Date: Sun, 8 May 2005 20:59:30 +0100 (BST)
From: Jan Grant <Jan.Grant@bristol.ac.uk>
To: Fafa Hafiz Krantz <fteg@london.com>
Cc: questions@freebsd.org
Subject: Re: PF RULES! But mine doesn't ...
Message-ID: <Pine.GSO.4.62.0505082053250.598@mail.ilrt.bris.ac.uk>
In-Reply-To: <20050508102226.5380B4BEAD@ws1-1.us4.outblaze.com>
References: <20050508102226.5380B4BEAD@ws1-1.us4.outblaze.com>
On Sun, 8 May 2005, Fafa Hafiz Krantz wrote:

> Hello.
>
> My ruleset is all twisted.
> Unless I disable the default deny policy, this is what happens:
>
> * My nameserver setup goes dysfunctional.
> * My web, mail and fileserver go dysfunctional.
> * I cannot SSH and FTP into certain servers.
> * I cannot ping my IP from the outside.
>
> Can anyone tell what's wrong?
> And maybe also how I can simplify my ruleset?

It's a question of letting DNS traffic _in_ to your nameserver:

> int_if="ep0"
> ext_if="lnc0"
>
> # *** Options
> #
> set block-policy drop
>
> # *** Scrub incoming packets
> #
> scrub in all
>
> # *** NAT
> #
> nat on $ext_if from $int_if:network to any -> ($ext_if)
> rdr on $int_if proto tcp from any to any \
>     port 21 -> 127.0.0.1 port 8021
>
> # *** Default deny policy
> #
> # block drop log all
>
> # *** Pass loopback traffic
> #
> pass quick on { lo0 $int_if }
>
> # *** Outgoing
> #
> pass out on $ext_if inet proto { tcp, udp, icmp } \
>     from ($ext_if) to any keep state
>
> # *** Bootstrap
> #
> pass out on $ext_if inet proto udp \
>     from any port 68 to any port 67 keep state
>
> # *** DNS and NTP
> #
> pass out on $ext_if inet proto udp \
>     from ($ext_if) to any port { 53, 123 } keep state
>
> # *** SSH, HTTP and Ident
> #
> pass in on $ext_if inet proto tcp \
>     from any to ($ext_if) port { 22, 80, 113 } flags S/SA keep state

pass in on $ext_if inet proto { tcp, udp } \
    from any to ($ext_if) port 53
^^^ that lets the traffic in....

pass out on $ext_if inet proto { tcp, udp } \
    from ($ext_if) port 53 to any
^^^ and that lets it back out.

If you add the "query-source address * port 53;" to your named.conf
"options" section, that'll suffice; additionally, since your DNS query
source port is then predictable, you can drop it from the DNS and NTP rule.

> # *** Active FTP
> #
> pass in on $ext_if inet proto tcp \
>     from port 20 to ($ext_if) user proxy flags S/SA keep state

--
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44 (0)117 9287088 (with luck)
http://ioctl.org/jan/
Usenet: The separation of content AND presentation - simultaneously.
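The ruleset below is an added example, not part of either message in the thread. It takes the interface names, the default deny line and the inbound service rule from the quoted pf.conf, and shows the two things the original ruleset lacks under a default deny: an inbound rule for DNS on port 53 and an inbound rule for ICMP echo requests (the "cannot ping my IP from the outside" symptom). The NAT, rdr, DHCP and FTP proxy lines are left out so the DNS and ICMP points stand on their own. Both new rules are written with keep state, so the replies are matched from the state table and no separate "pass out ... port 53" rule is needed. Because the existing outbound rule also keeps state, the resolver's own queries get their answers back whatever source port they were sent from, so named.conf is left untouched; modern resolvers randomise the query source port on purpose, and pinning it to 53 is best avoided.

```pf
# Added example (not from the thread). Interface names and the default deny
# line are taken from the quoted ruleset; everything else is illustrative.
int_if="ep0"
ext_if="lnc0"

set block-policy drop
scrub in all

# Default deny: anything not passed explicitly below is dropped and logged.
block drop log all

# Loopback and the internal network are trusted.
pass quick on { lo0 $int_if }

# Traffic originated by the firewall itself, including the nameserver's
# recursive queries. The state entry admits the replies regardless of the
# source port the resolver chose, so the query port need not be fixed.
pass out on $ext_if inet proto { tcp, udp, icmp } \
    from ($ext_if) to any keep state

# Inbound DNS: queries arrive over UDP and TCP on port 53. With keep state
# the answers flow back through the state table; no pass-out rule needed.
pass in on $ext_if inet proto { tcp, udp } \
    from any to ($ext_if) port 53 keep state

# Inbound services from the original ruleset (SSH, HTTP, Ident).
pass in on $ext_if inet proto tcp \
    from any to ($ext_if) port { 22, 80, 113 } flags S/SA keep state

# Allow the host to be pinged from outside: echo requests only, with the
# matching echo replies leaving through the state entry.
pass in on $ext_if inet proto icmp from any to ($ext_if) \
    icmp-type echoreq keep state
```

Check the file with "pfctl -nf /etc/pf.conf" (parse only, no load) before loading it with "pfctl -f /etc/pf.conf", and use "pfctl -sr" to confirm the rules that are actually in effect. Note that on the pf of that era, keep state had to be spelled out on every rule; a "pass in" without it, as in the reply above, admits the query but relies on a matching outbound rule for the answer.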