triggered there is something in my ruleset I haven't taken into account. I avoid using "any" except in default rules.
>
>> Note: the blackhole file is empty, as is the whitelist file. There is an entry for 216.54.240.150 in the spamd database. This is a test system.
>>
>> Here is the output of tcpdump where I have only taken one entry for each rule. I have listed the rule number at the front of each line:
>>
>> Rule 0: 14:01:27.133320 rule 0/0(match): pass in on dc0: 216.54.240.150.55782 > 206.117.18.7.25: S 2501333595:2501333595(0) win 65535
>> Rule 1: 02:26:44.755650 rule 1/0(match): pass in on sis0: 71.109.144.133.40864 > 192.168.25.7.75: S 3941268770:3941268770(0) win 65535
>> Rule 2: 10:44:45.037918 rule 2/0(match): block in on dc0: 71.109.162.173.39529 > 206.117.18.7.75: . ack 145 win 65535
>> Rule 4: 13:51:16.022700 rule 4/0(match): rdr in on dc0: 216.54.240.150.49821 > 127.0.0.1.8025: S 2371633783:2371633783(0) win 65535
>>
>> I found no entries for rule 3. There is virtually no traffic on this system other than from me.
>>
>> As I look at pf.conf and tie the rules to the entries I get (rule number at beginning of line):
>>
>> no rdr on { lo0, lo1 } from any to any
>> no rdr inet proto tcp from to any port smtp
>> 0 - no rdr inet proto tcp from to any port smtp
>> 4 - rdr pass log inet proto tcp from any to any port smtp -> 127.0.0.1 port spamd
>> pass in log inet proto tcp to $MAILHOSTS port smtp keep state
>> 1 - pass in log on sis0 reply-to (sis0 192.168.25.1) proto tcp from any to any port 75 keep state
>> block in quick log on $ext_if from to any
>>
>> I have no clue which one is rule 2. The only block is the last entry, but that should never be used because the blackhole file is empty. pfctl shows the table is empty also.
>>
>> The ordering seems to make no sense either. I also note that the man page for pf.conf indicates in the BNF grammar for pf.conf that log is a valid entry for no rdr. However, that always generates a syntax error. Apparently there is no way to log the use of no rdr rules.
>
> See, things seem to have been swapped around somehow: that rule 4 rdr is really rule 0 again, only now it matches for the rdr action; in rule 0 it matches the pass action. Or so it appears.
>
> Anyway, to interpret the output of pflog, you need the output from pfctl -sr and pfctl -sn rather than your config file.

zool# pfctl -sr
No ALTQ support in kernel
ALTQ related functions disabled
pass in log inet proto tcp from any to 206.117.18.7 port = smtp flags S/SA keep state
pass in log on sis0 reply-to (sis0 192.168.25.1) inet proto tcp from any to any port = 75 flags S/SA keep state
block drop in log quick on dc0 from to any

zool# pfctl -sn
No ALTQ support in kernel
ALTQ related functions disabled
no rdr on lo0 all
no rdr on lo1 all
no rdr inet proto tcp from to any port = smtp
no rdr inet proto tcp from to any port = smtp
rdr pass log inet proto tcp from any to any port = smtp -> 127.0.0.1 port 8025

>
> So, to solve your problem, separate NAT and filtering first. Things become so much more clear.
>
> Regards, Erik
>
> --
> Erik Nørgaard
> Ph: +34.666334818/+34.915211157 http://www.locolomo.org
>
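The lookup Erik describes, as an added example that is not part of the thread: the "rule N/M(match): ACTION" field tcpdump prints from pflog0 is an index into a ruleset, and pf keeps filter rules and translation rules in separate rulesets, so the same N points at a different rule depending on whether the action is pass/block (index into `pfctl -sr`) or rdr (index into the rdr rules of `pfctl -sn`). The rulesets embedded below are constructed from the listings in the thread; the table names `<badhosts>` and `<nospamd>` are invented placeholders, since the real names did not survive in the archive, and the script itself is not the poster's or pf's code.

```shell
#!/bin/sh
# Added example: map a pflog "rule N/M(match): ACTION ..." line back to the rule
# text pfctl prints. N is the rule's position in its own ruleset; M is the
# sub-rule (anchor) number. Filter rules (pass/block) are numbered in the
# "pfctl -sr" listing, rdr rules in the rdr part of the "pfctl -sn" listing.

# Constructed from the thread's "pfctl -sr" output; <badhosts> is a placeholder.
FILTER_RULES='pass in log inet proto tcp from any to 206.117.18.7 port = smtp flags S/SA keep state
pass in log on sis0 reply-to (sis0 192.168.25.1) inet proto tcp from any to any port = 75 flags S/SA keep state
block drop in log quick on dc0 from <badhosts> to any'

# Constructed from the thread's "pfctl -sn" output; it contained only rdr rules
# (nat and binat rules live in their own rulesets and would need separate lists).
# <nospamd> and <whitelist> are placeholders.
RDR_RULES='no rdr on lo0 all
no rdr on lo1 all
no rdr inet proto tcp from <nospamd> to any port = smtp
no rdr inet proto tcp from <whitelist> to any port = smtp
rdr pass log inet proto tcp from any to any port = smtp -> 127.0.0.1 port 8025'

# nth_rule N LISTING: print rule number N (0-based, as pflog counts) of LISTING.
nth_rule() {
    printf '%s\n' "$2" | awk -v n="$1" 'NR == n + 1 { print; found = 1 } END { if (!found) exit 1 }'
}

# rule_for_pflog_line LINE: print the rule that the pflog line LINE matched.
rule_for_pflog_line() {
    line=$1
    # "rule 4/0(match): rdr in on dc0: ..." -> n=4, action=rdr
    n=$(printf '%s\n' "$line" | sed -n 's/.*rule \([0-9][0-9]*\)\/[0-9][0-9]*(match): .*/\1/p')
    action=$(printf '%s\n' "$line" | sed -n 's/.*(match): \([a-z]*\) .*/\1/p')
    if [ -z "$n" ] || [ -z "$action" ]; then
        echo "not a pflog match line: $line" >&2
        return 2
    fi
    case $action in
        pass|block) nth_rule "$n" "$FILTER_RULES" ;;
        rdr)        nth_rule "$n" "$RDR_RULES" ;;
        *)          echo "unhandled action: $action" >&2; return 2 ;;
    esac
}

# Usage with constructed copies of two lines from the thread:
rule_for_pflog_line '14:01:27.133320 rule 0/0(match): pass in on dc0: 216.54.240.150.55782 > 206.117.18.7.25: S 2501333595:2501333595(0) win 65535'
rule_for_pflog_line '13:51:16.022700 rule 4/0(match): rdr in on dc0: 216.54.240.150.49821 > 127.0.0.1.8025: S 2371633783:2371633783(0) win 65535'
```

Run against the thread's lines, "rule 0 ... pass" resolves to the first filter rule (the smtp pass to 206.117.18.7), "rule 2 ... block" to the third filter rule (the table block on dc0), and "rule 4 ... rdr" to the fifth translation rule (the rdr to 127.0.0.1 port 8025), which is why a "rule 0" and a "rule 4" can describe the same connection. The listings have to come from the running ruleset (`pfctl -sr`, `pfctl -sn`) rather than pf.conf, because pfctl expands macros, `{}` lists and hostnames into one rule per line, so the count in the file does not match the count pf logs.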