Date: Fri, 22 Jan 2010 10:18:03 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: kalin m <kalin@el.net>
Cc: freebsd-security@freebsd.org
Subject: Re: pf rules
Message-ID: <4B597B5B.6030802@infracaninophile.co.uk>
In-Reply-To: <4B5958E2.9010509@el.net>
kalin m wrote:
>
>
> hi all...
>
> doing testing with pf...
>
> how is it possible that if i have these rules below in pf.conf if i do:
> telnet that.host.org 25
>
> i get:
> Trying xx.xx.xx.xx...
> Connected to that.host.org.
> Escape character is '^]'.
> ........... etc .......
>
>
> pf.conf contents:
>
> tcp_in = "{ www, https }"
> ftp_in = "{ ftp }"
> udp = "{ domain, ntp }"
> ping = "echoreq"
>
> set skip on lo
> scrub in
>
> antispoof for eth0 inet
>
> block in all
> pass out all keep state
> pass proto udp to any port $udp
> pass inet proto icmp all icmp-type $ping keep state
> pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state
> pass proto tcp to any port ssh
Did your ruleset actually load into pf? If you run:
# pfctl -nf pf.conf
then any output indicates a problem with your pf.conf. Also,
you can examine the loaded rule set by:
# pfctl -sr
This is generated from the pf.conf, but with all the list structures
expanded into separate rules.
You say: "antispoof for eth0 inet" -- this looks a bit dodgy to me:
'eth0' is a linuxism. There's no such network interface driver
under FreeBSD, and you should probably replace that with the actual name
of the interface out of the list returned by 'ifconfig -l'. You don't really
need the 'inet' bit either -- that will be added automatically, as well as
matching 'inet6' rules if your system is IPv6 capable. Also, your
antispoof rules should come /after/ your generic 'block all' rule.
Handy hint: it's good practice when writing pf.conf to define a macro
with the interface name:
ext_if = "em0"
and then use that macro liberally in your rules.
Hmmm... I suppose pf is actually enabled on your system? You'd need
to put:
pf_enable="YES"
pflog_enable="YES"
into /etc/rc.conf to have it start automatically, or if you want to start
things manually, do:
# kldload pf
# pfctl -e
(but be careful with that if you aren't logged into the console, as you
can lock yourself out)
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
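The two checks Matthew suggests (an antispoof rule naming an interface the host does not have, and antispoof placed before the generic block rule) as an added POSIX sh script; this is not code from the thread, and the sample ruleset and interface list it runs against are constructed, not real output from any host.

```shell
#!/bin/sh
# Lint a pf.conf for two problems raised in the reply:
#  1. an 'antispoof for IFACE' line naming an interface that is not in the
#     list `ifconfig -l` would return (e.g. a Linux 'eth0' on a FreeBSD box)
#  2. an antispoof rule appearing before the generic 'block' rule
# Only the plain 'antispoof for IFACE' form is inspected; macros ($ext_if)
# and brace lists are skipped. Usage: pf_lint /etc/pf.conf "$(ifconfig -l)"
# Prints one line per finding and returns the number of findings (0 = clean).
pf_lint() {
    conf=$1
    ifaces=$2
    findings=0
    # 1. literal interface names used in antispoof rules
    for ifn in $(awk '$1=="antispoof" && $2=="for" && $3 !~ /^\$/ && $3 != "{" {print $3}' "$conf"); do
        case " $ifaces " in
            *" $ifn "*) ;;
            *) echo "antispoof names '$ifn', which is not an interface on this host"
               findings=$((findings + 1)) ;;
        esac
    done
    # 2. ordering: first 'block' rule must precede the first 'antispoof' rule
    first_block=$(awk '$1=="block" {print NR; exit}' "$conf")
    first_anti=$(awk '$1=="antispoof" {print NR; exit}' "$conf")
    if [ -n "$first_anti" ] && { [ -z "$first_block" ] || [ "$first_anti" -lt "$first_block" ]; }; then
        echo "antispoof (line $first_anti) comes before the generic block rule"
        findings=$((findings + 1))
    fi
    return $findings
}

# Constructed sample: the relevant part of the ruleset from the question.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
set skip on lo
scrub in
antispoof for eth0 inet
block in all
pass out all keep state
EOF
# Constructed interface list, standing in for the output of `ifconfig -l`.
pf_lint "$SAMPLE" "em0 lo0 pflog0" && SAMPLE_FINDINGS=0 || SAMPLE_FINDINGS=$?
rm -f "$SAMPLE"
# SAMPLE_FINDINGS is 2: unknown interface 'eth0', and antispoof before block
```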
